diff --git a/roles/nginx/files/nginx.te b/roles/nginx/files/nginx.te
new file mode 100644
index 0000000..47e9b08
--- /dev/null
+++ b/roles/nginx/files/nginx.te
@@ -0,0 +1,22 @@
+module nginx 1.0;
+
+require {
+ type httpd_t;
+ type unconfined_service_t;
+ type reserved_port_t;
+ type httpd_tmp_t;
+ type init_t;
+ type antivirus_t;
+ class dir { remove_name rmdir };
+ class sem { destroy unix_read unix_write };
+ class process2 nnp_transition;
+ class udp_socket name_bind;
+}
+
+allow httpd_t antivirus_t:process2 nnp_transition;
+allow httpd_t reserved_port_t:udp_socket name_bind;
+allow httpd_t unconfined_service_t:sem { unix_read unix_write };
+
+allow init_t httpd_t:sem destroy;
+allow init_t httpd_tmp_t:dir { remove_name rmdir };
+allow init_t unconfined_service_t:sem destroy;
diff --git a/roles/nginx/tasks/selinux.yml b/roles/nginx/tasks/selinux.yml
index 47ecd60..b48a002 100644
--- a/roles/nginx/tasks/selinux.yml
+++ b/roles/nginx/tasks/selinux.yml
@@ -65,3 +65,36 @@
 name: domain_can_mmap_files
 state: "{{ nginx_domain_can_mmap_files | bool }}"
 persistent: true
+
+- name: Ensure Nginx SELinux module is applied
+ block:
+ - name: Ensure temporary directory is present
+ ansible.builtin.tempfile:
+ state: directory
+ register: tmp_dir
+ tags: molecule-idempotence-notest
+
+ - name: Ensure Nginx SELinux module is present
+ ansible.builtin.copy:
+ src: nginx.te
+ dest: "{{ tmp_dir.path }}/nginx.te"
+ tags: molecule-idempotence-notest
+
+ - name: Ensure Nginx SELinux module is activated
+ ansible.builtin.command: "{{ item }}"
+ with_items:
+ - checkmodule -M -m -o nginx.mod nginx.te
+ - semodule_package -o nginx.pp -m nginx.mod
+ - semodule -i nginx.pp
+ args:
+ chdir: "{{ tmp_dir.path }}"
+ changed_when: false
+ tags: molecule-idempotence-notest
+
+ always:
+ - name: Ensure temporary directory is absent
+ ansible.builtin.file:
+ path: "{{ tmp_dir.path }}"
+ state: absent
+ when: tmp_dir.path is defined
+ tags: molecule-idempotence-notest
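Review bot: The new nginx.te is a bare list of allow rules with no comment recording which AVC denial each one answers, and several of them widen the shared `httpd_t` domain well beyond one nginx instance: `allow httpd_t reserved_port_t:udp_socket name_bind;` lets anything running as httpd_t bind every otherwise-unlabelled UDP port below 1024, and the `unconfined_service_t:sem` and `antivirus_t:process2 nnp_transition` rules couple the web server to domains an nginx role does not obviously need. If the UDP rule exists for one known listener, labelling that single port with `semanage port` is narrower than granting name_bind on the generic reserved_port_t type. Suggest a header such as `# Local policy for nginx under httpd_t; each rule records the denial it was generated from` plus a one-line comment per rule, so the next reviewer can tell which rules are still required. The three `init_t` rules look like systemd cleaning up httpd_tmp_t and semaphores at service stop, but nothing on this page confirms that, so the comment should state the observed denial rather than guess.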
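Review bot: The command loop in "Ensure Nginx SELinux module is activated" recompiles and reinstalls the policy on every run, and `changed_when: false` reports the `semodule -i` policy reload as no change, so neither the operator nor a handler learns that the loaded policy moved; if that is a deliberate trade for the molecule idempotence check the tags point at, say so above the task, e.g. `# Rebuilt and reinstalled on every run; the change is masked to keep the idempotence check green`. `semodule -i` requires root and no `become` is visible in the hunk, so the privilege must come from the play or role level — worth confirming. The five identical `tags: molecule-idempotence-notest` lines can be a single `tags:` on the block, which its tasks and the `always:` section inherit. Indentation is not recoverable from this rendering, so the nesting assumed here is inferred from the task order.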