
Fix SELinux policy to allow chroot

Looks like SELinux additionally requires dac_override and
dac_read_search in order to be able to chroot. Additionally, we create
postsrsd_var_lib_t, which is what /var/lib/postsrsd should be instead of
the global var_lib_t.

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
master^2
Konstantin Ryabitsev 7 years ago
parent
commit
51aea0d39a
2 changed files with 11 additions and 10 deletions
  1. 3
    2
      selinux/postsrsd.fc
  2. 8
    8
      selinux/postsrsd.te

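--- a/selinux/postsrsd.fc
+++ b/selinux/postsrsd.fc
@@ -1,2 +1,3 @@
-/usr/sbin/postsrsd      gen_context(system_u:object_r:postsrsd_exec_t,s0)
-/etc/postsrsd\.secret   gen_context(system_u:object_r:postsrsd_secret_t,s0)
+/usr/sbin/postsrsd      -- gen_context(system_u:object_r:postsrsd_exec_t,s0)
+/etc/postsrsd\.secret   -- gen_context(system_u:object_r:postsrsd_secret_t,s0)
+/var/lib/postsrsd(/.*)?    gen_context(system_u:object_r:postsrsd_var_lib_t,s0)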
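Review bot: The new `/var/lib/postsrsd(/.*)?` entry on line 3 only takes effect when the path is relabelled, so on a host where the directory already exists it stays `var_lib_t` after the module is loaded, and the rules written for `postsrsd_var_lib_t` will not match it. Nothing in this commit shows a relabel step; if the packaging does not already do one, a comment here such as `# existing installs: run restorecon -R /var/lib/postsrsd after loading the module` would save the next admin an AVC hunt. The same applies to the two entries that gained `--`, although their types are unchanged.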

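--- a/selinux/postsrsd.te
+++ b/selinux/postsrsd.te
@@ -1,22 +1,22 @@
-policy_module(postsrsd, 1.0.0)
-
-gen_require(`
-    type http_cache_port_t;
-')
+policy_module(postsrsd, 1.1.0)
 
 type postsrsd_t;
 type postsrsd_exec_t;
+type postsrsd_var_lib_t;
+type postsrsd_secret_t;
+
 init_daemon_domain(postsrsd_t, postsrsd_exec_t)
 
-type postsrsd_secret_t;
 files_type(postsrsd_secret_t)
+files_type(postsrsd_var_lib_t)
 
 miscfiles_read_localization(postsrsd_t)
 auth_use_nsswitch(postsrsd_t)
 logging_send_syslog_msg(postsrsd_t)
-allow postsrsd_t self:capability { setuid sys_chroot };
+allow postsrsd_t self:capability { setuid sys_chroot dac_override dac_read_search };
 # 10001 and 10002 are labelled http_cache_port_t for whatever reason,
 # no point arguing with that...
 corenet_tcp_bind_http_cache_port(postsrsd_t)
 allow postsrsd_t self:tcp_socket server_stream_socket_perms;
-allow postsrsd_t postsrsd_secret_t:file read_file_perms;
+read_files_pattern(postsrsd_t, postsrsd_secret_t, postsrsd_secret_t)
+manage_files_pattern(postsrsd_t, postsrsd_var_lib_t, postsrsd_var_lib_t)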
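Review bot: The capability rule on new line 16 adds `dac_override` and `dac_read_search` with no comment naming the access that needs them, and both let the daemon bypass file mode checks on any path its type enforcement rules reach while it still runs as root, not just for the chroot call. A denial on these two usually means root is touching a file or directory whose owner and mode exclude it (here probably /var/lib/postsrsd or /etc/postsrsd.secret, though the diff does not show which), so it is worth checking whether fixing the ownership or mode removes the need. If they must stay, a comment above the rule should name the path and the denial behind each one. Separately, `manage_files_pattern` on new line 22 grants create, write and unlink inside the chroot directory; if the daemon only chroots there, `allow postsrsd_t postsrsd_var_lib_t:dir search_dir_perms;` would be the narrower grant.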
