Fixes #6517: Add initial SELinux support

rudder-webapp/SPECS/rudder-webapp.spec

@@ -49,7 +49,8 @@
 %define usermod_opt             A
 %endif
 %if 0%{?rhel} == 5 || 0%{?el5}
-%define apache                  httpd
+%define apache                  
+httpd
 %define apache_tools            httpd-tools
 %define apache_group            apache
 %define htpasswd_cmd            htpasswd
@@ -400,6 +401,22 @@ if [ ! -f /opt/rudder/etc/ssl/rudder-webapp.crt ] || [ ! -f /opt/rudder/etc/ssl/
 	echo " Done"
 fi
 
+# SELinux support
+# Check "sestatus" presence, and if here, probe if SELinux
+# is enabled. If so, then tweak our installation to be
+# SELinux compliant
+if type sestatus >/dev/null 2>&1
+  if [ $(sestatus | grep -cE "SELinux status:.*enabled") -ne 0 ]
+  then
+    # Allow Apache to proxy to Jetty
+    setsebool -P httpd_can_network_connect on
+
+    # Adjust the inventory directories SELinux context
+    chcon -Rv --type=httpd_sys_content_t /var/rudder/inventories/incoming
+    chcon -Rv --type=httpd_sys_content_t /var/rudder/inventories/accepted-nodes-updates
+  fi
+fi
+
 echo -n "INFO: Starting Apache HTTPd..."
 service %{apache} start >/dev/null 2>&1
 echo " Done"

rudder-webapp/debian/postinst

@@ -89,6 +89,22 @@ case "$1" in
     echo " Done"
   fi
 
+  # SELinux support
+  # Check "sestatus" presence, and if here, probe if SELinux
+  # is enabled. If so, then tweak our installation to be
+  # SELinux compliant
+  if type sestatus >/dev/null 2>&1
+    if [ $(sestatus | grep -cE "SELinux status:.*enabled") -ne 0 ]
+    then
+      # Allow Apache to proxy to Jetty
+      setsebool -P httpd_can_network_connect on
+
+      # Adjust the inventory directories SELinux context
+      chcon -Rv --type=httpd_sys_content_t /var/rudder/inventories/incoming
+      chcon -Rv --type=httpd_sys_content_t /var/rudder/inventories/accepted-nodes-updates
+    fi
+  fi
+
   echo -n "INFO: Restarting Apache HTTPd..."
   /etc/init.d/apache2 restart >/dev/null 2>&1
   echo " Done"