@ctala
Last active November 11, 2019 23:52
.ebextensions/
###################################################################################################
#### Copyright 2019 Cristian Tala Sánchez. All Rights Reserved.
####
#### Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file
#### except in compliance with the License. A copy of the License is located at
####
#### http://aws.amazon.com/apache2.0/
####
#### or in the "license" file accompanying this file. This file is distributed on an "AS IS"
#### BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#### License for the specific language governing permissions and limitations under the License.
###################################################################################################
###################################################################################################
#### This config extension for AWS Elastic Beanstalk activates enforcing mode for SELinux on boot.
###################################################################################################
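# Put SELinux into enforcing mode when Elastic Beanstalk runs this config.
#
# - `setenforce 1` changes the mode of the running system only. It does not
#   edit /etc/selinux/config, so the mode after a reboot is whatever SELINUX=
#   says there; check that file (or the AMI) if enforcing must persist.
# - setenforce returns an error when SELinux is disabled. With
#   ignoreErrors: false the deployment then fails instead of carrying on
#   without enforcement, which is the safe outcome. Confirm the result on the
#   instance with `getenforce`.
# - Any local policy module the application needs should already be loaded
#   when this runs. Elastic Beanstalk processes config files in alphabetical
#   order of file name, so name the files accordingly.
commands:
  setEnforce:
    command: setenforce 1
    ignoreErrors: false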
###################################################################################################
#### Copyright 2019 Cristian Tala Sánchez. All Rights Reserved.
####
#### Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file
#### except in compliance with the License. A copy of the License is located at
####
#### http://aws.amazon.com/apache2.0/
####
#### or in the "license" file accompanying this file. This file is distributed on an "AS IS"
#### BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#### License for the specific language governing permissions and limitations under the License.
###################################################################################################
###################################################################################################
#### This config extension for AWS Elastic Beanstalk generates the policies for PHP to run under SELinux
#### in enforcing mode on the Amazon custom AMI for PHP
###################################################################################################
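# Type-enforcement source for a local SELinux policy module that widens what
# httpd_t and httpd_rotatelogs_t may do. The module is compiled and loaded as
# root, so the source is written root-owned and not readable by other users.
#
# Review notes on the rules below (each one is a permanent exception to the
# stock policy, so keep only what the application actually needs):
# - var_t is the generic label for files under /var that have no specific
#   type. Granting httpd_t read/open/getattr on var_t covers every such file,
#   not just the application's. Labelling the application files with an httpd
#   content type (semanage fcontext + restorecon) is the narrower fix.
# - http_port_t:tcp_socket name_connect lets httpd open outbound connections
#   to HTTP ports. Keep it only if the PHP code really calls HTTP backends;
#   TODO confirm whether an existing httpd boolean already covers this.
# - initrc_t:process signal lets httpd send signals to processes running as
#   initrc_t; verify which process this was generated for.
# - Every rule must end in ';' or checkmodule rejects the whole module.
files:
  "/root/httpd-backend.te":
    mode: "000600"
    owner: root
    group: root
    content: |
      module httpd-backend 1.0;

      require {
          type var_log_t;
          type httpd_rotatelogs_t;
          type httpd_t;
          type var_t;
          type hugetlbfs_t;
          type initrc_t;
          type http_port_t;
          class tcp_socket name_connect;
          class process signal;
          class file { write read create open getattr };
          class dir { write add_name };
      }

      #============= httpd_rotatelogs_t ==============
      allow httpd_rotatelogs_t var_log_t:dir { write add_name };
      allow httpd_rotatelogs_t var_log_t:file { create open };

      #============= httpd_t ==============
      allow httpd_t http_port_t:tcp_socket name_connect;
      allow httpd_t hugetlbfs_t:file { read write };
      allow httpd_t initrc_t:process signal;
      allow httpd_t var_log_t:file open;
      allow httpd_t var_t:file { read open };
      allow httpd_t var_t:file getattr;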
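# Build and load the httpd-backend policy module from
# /root/httpd-backend.te. Elastic Beanstalk runs commands in alphabetical
# order of their names, hence the numeric prefixes. ignoreErrors: false on
# every step makes the deployment fail if the module cannot be built or
# loaded, rather than leaving httpd without the rules it needs.
# After a deployment, `semodule -l` on the instance should list httpd-backend.
commands:
  # Compile the type-enforcement source into a policy module
  # (-M: MLS support, -m: non-base module).
  01_compile:
    command: checkmodule -M -m -o httpd-backend.mod httpd-backend.te
    cwd: /root/
    ignoreErrors: false
  # Wrap the compiled module in an installable policy package.
  02_package:
    command: semodule_package -o httpd-backend.pp -m httpd-backend.mod
    cwd: /root/
    ignoreErrors: false
  # Install the package into the system policy.
  03_package_install:
    command: semodule -i httpd-backend.pp
    cwd: /root/
    ignoreErrors: false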