From 9df768c413029870475a4571b21db886b3291c75 Mon Sep 17 00:00:00 2001
From: David Moreau Simard
Date: Tue, 28 May 2019 12:27:13 -0400
Subject: [PATCH] Add missing selinux policy package for running gunicorn

Running gunicorn out of a virtualenv in a home directory requires some extra selinux policies.

Fixes: https://github.com/ansible-community/ara/issues/49
Change-Id: I027d148d846e7add391b28e805f67cbe312dcde0
---
 roles/ara_api/files/ara-gunicorn.te           | 10 ++++++++++
 roles/ara_api/tasks/wsgi_server/gunicorn.yaml | 19 +++++++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 roles/ara_api/files/ara-gunicorn.te

diff --git a/roles/ara_api/files/ara-gunicorn.te b/roles/ara_api/files/ara-gunicorn.te
new file mode 100644
index 00000000..60db14f7
--- /dev/null
+++ b/roles/ara_api/files/ara-gunicorn.te
@@ -0,0 +1,10 @@
+module ara-gunicorn 1.0;
+
+require {
+	type admin_home_t;
+	type init_t;
+	class file { execute execute_no_trans ioctl lock open read write };
+}
+
+#============= init_t ==============
+allow init_t admin_home_t:file { execute execute_no_trans ioctl lock open read write };
diff --git a/roles/ara_api/tasks/wsgi_server/gunicorn.yaml b/roles/ara_api/tasks/wsgi_server/gunicorn.yaml
index 696eca46..a98ade07 100644
--- a/roles/ara_api/tasks/wsgi_server/gunicorn.yaml
+++ b/roles/ara_api/tasks/wsgi_server/gunicorn.yaml
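Review bot: The single `allow` rule on the last line widens the `init_t` domain itself — PID 1 and any service that runs without a domain transition — to read, write and execute every file labeled `admin_home_t`, not just the ARA virtualenv, and nothing in the file says so. The `#============= init_t ==============` banner suggests the rule came from audit2allow, which emits the broadest rule that silences a denial; `write` and `lock` in particular look unrelated to launching an interpreter from the venv and are probably droppable, to be confirmed against the actual AVC denials rather than assumed. A header such as `# Lets systemd (init_t) execute the ARA gunicorn virtualenv when it lives under a home directory (admin_home_t). This applies to ALL admin_home_t files, so prefer relabeling the venv (semanage fcontext + restorecon) or installing it outside the home directory where possible.` would make the trade-off explicit to whoever loads the module.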
@@ -23,8 +23,27 @@
     virtualenv: "{{ ara_api_venv | bool | ternary(ara_api_venv_path, omit) }}"
     virtualenv_command: /usr/bin/python3 -m venv
 
+- when: ansible_os_family == "RedHat"
+  block:
+    - name: Transfer gunicorn selinux type enforcement file
+      copy:
+        src: ara-gunicorn.te
+        dest: "{{ ara_api_root_dir }}/ara-gunicorn.te"
+
+    # TODO: Only compile a new module and policy package when necessary
+    - name: Compile ara-gunicorn selinux module
+      command: "checkmodule -M -m -o {{ ara_api_root_dir }}/ara-gunicorn.mod {{ ara_api_root_dir }}/ara-gunicorn.te"
+
+    - name: Compile ara-gunicorn selinux policy package
+      command: "semodule_package -o {{ ara_api_root_dir }}/ara-gunicorn.pp -m {{ ara_api_root_dir }}/ara-gunicorn.mod"
+
 - become: yes
   block:
+    # TODO: Only install the selinux module if it has changed
+    - name: Install selinux policy package
+      command: "semodule -i {{ ara_api_root_dir }}/ara-gunicorn.pp"
+      when: ansible_os_family == "RedHat"
+
     - name: Set up systemd unit file for gunicorn to run the ARA API
       template:
         src: ara-api.service.j2
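Review bot: The three `command` tasks (checkmodule, semodule_package and `semodule -i`) have no `creates`, `changed_when` or registered-result gate, so every play run recompiles and reloads a policy module that widens `init_t` and reports changed each time; the two TODO comments acknowledge this, but the fix is small. Registering the `copy` result and conditioning the compile and install tasks on `ara_gunicorn_te is changed` — keeping the `ansible_os_family` check first in the install task's `when` list so the variable is only consulted on RedHat hosts — loads the module only when the policy source actually changed. The `argv` form also avoids word-splitting surprises if `ara_api_root_dir` ever contains spaces. If hosts can run with SELinux disabled, an additional gate on `ansible_selinux.status == "enabled"` may be needed as well, though I cannot see from this hunk whether the role handles that elsewhere.
```yaml
- when: ansible_os_family == "RedHat"
  block:
    - name: Transfer gunicorn selinux type enforcement file
      copy:
        src: ara-gunicorn.te
        dest: "{{ ara_api_root_dir }}/ara-gunicorn.te"
      register: ara_gunicorn_te

    - name: Compile ara-gunicorn selinux module
      command:
        argv:
          - checkmodule
          - -M
          - -m
          - -o
          - "{{ ara_api_root_dir }}/ara-gunicorn.mod"
          - "{{ ara_api_root_dir }}/ara-gunicorn.te"
      when: ara_gunicorn_te is changed

    - name: Compile ara-gunicorn selinux policy package
      command:
        argv:
          - semodule_package
          - -o
          - "{{ ara_api_root_dir }}/ara-gunicorn.pp"
          - -m
          - "{{ ara_api_root_dir }}/ara-gunicorn.mod"
      when: ara_gunicorn_te is changed

# … unchanged: "- become: yes" block header …
    - name: Install selinux policy package
      command:
        argv:
          - semodule
          - -i
          - "{{ ara_api_root_dir }}/ara-gunicorn.pp"
      when:
        - ansible_os_family == "RedHat"
        - ara_gunicorn_te is changed
# … unchanged: systemd unit file template task …
```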