Home Explore Help
Sign In
Hoshpak
/
debian-selinux-policies
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge branch 'acmetool_updater' of Hoshpak/selinux-policies into master

Helmut Pozimski 7 years ago
parent
1632ea18a5 12ec32fceb
commit
b9923df92b
5 changed files with 136 additions and 1 deletions
Unified View Show Diff Stats
  1. 3 0
      policy/modules/acme-updater.fc
  2. 117 0
      policy/modules/acme-updater.te
  3. 7 0
      policy/modules/apache.te
  4. 1 0
      policy/modules/bind.fc
  5. 8 1
      policy/modules/bind.te

+ 3 - 0
policy/modules/acme-updater.fc
View File 

@@ -0,0 +1,3 @@
 
+/usr/local/bin/acme-updater	--	gen_context(system_u:object_r:acmeupdater_exec_t,s0)
 
+/etc/acme-updater.json	--	gen_context(system_u:object_r:acmeupdater_etc_t,s0)
 
+

+ 117 - 0
policy/modules/acme-updater.te
View File 

@@ -0,0 +1,117 @@
 
+policy_module(acme-updater, 0.1.15)
 
+
 
+#################################
 
+#
 
+# Declarations
 
+#
 
+
 
+type acmeupdater_t;
 
+type acmeupdater_exec_t;
 
+init_system_domain(acmeupdater_t, acmeupdater_exec_t)
 
+
 
+type acmeupdater_etc_t;
 
+files_config_file(acmeupdater_etc_t)
 
+
 
+########################################
 
+#
 
+# Local policy
 
+#
 
+
 
+allow acmeupdater_t self:capability { dac_read_search dac_override sys_resource };
 
+allow acmeupdater_t self:process setrlimit;
 
+allow acmeupdater_t self:tcp_socket accept;
 
+
 
+corecmd_exec_bin(acmeupdater_t)
 
+corecmd_exec_shell(acmeupdater_t)
 
+
 
+read_files_pattern(acmeupdater_t, acmeupdater_etc_t, acmeupdater_etc_t)
 
+
 
+miscfiles_read_localization(acmeupdater_t)
 
+miscfiles_read_generic_certs(acmeupdater_t)
 
+miscfiles_manage_generic_cert_files(acmeupdater_t)
 
+
 
+sysnet_dns_name_resolve(acmeupdater_t)
 
+
 
+files_manage_etc_files(acmeupdater_t)
 
+files_search_var_lib(acmeupdater_t)
 
+files_read_all_locks(acmeupdater_t)
 
+
 
+kernel_read_system_state(acmeupdater_t)
 
+
 
+dev_read_urand(acmeupdater_t)
 
+
 
+optional_policy(`
 
+	gen_require(`
 
+		type acmetool_var_lib_t;
 
+	')
 
+	search_dirs_pattern(acmeupdater_t, acmetool_var_lib_t, acmetool_var_lib_t)
 
+	read_files_pattern(acmeupdater_t, acmetool_var_lib_t, acmetool_var_lib_t)
 
+	read_lnk_files_pattern(acmeupdater_t, acmetool_var_lib_t, acmetool_var_lib_t)
 
+')
 
+
 
+apache_manage_config(acmeupdater_t)
 
+apache_domtrans(acmeupdater_t)
 
+
 
+jabber_admin(acmeupdater_t, system_r)
 
+
 
+optional_policy(`
 
+	gen_require(`
 
+		type jabberd_initrc_exec_t;
 
+	')
 
+	init_labeled_script_domtrans(acmeupdater_t, jabberd_initrc_exec_t)
 
+
 
+')
 
+optional_policy(`
 
+	gen_require(`
 
+		type httpd_initrc_exec_t;
 
+	')
 
+	init_labeled_script_domtrans(acmeupdater_t, httpd_initrc_exec_t)
 
+')
 
+
 
+optional_policy(`
 
+	gen_require(`
 
+		type dovecot_cert_t;
 
+	')
 
+	manage_files_pattern(acmeupdater_t, dovecot_cert_t, dovecot_cert_t)
 
+')
 
+
 
+optional_policy(`
 
+	gen_require(`
 
+		type dovecot_initrc_exec_t;
 
+	')
 
+	init_labeled_script_domtrans(acmeupdater_t, dovecot_initrc_exec_t)
 
