Add missing selinux policy package for running gunicorn

Running gunicorn out of a virtualenv in a home directory requires
some extra selinux policies.

Fixes: https://github.com/ansible-community/ara/issues/49
Change-Id: I027d148d846e7add391b28e805f67cbe312dcde0

roles/ara_api/files/ara-gunicorn.te

@@ -0,0 +1,10 @@
+module ara-gunicorn 1.0;
+
+require {
+    type admin_home_t;
+    type init_t;
+    class file { execute execute_no_trans ioctl lock open read write };
+}
+
+#============= init_t ==============
+allow init_t admin_home_t:file { execute execute_no_trans ioctl lock open read write };

roles/ara_api/tasks/wsgi_server/gunicorn.yaml

@@ -23,8 +23,27 @@
     virtualenv: "{{ ara_api_venv | bool | ternary(ara_api_venv_path, omit) }}"
     virtualenv_command: /usr/bin/python3 -m venv
 
+- when: ansible_os_family == "RedHat"
+  block:
+    - name: Transfer gunicorn selinux type enforcement file
+      copy:
+        src: ara-gunicorn.te
+        dest: "{{ ara_api_root_dir }}/ara-gunicorn.te"
+
+    # TODO: Only compile a new module and policy package when necessary
+    - name: Compile ara-gunicorn selinux module
+      command: "checkmodule -M -m -o {{ ara_api_root_dir }}/ara-gunicorn.mod {{ ara_api_root_dir }}/ara-gunicorn.te"
+
+    - name: Compile ara-gunicorn selinux policy package
+      command: "semodule_package -o {{ ara_api_root_dir }}/ara-gunicorn.pp -m {{ ara_api_root_dir }}/ara-gunicorn.mod"
+
 - become: yes
   block:
+    # TODO: Only install the selinux module if it has changed
+    - name: Install selinux policy package
+      command: "semodule -i {{ ara_api_root_dir }}/ara-gunicorn.pp"
+      when: ansible_os_family == "RedHat"
+
     - name: Set up systemd unit file for gunicorn to run the ARA API
       template:
         src: ara-api.service.j2