Posted to commits@airavata.apache.org by ma...@apache.org on 2020/01/28 17:44:05 UTC

[airavata] 01/02: AIRAVATA-3291 Ansible: SELinux relabelfrom/to for django uploads

This is an automated email from the ASF dual-hosted git repository.

machristie pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/airavata.git

commit 77b4f242e5f06845d1ae2a0182dc872759142fb8
Author: Marcus Christie <ma...@apache.org>
AuthorDate: Tue Jan 28 12:36:33 2020 -0500

    AIRAVATA-3291 Ansible: SELinux relabelfrom/to for django uploads
---
 .../roles/django_setup/files/django-httpd.te       | 30 +++++++++++++++++++++
 .../ansible/roles/django_setup/tasks/main.yml      | 31 ++++++++++++++++++++++
 2 files changed, 61 insertions(+)

diff --git a/dev-tools/ansible/roles/django_setup/files/django-httpd.te b/dev-tools/ansible/roles/django_setup/files/django-httpd.te
new file mode 100644
index 0000000..610e5bc
--- /dev/null
+++ b/dev-tools/ansible/roles/django_setup/files/django-httpd.te
@@ -0,0 +1,30 @@
+#
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+module django-httpd 1.0;
+
+require {
+	type httpd_t;
+	type httpd_sys_rw_content_t;
+	class file { relabelfrom relabelto };
+}
+
+#============= httpd_t ==============
+allow httpd_t httpd_sys_rw_content_t:file { relabelfrom relabelto };
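Review bot: The `allow` rule at the end of django-httpd.te has no comment saying why httpd needs relabel permission; the only explanation is in tasks/main.yml, which a later policy audit may not read. I would add a comment above it such as `# httpd copies the SELinux label when moving uploads to their final location; relabel is granted only from and to httpd_sys_rw_content_t`. As written, the grant is narrow because both permissions are on the same type, which is worth stating so nobody widens it casually. Whether the temporary upload directory is itself labelled `httpd_sys_rw_content_t` is not visible here; if it carries another type, this rule would not cover that source label, so confirm against the audit log that motivated it.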
diff --git a/dev-tools/ansible/roles/django_setup/tasks/main.yml b/dev-tools/ansible/roles/django_setup/tasks/main.yml
index 20e5d7f..11eb1d4 100644
--- a/dev-tools/ansible/roles/django_setup/tasks/main.yml
+++ b/dev-tools/ansible/roles/django_setup/tasks/main.yml
@@ -73,4 +73,35 @@
     dest: "{{ httpd_conf_modules_dir }}/00-wsgi.conf"
   become: yes
 
+# Allow httpd to copy file attributes when handling uploaded files and moving
+# them from temporary to final destination (which may cross partitions)
+- name: double check policycoreutils installed
+  yum: name=policycoreutils-python state=installed
+  become: yes
+
+- name: Copy SELinux type enforcement file
+  copy: src=django-httpd.te dest=/tmp/
+
+- name: Compile SELinux module file
+  command: checkmodule -M -m -o /tmp/django-httpd.mod /tmp/django-httpd.te
+
+- name: Build SELinux policy package
+  command: semodule_package -o /tmp/django-httpd.pp -m /tmp/django-httpd.mod
+
+- name: unLoad SELinux policy package
+  command: semodule -r django-httpd
+  become: yes
+  ignore_errors: True
+
+- name: Load SELinux policy package
+  command: semodule -i /tmp/django-httpd.pp
+  become: yes
+
+- name: Remove temporary files
+  file: path={{ item }} state=absent
+  with_items:
+    - /tmp/django-httpd.mod
+    - /tmp/django-httpd.pp
+    - /tmp/django-httpd.te
+
 ...
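Review bot: The policy source, the compiled module and the package are all staged under fixed names in `/tmp`, and the copy, `checkmodule` and `semodule_package` tasks run without `become` while `semodule -i /tmp/django-httpd.pp` runs as root. A world-writable directory with predictable file names is a weak place to build something that root then loads into the system policy on a host with other local accounts. A private directory created with the `tempfile` module removes that exposure. The `semodule -r` task with `ignore_errors: True` can also be dropped: `semodule -i` replaces an installed module of the same name, whereas the unload leaves a window without the rule and hides real failures.

```yaml
- name: Create private build directory for the SELinux module
  tempfile:
    state: directory
    suffix: django-httpd
  register: selinux_build_dir
  become: yes

- name: Copy SELinux type enforcement file
  copy:
    src: django-httpd.te
    dest: "{{ selinux_build_dir.path }}/"
  become: yes

- name: Compile SELinux module file
  command: checkmodule -M -m -o {{ selinux_build_dir.path }}/django-httpd.mod {{ selinux_build_dir.path }}/django-httpd.te
  become: yes

# … unchanged apart from the same path substitution: semodule_package, semodule -i …

- name: Remove build directory
  file:
    path: "{{ selinux_build_dir.path }}"
    state: absent
  become: yes
```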