Add selinux to allow map for pamdatabase from unix_chkpwd

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>

roles/base/files/selinux/mapchkpwd.te

@@ -0,0 +1,11 @@
+
+module mapchkpwd 1.0;
+
+require {
+	type chkpwd_t;
+	type shadow_t;
+	class file map;
+}
+
+#============= chkpwd_t ==============
+allow chkpwd_t shadow_t:file map;

roles/base/tasks/main.yml

@@ -334,6 +334,23 @@
   - config
   - rsyslog-audit
 
+# Custom selinux policy to allow unix_chkpwd to map PAM database
+- name: copy over our custom selinux module
+  copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp
+  register: selinux_module
+  when: ansible_distribution_major_version|int >= 27
+  tags:
+  - config
+  - selinux
+
+- name: install our custom selinux module
+  command: semodule -i /usr/local/share/mapchkpwd.pp
+  when: selinux_module|changed
+  when: ansible_distribution_major_version|int >= 27
+  tags:
+  - selinux
+  - config
+
 - name: Setup postfix
   import_tasks: postfix.yml