Add selinux module for caddy

ComputeCanada · Aug 17, 2023 · 7d9769f · 7d9769f
1 parent ef275f6
commit 7d9769f
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 0 deletions.
diff --git a/site/profile/files/reverse_proxy/caddy.pp b/site/profile/files/reverse_proxy/caddy.pp
diff --git a/site/profile/files/reverse_proxy/caddy.te b/site/profile/files/reverse_proxy/caddy.te
@@ -0,0 +1,11 @@
+
+module caddy 1.0;
+
+require {
+	type sysctl_net_t;
+	type httpd_t;
+	class file { open read };
+}
+
+#============= httpd_t ==============
+allow httpd_t sysctl_net_t:file { open read };
diff --git a/site/profile/manifests/reverse_proxy.pp b/site/profile/manifests/reverse_proxy.pp
@@ -5,6 +5,11 @@
 ) {
   selinux::boolean { 'httpd_can_network_connect': }
 
+  selinux::module { 'caddy_somaxconn':
+    ensure    => 'present',
+    source_pp => 'puppet:///modules/profile/reverse_proxy/caddy.pp',
+  }
+
   firewall { '200 httpd public':
     chain  => 'INPUT',
     dport  => [80, 443],
@@ -131,6 +136,7 @@
     enable    => true,
     require   => [
       Package['caddy'],
+      Selinux::Module['caddy_somaxconn'],
     ],
     subscribe => [
       File['/etc/caddy/Caddyfile'],