nginx: Fix SELinux issues

roles/nginx/files/nginx.te

@@ -0,0 +1,22 @@
+module nginx 1.0;
+
+require {
+        type httpd_t;
+        type unconfined_service_t;
+        type reserved_port_t;
+        type httpd_tmp_t;
+        type init_t;
+        type antivirus_t;
+        class dir { remove_name rmdir };
+        class sem { destroy unix_read unix_write };
+        class process2 nnp_transition;
+        class udp_socket name_bind;
+}
+
+allow httpd_t antivirus_t:process2 nnp_transition;
+allow httpd_t reserved_port_t:udp_socket name_bind;
+allow httpd_t unconfined_service_t:sem { unix_read unix_write };
+
+allow init_t httpd_t:sem destroy;
+allow init_t httpd_tmp_t:dir { remove_name rmdir };
+allow init_t unconfined_service_t:sem destroy;

roles/nginx/tasks/selinux.yml

@@ -65,3 +65,36 @@
     name: domain_can_mmap_files
     state: "{{ nginx_domain_can_mmap_files | bool }}"
     persistent: true
+
+- name: Ensure Nginx SELinux module is applied
+  block:
+    - name: Ensure temporary directory is present
+      ansible.builtin.tempfile:
+        state: directory
+      register: tmp_dir
+      tags: molecule-idempotence-notest
+
+    - name: Ensure Nginx SELinux module is present
+      ansible.builtin.copy:
+        src: nginx.te
+        dest: "{{ tmp_dir.path }}/nginx.te"
+      tags: molecule-idempotence-notest
+
+    - name: Ensure Nginx SELinux module is activated
+      ansible.builtin.command: "{{ item }}"
+      with_items:
+        - checkmodule -M -m -o nginx.mod nginx.te
+        - semodule_package -o nginx.pp -m nginx.mod
+        - semodule -i nginx.pp
+      args:
+        chdir: "{{ tmp_dir.path }}"
+      changed_when: false
+      tags: molecule-idempotence-notest
+
+  always:
+    - name: Ensure temporary directory is absent
+      ansible.builtin.file:
+        path: "{{ tmp_dir.path }}"
+        state: absent
+      when: tmp_dir.path is defined
+      tags: molecule-idempotence-notest