foreman-selinux-enable

#!/bin/bash
set +e

TMP_EXEC_BEFORE=$(mktemp -t foreman-selinux-enable.XXXXX)
TMP_EXEC_AFTER=$(mktemp -t foreman-selinux-enable.XXXXX)
TMP_PORTS=$(mktemp -t foreman-selinux-enable.XXXXX)
LOG=/var/log/foreman-selinux-install.log
trap "rm -rf '$TMP_EXEC_BEFORE' '$TMP_EXEC_AFTER' '$TMP_PORTS'" EXIT INT TERM
LIBEXEC_DIR=/usr/libexec/foreman-selinux

# Run hooks
if [[ -d $LIBEXEC_DIR ]] ; then
	find ${LIBEXEC_DIR} -name \*-before-disable.sh -type f -executable -exec /usr/bin/bash '{}' \;
fi

# Load or upgrade foreman policy and set booleans.
#
# Dependant booleans must be managed in a separate transaction.
# Do not forget to edit counterpart file (disable) when updating this script.
# Remember this will be run on upgrade too.
#
selinuxvariant=targeted
if /usr/sbin/semodule -s $selinuxvariant -l >/dev/null; then
  # Create port list cache
  /usr/sbin/semanage port -E > $TMP_PORTS

  # Remove previously defined container port
  # We need to remove the port first before we stop assigning it
  grep -E 'foreman_container_port_t' $TMP_PORTS | sed s/-a/-d/g >> $TMP_EXEC_BEFORE

  # Commit changes of deleting the ports
  test -s $TMP_EXEC_BEFORE && /usr/sbin/semanage -S $selinuxvariant -i $TMP_EXEC_BEFORE

  # Load new policy
  /usr/sbin/semanage module -S $selinuxvariant -a /usr/share/selinux/${selinuxvariant}/foreman.pp.bz2

  # Create port list cache
  /usr/sbin/semanage port -E > $TMP_PORTS

  # Assign base policy ports
  grep -qE 'tcp 19090' $TMP_PORTS || \
    echo "port -a -t websm_port_t -p tcp 19090" >> $TMP_EXEC_AFTER

  # Commit changes
  test -s $TMP_EXEC_AFTER && /usr/sbin/semanage -S $selinuxvariant -i $TMP_EXEC_AFTER

  # Append to log file
  echo "$(date) $0" >> $LOG
  cat $TMP_EXEC_BEFORE >> $LOG
  cat $TMP_EXEC_AFTER >> $LOG
fi

# Run hooks
if [[ -d $LIBEXEC_DIR ]] ; then
	find ${LIBEXEC_DIR} -name \*-after-enable.sh -type f -executable -exec /usr/bin/bash '{}' \;
fi

exit 0