IPA-tuura: SELinux again

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>

roles/ipatuura/files/local-ipatuura.te

@@ -0,0 +1,18 @@
+module local-ipatuura 1.0;
+
+require {
+        type httpd_t;
+        type sssd_conf_t;
+        type realmd_var_lib_t;
+        type systemd_logind_t;
+        class file { read write };
+        class dbus send_msg;
+}
+
+#============= httpd_t ==============
+allow httpd_t sssd_conf_t:file read;
+# Write to /var/lib/ipa-client
+allow httpd_t realmd_var_lib_t:file write;
+# Send messages on DBUS
+allow httpd_t systemd_logind_t:dbus send_msg;
+

roles/ipatuura/tasks/main.yml

@@ -274,8 +274,17 @@
   - ipatuura
   - selinux
 
+- name: Allow HTTPd to run ipa-client-install
+  community.general.sefcontext:
+    target: "/var/log/ipaclient-.*\\.log"
+    setype: httpd_sys_content_rw_t
+    state: present
+  tags:
+  - ipatuura
+  - selinux
+
 - name: Apply SELinux changes
-  ansible.builtin.command: restorecon -irv "/srv/"
+  ansible.builtin.command: restorecon -irv /srv/ /var/log/ipaclient*
   register: restorecon_output
   changed_when: restorecon_output.stdout is defined and restorecon_output.stdout | length > 0
   tags:
@@ -295,8 +304,19 @@
   # Allow Apache to remotely connect to PostgreSQL
   - httpd_can_network_connect_db
   # Allow usage of PAM
+  - httpd_mod_auth_pam
+  - httpd_setrlimit
   # - httpd_tmp_exec
-  # - httpd_mod_auth_pam
+  tags:
+  - ipatuura
+  - selinux
+
+- name: Add a SELinux module for other SELinux permissions for IPA-tuura
+  import_role:
+    name: selinux/module
+  vars:
+    policy_file: files/local-ipatuura.te
+    policy_name: local-ipatuura
   tags:
   - ipatuura
   - selinux