
acme-updater: add policy module

Helmut Pozimski 4 years ago
parent
commit
26a4d454c4
2 changed files with 114 additions and 0 deletions
  1. 4 0
      acme-updater.fc
  2. 110 0
      acme-updater.te

+ 4 - 0
acme-updater.fc

@@ -0,0 +1,4 @@
+/usr/local/bin/acme-updater	--	gen_context(system_u:object_r:acmeupdater_exec_t,s0)
+/usr/bin/acme-updater	--	gen_context(system_u:object_r:acmeupdater_exec_t,s0)
+/etc/acme-updater.json	--	gen_context(system_u:object_r:acmeupdater_etc_t,s0)
+
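Review bot: The unescaped `.` in `/etc/acme-updater.json` is a regex metacharacter in file_contexts, so the pattern also matches names such as `/etc/acme-updaterXjson`; refpolicy convention is to escape literal dots, `/etc/acme-updater\.json	--	gen_context(system_u:object_r:acmeupdater_etc_t,s0)`. The effect is harmless here, but since the rest of the module follows refpolicy style it is worth aligning now rather than after the label is relied on.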

+ 110 - 0
acme-updater.te

@@ -0,0 +1,110 @@
+policy_module(acme-updater, 0.1.17)
+
+#################################
+#
+# Declarations
+#
+
+type acmeupdater_t;
+type acmeupdater_exec_t;
+init_system_domain(acmeupdater_t, acmeupdater_exec_t)
+
+type acmeupdater_etc_t;
+files_config_file(acmeupdater_etc_t)
+
+########################################
+#
+# Local policy
+#
+
+allow acmeupdater_t self:capability { dac_read_search dac_override sys_resource };
+allow acmeupdater_t self:process setrlimit;
+allow acmeupdater_t self:tcp_socket accept;
+
+corecmd_exec_bin(acmeupdater_t)
+corecmd_exec_shell(acmeupdater_t)
+
+read_files_pattern(acmeupdater_t, acmeupdater_etc_t, acmeupdater_etc_t)
+
+miscfiles_read_localization(acmeupdater_t)
+miscfiles_read_generic_certs(acmeupdater_t)
+miscfiles_manage_generic_cert_files(acmeupdater_t)
+
+sysnet_dns_name_resolve(acmeupdater_t)
+
+files_manage_etc_files(acmeupdater_t)
+files_search_var_lib(acmeupdater_t)
+files_read_all_locks(acmeupdater_t)
+
+kernel_read_system_state(acmeupdater_t)
+
+dev_read_urand(acmeupdater_t)
+
+optional_policy(`
+	gen_require(`
+		type acmetool_var_lib_t;
+	')
+	search_dirs_pattern(acmeupdater_t, acmetool_var_lib_t, acmetool_var_lib_t)
+	read_files_pattern(acmeupdater_t, acmetool_var_lib_t, acmetool_var_lib_t)
+	read_lnk_files_pattern(acmeupdater_t, acmetool_var_lib_t, acmetool_var_lib_t)
+')
+
+apache_manage_config(acmeupdater_t)
+apache_domtrans(acmeupdater_t)
+
+jabber_admin(acmeupdater_t, system_r)
+
+optional_policy(`
+	gen_require(`
+		type httpd_initrc_exec_t;
+	')
+	init_labeled_script_domtrans(acmeupdater_t, httpd_initrc_exec_t)
+')
+
+optional_policy(`
+	gen_require(`
+		type dovecot_cert_t;
+	')
+	manage_files_pattern(acmeupdater_t, dovecot_cert_t, dovecot_cert_t)
+')
+
+optional_policy(`
+	gen_require(`
+		type dovecot_initrc_exec_t;
+	')
+	init_labeled_script_domtrans(acmeupdater_t, dovecot_initrc_exec_t)
+')
+
+optional_policy(`
+	gen_require(`
+        	type postfix_etc_t;
+	')
+	manage_files_pattern(acmeupdater_t, postfix_etc_t, postfix_etc_t)
+')
+
+optional_policy(`
+	gen_require(`
+        	type postfix_initrc_exec_t;
+	')
+	init_labeled_script_domtrans(acmeupdater_t, postfix_initrc_exec_t)
+')
+
+optional_policy(`
+	cron_system_entry(acmeupdater_t, acmeupdater_exec_t)
+')
+
+optional_policy(`
+	gen_require(`
+		type crond_tmp_t;
+	')
+	allow acmeupdater_t crond_tmp_t:file { read write getattr ioctl };
+')
+
+optional_policy(`
+	gen_require(`
+        	type named_var_run_t;
+	')
+	search_dirs_pattern(acmeupdater_t, named_var_run_t, named_var_run_t)
+	read_files_pattern(acmeupdater_t, named_var_run_t, named_var_run_t)
+')
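Review bot: `files_manage_etc_files(acmeupdater_t)` grants create/write/unlink on every etc_t file, which makes the dedicated acmeupdater_etc_t and the per-service postfix_etc_t/apache config rules redundant and lets a compromised updater (which also has corecmd_exec_shell and domain transitions into httpd, dovecot and postfix init scripts) rewrite arbitrary system configuration; if only specific configs are written, drop the blanket rule and keep the per-service interfaces. Likewise `jabber_admin(acmeupdater_t, system_r)` hands a cron-driven daemon domain the full admin interface (kill, manage all jabber files, role transition) where the dovecot/postfix blocks show the narrower intent, manage the cert files plus init_labeled_script_domtrans; a matching jabber cert/initrc rule set would be the least-privilege equivalent. Separately, `apache_manage_config`, `apache_domtrans` and `jabber_admin` are unconditional while every other foreign-module reference sits in optional_policy(`...'), so the module fails to load on systems without apache or jabber policy; wrap them the same way. `dac_override` in the self:capability set is presumably an audit2allow leftover, since dac_read_search already covers traversing root-owned directories; confirm it against a real denial before keeping it. Finally the gen_require lines for postfix_etc_t, postfix_initrc_exec_t and named_var_run_t mix spaces and a tab while the rest of the file uses tabs.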
+