From 220e18a83a11d73d5a36a3abaa1be74750729f3d Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Mon, 30 Aug 2021 18:00:08 +0200
Subject: [PATCH] Update to 2021-08-30 18:00
---
 roles/samba/files/samba-dc.te | 11 +++++++++++
 roles/samba/tasks/selinux.yml | 16 +++++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 roles/samba/files/samba-dc.te
diff --git a/roles/samba/files/samba-dc.te b/roles/samba/files/samba-dc.te
new file mode 100644
index 0000000..fe1fa57
--- /dev/null
+++ b/roles/samba/files/samba-dc.te
@@ -0,0 +1,11 @@
+module samba-dc 1.0;
+
+require {
+ type ntpd_var_run_t;
+ type chronyd_t;
+ class sock_file write;
+}
+
+#============= chronyd_t ==============
+allow chronyd_t ntpd_var_run_t:sock_file write;
+
diff --git a/roles/samba/tasks/selinux.yml b/roles/samba/tasks/selinux.yml
index 0bb2dca..d7bce6c 100644
--- a/roles/samba/tasks/selinux.yml
+++ b/roles/samba/tasks/selinux.yml
@@ -11,7 +11,7 @@
 - name: Restore SELinux context
 command: restorecon -R /var/lib/samba/
- when: samba_ntp_selinux.changed
+ when: samba_ntp_selinux is defined and samba_ntp_selinux.changed
 tags: samba
 - name: Set SEbool
@@ -20,3 +20,17 @@
 with_items:
 - samba_domain_controller
 tags: samba
+
+- name: Copy custom policy
+ copy: src=samba-dc.te dest=/etc/selinux/targeted/local/
+ register: samba_dc_selinux
+ tags: samba
+
+- name: Compile and load SELinux policy
+ shell: |
+ cd /etc/selinux/targeted/local/
+ checkmodule -M -m -o samba-dc.mod samba-dc.te
+ semodule_package -o samba-dc.pp -m samba-dc.mod
+ semodule -i /etc/selinux/targeted/local/samba-dc.pp
+ when: samba_dc_selinux is defined and samba_dc_selinux.changed
+ tags: samba
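Review bot: The rule `allow chronyd_t ntpd_var_run_t:sock_file write;` in samba-dc.te carries no comment saying which socket or AVC denial it answers, and it applies to every sock_file labelled `ntpd_var_run_t` rather than to one path. A comment above the rule such as `# chronyd writes to the Samba ntp_signd socket for signed NTP replies; AVC: <paste denial line here>` would let a later reviewer judge whether the grant is still needed and still minimal. The socket named in that comment is inferred from the role name and the `samba_ntp_selinux` task in selinux.yml, so confirm it against the audit log before committing the wording.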
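Review bot: The `shell:` script in "Compile and load SELinux policy" does not stop on error, so a failing `checkmodule` or `semodule_package` still falls through to `semodule -i`, which can load a stale `samba-dc.pp` left by an earlier run while the task reports success. Make the first line of the script `set -e` (or chain the four commands with `&&`). Because the task runs only when `samba_dc_selinux.changed`, a run that fails after the copy is not retried on the next play; gating on whether the module is already loaded would avoid that. The "Copy custom policy" task also sets no ownership or mode on a file that root compiles into loaded policy; `copy: src=samba-dc.te dest=/etc/selinux/targeted/local/ owner=root group=root mode=0644` pins it.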