From 7d9769f4c6f25b45bbc24606a3bed586fffd020f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?=
Date: Thu, 17 Aug 2023 13:55:02 -0400
Subject: [PATCH] Add selinux module for caddy

---
 site/profile/files/reverse_proxy/caddy.pp | Bin 0 -> 945 bytes
 site/profile/files/reverse_proxy/caddy.te | 11 +++++++++++
 site/profile/manifests/reverse_proxy.pp | 6 ++++++
 3 files changed, 17 insertions(+)
 create mode 100644 site/profile/files/reverse_proxy/caddy.pp
 create mode 100644 site/profile/files/reverse_proxy/caddy.te

diff --git a/site/profile/files/reverse_proxy/caddy.pp b/site/profile/files/reverse_proxy/caddy.pp
new file mode 100644
index 0000000000000000000000000000000000000000..22ad9b288616200eb16a3ab6b859fe87475e2ba6
GIT binary patch literal 945 zcmbu7!AiqW5Jh9F=%S$D5A+K}|6n%mbma$xnmn-*lG46{1%E;OUROG&=Hd{|su%8? zJ9FpF3uHdN-ae0tqJS69chAo~KHSdlmhJX+e&5yGCQZC_>7?z<2~M2VqONyS7dKbe z=3xkpKJE>2W4p`y32cL&^^ASDwk{9XFtc7R!j8t_Nkj_y+N;W z^mxvBRhN0@sao_2rXG)*-KNS-*`{3PQ2tjA=g_1Y+Is38J`dRb{5{B_`V^@}Xf}Um z2nz)?)Eq@>g1Lb5G?SWO5+27i_wnGNvzQ^6gvT)*S`LzYH*3o3q9a*Vt>`3pXjZOY Pt9XSKi)$1;xBlQ84O}!i literal 0 HcmV?d00001
diff --git a/site/profile/files/reverse_proxy/caddy.te b/site/profile/files/reverse_proxy/caddy.te
new file mode 100644
index 000000000..52cfddbe0
--- /dev/null
+++ b/site/profile/files/reverse_proxy/caddy.te
@@ -0,0 +1,11 @@
+
+module caddy 1.0;
+
+require {
+ type sysctl_net_t;
+ type httpd_t;
+ class file { open read };
+}
+
+#============= httpd_t ==============
+allow httpd_t sysctl_net_t:file { open read };
diff --git a/site/profile/manifests/reverse_proxy.pp b/site/profile/manifests/reverse_proxy.pp
index 679198456..3e3906793 100644
--- a/site/profile/manifests/reverse_proxy.pp
+++ b/site/profile/manifests/reverse_proxy.pp
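Review bot: The policy source declares `module caddy 1.0;` while the Puppet resource that installs the compiled package is titled `caddy_somaxconn` (reverse_proxy.pp, first hunk), and the name SELinux registers comes from the package itself, not from the file or resource name. Assuming the committed caddy.pp was built from this .te, `semodule -l` will list `caddy`, so a provider that checks for the installed module by resource title may never see it as present and could re-install it on every agent run; renaming to `module caddy_somaxconn 1.0;` and rebuilding the .pp, or retitling the Puppet resource to `caddy`, keeps the two in step. The single rule is narrow and read-only, which is the right shape for a local exception to the stock httpd policy. A short header comment stating that caddy runs as httpd_t and needs read access to net sysctls (the resource title suggests somaxconn), and that the `#============= httpd_t ==============` banner indicates the rule was generated from an AVC denial, would record why the exception exists and how to regenerate it when the .te changes.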
@@ -5,6 +5,11 @@
 ) {
 selinux::boolean { 'httpd_can_network_connect': }
+ selinux::module { 'caddy_somaxconn':
+ ensure => 'present',
+ source_pp => 'puppet:///modules/profile/reverse_proxy/caddy.pp',
+ }
+
 firewall { '200 httpd public':
 chain => 'INPUT',
 dport => [80, 443],
@@ -131,6 +136,7 @@
 enable => true,
 require => [
 Package['caddy'],
+ Selinux::Module['caddy_somaxconn'],
 ],
 subscribe => [
 File['/etc/caddy/Caddyfile'],
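Review bot: `selinux::module { 'caddy_somaxconn': ... }` loads an opaque prebuilt binary via `source_pp` while the matching caddy.te source is committed alongside it, so nothing ties the policy that actually loads on the host to the source a reviewer can read. If the selinux module in use supports it and the hosts carry the policy build tools, `source_te => 'puppet:///modules/profile/reverse_proxy/caddy.te'` would let the agent compile the policy and make the .te the single source of truth; otherwise a comment above the resource noting that caddy.pp is compiled from caddy.te and must be rebuilt whenever the .te changes at least records the obligation. A one-line why-comment such as `# caddy runs as httpd_t; the stock policy denies it read access to net sysctls` would also help the next maintainer judge whether the exception is still needed. The enclosing class body starts before the hunk.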