add SELinux policy module

8 years ago · 2844500aef
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -4,6 +4,7 @@ include(CheckIncludeFile)
 
				
				 
			
 
				
				 option(GENERATE_SRS_SECRET "Generate a random SRS secret if none exists during install" ON)
			
 
				
				 option(USE_APPARMOR "Enable AppArmor profile" OFF)
			
 
				
				+option(USE_SELINUX "Enable SELinux policy module" OFF)
			
 
				
				 
			
 
				
				 set(CHROOT_DIR "${CMAKE_INSTALL_PREFIX}/lib/${PROJECT_NAME}" CACHE PATH "Chroot jail for daemon")
			
 
				
				 set(SYSCONF_DIR "/etc" CACHE PATH "Global system configuration folder")
			
@@ -107,6 +108,15 @@ if(USE_APPARMOR)
 
				
				 	install(FILES ${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.apparmor DESTINATION "${SYSCONF_DIR}/apparmor.d" RENAME "${APPARMOR_PROFILE}")
			
 
				
				 endif()
			
 
				
				 
			
 
				
				+if(USE_SELINUX)
			
 
				
				+	file(COPY selinux/${PROJECT_NAME}.te selinux/${PROJECT_NAME}.fc DESTINATION selinux)
			
 
				
				+	add_custom_command(TARGET ${PROJECT_NAME} POST_BUILD
			
 
				
				+		WORKING_DIRECTORY selinux
			
 
				
				+		COMMAND make -f /usr/share/selinux/devel/Makefile)
			
 
				
				+	install(FILES ${CMAKE_CURRENT_BINARY_DIR}/selinux/${PROJECT_NAME}.pp
			
 
				
				+		DESTINATION /usr/share/selinux/packages/${PROJECT_NAME})
			
 
				
				+endif()
			
 
				
				+
			
 
				
				 install(TARGETS ${PROJECT_NAME} DESTINATION "sbin")
			
 
				
				 install(FILES README.md README_UPGRADE.md main.cf.ex DESTINATION "${DOC_DIR}")
			
 
				
				 install(SCRIPT "${CMAKE_CURRENT_BINARY_DIR}/postinstall.cmake")
			
--- a/selinux/postsrsd.fc
+++ b/selinux/postsrsd.fc
@@ -0,0 +1,2 @@
 
				
				+/usr/sbin/postsrsd      gen_context(system_u:object_r:postsrsd_exec_t,s0)
			
 
				
				+/etc/postsrsd\.secret   gen_context(system_u:object_r:postsrsd_secret_t,s0)
			
--- a/selinux/postsrsd.te
+++ b/selinux/postsrsd.te
@@ -0,0 +1,22 @@
 
				
				+policy_module(postsrsd, 1.0.0)
			
 
				
				+
			
 
				
				+gen_require(`
			
 
				
				+    type http_cache_port_t;
			
 
				
				+')
			
 
				
				+
			
 
				
				+type postsrsd_t;
			
 
				
				+type postsrsd_exec_t;
			
 
				
				+init_daemon_domain(postsrsd_t, postsrsd_exec_t)
			
 
				
				+
			
 
				
				+type postsrsd_secret_t;
			
 
				
				+files_type(postsrsd_secret_t)
			
 
				
				+
			
 
				
				+miscfiles_read_localization(postsrsd_t)
			
 
				
				+auth_use_nsswitch(postsrsd_t)
			
 
				
				+logging_send_syslog_msg(postsrsd_t)
			
 
				
				+allow postsrsd_t self:capability { setuid sys_chroot };
			
 
				
				+# 10001 and 10002 are labelled http_cache_port_t for whatever reason,
			
 
				
				+# no point arguing with that...
			
 
				
				+corenet_tcp_bind_http_cache_port(postsrsd_t)
			
 
				
				+allow postsrsd_t self:tcp_socket server_stream_socket_perms;
			
 
				
				+allow postsrsd_t postsrsd_secret_t:file read_file_perms;