michailw/nginx_socket_write.te

## nginx_socket_write.te
module nginx_socket_write 1.0;

require {
        type httpd_t;
        type var_t;
        type http_cache_port_t;
        class sock_file write;
        class tcp_socket name_connect;
}

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t http_cache_port_t:tcp_socket name_connect;

#!!!! This avc is allowed in the current policy
allow httpd_t var_t:sock_file write;

## nginx_socket_write.yml
---
- name: "SELinux - allow nginx write to socket - check if module was loaded"
  shell: "semodule --list-modules | grep nginx_socket_write"
  register: nginx_socket_write_loaded
  ignore_errors: true

- name: "SELinux - allow nginx write to socket - copy type enforcement file"
  template:
      src: nginx_socket_write.te
      dest: /root/nginx_socket_write.te
      mode: 0644
  when: nginx_socket_write_loaded|failed

- name: "SELinux - allow nginx write to socket - checkmodule"
  command: "checkmodule -M -m -o nginx_socket_write.mod nginx_socket_write.te"
  args:
      chdir: /root
      creates: nginx_socket_write.mod
  when: nginx_socket_write_loaded|failed

- name: "SELinux - allow nginx write to socket - semodule_package"
  command: "semodule_package -o nginx_socket_write.pp -m nginx_socket_write.mod"
  args:
      chdir: /root
      creates: nginx_socket_write.pp
  when: nginx_socket_write_loaded|failed

- name: "SELinux - allow nginx write to socket - semodule install"
  command: "semodule -i nginx_socket_write.pp"
  when: nginx_socket_write_loaded|failed
	module nginx_socket_write 1.0;

	require {
	type httpd_t;
	type var_t;
	type http_cache_port_t;
	class sock_file write;
	class tcp_socket name_connect;
	}

	#============= httpd_t ==============

	#!!!! This avc is allowed in the current policy
	allow httpd_t http_cache_port_t:tcp_socket name_connect;

	#!!!! This avc is allowed in the current policy
	allow httpd_t var_t:sock_file write;
	---
	- name: "SELinux - allow nginx write to socket - check if module was loaded"
	shell: "semodule --list-modules \| grep nginx_socket_write"
	register: nginx_socket_write_loaded
	ignore_errors: true

	- name: "SELinux - allow nginx write to socket - copy type enforcement file"
	template:
	src: nginx_socket_write.te
	dest: /root/nginx_socket_write.te
	mode: 0644
	when: nginx_socket_write_loaded\|failed

	- name: "SELinux - allow nginx write to socket - checkmodule"
	command: "checkmodule -M -m -o nginx_socket_write.mod nginx_socket_write.te"
	args:
	chdir: /root
	creates: nginx_socket_write.mod
	when: nginx_socket_write_loaded\|failed

	- name: "SELinux - allow nginx write to socket - semodule_package"
	command: "semodule_package -o nginx_socket_write.pp -m nginx_socket_write.mod"
	args:
	chdir: /root
	creates: nginx_socket_write.pp
	when: nginx_socket_write_loaded\|failed

	- name: "SELinux - allow nginx write to socket - semodule install"
	command: "semodule -i nginx_socket_write.pp"
	when: nginx_socket_write_loaded\|failed