Fix selinux for Pagure

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>

roles/pagure/frontend/files/selinux/pagure.if

@@ -0,0 +1 @@
+## <summary></summary>

roles/pagure/frontend/files/selinux/pagure.te

@@ -0,0 +1,11 @@
+module pagure 1.0;
+
+require {
+        type httpd_t;
+	type gitosis_var_lib_t;
+	class dir { add_name remove_name write };
+	class file { create link setattr unlink write };
+}
+
+allow httpd_t gitosis_var_lib_t:dir { add_name remove_name write };
+allow httpd_t gitosis_var_lib_t:file { create link setattr unlink write };

roles/pagure/frontend/tasks/main.yml

@@ -261,8 +261,20 @@
   tags:
   - pagure
 
-- name: set sebooleans so pagure can talk to the db
+- name: copy over our custom selinux module
-  seboolean: name=httpd_can_network_connect_db
+  copy: src=selinux/pagure.pp dest=/usr/local/share/pagure.pp
+  register: selinux_module
+  tags:
+  - pagure
+
+- name: install our custom selinux module
+  command: semodule -i /usr/local/share/pagure.pp
+  when: selinux_module|changed
+  tags:
+  - pagure
+
+- name: set sebooleans so pagure can talk to the network (db + redis)
+  seboolean: name=httpd_can_network_connect
                     state=true
                     persistent=true
   tags: