From 6ceb5a873b3eef9721e0471daf4b64df891775aa Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Wed, 8 May 2019 22:49:55 +0000
Subject: [PATCH] cloud-noc01: set selinux to allow ntp port on 124

Signed-off-by: Kevin Fenzi
---
 .../cloud-noc01.cloud.fedoraproject.org.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/playbooks/hosts/cloud-noc01.cloud.fedoraproject.org.yml b/playbooks/hosts/cloud-noc01.cloud.fedoraproject.org.yml
index 60105abf4f..2bf61e747e 100644
--- a/playbooks/hosts/cloud-noc01.cloud.fedoraproject.org.yml
+++ b/playbooks/hosts/cloud-noc01.cloud.fedoraproject.org.yml
@@ -28,6 +28,24 @@
 - import_tasks: "{{ tasks_path }}/2fa_client.yml"
 - import_tasks: "{{ tasks_path }}/motd.yml"
+ - name: check if ntpd port is already known by selinux
+ shell: semanage port -l | grep ntp
+ register: ntp_selinux_port
+ check_mode: no
+ changed_when: false
+ failed_when: false
+ tags:
+ - config
+ - selinux
+
+ - name: allow alternate ntpd port
+ command: semanage port -a -t ntp_port_t -p tcp 124
+ when: "124" not in ntp_selinux_port
+ failed_when: false
+ tags:
+ - config
+ - selinux
+
 handlers:
 - import_tasks: "{{ handlers_path }}/restart_services.yml"
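Review bot: The guard `when: "124" not in ntp_selinux_port` on the second added task does not parse as YAML (a double-quoted scalar followed by trailing text), and even if the whole expression were quoted it would test the keys of the registered result dict rather than the command output, so the add would run on every play; write it as `when: "'124' not in ntp_selinux_port.stdout"`. With `failed_when: false` on the `semanage port -a` task, a failing add is never surfaced, so the host can silently end up without the label while the play reports success. Both tasks can be replaced by the idempotent `seport` module, which drops the grep-and-guard and reports real failures; it relies on the same Python SELinux bindings that `semanage` itself needs on the host. Also, ntpd speaks UDP, so `-p tcp 124` labels a port ntpd presumably does not bind — confirm whether `udp` was intended before merging.

```yaml
  - name: allow alternate ntpd port
    seport:
      ports: 124
      proto: tcp  # NOTE(review): ntpd normally binds UDP; confirm the intended protocol
      setype: ntp_port_t
      state: present
    tags:
    - config
    - selinux
```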