From 7569c9da0d1e1253b778f87c8e3a80abeae4b7e0 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 27 Jan 2024 20:28:06 -0600
Subject: [PATCH] r/squid: Fix SELinux AVC denial after cache init

Running `squid -z` as *root* leaves behind temporary files in `/dev/shm`. When *squid.service* starts squid, in the proper SELinux domain, it is unable to access these files and crashes. To avoid this, we mount a private *tmpfs* so no existing files are accessible in the service's namespace.
---
 roles/squid/handlers/main.yml | 4 ++++
 roles/squid/tasks/main.yml | 21 +++++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/roles/squid/handlers/main.yml b/roles/squid/handlers/main.yml
index 5d4119b..851ca55 100644
--- a/roles/squid/handlers/main.yml
+++ b/roles/squid/handlers/main.yml
@@ -1,3 +1,7 @@
+- name: reload systemd
+  systemd:
+    daemon_reload: true
+
 - name: initialize squid cache directories
   command: /usr/sbin/squid -N -z -F -f /etc/squid/squid.conf
diff --git a/roles/squid/tasks/main.yml b/roles/squid/tasks/main.yml
index 2bc8530..451f7e8 100644
--- a/roles/squid/tasks/main.yml
+++ b/roles/squid/tasks/main.yml
@@ -29,6 +29,27 @@
   - initialize squid cache directories
   - reload squid
+- name: ensure squid systemd unit drop-in directory exists
+  file:
+    path: /etc/systemd/system/squid.service.d
+    owner: root
+    group: root
+    mode: u=rwx,go=rx
+    state: directory
+  tags:
+  - systemd
+- name: ensure squid private tmp is configured
+  copy:
+    src: private-tmp.conf
+    dest: /etc/systemd/system/squid.service.d/private-tmp.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload systemd
+  tags:
+  - systemd
+
 - meta: flush_handlers
 - name: ensure squid service starts at boot
   service:
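Review bot: The `ensure squid private tmp is configured` task copies `src: private-tmp.conf`, but that file is not part of this commit (the diffstat lists only the two main.yml files), so the drop-in's contents cannot be reviewed here; either it already exists under the role's files directory or the patch is incomplete. Its name suggests `PrivateTmp=`, which per systemd.exec isolates only /tmp and /var/tmp, while the commit message describes stale files in /dev/shm — confirm the drop-in actually covers /dev/shm (for example `TemporaryFileSystem=/dev/shm`) so the fix matches the described failure. The task only notifies `reload systemd`; a unit drop-in takes effect on the next service start, so an already-running squid keeps its existing namespace until it is restarted — consider also notifying a restart handler if the role has one. The enclosing task list continues outside the hunk.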