
Merge branch 'acmetool_updater' of Hoshpak/selinux-policies into master

Helmut Pozimski 7 vuotta sitten
b9923df92b

+ 3 - 0
policy/modules/acme-updater.fc

@@ -0,0 +1,3 @@
+/usr/local/bin/acme-updater	--	gen_context(system_u:object_r:acmeupdater_exec_t,s0)
+/etc/acme-updater.json	--	gen_context(system_u:object_r:acmeupdater_etc_t,s0)
+
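Review bot: The `/etc/acme-updater.json` entry is a regular expression, so the unescaped `.` before `json` matches any character; the rest of the repository escapes it (`/etc/rndc\.key` in bind.fc), so this should be `/etc/acme-updater\.json	--	gen_context(system_u:object_r:acmeupdater_etc_t,s0)`. The extra empty line the hunk appends at the end of the file is harmless but looks unintended.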

+ 117 - 0
policy/modules/acme-updater.te

@@ -0,0 +1,117 @@
+policy_module(acme-updater, 0.1.15)
+
+#################################
+#
+# Declarations
+#
+
+type acmeupdater_t;
+type acmeupdater_exec_t;
+init_system_domain(acmeupdater_t, acmeupdater_exec_t)
+
+type acmeupdater_etc_t;
+files_config_file(acmeupdater_etc_t)
+
+########################################
+#
+# Local policy
+#
+
+allow acmeupdater_t self:capability { dac_read_search dac_override sys_resource };
+allow acmeupdater_t self:process setrlimit;
+allow acmeupdater_t self:tcp_socket accept;
+
+corecmd_exec_bin(acmeupdater_t)
+corecmd_exec_shell(acmeupdater_t)
+
+read_files_pattern(acmeupdater_t, acmeupdater_etc_t, acmeupdater_etc_t)
+
+miscfiles_read_localization(acmeupdater_t)
+miscfiles_read_generic_certs(acmeupdater_t)
+miscfiles_manage_generic_cert_files(acmeupdater_t)
+
+sysnet_dns_name_resolve(acmeupdater_t)
+
+files_manage_etc_files(acmeupdater_t)
+files_search_var_lib(acmeupdater_t)
+files_read_all_locks(acmeupdater_t)
+
+kernel_read_system_state(acmeupdater_t)
+
+dev_read_urand(acmeupdater_t)
+
+optional_policy(`
+	gen_require(`
+		type acmetool_var_lib_t;
+	')
+	search_dirs_pattern(acmeupdater_t, acmetool_var_lib_t, acmetool_var_lib_t)
+	read_files_pattern(acmeupdater_t, acmetool_var_lib_t, acmetool_var_lib_t)
+	read_lnk_files_pattern(acmeupdater_t, acmetool_var_lib_t, acmetool_var_lib_t)
+')
+
+apache_manage_config(acmeupdater_t)
+apache_domtrans(acmeupdater_t)
+
+jabber_admin(acmeupdater_t, system_r)
+
+optional_policy(`
+	gen_require(`
+		type jabberd_initrc_exec_t;
+	')
+	init_labeled_script_domtrans(acmeupdater_t, jabberd_initrc_exec_t)
+
+')
+optional_policy(`
+	gen_require(`
+		type httpd_initrc_exec_t;
+	')
+	init_labeled_script_domtrans(acmeupdater_t, httpd_initrc_exec_t)
+')
+
+optional_policy(`
+	gen_require(`
+		type dovecot_cert_t;
+	')
+	manage_files_pattern(acmeupdater_t, dovecot_cert_t, dovecot_cert_t)
+')
+
+optional_policy(`
+	gen_require(`
+		type dovecot_initrc_exec_t;
+	')
+	init_labeled_script_domtrans(acmeupdater_t, dovecot_initrc_exec_t)
+')
+
+optional_policy(`
+	gen_require(`
+        	type postfix_etc_t;
+	')
+	manage_files_pattern(acmeupdater_t, postfix_etc_t, postfix_etc_t)
+')
+
+optional_policy(`
+	gen_require(`
+        	type postfix_initrc_exec_t;
+	')
+	init_labeled_script_domtrans(acmeupdater_t, postfix_initrc_exec_t)
+')
+
+optional_policy(`
+	cron_system_entry(acmeupdater_t, acmeupdater_exec_t)
+')
+
+optional_policy(`
+	gen_require(`
+		type crond_tmp_t;
+	')
+	allow acmeupdater_t crond_tmp_t:file { read write getattr ioctl };
+')
+
+optional_policy(`
+	gen_require(`
+        	type named_var_run_t;
+	')
+	search_dirs_pattern(acmeupdater_t, named_var_run_t, named_var_run_t)
+	read_files_pattern(acmeupdater_t, named_var_run_t, named_var_run_t)
+')
+
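Review bot: The `apache_manage_config`, `apache_domtrans` and `jabber_admin` calls are the only service-specific grants in the new acme-updater.te that are not wrapped in `optional_policy(`; if the apache or jabber module is not loaded this module fails to link, while every other service dependency (dovecot, postfix, named, cron) is made optional. `jabber_admin` also appears to grant far more than writing a certificate and restarting the daemon needs; the narrower pattern the file already uses for dovecot (`manage_files_pattern` on the cert type plus `init_labeled_script_domtrans` on the init script) would be the consistent choice. `dac_override` in the `self:capability` line is usually redundant once `dac_read_search` is present and is worth confirming against an audit log before keeping. The `type postfix_etc_t;`, `type postfix_initrc_exec_t;` and `type named_var_run_t;` lines are indented with spaces plus a tab where the rest of the file uses tabs only.
```m4
optional_policy(`
	apache_manage_config(acmeupdater_t)
	apache_domtrans(acmeupdater_t)
')

optional_policy(`
	jabber_admin(acmeupdater_t, system_r)
')
# … unchanged: jabberd/httpd init script transitions and the remaining optional_policy blocks …
```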

+ 7 - 0
policy/modules/apache.te

@@ -909,6 +909,13 @@ optional_policy(`
 	yam_read_content(httpd_t)
 ')
 
+optional_policy(`
+	gen_require(`
+		type phpfpm_tmp_t;
+	')
+	allow httpd_t phpfpm_tmp_t:file { read getattr open };
+')
+
 ########################################
 #
 # Helper local policy
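Review bot: The `allow httpd_t phpfpm_tmp_t:file { read getattr open };` block reaches into another module's type through a bare `gen_require`, which the surrounding apache.te avoids by calling interfaces (`yam_read_content(httpd_t)` just above it). If the repository carries a phpfpm module, the conventional form is an interface defined there (something like a `phpfpm_read_tmp_files(httpd_t)`, modelled on the existing `yam_read_content`) called from this `optional_policy` block, so the type stays private to its module. The permission set could also be `read_file_perms`, which adds `lock` and `ioctl` and matches the form bind.te uses in `allow named_t dnssec_t:file read_file_perms;`.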

+ 1 - 0
policy/modules/bind.fc

@@ -13,6 +13,7 @@
 /etc/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
 /etc/unbound(/.*)?	gen_context(system_u:object_r:named_conf_t,s0)
 /etc/unbound/.*\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+/var/lib/unbound.*\.key --      gen_context(system_u:object_r:dnssec_t,s0)
 
 /lib/systemd/system/unbound.*\.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
 /lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
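Review bot: The new pattern `/var/lib/unbound.*\.key` is not anchored to a path separator, so it also matches sibling names such as `/var/lib/unbound-old.key`, and it uses spaces where the neighbouring entries separate fields with tabs. Following the `/etc/unbound/.*\.key` entry just above, `/var/lib/unbound/.*\.key	--	gen_context(system_u:object_r:dnssec_t,s0)` limits the `dnssec_t` label to keys inside the directory. If the directory itself is meant to carry a dedicated type as well, that would be a separate `/var/lib/unbound(/.*)?` entry in the style of the `/etc/unbound(/.*)?` line.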

+ 8 - 1
policy/modules/bind.te

@@ -1,4 +1,4 @@
-policy_module(bind, 1.14.1)
+policy_module(bind, 1.14.6)
 
 ########################################
 #
@@ -83,6 +83,12 @@ allow named_t self:tcp_socket { accept listen };
 
 allow named_t dnssec_t:file read_file_perms;
 
+gen_require(`
+	type var_lib_t;
+	type initrc_t;
+')
+type_transition initrc_t var_lib_t:file dnssec_t;
+
 allow named_t named_conf_t:dir list_dir_perms;
 read_files_pattern(named_t, named_conf_t, named_conf_t)
 read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
@@ -127,6 +133,7 @@ corenet_tcp_sendrecv_generic_node(named_t)
 corenet_udp_sendrecv_generic_node(named_t)
 corenet_tcp_bind_generic_node(named_t)
 corenet_udp_bind_generic_node(named_t)
+corenet_tcp_bind_all_unreserved_ports(named_t)
 
 corenet_sendrecv_all_server_packets(named_t)
 corenet_tcp_bind_dns_port(named_t)
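Review bot: The `type_transition initrc_t var_lib_t:file dnssec_t;` in the second hunk is unrestricted: every file any init script running as `initrc_t` creates directly in any `var_lib_t` directory will be labelled `dnssec_t`, not just unbound's key, and it pulls `initrc_t` and `var_lib_t` into bind.te through a bare top-level `gen_require` rather than an interface. If the intent is to label the key the unbound init script writes, a named transition limited to that file name, e.g. `files_var_lib_filetrans(initrc_t, dnssec_t, file, "<key file name>")` or the equivalent `filetrans_pattern` with the name argument, keeps the scope to one file. The `corenet_tcp_bind_all_unreserved_ports(named_t)` added in the third hunk is also wide; if it serves only the unbound control channel, the specific port interface would be narrower, so a comment naming the port that needs it would help the next reader. The `policy_module(bind, 1.14.6)` bump is fine but skips several versions without a changelog entry to match.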