From 367d38818725b60988c6352a927732de5e364c44 Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Wed, 12 Apr 2023 08:46:55 -0400
Subject: add selinux policy for apache

---
 roles/apache/tasks/main.yml | 10 ++++++++++
 roles/apache/vars/main.yml | 10 ++++++++++
 2 files changed, 20 insertions(+)
(limited to 'roles/apache')

diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml
index 4892782..c1b42ee 100644
--- a/roles/apache/tasks/main.yml
+++ b/roles/apache/tasks/main.yml
@@ -41,6 +41,16 @@
 - { sebool: httpd_can_sendmail, value: '{{ apache_can_sendmail }}' }
 tags: selinux
 
+- name: create SELinux policy for apache to allow kerberos with php fpm (why?)
+ include_role:
+ name: selinux_policy
+ apply:
+ tags: selinux
+ vars:
+ selinux_policy_name: apache_php_gss
+ selinux_policy_te: '{{ apache_selinux_policy_te }}'
+ tags: selinux
+
 - name: configure mod_gssapi
 import_tasks: gssapi.yml
 when: apache_gssapi or apache_use_nfs
diff --git a/roles/apache/vars/main.yml b/roles/apache/vars/main.yml
index fa0a293..90bfff2 100644
--- a/roles/apache/vars/main.yml
+++ b/roles/apache/vars/main.yml
@@ -35,3 +35,13 @@ apache_gzip_types:
 - text/javascript
 - text/plain
 - text/xml
+
+apache_selinux_policy_te:
+ require {
+ type unconfined_service_t;
+ type httpd_t;
+ class key read;
+ }
+
+ #============= httpd_t ==============
+ allow httpd_t unconfined_service_t:key read;
-- cgit
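Review bot: The new `include_role: selinux_policy` task has no `when:` guard, so the custom module — and the extra permission it grants httpd_t — is installed on every host the role runs on, while the adjacent `configure mod_gssapi` task that this policy appears to support is gated on `when: apache_gssapi or apache_use_nfs`; adding the same condition to the include keeps the policy footprint tied to the feature that needs it, e.g. `when: apache_gssapi or apache_use_nfs` under the task's `tags: selinux`. The `(why?)` in the task name should be replaced by the actual rationale so the allow rule is auditable later; if the intent is what the policy name suggests, something like `name: create SELinux policy letting httpd_t read keyring keys owned by unconfined_service_t (GSSAPI credential cache for php-fpm — confirm)` records it. Nothing else in the hunk documents which process owns the key being read, and that is the fact a future reviewer will want. The surrounding task list continues outside the hunk.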
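Review bot: As rendered, `apache_selinux_policy_te:` has no block-scalar indicator, so the TE module text would be parsed as a multi-line plain scalar folded onto one line, and the `#============= httpd_t ==============` line would be a YAML comment rather than part of the value (a comment also terminates a plain scalar, leaving the final `allow` line outside it); if the `|` was simply lost in rendering, disregard this. The fix is `apache_selinux_policy_te: |` so newlines and the audit2allow-style header survive verbatim into the value passed as `selinux_policy_te`. Separately, `allow httpd_t unconfined_service_t:key read;` grants httpd_t read on any keyring key owned by unconfined_service_t, not a specific key, so a YAML comment above the variable naming which service's keyring this is meant for would make the scope of the grant reviewable, e.g. `# Lets httpd_t read keyring keys of unconfined_service_t — presumably the php-fpm/GSSAPI ccache; confirm and narrow if possible.`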