-rw-r--r-- | inventory-example/group_vars/xmpp_servers.yml | 1 | ||||
-rw-r--r-- | roles/prosody/tasks/main.yml | 7 | ||||
-rw-r--r-- | roles/prosody/vars/main.yml | 10 |
3 files changed, 11 insertions, 7 deletions
diff --git a/inventory-example/group_vars/xmpp_servers.yml b/inventory-example/group_vars/xmpp_servers.yml
index dd6b7b4..03e110b 100644
--- a/inventory-example/group_vars/xmpp_servers.yml
+++ b/inventory-example/group_vars/xmpp_servers.yml
@@ -1 +1,2 @@
+apache_can_network_connect: yes
 nagios_https_vhosts: ['{{ prosody_http_host | default(ansible_fqdn) }}']
diff --git a/roles/prosody/tasks/main.yml b/roles/prosody/tasks/main.yml
index c29dd38..1b8bd3a 100644
--- a/roles/prosody/tasks/main.yml
+++ b/roles/prosody/tasks/main.yml
@@ -51,13 +51,6 @@
 - xmpp-server
 tags: firewalld
 
-- name: enable httpd_can_network_connect SELinux boolean
- seboolean:
- name: httpd_can_network_connect
- state: yes
- persistent: yes
- tags: selinux
-
 - name: create roster file with correct permissions
 copy:
 content: ''
diff --git a/roles/prosody/vars/main.yml b/roles/prosody/vars/main.yml
index d971fb7..438049e 100644
--- a/roles/prosody/vars/main.yml
+++ b/roles/prosody/vars/main.yml
@@ -25,8 +25,14 @@ prosody_selinux_policy_te: |
 type gssproxy_t;
 type gssproxy_var_lib_t;
 type ldap_port_t;
+ type unconfined_service_t;
+ type unreserved_port_t;
+ type sysctl_net_t;
 class dir search;
+ class key read;
+ class file { read open getattr};
 class sock_file write;
+ class udp_socket name_bind;
 class unix_stream_socket connectto;
 class tcp_socket name_connect;
 }
@@ -36,3 +42,7 @@ prosody_selinux_policy_te: |
 allow prosody_t gssproxy_var_lib_t:sock_file write;
 allow prosody_t gssproxy_t:unix_stream_socket connectto;
 allow prosody_t ldap_port_t:tcp_socket name_connect;
+ allow prosody_t sysctl_net_t:dir search;
+ allow prosody_t sysctl_net_t:file { read open getattr };
+ allow prosody_t unconfined_service_t:key read;
+ allow prosody_t unreserved_port_t:udp_socket name_bind;
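Review bot: `apache_can_network_connect: yes` uses the YAML 1.1 truthy spelling; Ansible accepts it, but yamllint's `truthy` rule and generic YAML 1.2 parsers treat it differently, so write `apache_can_network_connect: true`. The line also gives no hint why every host in the xmpp_servers group needs httpd allowed to open outbound connections, a boolean that was previously scoped to the prosody role's own task list; a one-line comment above it naming the consumer (presumably a reverse proxy in front of Prosody's HTTP host, given `prosody_http_host` on the next line — confirm) would tell a reader what breaks without it. Since this is the example inventory, anything copying it inherits the wider httpd policy by default, which is worth stating in that same comment.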
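Review bot: `class file { read open getattr};` drops the space before the closing brace that the matching `allow prosody_t sysctl_net_t:file { read open getattr };` in the next hunk keeps; checkmodule accepts both, but the permission sets read easier spelled the same way, so write `class file { read open getattr };`. The three new `type` declarations and three new `class` lines match exactly what the allow rules added in the following hunk reference, nothing beyond that.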
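Review bot: `allow prosody_t unconfined_service_t:key read;` and `allow prosody_t unreserved_port_t:udp_socket name_bind;` are the broadest rules in the module — the first lets prosody read kernel keyrings labelled for any unconfined service, the second lets it bind any unreserved UDP port — and nothing in the hunk records which denial they resolve. Each new `allow` line should carry a `#` comment (valid in the .te text this block scalar becomes) with the AVC it was generated from, the daemon and operation, so a later reader can judge whether a narrower type would do; for the key rule in particular, confirm against the denial whether the keyring belongs to `unconfined_service_t` or to `gssproxy_t`, which this module already declares and talks to. The `sysctl_net_t` pair, if it is the usual /proc/sys/net lookup, needs only the same provenance comment.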