anubis-el: set correct selinux labels for podman

selinux was preventing anubis from reading its policy file. So, set the right context here so it is happy. Note that we cannot use :Z in the podman call, because it runs as the anubis user which cannot chcon those files on the host. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2026-03-20 03:57:02 +08:00 · 2026-02-12 09:03:08 -08:00
parent 96be99434e
commit 0d56b527a6
1 changed files with 19 additions and 0 deletions
--- a/roles/anubis-el/tasks/main.yml
+++ b/roles/anubis-el/tasks/main.yml
@@ -84,6 +84,25 @@
  - config
  - anubis

+- name: Set SELinux context for anubis directory
+  community.general.sefcontext:
+    target: "/srv/anubis(/.*)?"
+    setype: container_file_t
+    state: present
+  tags:
+  - config
+  - anubis
+  - selinux
+
+- name: Apply SELinux changes to anubis directory
+  ansible.builtin.command: restorecon -irv "/srv/anubis/"
+  register: restorecon_output
+  changed_when: restorecon_output.stdout is defined and restorecon_output.stdout | length > 0
+  tags:
+  - config
+  - anubis
+  - selinux
+
 # This service calls podman to pull the anubis container,
 # then sets various env variables for the service and runs it.