authorNick Bebout <nb@lockbox01.phx2.fedoraproject.org>2014-08-28 22:58:41 +0000
committerNick Bebout <nb@lockbox01.phx2.fedoraproject.org>2014-08-28 22:58:41 +0000
commit8e99806cdc88591b80ff5f2780debf8794628307 (patch)
treeeffdb573f6f9f93baf7587b895d361d8a6360019 /roles/keyserver
parent56b007a01633d745a56b870ab199e66e403c025f (diff)
Add keyserver selinux module
Diffstat (limited to 'roles/keyserver')
-rw-r--r--roles/keyserver/files/keyserver.modbin0 -> 952 bytes
-rw-r--r--roles/keyserver/files/keyserver.ppbin0 -> 968 bytes
-rw-r--r--roles/keyserver/files/keyserver.te11
-rw-r--r--roles/keyserver/tasks/main.yml8
4 files changed, 19 insertions, 0 deletions
diff --git a/roles/keyserver/files/keyserver.mod b/roles/keyserver/files/keyserver.mod
new file mode 100644
index 000000000..0b094802a
--- /dev/null
+++ b/roles/keyserver/files/keyserver.mod
Binary files differ
diff --git a/roles/keyserver/files/keyserver.pp b/roles/keyserver/files/keyserver.pp
new file mode 100644
index 000000000..809f3eefa
--- /dev/null
+++ b/roles/keyserver/files/keyserver.pp
Binary files differ
diff --git a/roles/keyserver/files/keyserver.te b/roles/keyserver/files/keyserver.te
new file mode 100644
index 000000000..ac4dfe0d7
--- /dev/null
+++ b/roles/keyserver/files/keyserver.te
@@ -0,0 +1,11 @@
+
+module keyserver 1.0;
+
+require {
+ type httpd_t;
+ type pgpkeyserver_port_t;
+ class tcp_socket name_bind;
+}
+
+#============= httpd_t ==============
+allow httpd_t pgpkeyserver_port_t:tcp_socket name_bind;
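Review bot: The `allow` rule on the last line of keyserver.te grants `name_bind` on `pgpkeyserver_port_t` to the whole `httpd_t` domain, so every process that runs confined as httpd_t can listen on the keyserver port, and nothing in the file says why the web server needs it. A comment above the rule would record the intent, for example `# httpd is the public front end for sks and listens on the keyserver port itself (confirm)`; the wording is a guess for the author to confirm. The compiled keyserver.mod and keyserver.pp are committed as binaries next to this source, so a reviewer cannot tell from the diff that the module being installed was built from these eleven lines. Building the .pp from the .te at deploy time or in CI with `checkmodule` and `semodule_package` would keep the loaded policy tied to the reviewed text.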
diff --git a/roles/keyserver/tasks/main.yml b/roles/keyserver/tasks/main.yml
index 8401ca251..6591c1722 100644
--- a/roles/keyserver/tasks/main.yml
+++ b/roles/keyserver/tasks/main.yml
@@ -98,3 +98,11 @@
tags:
- service
+# Two tasks for handling our custom selinux module
+ - name: copy over our custom selinux module
+ copy: src=keyserver.pp dest=/srv/sks/keyserver.pp
+ register: selinux_module
+
+ - name: install our custom selinux module
+ command: semodule -i /srv/sks/keyserver.pp
+ when: selinux_module|changed
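Review bot: The copy task places the policy package in /srv/sks with no `owner`, `group` or `mode`, and root then loads that file with `semodule -i`. If /srv/sks is writable by the sks service account (not visible in this hunk), that account could replace the file before it is loaded. Pinning the file, `copy: src=keyserver.pp dest=/srv/sks/keyserver.pp owner=root group=root mode=0644`, and keeping it in a directory only root can write would close that gap. The install is also gated only on `when: selinux_module|changed`, so if `semodule -i` fails once after a successful copy, later runs see the copy as unchanged and never load the module. A check of `semodule -l` output for `keyserver` as the condition would make the task converge. The task that precedes these two starts outside the hunk.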