manager: repair production mode for Red Hat distros:

* add selinux module for nginx
* fix configurations: selinux booleans, systemd private temp
* fix sudoers file
* remove /doc url from nginx config

salt/manager/files/nginx-default-site.conf

@@ -14,9 +14,6 @@ server {
         alias /home/{{ pillar['user'] }}/circle/circle/static_collected; # your Django project's static files
         alias /home/{{ pillar['user'] }}/circle/circle/static_collected; # your Django project's static files
     }
     }
 {% endif %}
 {% endif %}
-    location /doc {
-        alias /home/cloud/circle-website/_build/html;
-    }
 
 
     location / {
     location / {
 {% if pillar['deployment_type'] == "production" %}
 {% if pillar['deployment_type'] == "production" %}

salt/manager/files/nginx.te

+
+module nginx 1.0;
+
+require {
+	type initrc_tmp_t;
+	type httpd_t;
+	type initrc_t;
+	class sock_file write;
+	class unix_stream_socket connectto;
+}
+
+#============= httpd_t ==============
+allow httpd_t initrc_t:unix_stream_socket connectto;
+
+#!!!! This avc is allowed in the current policy
+allow httpd_t initrc_tmp_t:sock_file write;

salt/manager/nginx.sls

@@ -7,6 +7,7 @@ nginx:
        - file: nginxdefault
        - file: nginxdefault
        {% if grains['os_family'] == 'RedHat' %}
        {% if grains['os_family'] == 'RedHat' %}
        - file: nginxconf
        - file: nginxconf
+       - cmd: nginx_no_private_temp
        {% endif %}
        {% endif %}
   pkg:
   pkg:
    - installed
    - installed
@@ -22,17 +23,50 @@ circlecert:
     - creates: /etc/ssl/certs/circle.pem
     - creates: /etc/ssl/certs/circle.pem
 
 
 {% if grains['os_family'] == 'RedHat' %}
 {% if grains['os_family'] == 'RedHat' %}
-nginx_selinux:
+nginx_selinux_pkgs:
   pkg.installed:
   pkg.installed:
     - pkgs:
     - pkgs:
       - policycoreutils
       - policycoreutils
       - policycoreutils-python
       - policycoreutils-python
+
+nginx_httpd_can_network_connect:
   selinux.boolean:
   selinux.boolean:
     - name: httpd_can_network_connect
     - name: httpd_can_network_connect
     - value: True
     - value: True
     - persist: True
     - persist: True
     - require:
     - require:
-      - pkg: nginx_selinux
+      - pkg: nginx_selinux_pkgs
+
+nginx_httpd_read_user_content:
+  selinux.boolean:
+    - name: httpd_read_user_content
+    - value: True
+    - persist: True
+    - require:
+      - pkg: nginx_selinux_pkgs
+
+/root/nginx.te:
+  file.managed:
+    - source: salt://manager/files/nginx.te
+    - template: jinja
+    - mode: 644
+
+nginx_semodule:
+  cmd.run:
+    - cwd: /root
+    - user: root
+    - name: checkmodule -M -m -o nginx.mod nginx.te; semodule_package -o nginx.pp -m nginx.mod; semodule -i nginx.pp
+    - unless: semodule -l |grep -qs ^nginx
+    - require:
+      - file: /root/nginx.te
+      - pkg: nginx_selinux_pkgs
+
+nginx_no_private_temp:
+  cmd.run:
+    - user: root
+    - name: sed -i "/PrivateTmp/d" /usr/lib/systemd/system/nginx.service
+    - require:
+      - pkg: nginx
 {% endif %}
 {% endif %}
 
 
 nginxdefault:
 nginxdefault:

salt/vmdriver/files/sudoers

 {{ pillar['user'] }}	ALL = (ALL) NOPASSWD: /usr/bin/ovs-ofctl, /usr/bin/ovs-vsctl, /sbin/ip link set *
 {{ pillar['user'] }}	ALL = (ALL) NOPASSWD: /usr/bin/ovs-ofctl, /usr/bin/ovs-vsctl, /sbin/ip link set *
-Defaults: cloud !requiretty
+Defaults: {{ pillar['user'] }} !requiretty