From 7e4cfba29e7a75a0bc8efa6d07a69eb98d641ce6 Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Wed, 12 Apr 2023 09:00:58 -0400
Subject: ttrss: move selinux hack from apache to ttrss role

---
 roles/ttrss/tasks/main.yml | 11 +++++++++++
 roles/ttrss/vars/main.yml  | 10 ++++++++++
 2 files changed, 21 insertions(+)
(limited to 'roles/ttrss')

diff --git a/roles/ttrss/tasks/main.yml b/roles/ttrss/tasks/main.yml
index 13cd9b0..787b9ba 100644
--- a/roles/ttrss/tasks/main.yml
+++ b/roles/ttrss/tasks/main.yml
@@ -15,6 +15,17 @@
     version: '{{ ttrss_version }}'
     update: yes
 
+- name: create SELinux policy for apache to allow kerberos auth
+  include_role:
+    name: selinux_policy
+    apply:
+      tags: selinux
+  vars:
+    selinux_policy_name: apache_php_gss
+    selinux_policy_te: '{{ ttrss_selinux_policy_te }}'
+  tags: selinux
+
+
 - name: set httpd_sys_rw_content_t selinux context for writable directories
   sefcontext:
     target: '{{ ttrss_home }}/{{ item }}(/.*)?'
diff --git a/roles/ttrss/vars/main.yml b/roles/ttrss/vars/main.yml
index 96bdca4..788008d 100644
--- a/roles/ttrss/vars/main.yml
+++ b/roles/ttrss/vars/main.yml
@@ -44,3 +44,13 @@ ttrss_apache_config: |
     ErrorDocument 401 /index.php?noext=1
 
+
+ttrss_selinux_policy_te: |
+  require {
+    type unconfined_service_t;
+    type httpd_t;
+    class key { read view write };
+  }
+
+  #============= httpd_t ==============
+  allow httpd_t unconfined_service_t:key { read view write };
--
cgit
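Review bot: The new `create SELinux policy` task in roles/ttrss/tasks/main.yml carries no explanation of why the web server needs a custom policy module, and the task name ("allow kerberos auth") is the only hint; a comment above it should tie the task to the rule it installs so the next maintainer can judge whether the grant is still needed. Suggested text: `# PHP under httpd_t needs the unconfined_service_t keyring for GSSAPI/Kerberos auth; rule is ttrss_selinux_policy_te in vars/main.yml (moved here from the apache role)`. Two consecutive blank lines are added after the task, where one separates the other tasks visible in the hunk; yamllint's empty-lines rule would flag this, so drop one of the two `+` blank lines. The task block is complete within the hunk; the surrounding play continues outside it.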
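Review bot: The `allow httpd_t unconfined_service_t:key { read view write };` rule added to roles/ttrss/vars/main.yml grants the web server domain read, view and write access to every kernel key owned by unconfined_service_t, which is wider than "kerberos auth for PHP" appears to require, and nothing in the file records which AVC denial it was written from. The `#============= httpd_t ==============` marker reads like audit2allow output; if so, the permission set was copied from a single denial rather than chosen, and `write` in particular may be more than a credential-cache lookup needs — that should be confirmed against the original denial, which the page does not show. A comment above the block would make the grant reviewable, e.g. `# generated with audit2allow from the httpd_t key denial seen during GSSAPI login; revisit the write permission if a narrower set passes`. Keeping the policy text in vars also means any later tightening must be re-deployed through the selinux_policy role, which is worth stating in the same comment.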