Description
Feature Overview
One of the nginx configurations this role lets you set is the worker rlimit. You can change this by setting the property `nginx_config_main_template['config']['main']['worker_rlimit_nofile']`. Unfortunately, the `setup-selinux.yml` tasks do not enable the `httpd_setrlimit` seboolean to permit nginx to do this, resulting in `setrlimit(RLIMIT_NOFILE, 4096) failed (13: Permission denied)` errors on systems with SELinux enabled.
I request the `setup-selinux.yml` script be updated to permit nginx to perform the configured operation. Possibly via:

```yaml
- name: Allow SELinux rlimit configuration
  ansible.posix.seboolean:
    name: httpd_setrlimit
    state: "{{ nginx_config_main_template['config']['main']['worker_rlimit_nofile'] is defined }}"
```

Which would enable this seboolean only when this role configures nginx to modify it and disable it otherwise.
Alternatives Considered
A less opinionated way would be to only run the task when this role configures nginx to set the rlimit, but skip it otherwise.

```yaml
- name: Allow SELinux rlimit configuration
  when: nginx_config_main_template['config']['main']['worker_rlimit_nofile'] is defined
  ansible.posix.seboolean:
    name: httpd_setrlimit
    state: true
```

This has the benefit of preserving the `httpd_setrlimit` value if it had been set to true via means outside of this role.
Finally, we could edit the list of sebooleans enabled by the "Allow SELinux HTTP network connections" task to include `httpd_setrlimit`.

ansible-role-nginx-config/tasks/prerequisites/setup-selinux.yml, lines 16 to 23 in 2df2160:

```yaml
- name: Allow SELinux HTTP network connections
  ansible.posix.seboolean:
    name: "{{ item }}"
    state: true
    persistent: true
  loop:
    - httpd_can_network_connect
    - httpd_can_network_relay
```

Downside to this being it would always be enabled, which may not be desired.
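Whichever of the three task variants is adopted, the condition to verify afterwards is the same: if the rendered nginx.conf sets `worker_rlimit_nofile`, then `httpd_setrlimit` must be on, otherwise nginx logs the `Permission denied` error quoted above. The following POSIX shell check is an added example, not code from the ansible-role-nginx-config project; it parses an nginx.conf and the output of `getsebool httpd_setrlimit` from files so it can run against constructed samples offline. The function and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the ansible-role-nginx-config project): detect the
# SELinux/nginx mismatch that produces
#   setrlimit(RLIMIT_NOFILE, 4096) failed (13: Permission denied)
# i.e. nginx.conf sets worker_rlimit_nofile while httpd_setrlimit is off.
# Inputs are files so the check is testable offline; on a real host pass
# /etc/nginx/nginx.conf and a file holding `getsebool httpd_setrlimit` output.

# nginx_sets_rlimit <nginx.conf>: succeeds if the main context sets worker_rlimit_nofile
nginx_sets_rlimit() {
    grep -Eq '^[[:space:]]*worker_rlimit_nofile[[:space:]]+[0-9]+[[:space:]]*;' "$1"
}

# sebool_is_on <getsebool-output>: succeeds if the line reads "httpd_setrlimit --> on"
sebool_is_on() {
    grep -Eq '^httpd_setrlimit[[:space:]]+-->[[:space:]]+on' "$1"
}

# rlimit_selinux_check <nginx.conf> <getsebool-output>
# Prints a verdict; returns 0 when consistent, 1 when nginx will be denied.
rlimit_selinux_check() {
    conf="$1"
    sebool="$2"
    if nginx_sets_rlimit "$conf"; then
        if sebool_is_on "$sebool"; then
            echo "ok: worker_rlimit_nofile is set and httpd_setrlimit is on"
            return 0
        fi
        echo "MISMATCH: worker_rlimit_nofile is set but httpd_setrlimit is off"
        echo "          expect: setrlimit(RLIMIT_NOFILE, N) failed (13: Permission denied)"
        return 1
    fi
    echo "ok: nginx does not set worker_rlimit_nofile; httpd_setrlimit state is irrelevant"
    return 0
}

# Constructed sample inputs (not real host data), written to a temp dir.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/nginx_rlimit.conf" <<'EOF'
user nginx;
worker_processes auto;
worker_rlimit_nofile 4096;
events { worker_connections 1024; }
EOF
cat > "$SAMPLE_DIR/nginx_plain.conf" <<'EOF'
user nginx;
worker_processes auto;
events { worker_connections 1024; }
EOF
printf 'httpd_setrlimit --> off\n' > "$SAMPLE_DIR/sebool_off.txt"
printf 'httpd_setrlimit --> on\n'  > "$SAMPLE_DIR/sebool_on.txt"

# Demonstration run against the constructed mismatch case (exit status ignored here).
rlimit_selinux_check "$SAMPLE_DIR/nginx_rlimit.conf" "$SAMPLE_DIR/sebool_off.txt" || true
```

On a real host the same check is `getsebool httpd_setrlimit > /tmp/sebool.txt && rlimit_selinux_check /etc/nginx/nginx.conf /tmp/sebool.txt`; running it as a post-role assertion catches the case where the role rendered the rlimit but the seboolean task was skipped or not persisted.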
Additional Context
No response