From d593ea82b08018c05dea0fa725907de323988ef9 Mon Sep 17 00:00:00 2001
From: Francesco Di Nucci
Date: Thu, 4 Apr 2024 14:57:30 +0200
Subject: [PATCH] fix: add proper SELinux context and enable httpd_enable_cgi
* Set SELinux context for files in ${basedir}/puppetboard, if virtualenv is managed, set context for it too
* Enable httpd_enable_cgi SELinux boolean to allow WSGI execution
Fixes: #336, #365
---
 manifests/init.pp | 71 ++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 61 insertions(+), 10 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index 62f300d6..9d542244 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -274,17 +274,68 @@
 }
 if $manage_selinux {
- selboolean { 'httpd_can_network_relay':
- persistent => true,
- value => 'on',
+ # Include puppet/selinux
+ include selinux
+ # Set SELinux booleans required for httpd proper functioning
+ # https://linux.die.net/man/8/httpd_selinux
+ selinux::boolean {
+ default:
+ ensure => 'on',
+ persistent => true,
+ ;
+ # allow httpd scripts to connect to network: Puppetboard connects
+ # to PuppetDB
+ 'httpd_can_network_connect':
+ ;
+ # allow httpd script to connect to database servers: PuppetDB relies
+ # on PostgreSQL
+ 'httpd_can_network_connect_db':
+ ;
+ # allow httpd to be used as a forward/reverse proxy
+ 'httpd_can_network_relay':
+ ;
+ # enable cgi support
+ 'httpd_enable_cgi':
+ ;
 }
- selboolean { 'httpd_can_network_connect':
- persistent => true,
- value => 'on',
+ # Set context for wsgi and settings
+ selinux::fcontext {
+ default:
+ ensure => present,
+ notify => Selinux::Exec_restorecon["${basedir}/puppetboard"],
+ ;
+ "${basedir}/puppetboard/wsgi.py":
+ seltype => 'httpd_sys_script_exec_t',
+ ;
+ $settings_file :
+ require => File[$settings_file],
+ seltype => 'httpd_sys_content_t',
+ ;
 }
- selboolean { 'httpd_can_network_connect_db':
- persistent => true,
- value => 'on',
+ # Apply changes above
+ selinux::exec_restorecon { "${basedir}/puppetboard":
+ }
+
+ if $manage_virtualenv {
+ # Set context for venv files
+ selinux::fcontext {
+ default:
+ ensure => present,
+ require => Python::Pyvenv[$virtualenv_dir],
+ notify => Selinux::Exec_restorecon[$virtualenv_dir],
+ ;
+ "${virtualenv_dir}(/.*\.(cfg|css|html|ico|js|pem|png|svg|ttf|txt|woff|woff2|xml))?":
+ seltype => 'httpd_sys_content_t',
+ ;
+ "${virtualenv_dir}(/.*/METADATA)?":
+ seltype => 'httpd_sys_content_t',
+ ;
+ "${virtualenv_dir}(/.*\.(pth|py|pyc|pyi|so))?":
+ seltype => 'httpd_sys_script_exec_t',
+ ;
+ }
+ # Apply changes above
+ selinux::exec_restorecon { $virtualenv_dir :
+ }
+ }
 }
-}
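Review bot: The `\.` in the two venv fcontext patterns sits inside a Puppet double-quoted string, where it is an unrecognized escape sequence that Puppet warns about on every catalog compile; write `\\.` instead, i.e. `"${virtualenv_dir}(/.*\\.(cfg|css|html|ico|js|pem|png|svg|ttf|txt|woff|woff2|xml))?":` and `"${virtualenv_dir}(/.*\\.(pth|py|pyc|pyi|so))?":`. Those patterns also interpolate `$virtualenv_dir` (and the wsgi.py entry `$basedir`) into an fcontext regex unescaped, so a directory path containing regex metacharacters would label more files than intended; either escape the value or document that constraint on the parameter. The `$settings_file` fcontext is only realised by the restorecon on `${basedir}/puppetboard`, which reaches it only if the settings file lives under that directory — if it can be placed elsewhere it needs its own `selinux::exec_restorecon`. Since `httpd_can_network_connect` and `httpd_enable_cgi` are host-wide booleans that loosen policy for every httpd-served application, a comment such as `# NOTE: these booleans apply to all of httpd on this host, not just puppetboard` would help operators judge the change; the enclosing class starts outside the hunk.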