From 091a117c4f63e9655a7f3dafefa3868b855ffa6a Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Tue, 28 Jan 2014 19:51:26 +0000
Subject: A custom selinux module for fedmsg.

---
 roles/fedmsg_base/files/selinux/fedmsg.mod | Bin 0 -> 903 bytes
 roles/fedmsg_base/files/selinux/fedmsg.pp | Bin 0 -> 919 bytes
 roles/fedmsg_base/files/selinux/fedmsg.te | 11 +++++++++++
 roles/fedmsg_base/tasks/main.yml | 12 ++++++++++++
 4 files changed, 23 insertions(+)
 create mode 100644 roles/fedmsg_base/files/selinux/fedmsg.mod
 create mode 100644 roles/fedmsg_base/files/selinux/fedmsg.pp
 create mode 100644 roles/fedmsg_base/files/selinux/fedmsg.te

diff --git a/roles/fedmsg_base/files/selinux/fedmsg.mod b/roles/fedmsg_base/files/selinux/fedmsg.mod
new file mode 100644
index 000000000..13953aa52
Binary files /dev/null and b/roles/fedmsg_base/files/selinux/fedmsg.mod differ
diff --git a/roles/fedmsg_base/files/selinux/fedmsg.pp b/roles/fedmsg_base/files/selinux/fedmsg.pp
new file mode 100644
index 000000000..7620bdf0f
Binary files /dev/null and b/roles/fedmsg_base/files/selinux/fedmsg.pp differ
diff --git a/roles/fedmsg_base/files/selinux/fedmsg.te b/roles/fedmsg_base/files/selinux/fedmsg.te
new file mode 100644
index 000000000..ba2a3c12f
--- /dev/null
+++ b/roles/fedmsg_base/files/selinux/fedmsg.te
@@ -0,0 +1,11 @@
+
+module fedmsg 1.0;
+
+require {
+ type anon_inodefs_t;
+ type httpd_t;
+ class file write;
+}
+
+#============= httpd_t ==============
+allow httpd_t anon_inodefs_t:file write;
diff --git a/roles/fedmsg_base/tasks/main.yml b/roles/fedmsg_base/tasks/main.yml
index 9b47e9f28..d97e30cd1 100644
--- a/roles/fedmsg_base/tasks/main.yml
+++ b/roles/fedmsg_base/tasks/main.yml
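Review bot: The rule `allow httpd_t anon_inodefs_t:file write;` is host-wide — it applies to every process running in httpd_t, not only the web apps that use fedmsg — and nothing in the module records which denial it is meant to cover, so a later reviewer cannot tell whether it is still needed or could be narrowed; presumably it covers fedmsg's ZeroMQ transport signalling over anonymous inodes from inside the web server, but that should be confirmed and written down. I would put above the rule: `# fedmsg inside httpd (mod_wsgi): ZeroMQ writes to anonymous inodes (eventfd); confirm against the original AVC before widening`. Separately, fedmsg.pp and fedmsg.mod are committed as opaque binaries next to this source, so nobody can verify that the loaded policy is the policy reviewed here, and the two can silently diverge on the next edit; build the package at deploy time from the .te (`checkmodule -M -m -o fedmsg.mod fedmsg.te` then `semodule_package -o fedmsg.pp -m fedmsg.mod`) or at minimum keep only the .te in the repository.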
@@ -70,3 +70,15 @@
 when: fedmsg_certs != []
 tags:
 - config
+
+# Three tasks for handling our custom selinux module
+- name: ensure a directory exists for our custom selinux module
+ file: dest=/usr/local/share/fedmsg state=directory
+
+- name: copy over our custom selinux module
+ copy: src=selinux/fedmsg.pp dest=/usr/local/share/fedmsg/fedmsg.pp
+ register: selinux_module
+
+- name: install our custom selinux module
+ command: semanage -i /usr/local/share/fedmsg/fedmsg.pp
+ when: selinux_module|changed
-- cgit
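Review bot: `semanage -i` in the install task does not load a policy package — in policycoreutils' semanage, `-i` names a file of semanage commands to replay — so as written the module is either never installed or the task fails outright; loading a compiled module is `command: semodule -i /usr/local/share/fedmsg/fedmsg.pp`. Because the task is gated on `when: selinux_module|changed`, a failure here, or a module later removed by hand or dropped by a policy rebuild, is not retried until fedmsg.pp itself changes; a preceding `shell: semodule -l | grep -q '^fedmsg'` registered with `failed_when: false`, and the install conditioned on that result as well as on the copy's changed status, keeps the play converging. The three new tasks also lack the `tags: - config` carried by the tasks just above them, so a `--tags config` run would skip them. The task list these append to starts outside the hunk.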