diff --git a/roles/pagure/frontend/files/selinux/pagure.fc b/roles/pagure/frontend/files/selinux/pagure.fc
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/roles/pagure/frontend/files/selinux/pagure.if b/roles/pagure/frontend/files/selinux/pagure.if
new file mode 100644
index 0000000000..3eb6a3057b
--- /dev/null
+++ b/roles/pagure/frontend/files/selinux/pagure.if
@@ -0,0 +1 @@
+##
diff --git a/roles/pagure/frontend/files/selinux/pagure.pp b/roles/pagure/frontend/files/selinux/pagure.pp
new file mode 100644
index 0000000000..a6248e7014
Binary files /dev/null and b/roles/pagure/frontend/files/selinux/pagure.pp differ
diff --git a/roles/pagure/frontend/files/selinux/pagure.te b/roles/pagure/frontend/files/selinux/pagure.te
new file mode 100644
index 0000000000..d661e611e9
--- /dev/null
+++ b/roles/pagure/frontend/files/selinux/pagure.te
@@ -0,0 +1,11 @@
+module pagure 1.0;
+
+require {
+	type httpd_t;
+	type gitosis_var_lib_t;
+	class dir { add_name remove_name write };
+	class file { create link setattr unlink write };
+}
+
+allow httpd_t gitosis_var_lib_t:dir { add_name remove_name write };
+allow httpd_t gitosis_var_lib_t:file { create link setattr unlink write };
diff --git a/roles/pagure/frontend/tasks/main.yml b/roles/pagure/frontend/tasks/main.yml
index b6c067cb69..d9ff9db476 100644
--- a/roles/pagure/frontend/tasks/main.yml
+++ b/roles/pagure/frontend/tasks/main.yml
@@ -261,8 +261,20 @@
   tags:
   - pagure
-- name: set sebooleans so pagure can talk to the db
-  seboolean: name=httpd_can_network_connect_db
+- name: copy over our custom selinux module
+  copy: src=selinux/pagure.pp dest=/usr/local/share/pagure.pp
+  register: selinux_module
+  tags:
+  - pagure
+- name: install our custom selinux module
+  command: semodule -i /usr/local/share/pagure.pp
+  when: selinux_module|changed
+  tags:
+  - pagure
+- name: set sebooleans so pagure can talk to the network (db + redis)
+  seboolean: name=httpd_can_network_connect state=true persistent=true
   tags:
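Review bot: The two allow rules in pagure.te grant httpd_t create/write/unlink/setattr and hard-link (`link`) on every directory and file labeled gitosis_var_lib_t, so a compromised web worker can rewrite any repository (or anything else) carrying that label, and nothing in the module records why the frontend itself, rather than a backend worker, needs write access. I'd add a header comment above `module pagure 1.0;` along the lines of `# Let the pagure web frontend (httpd_t) create and modify git repositories labeled gitosis_var_lib_t; keep this as narrow as pagure's repo-creation/fork path requires, and rebuild pagure.pp (checkmodule -M -m, semodule_package) whenever this file changes.` Note that pagure.fc in this commit is empty, so nothing here actually labels pagure's repository directories gitosis_var_lib_t — presumably an existing fcontext rule or a manual relabel does, which is worth confirming in the role. Since the compiled pagure.pp is committed as an opaque binary alongside this source, consider building it from the .te at deploy time so the reviewable text is what gets installed and the two cannot drift apart.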