From 8c96b12e65a33e5728995db5e516418f6aa41f1c Mon Sep 17 00:00:00 2001
From: Tim Flink <tflink@fedoraproject.org>
Date: Thu, 16 Jan 2020 21:25:29 +0000
Subject: [PATCH] resultsdb: set sebool httpd_execmem=true for fedora-messaging

After the upgrade to fedora-messaging-2.0.1, we started seeing a bunch of 500s
coming out of resultsdb. Turns out that selinux was blocking part of the code
that was emitting messages on rabbitmq. This is apparently a known issue in
python-cryptography [1] and their docs say that the sebool deny_execmem needs
to be off.

Since this is executed by apache, this leads to httpd_execmem needing to be true.
I still don't understand why this started suddenly - the underlying issue in
python-cryptography has been there for a while. Either way, I'm changing the
sebool for resultsdb machines to make sure it doesn't continue to cause problems
for things that are submitting results to resultsdb.
---
 roles/taskotron/resultsdb-backend/tasks/main.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/roles/taskotron/resultsdb-backend/tasks/main.yml b/roles/taskotron/resultsdb-backend/tasks/main.yml
index d8ff05d116..c1ca05965f 100644
--- a/roles/taskotron/resultsdb-backend/tasks/main.yml
+++ b/roles/taskotron/resultsdb-backend/tasks/main.yml
@@ -46,6 +46,9 @@
 - name: ensure selinux lets httpd talk to postgres
   seboolean: name=httpd_can_network_connect_db persistent=yes state=yes
 
+- name: ensure selinux lets fedora-messaging emit messages
+  seboolean: name=httpd_execmem persistent=yes state=yes
+
 - name: generate resultsdb config
   template: src=settings.py.j2 dest=/etc/resultsdb/settings.py owner=root group=root mode=0644
   notify:
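Review bot: The added `seboolean: name=httpd_execmem persistent=yes state=yes` task relaxes SELinux's writable-and-executable memory check for everything running in the httpd domain on these hosts, not only the fedora-messaging publish path, and the task itself records neither that trade-off nor why it is needed. The rationale currently lives only in the commit message, so I would put it next to the task, for example `# httpd_execmem: needed because python-cryptography (used by fedora-messaging) requires execmem; this weakens W^X for all httpd-domain code, so drop it once upstream no longer needs it`. Whether anything else is served by apache on the resultsdb machines is not visible from this hunk; if so, it inherits the relaxed policy and is worth confirming. An AVC audit check after a later python-cryptography update would show whether the boolean can be turned back off.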