From 351577103fbc2847552e8f6ae5b3856e9b0ea40c Mon Sep 17 00:00:00 2001
From: Florian Eitel
Date: Wed, 17 Jun 2015 15:06:47 +0200
Subject: [PATCH] Enable selinux httpd_var_run_t target for unicorn socket.
---
 deploy/definitions/opsworks_deploy_dir.rb | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/deploy/definitions/opsworks_deploy_dir.rb b/deploy/definitions/opsworks_deploy_dir.rb
index ad85db3a9a..553d8a7d2a 100644
--- a/deploy/definitions/opsworks_deploy_dir.rb
+++ b/deploy/definitions/opsworks_deploy_dir.rb
@@ -19,4 +19,15 @@ end end
+ bash "Enable selinux httpd_var_run_t target for unicorn socket" do
+ dir_path_socket = "#{params[:path]}/shared/sockets"
+ context = "httpd_var_run_t"
+
+ user "root"
+ code <<-EOH
+ semanage fcontext --add --type #{context} "#{dir_path_socket}(/.*)?" && restorecon -rv "#{dir_path_socket}"
+ EOH
+ not_if { OpsWorks::ShellOut.shellout("/usr/sbin/semanage fcontext -l") =~ /^#{Regexp.escape("#{dir_path_socket}(/.*)?")}\s.*\ssystem_u:object_r:#{context}:s0/ }
+ only_if { platform_family?("rhel") && ::File.exist?("/usr/sbin/getenforce") && OpsWorks::ShellOut.shellout("/usr/sbin/getenforce").strip == "Enforcing" }
+ end
 end
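Review bot: In the `code` heredoc, `#{dir_path_socket}` is built from `params[:path]` and interpolated inside double quotes into a command that bash runs as root, so a path containing `"`, `$` or a backtick would be interpreted by the shell instead of being treated as a file name. Where `params[:path]` comes from is not visible in this hunk, so treat this as hardening unless the value is known to be operator-controlled only. Shell-quote both arguments, e.g. `semanage fcontext --add --type #{context} #{Shellwords.escape("#{dir_path_socket}(/.*)?")} && restorecon -rv #{Shellwords.escape(dir_path_socket)}` (needs `require 'shellwords'`). The path is also passed to semanage unescaped as a file-context regex, so a `.` in it matches any character and the `httpd_var_run_t` label can cover more than the one sockets directory. The enclosing definition block starts outside the hunk.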