Diffstat (limited to 'roles/ttrss')
-rw-r--r--roles/ttrss/tasks/main.yml11
-rw-r--r--roles/ttrss/vars/main.yml10
2 files changed, 21 insertions, 0 deletions
diff --git a/roles/ttrss/tasks/main.yml b/roles/ttrss/tasks/main.yml
index 13cd9b0..787b9ba 100644
--- a/roles/ttrss/tasks/main.yml
+++ b/roles/ttrss/tasks/main.yml
@@ -15,6 +15,17 @@
version: '{{ ttrss_version }}'
update: yes
+- name: create SELinux policy for apache to allow kerberos auth
+ include_role:
+ name: selinux_policy
+ apply:
+ tags: selinux
+ vars:
+ selinux_policy_name: apache_php_gss
+ selinux_policy_te: '{{ ttrss_selinux_policy_te }}'
+ tags: selinux
+
+
- name: set httpd_sys_rw_content_t selinux context for writable directories
sefcontext:
target: '{{ ttrss_home }}/{{ item }}(/.*)?'
diff --git a/roles/ttrss/vars/main.yml b/roles/ttrss/vars/main.yml
index 96bdca4..788008d 100644
--- a/roles/ttrss/vars/main.yml
+++ b/roles/ttrss/vars/main.yml
@@ -44,3 +44,13 @@ ttrss_apache_config: |
ErrorDocument 401 /index.php?noext=1
</If>
</LocationMatch>
+
+ttrss_selinux_policy_te: |
+ require {
+ type unconfined_service_t;
+ type httpd_t;
+ class key { read view write };
+ }
+
+ #============= httpd_t ==============
+ allow httpd_t unconfined_service_t:key { read view write };
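Review bot: The `allow httpd_t unconfined_service_t:key { read view write };` rule at the end of `ttrss_selinux_policy_te` is scoped to the type that every service without its own policy runs under, so it lets Apache and the PHP code it hosts reach keyring entries of any such daemon, not only the Kerberos material the task name refers to. The `#=====` header suggests the text came from audit2allow, which emits whatever rule silences the logged denial; I would check which permissions the AVC actually listed and drop `write` if it was not among them. At minimum add a comment above the rule naming the owning service, for example `# key owned by <service that logged the AVC>; narrow once that service runs in its own domain`. The .te text also has no `module` statement, which is only fine if the selinux_policy role prepends one itself; that cannot be confirmed from this hunk.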