+')
 
+
 
+optional_policy(`
 
+	gen_require(`
 
+        	type postfix_etc_t;
 
+	')
 
+	manage_files_pattern(acmeupdater_t, postfix_etc_t, postfix_etc_t)
 
+')
 
+
 
+optional_policy(`
 
+	gen_require(`
 
+        	type postfix_initrc_exec_t;
 
+	')
 
+	init_labeled_script_domtrans(acmeupdater_t, postfix_initrc_exec_t)
 
+')
 
+
 
+optional_policy(`
 
+	cron_system_entry(acmeupdater_t, acmeupdater_exec_t)
 
+')
 
+
 
+optional_policy(`
 
+	gen_require(`
 
+		type crond_tmp_t;
 
+	')
 
+	allow acmeupdater_t crond_tmp_t:file { read write getattr ioctl };
 
+')
 
+
 
+optional_policy(`
 
+	gen_require(`
 
+        	type named_var_run_t;
 
+	')
 
+	search_dirs_pattern(acmeupdater_t, named_var_run_t, named_var_run_t)
 
+	read_files_pattern(acmeupdater_t, named_var_run_t, named_var_run_t)
 
+')
 
+

+ 7 - 0
policy/modules/apache.te
View File 

@@ -909,6 +909,13 @@ optional_policy(`
 
 	yam_read_content(httpd_t)
 
 	yam_read_content(httpd_t)
 
 ')
 
 ')
 
 
 
+optional_policy(`
 
+	gen_require(`
 
+		type phpfpm_tmp_t;
 
+	')
 
+	allow httpd_t phpfpm_tmp_t:file { read getattr open };
 
+')
 
+
 
 ########################################
 
 ########################################
 
 #
 
 #
 
 # Helper local policy
 
 # Helper local policy

+ 1 - 0
policy/modules/bind.fc
View File 

@@ -13,6 +13,7 @@
 
 /etc/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
 
 /etc/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
 
 /etc/unbound(/.*)?	gen_context(system_u:object_r:named_conf_t,s0)
 
 /etc/unbound(/.*)?	gen_context(system_u:object_r:named_conf_t,s0)
 
 /etc/unbound/.*\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
 
 /etc/unbound/.*\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
 
+/var/lib/unbound.*\.key --      gen_context(system_u:object_r:dnssec_t,s0)
 
 
 
 /lib/systemd/system/unbound.*\.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
 
 /lib/systemd/system/unbound.*\.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
 
 /lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
 
 /lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_file_t,s0)

+ 8 - 1
policy/modules/bind.te
View File 

@@ -1,4 +1,4 @@
 
-policy_module(bind, 1.14.1)
 
+policy_module(bind, 1.14.6)
 
 
 
 ########################################
 
 ########################################
 
 #
 
 #
 
@@ -83,6 +83,12 @@ allow named_t self:tcp_socket { accept listen };
 
 
 
 allow named_t dnssec_t:file read_file_perms;
 
 allow named_t dnssec_t:file read_file_perms;
 
 
 
+gen_require(`
 
+	type var_lib_t;
 
+	type initrc_t;
 
+')
 
+type_transition initrc_t var_lib_t:file dnssec_t;
 
+
 
 allow named_t named_conf_t:dir list_dir_perms;
 
 allow named_t named_conf_t:dir list_dir_perms;
 
 read_files_pattern(named_t, named_conf_t, named_conf_t)
 
 read_files_pattern(named_t, named_conf_t, named_conf_t)
 
 read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
 
 read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
 
@@ -127,6 +133,7 @@ corenet_tcp_sendrecv_generic_node(named_t)
 
 corenet_udp_sendrecv_generic_node(named_t)
 
 corenet_udp_sendrecv_generic_node(named_t)
 
 corenet_tcp_bind_generic_node(named_t)
 
 corenet_tcp_bind_generic_node(named_t)
 
 corenet_udp_bind_generic_node(named_t)
 
 corenet_udp_bind_generic_node(named_t)
 
+corenet_tcp_bind_all_unreserved_ports(named_t)
 
 
 
 corenet_sendrecv_all_server_packets(named_t)
 
 corenet_sendrecv_all_server_packets(named_t)
 
 corenet_tcp_bind_dns_port(named_t)
 
 corenet_tcp_bind_dns_port(named_t)