From 2320eef5ee22da5bf93fc499c888b68a61a75631 Mon Sep 17 00:00:00 2001
From: Adam Williamson
Date: Tue, 14 Dec 2021 15:54:38 -0800
Subject: [PATCH] openqa/worker: create custom SELinux module directory first

Whoops. Also order these things a bit better.

Signed-off-by: Adam Williamson
---
 roles/openqa/server/tasks/main.yml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/roles/openqa/server/tasks/main.yml b/roles/openqa/server/tasks/main.yml
index 0db7607b97..3c248960ad 100644
--- a/roles/openqa/server/tasks/main.yml
+++ b/roles/openqa/server/tasks/main.yml
@@ -288,9 +288,11 @@
 - openqa-websockets
 - openqa-gru
-# we used to set this as a bigger hammer to let httpd connect to openQA
-- name: Unset httpd_can_network_connect SELinux boolean
- seboolean: name=httpd_can_network_connect state=no persistent=yes
+- name: Create somewhere to stick our custom SELinux module
+ file:
+ path: /usr/local/share/selinux
+ state: directory
+ mode: '0755'
 - name: Copy over custom SELinux module allowing httpd to connect to openQA
 copy: src=httpd-openqa.pp dest=/usr/local/share/selinux/httpd-openqa.pp owner=root group=root mode=0644
@@ -300,6 +302,10 @@
 command: semodule -i /usr/local/share/selinux/httpd-openqa.pp
 when: selinux_module is changed
+# we used to set this as a bigger hammer to let httpd connect to openQA
+- name: Unset httpd_can_network_connect SELinux boolean
+ seboolean: name=httpd_can_network_connect state=no persistent=yes
 - name: Allow Apache to read from NFS (as we store test data files there now)
 seboolean: name=httpd_use_nfs state=yes persistent=yes
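Review bot: The new `file` task for `/usr/local/share/selinux` sets `mode: '0755'` but no owner or group, whereas the `copy` task right after it pins `owner=root group=root` on the module file. When these are omitted, Ansible leaves the ownership of an already existing directory untouched, so a directory that pre-exists under another account would stay writable by that account even though it holds the policy module that `semodule -i` later loads. Adding `owner: root` and `group: root` to the task makes the directory's ownership explicit and consistent with the file it contains.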
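Review bot: The re-added `Unset httpd_can_network_connect SELinux boolean` task keeps the inline `key=value` argument string, while the `file` task introduced by this same commit is written as a native YAML mapping. Writing the `seboolean` arguments as a mapping too, with `name: httpd_can_network_connect`, `state: false` and `persistent: true`, would make the booleans explicit and let linters check the arguments. The neighbouring `httpd_use_nfs` task uses the same inline form, so it could be converted in a follow-up for consistency.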