Browse Source

Fix SELinux policy to allow chroot

Looks like SELinux additionally requires dav_override and
dac_read_search in order to be able to chroot. Additionally, we create
postsrsd_var_lib_t, which is what /var/lib/postsrsd should be instead of
the global var_lib_t.

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
master^2
Konstantin Ryabitsev 7 years ago
parent
commit
51aea0d39a
No account linked to committer's email address
2 changed files with 11 additions and 10 deletions
  1. 3
    2
      selinux/postsrsd.fc
  2. 8
    8
      selinux/postsrsd.te

+ 3
- 2
selinux/postsrsd.fc View File

@@ -1,2 +1,3 @@
1
-/usr/sbin/postsrsd      gen_context(system_u:object_r:postsrsd_exec_t,s0)
2
-/etc/postsrsd\.secret   gen_context(system_u:object_r:postsrsd_secret_t,s0)
1
+/usr/sbin/postsrsd      -- gen_context(system_u:object_r:postsrsd_exec_t,s0)
2
+/etc/postsrsd\.secret   -- gen_context(system_u:object_r:postsrsd_secret_t,s0)
3
+/var/lib/postsrsd(/.*)?    gen_context(system_u:object_r:postsrsd_var_lib_t,s0)

+ 8
- 8
selinux/postsrsd.te View File

@@ -1,22 +1,22 @@
1
-policy_module(postsrsd, 1.0.0)
2
-
3
-gen_require(`
4
-    type http_cache_port_t;
5
-')
1
+policy_module(postsrsd, 1.1.0)
6 2
 
7 3
 type postsrsd_t;
8 4
 type postsrsd_exec_t;
5
+type postsrsd_var_lib_t;
6
+type postsrsd_secret_t;
7
+
9 8
 init_daemon_domain(postsrsd_t, postsrsd_exec_t)
10 9
 
11
-type postsrsd_secret_t;
12 10
 files_type(postsrsd_secret_t)
11
+files_type(postsrsd_var_lib_t)
13 12
 
14 13
 miscfiles_read_localization(postsrsd_t)
15 14
 auth_use_nsswitch(postsrsd_t)
16 15
 logging_send_syslog_msg(postsrsd_t)
17
-allow postsrsd_t self:capability { setuid sys_chroot };
16
+allow postsrsd_t self:capability { setuid sys_chroot dac_override dac_read_search };
18 17
 # 10001 and 10002 are labelled http_cache_port_t for whatever reason,
19 18
 # no point arguing with that...
20 19
 corenet_tcp_bind_http_cache_port(postsrsd_t)
21 20
 allow postsrsd_t self:tcp_socket server_stream_socket_perms;
22
-allow postsrsd_t postsrsd_secret_t:file read_file_perms;
21
+read_files_pattern(postsrsd_t, postsrsd_secret_t, postsrsd_secret_t)
22
+manage_files_pattern(postsrsd_t, postsrsd_var_lib_t, postsrsd_var_lib_t)

Loading…
Cancel
Save