
diff --git a/roles/paas-docker/nginx/files/selinux/nginx.te b/roles/paas-docker/nginx/files/selinux/nginx.te
new file mode 100644
index 0000000..4f1d392
--- /dev/null
+++ b/roles/paas-docker/nginx/files/selinux/nginx.te
@@ -0,0 +1,26 @@
+# -------------------------------------------------------------
+# Configuration for Let's encrypt nginx
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2018-10-27
+# Description: SELinux policy for nginx
+# Allow to serve containers generated files
+# Source file: roles/paas-docker/nginx/files/selinux/nginx.te
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+policy_module(nginx, 1.0)
+
+require {
+ type httpd_t;
+}
+
+#============= httpd_t ==============
+virt_exec_sandbox_files(httpd_t)
+virt_read_sandbox_files(httpd_t)
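Review bot: `virt_exec_sandbox_files(httpd_t)` on the last-but-one line grants httpd_t execute permission on container-generated files, which is more than serving static files requires; the header comment only justifies serving them, and `virt_read_sandbox_files(httpd_t)` alone would cover that. Unless nginx actually needs to execute something written by a container, drop the exec interface so a compromised web server cannot run attacker-controlled content placed there. If it is needed, add a comment above it naming the executable it must run, e.g. `# exec needed for: <describe the container-written binary/script here>`. Note that the `require` block only lists `httpd_t`; the interfaces are presumably resolved from the installed reference policy headers at build time, so the build will fail loudly if the virt module headers are missing.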
diff --git a/roles/paas-docker/nginx/selinux.sls b/roles/paas-docker/nginx/selinux.sls
index b72af4f..ae33c40 100644
--- a/roles/paas-docker/nginx/selinux.sls
+++ b/roles/paas-docker/nginx/selinux.sls
@@ -1,22 +1,49 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2018-03-23
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% if grains['os_family'] == 'RedHat' %}
# On Fedora and downstreams, SELinux restricts the capability
# of HTTP server to connect to external servers.
#
# This feature allows nginx to connect to other servers,
# and so to act as a front-end server through proxy_pass.
httpd_can_network_connect:
selinux.boolean:
- value: True
- persist: True
+# -------------------------------------------------------------
+# Custom SELinux policies
+#
+# :: Give access to container files Let's Encrypt (T1364)
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+policycoreutils-devel:
+ pkg.installed
+
+/usr/local/share/selinux/nginx.te:
+ file.managed:
+ - source: salt://roles/paas-docker/nginx/files/selinux/nginx.te
+ - makedirs: True
+
+/usr/local/share/selinux/nginx.pp:
+ cmd.run:
+ - name: make -f /usr/share/selinux/devel/Makefile nginx.pp
+ - creates: /usr/local/share/selinux/nginx.pp
+ - cwd: /usr/local/share/selinux
+
+install_selinux_nginx_module:
+ cmd.run:
+ - name: semodule -i nginx.pp
+ - cwd: /usr/local/share/selinux
+ - onchanges:
+ - cmd: /usr/local/share/selinux/nginx.pp
+
{% endif %}
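Review bot: The `creates: /usr/local/share/selinux/nginx.pp` guard on the `make` state means the policy module is built exactly once; a later change to `nginx.te` is deployed by `file.managed` but never compiled or reloaded, so the running policy silently diverges from the managed source. Trigger the build from the source file instead, replacing the `creates` line with `- onchanges:` / `  - file: /usr/local/share/selinux/nginx.te`; the existing `onchanges` on `install_selinux_nginx_module` will then chain the `semodule -i` correctly. It is also worth checking that `policycoreutils-devel` alone provides `/usr/share/selinux/devel/Makefile` on the targeted distribution — on some RedHat-family releases it lives in `selinux-policy-devel`, though that package may already be pulled in as a dependency.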
diff --git a/roles/paas-docker/wwwroot-502/init.sls b/roles/paas-docker/wwwroot-502/init.sls
index 63a7f7a..0b9570c 100644
--- a/roles/paas-docker/wwwroot-502/init.sls
+++ b/roles/paas-docker/wwwroot-502/init.sls
@@ -1,15 +1,29 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2018-09-08
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
+{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
+
/var/wwwroot-502:
file.recurse:
- source: salt://wwwroot/502
- exclude_pat: E@.git
- include_empty: True
- dir_mode: 755
- file_mode: 644
+
+{% if has_selinux %}
+wwwroot_502_selinux_context:
+ selinux.fcontext_policy_present:
+ - name: /var/wwwroot-502(/.*)?
+ - sel_type: httpd_sys_rw_content_t
+
+wwwroot_502_selinux_context_applied:
+ selinux.fcontext_policy_applied:
+ - name: /var/wwwroot-502
+ - recursive: True
+{% endif %}
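Review bot: `sel_type: httpd_sys_rw_content_t` labels the 502 page tree as writable by httpd_t, but the content is deployed read-only by `file.recurse` with mode 644 and nothing in the hunk needs nginx to write there; the least-privilege label for static content is `httpd_sys_content_t`. Change the line to `- sel_type: httpd_sys_content_t` unless a write requirement exists, and if it does, record it in a comment above the state. Since `wwwroot_502_selinux_context_applied` runs `restorecon` only in Salt's default top-down order, consider adding `- require:` / `  - selinux: wwwroot_502_selinux_context` so the dependency is explicit if the states are ever reordered.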
