authorSam Thursfield <sam.thursfield@codethink.co.uk>2014-11-21 16:15:54 +0000
committerSam Thursfield <sam.thursfield@codethink.co.uk>2014-11-21 17:01:13 +0000
commit1f214f938a099488761ef5325dc41c0658f1a4ba (patch)
treeed8752c940455620d260afc3ef97589a5271d8c5
parent6ace1d5cb4183eccc5b2eefc3293cfee41dac270 (diff)
downloadinfrastructure-1f214f938a099488761ef5325dc41c0658f1a4ba.tar.gz
openid_provider: Disable SELinux and enable persistant Journal
Default SELinux policy seems to prevent the uWSGI process from reading stuff in /srv and raises a bunch of errors for Cherokee trying to connect() to its socket, too. It'd be possible to fix this but I'd rather not bother, and since we don't use SELinux in Baserock it's not super important anyway. If you did want to fix this I'd suggest installing 'setroubleshoot' and reading <https://fedoraproject.org/wiki/SELinux_FAQ> as a starting point.
-rw-r--r--baserock_openid_provider/local.yml5
-rw-r--r--baserock_openid_provider/packer_template.json5
2 files changed, 9 insertions, 1 deletions
diff --git a/baserock_openid_provider/local.yml b/baserock_openid_provider/local.yml
index ea468399..e1e69809 100644
--- a/baserock_openid_provider/local.yml
+++ b/baserock_openid_provider/local.yml
@@ -1,6 +1,11 @@
---
- hosts: localhost
tasks:
+ - name: enable persistant journal
+ shell: mkdir /var/log/journal
+ args:
+ creates: /var/log/journal
+
- name: install Cherokee web server
yum: name=cherokee state=latest
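Review bot: The new task shells out to `mkdir`, so `/var/log/journal` gets whatever owner and mode the build user's umask gives; the `file` module states the intent directly, e.g. `file: path=/var/log/journal state=directory`. systemd usually expects this directory to carry the journal group and setgid bit, which `systemd-tmpfiles --create --prefix /var/log/journal` would set up; whether that matters here depends on who needs to read the logs on this host. journald normally starts writing to the directory only after the service is restarted or the machine reboots, so logs from the rest of this build are presumably still volatile. The task name also misspells "persistent".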
diff --git a/baserock_openid_provider/packer_template.json b/baserock_openid_provider/packer_template.json
index 97333a16..bb8c8b20 100644
--- a/baserock_openid_provider/packer_template.json
+++ b/baserock_openid_provider/packer_template.json
@@ -31,7 +31,7 @@
},
{
"type": "shell",
- "inline": [ "sudo yum install -y ansible"]
+ "inline": [ "sudo yum install -y ansible libselinux-python"]
},
{
"type": "ansible-local",
@@ -47,6 +47,9 @@
{
"type": "shell",
"inline": [
+ "sudo yum install libselinux-python",
+ "sudo ansible localhost -m selinux -a state=disabled",
+ "sudo setenforce 0",
"sudo systemctl enable cherokee",
"sudo systemctl start cherokee"
],
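Review bot: `state=disabled` on the `selinux` module turns SELinux off permanently for every service on the OpenID provider host, not only for the uWSGI and Cherokee denials described in the commit message. Permissive mode would stop those denials from blocking anything while still logging them, which keeps the audit trail needed to write a proper policy later: `"sudo ansible localhost -m selinux -a 'policy=targeted state=permissive'",` (policy name assumed to be the distribution default). `sudo setenforce 0` on the following line already makes the running system permissive, so the two lines would then agree. Separately, `"sudo yum install libselinux-python"` repeats the package this commit adds to the earlier shell provisioner and lacks `-y`, so it is either redundant or could wait for confirmation in a non-interactive build.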