A custom selinux module for fedmsg.

4 files changed, 23 insertions, 0 deletions

diff --git a/roles/fedmsg_base/files/selinux/fedmsg.mod b/roles/fedmsg_base/files/selinux/fedmsg.mod
new file mode 100644
index 000000000..13953aa52
--- /dev/null
+++ b/roles/fedmsg_base/files/selinux/fedmsg.mod
diff --git a/roles/fedmsg_base/files/selinux/fedmsg.pp b/roles/fedmsg_base/files/selinux/fedmsg.pp
new file mode 100644
index 000000000..7620bdf0f
--- /dev/null
+++ b/roles/fedmsg_base/files/selinux/fedmsg.pp
diff --git a/roles/fedmsg_base/files/selinux/fedmsg.te b/roles/fedmsg_base/files/selinux/fedmsg.te
new file mode 100644
index 000000000..ba2a3c12f
--- /dev/null
+++ b/roles/fedmsg_base/files/selinux/fedmsg.te
@@ -0,0 +1,11 @@
+
+module fedmsg 1.0;
+
+require {
+	type anon_inodefs_t;
+	type httpd_t;
+	class file write;
+}
+
+#============= httpd_t ==============
+allow httpd_t anon_inodefs_t:file write;
diff --git a/roles/fedmsg_base/tasks/main.yml b/roles/fedmsg_base/tasks/main.yml
index 9b47e9f28..d97e30cd1 100644
--- a/roles/fedmsg_base/tasks/main.yml
+++ b/roles/fedmsg_base/tasks/main.yml
@@ -70,3 +70,15 @@
   when: fedmsg_certs != []
   tags:
   - config
+
+# Three tasks for handling our custom selinux module
+- name: ensure a directory exists for our custom selinux module
+  file: dest=/usr/local/share/fedmsg state=directory
+
+- name: copy over our custom selinux module
+  copy: src=selinux/fedmsg.pp dest=/usr/local/share/fedmsg/fedmsg.pp
+  register: selinux_module
+
+- name: install our custom selinux module
+  command: semanage -i /usr/local/share/fedmsg/fedmsg.pp
+  when: selinux_module|changed