diff --git a/roles/paas-docker/nginx/files/selinux/nginx.te b/roles/paas-docker/nginx/files/selinux/nginx.te
new file mode 100644
index 0000000..4f1d392
--- /dev/null
+++ b/roles/paas-docker/nginx/files/selinux/nginx.te
@@ -0,0 +1,26 @@
+# -------------------------------------------------------------
+# Configuration for Let's encrypt nginx
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2018-10-27
+# Description: SELinux policy for nginx
+# Allow to serve containers generated files
+# Source file: roles/paas-docker/nginx/files/selinux/nginx.te
+# -------------------------------------------------------------
+#
+#
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+#
+
+policy_module(nginx, 1.0)
+
+require {
+ type httpd_t;
+}
+
+#============= httpd_t ==============
+virt_exec_sandbox_files(httpd_t)
+virt_read_sandbox_files(httpd_t)
diff --git a/roles/paas-docker/nginx/selinux.sls b/roles/paas-docker/nginx/selinux.sls
index b72af4f..ae33c40 100644
--- a/roles/paas-docker/nginx/selinux.sls
+++ b/roles/paas-docker/nginx/selinux.sls
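Review bot: `virt_exec_sandbox_files(httpd_t)` grants httpd_t execute permission on container (svirt sandbox) files, which is wider than the purpose stated in the header, "Allow to serve containers generated files"; serving static files through nginx needs only `virt_read_sandbox_files(httpd_t)`. Execute rights on files a container can write are a larger trust grant than read rights, so the exec line should be dropped unless an observed denial actually required it, in which case a comment above it naming that need (for example `# exec needed because: <reason>`) would justify the broader rule to the next reader. The `require { type httpd_t; }` block is sufficient as written, since these virt_* interfaces only need the calling domain's type.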
@@ -1,22 +1,49 @@ # ------------------------------------------------------------- # Salt — Provision Docker engine # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # Created: 2018-03-23 # License: Trivial work, not eligible to copyright # ------------------------------------------------------------- {% if grains['os_family'] == 'RedHat' %} # On Fedora and downstreams, SELinux restricts the capability # of HTTP server to connect to external servers. # # This feature allows nginx to connect to other servers, # and so to act as a front-end server through proxy_pass. httpd_can_network_connect: selinux.boolean: - value: True - persist: True +# ------------------------------------------------------------- +# Custom SELinux policies +# +# :: Give access to container files Let's Encrypt (T1364) +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +policycoreutils-devel: + pkg.installed + +/usr/local/share/selinux/nginx.te: + file.managed: + - source: salt://roles/paas-docker/nginx/files/selinux/nginx.te + - makedirs: True + +/usr/local/share/selinux/nginx.pp: + cmd.run: + - name: make -f /usr/share/selinux/devel/Makefile nginx.pp + - creates: /usr/local/share/selinux/nginx.pp + - cwd: /usr/local/share/selinux + +install_selinux_nginx_module: + cmd.run: + - name: semodule -i nginx.pp + - cwd: /usr/local/share/selinux + - onchanges: + - cmd: /usr/local/share/selinux/nginx.pp + {% endif %} diff --git a/roles/paas-docker/wwwroot-502/init.sls b/roles/paas-docker/wwwroot-502/init.sls index 63a7f7a..0b9570c 100644 --- a/roles/paas-docker/wwwroot-502/init.sls +++ b/roles/paas-docker/wwwroot-502/init.sls 
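Review bot: The `/usr/local/share/selinux/nginx.pp` state guards the build with `creates`, so once nginx.pp exists a later change to nginx.te (delivered by the file.managed state just above it) never rebuilds the module, and the `onchanges` on install_selinux_nginx_module then never fires either, leaving the loaded policy silently out of date. Replacing `- creates: /usr/local/share/selinux/nginx.pp` with `- onchanges:` followed by `  - file: /usr/local/share/selinux/nginx.te` ties both the rebuild and the reinstall to the source the policy is compiled from. The Makefile at /usr/share/selinux/devel/ is shipped by selinux-policy-devel on Fedora and downstreams, which policycoreutils-devel usually pulls in as a dependency; listing it explicitly next to policycoreutils-devel would make that assumption visible rather than relying on it.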
@@ -1,15 +1,29 @@ # ------------------------------------------------------------- # Salt — Provision Docker engine # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # Created: 2018-09-08 # License: Trivial work, not eligible to copyright # ------------------------------------------------------------- +{% set has_selinux = salt['grains.get']('selinux:enabled', False) %} + /var/wwwroot-502: file.recurse: - source: salt://wwwroot/502 - exclude_pat: E@.git - include_empty: True - dir_mode: 755 - file_mode: 644 + +{% if has_selinux %} +wwwroot_502_selinux_context: + selinux.fcontext_policy_present: + - name: /var/wwwroot-502(/.*)? + - sel_type: httpd_sys_rw_content_t + +wwwroot_502_selinux_context_applied: + selinux.fcontext_policy_applied: + - name: /var/wwwroot-502 + - recursive: True +{% endif %}
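Review bot: `sel_type: httpd_sys_rw_content_t` labels the 502 page tree as writable by httpd_t, while the only thing this state does with /var/wwwroot-502 is deploy read-only content (file_mode 644) for nginx to serve; the read-only label `httpd_sys_content_t` is enough to serve it and keeps the web-server domain from being able to modify its own error page. Unless some component running as httpd_t actually writes under that directory, change the line to `    - sel_type: httpd_sys_content_t`; if write access is genuinely required, a comment above the state saying which writer needs it would explain the broader grant. Ordering is otherwise sound: the fcontext rule is declared before `fcontext_policy_applied` relabels recursively, so files laid down by file.recurse earlier in the same run pick up the new label.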