#!/bin/bash
set +e

TMP_EXEC_BEFORE=$(mktemp -t foreman-selinux-enable.XXXXX)
TMP_EXEC_AFTER=$(mktemp -t foreman-selinux-enable.XXXXX)
TMP_PORTS=$(mktemp -t foreman-selinux-enable.XXXXX)
trap "rm -rf '$TMP_EXEC_BEFORE' '$TMP_EXEC_AFTER' '$TMP_PORTS'" EXIT INT TERM

is_redhat_6() {
  test x$(rpm -q --whatprovides redhat-release --qf '%{version}') = x6
}

# Load or upgrade foreman policy and set booleans.
#
# Dependant booleans must be managed in a separate transaction.
# Do not forget to edit counterpart file (disable) when updating this script.
# Remember this will be run on upgrade too.
#
for selinuxvariant in targeted
do
  if /usr/sbin/semodule -s $selinuxvariant -l >/dev/null; then
    /usr/sbin/semanage port -E > $TMP_PORTS

    # Remove previously defined elasticsearch_port_t
    # (this can be removed in future release)
    grep elasticsearch_port_t $TMP_PORTS | sed s/-a/-d/g >> $TMP_EXEC_BEFORE

    echo "boolean -m --on httpd_setrlimit" >> $TMP_EXEC_AFTER

    grep -q docker_port_t $TMP_PORTS || echo "port -a -t docker_port_t -p tcp 2375-2376" >> $TMP_EXEC_AFTER

    if is_redhat_6; then
      grep -q foreman_osapi_compute_port_t $TMP_PORTS || \
        echo "port -a -t foreman_osapi_compute_port_t -p tcp 8774" >> $TMP_EXEC_AFTER
    fi

    # Execute port management commands and load policy
    test -s $TMP_EXEC_BEFORE && /usr/sbin/semanage -S $selinuxvariant -i $TMP_EXEC_BEFORE
    /usr/sbin/semanage module -S $selinuxvariant -a /usr/share/selinux/${selinuxvariant}/foreman.pp.bz2
    test -s $TMP_EXEC_AFTER && /usr/sbin/semanage -S $selinuxvariant -i $TMP_EXEC_AFTER
  fi
done
