Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

libravatar: SELinux fixes (enable sebooleans, use only apache user instead of www)

Browse source
This commit is contained in:
clime 2018-11-18 10:17:20 +01:00
parent 968932ce6c
commit 5dd20fa63b
2 changed files with 23 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

38
roles/libravatar/tasks/main.yml
View file

@ -19,8 +19,19 @@
- "python3-mod_wsgi" - "python3-mod_wsgi"
- "policycoreutils-python" - "policycoreutils-python"
- group: name=www - git:
- user: name=www group=www repo: https://git.linux-kernel.at/oliver/ivatar.git
dest: /srv/libravatar
version: "{{ git_branch }}"
ignore_errors: yes
- name: set correct file attributes for /srv/libravatar
file:
path: /srv/libravatar
owner: apache
group: apache
state: directory
recurse: yes
- name: set fcontext for /srv/libravatar - name: set fcontext for /srv/libravatar
sefcontext: sefcontext:
@ -28,17 +39,8 @@
setype: httpd_sys_content_t setype: httpd_sys_content_t
state: present state: present
- name: create /srv/libravatar - name: Apply new SELinux file context to filesystem
file: command: restorecon -ir /srv/libravatar
path: /srv/libravatar
setype: httpd_sys_content_t
state: directory
- git:
repo: https://git.linux-kernel.at/oliver/ivatar.git
dest: /srv/libravatar
version: "{{ git_branch }}"
ignore_errors: yes
- pip: - pip:
requirements: requirements.txt requirements: requirements.txt
@ -79,13 +81,17 @@
args: args:
chdir: /srv/libravatar chdir: /srv/libravatar
- name: So that Apache can talk to PostgreSQL - name: Allow libravatar connect to db remote services
seboolean: seboolean:
name: httpd_can_network_connect_db name: {{ item }}
state: yes state: yes
persistent: yes persistent: yes
with_items:
- httpd_can_network_connect_db
- httpd_can_network_connect
- nis_enabled
- name: So Apache can execute psyco shared lib in virtualenv with httpd_sys_content_t type - name: Allow Apache use psyco shared lib in virtualenv with httpd_sys_content_t type
seboolean: seboolean:
name: httpd_unified name: httpd_unified
state: yes state: yes

2
roles/libravatar/templates/httpd/libravatar.conf
View file

@ -10,7 +10,7 @@ RewriteEngine on
</Directory> </Directory>
WSGIPassAuthorization On WSGIPassAuthorization On
WSGIDaemonProcess libravatar user=www group=www threads=25 display-name=libravatar maximum-requests=8000 graceful-timeout=20 python-home=/mnt/data/.virtualenv python-path=/srv/libravatar WSGIDaemonProcess libravatar user=apache group=apache threads=25 display-name=libravatar maximum-requests=8000 graceful-timeout=20 python-home=/mnt/data/.virtualenv python-path=/srv/libravatar
WSGIScriptAlias / /mnt/data/wsgi.py WSGIScriptAlias / /mnt/data/wsgi.py
ScriptAlias "/cgi-bin/" "/mnt/data/cgi-bin/" ScriptAlias "/cgi-bin/" "/mnt/data/cgi-bin/"