author | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-03-03 17:31:48 -0500 |
---|---|---|
committer | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-03-03 17:31:48 -0500 |
commit | 594ff9610ead86050d7e2e7e21a0eb2e160ae644 (patch) | |
tree | ca6eb04dcb7f701abc1e382cd1d4c184db08dc5b /roles | |
parent | 6837b64cced5b771c4764602d0dbb2817bf2c0a8 (diff) | |
download | selfhosted-594ff9610ead86050d7e2e7e21a0eb2e160ae644.tar.gz selfhosted-594ff9610ead86050d7e2e7e21a0eb2e160ae644.zip |
prosody: updates for 0.12
Diffstat (limited to 'roles')
-rw-r--r-- | roles/prosody/tasks/main.yml | 7 | ||||
-rw-r--r-- | roles/prosody/vars/main.yml | 10 |
2 files changed, 10 insertions, 7 deletions
diff --git a/roles/prosody/tasks/main.yml b/roles/prosody/tasks/main.yml
index c29dd38..1b8bd3a 100644
--- a/roles/prosody/tasks/main.yml
+++ b/roles/prosody/tasks/main.yml
@@ -51,13 +51,6 @@
 - xmpp-server
 tags: firewalld
-- name: enable httpd_can_network_connect SELinux boolean
- seboolean:
- name: httpd_can_network_connect
- state: yes
- persistent: yes
- tags: selinux
-
 - name: create roster file with correct permissions
 copy:
 content: ''
diff --git a/roles/prosody/vars/main.yml b/roles/prosody/vars/main.yml
index d971fb7..438049e 100644
--- a/roles/prosody/vars/main.yml
+++ b/roles/prosody/vars/main.yml
@@ -25,8 +25,14 @@ prosody_selinux_policy_te: |
 type gssproxy_t;
 type gssproxy_var_lib_t;
 type ldap_port_t;
+ type unconfined_service_t;
+ type unreserved_port_t;
+ type sysctl_net_t;
 class dir search;
+ class key read;
+ class file { read open getattr};
 class sock_file write;
+ class udp_socket name_bind;
 class unix_stream_socket connectto;
 class tcp_socket name_connect;
 }
@@ -36,3 +42,7 @@ prosody_selinux_policy_te: |
 allow prosody_t gssproxy_var_lib_t:sock_file write;
 allow prosody_t gssproxy_t:unix_stream_socket connectto;
 allow prosody_t ldap_port_t:tcp_socket name_connect;
+ allow prosody_t sysctl_net_t:dir search;
+ allow prosody_t sysctl_net_t:file { read open getattr };
+ allow prosody_t unconfined_service_t:key read;
+ allow prosody_t unreserved_port_t:udp_socket name_bind; |
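Review bot: The four new allow rules in the last hunk of roles/prosody/vars/main.yml widen prosody_t noticeably — `allow prosody_t unconfined_service_t:key read;` lets the daemon read kernel keys owned by unconfined services and `allow prosody_t unreserved_port_t:udp_socket name_bind;` lets it bind any unreserved UDP port — yet neither the policy text nor the commit message records which Prosody 0.12 behaviour requires each of them, and the prosody_selinux_policy_te block scalar they live in starts outside the hunk. Since the scalar is written verbatim into a .te file, a `#` comment above each rule, such as `# needed by prosody 0.12 for: <reason>` (reason to be filled in from the AVC denial that motivated it), would let a later audit confirm the grant is still justified rather than carried forward blindly. If the UDP bind is for one known port, a dedicated port type or a semanage port label would be narrower than unreserved_port_t; that it is for a whole range is only an inference from this hunk. Minor, in the earlier hunk of the same file: `class file { read open getattr};` lacks the space before `}` that the matching allow rule `file { read open getattr }` uses.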