IPA-tuura: SELinux again

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>

roles/ipatuura/tasks/main.yml

@@ -223,30 +223,43 @@
     setype: httpd_sys_content_t
     state: present
   tags:
-  - ipsilon
+  - ipatuura
   - selinux
 
-- name: Apply selinux type to the venv and code directories
-  ansible.builtin.file:
-    dest: /srv/{{item}}
-    setype: httpd_sys_content_t
-    recurse: yes
+- name: Set the SELinux policy for the binary libraries in the code
+  community.general.sefcontext:
+    target: "/srv/venv/lib.*\.so$"
+    setype: httpd_sys_script_exec_t
+    state: present
+  tags:
+  - ipatuura
+  - selinux
+
+- name: Apply SELinux changes
+  ansible.builtin.command: restorecon -irv "/srv/"
+  register: restorecon_output
+  changed_when: restorecon_output.stdout is defined and restorecon_output.stdout | length > 0
+  tags:
+    - ipatuura
+    - selinux
+
+- name: Set sebooleans
+  ansible.posix.seboolean:
+    name: "{{ item }}"
+    state: true
+    persistent: true
   loop:
-  - ipa-tuura
-  - venv
+  # Allow network connections on any port (IPA queries)
+  - httpd_can_network_connect
+  # Allow connection to SSSd over DBUS
+  - httpd_dbus_sssd
+  # Allow usage of PAM
+  # - httpd_tmp_exec
+  # - httpd_mod_auth_pam
   tags:
-  - ipsilon
+  - ipatuura
   - selinux
 
-- name: Apply selinux type to the wsgi file
-  ansible.builtin.file:
-    dest: /srv/wsgi.py
-    setype: httpd_sys_content_t
-  tags:
-  - ipsilon
-  - selinux
-
-
 - name: Copy the domain template file
   ansible.builtin.template:
     src: domain.json.j2