From b02c5e8db7f7932b20b3be02024e543db79fcf3f Mon Sep 17 00:00:00 2001
From: Guillaume Abrioux
Date: Thu, 1 Apr 2021 09:50:54 +0200
Subject: [PATCH] rgw-loadbalancers: add all rgw_ports to http_port_t type
This adds all rgw ports to the http_port_t selinux type so it allows haproxy to connect to those ports in order to avoid AVC.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1923890
Signed-off-by: Guillaume Abrioux
(cherry picked from commit 6bbb90198b600b460a34faf322a9e36646b3689e)
---
.../ceph-rgw-loadbalancer/tasks/pre_requisite.yml | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/roles/ceph-rgw-loadbalancer/tasks/pre_requisite.yml b/roles/ceph-rgw-loadbalancer/tasks/pre_requisite.yml
index 0a5ffd1ebc..1468fae32f 100644
--- a/roles/ceph-rgw-loadbalancer/tasks/pre_requisite.yml
+++ b/roles/ceph-rgw-loadbalancer/tasks/pre_requisite.yml
@@ -33,3 +33,18 @@
 mode: "0644"
 notify:
 - restart keepalived
+
+- name: selinux related tasks
+ when: ansible_facts['os_family'] == 'RedHat'
+ block:
+ - name: set_fact rgw_ports
+ set_fact:
+ rgw_ports: "{{ rgw_ports | default([]) + [hostvars[item]['rgw_instances']['radosgw_frontend_port']] | unique }}"
+ with_items: "{{ groups.get(rgw_group_name, []) }}"
+
+ - name: add selinux rules
+ seport:
+ ports: "{{ rgw_ports }}"
+ proto: tcp
+ setype: http_port_t
+ state: present
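Review bot: In the `set_fact rgw_ports` task, `| unique` binds tighter than `+`, so it de-duplicates only the one-element list being appended and the accumulated `rgw_ports` keeps one entry per host even when every host uses the same port; parenthesise the sum: `rgw_ports: "{{ (rgw_ports | default([]) + [hostvars[item]['rgw_instances']['radosgw_frontend_port']]) | unique }}"`. The block is gated only on `ansible_facts['os_family'] == 'RedHat'`, and `seport` is likely to fail on hosts where SELinux is disabled, so consider also requiring `ansible_facts['selinux']['status'] == 'enabled'` (confirm against the supported targets). Labelling these ports `http_port_t` grants access to every domain the policy allows on that type, not only haproxy, so a short comment above `add selinux rules` stating that this is intentional would help later reviewers.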