This adds all rgw ports to the http_port_t SELinux type so that
haproxy is allowed to connect to those ports, avoiding AVC denials.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1923890
Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
(cherry picked from commit
6bbb90198b600b460a34faf322a9e36646b3689e)
mode: "0644"
notify:
- restart keepalived
+
+- name: selinux related tasks
+ when: ansible_facts['os_family'] == 'RedHat'
+ block:
+ - name: set_fact rgw_ports
+ set_fact:
+ rgw_ports: "{{ rgw_ports | default([]) + [hostvars[item]['rgw_instances']['radosgw_frontend_port']] | unique }}"
+ with_items: "{{ groups.get(rgw_group_name, []) }}"
+
+ - name: add selinux rules
+ seport:
+ ports: "{{ rgw_ports }}"
+ proto: tcp
+ setype: http_port_t
+ state: present
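Review bot: In `set_fact rgw_ports` the trailing `| unique` binds only to the one-element list on the right of `+`, because Jinja2 filters take precedence over `+`, so the accumulated `rgw_ports` is never de-duplicated; parenthesise the concatenation, `rgw_ports: "{{ (rgw_ports | default([]) + [hostvars[item]['rgw_instances']['radosgw_frontend_port']]) | unique }}"`. The lookup also indexes `rgw_instances` as a mapping; if that variable is a list of instances (its definition is not visible in this hunk), the port has to be collected with `map(attribute='radosgw_frontend_port')` instead. The block's `when:` tests only `os_family`, and `seport` fails on hosts where SELinux is disabled, so adding `ansible_facts['selinux']['status'] == 'enabled'` as a second condition would keep such hosts from failing the play. The context lines at the top of the hunk belong to a task that starts outside it.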