robin.thoni
/
roehling-postsrsd
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 5 Wiki Activity
Browse Source

Fix SELinux policy to allow chroot 

Looks like SELinux additionally requires dav_override and
dac_read_search in order to be able to chroot. Additionally, we create
postsrsd_var_lib_t, which is what /var/lib/postsrsd should be instead of
the global var_lib_t.

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
master^2
Konstantin Ryabitsev 7 years ago
parent
908f96bcdc
commit
51aea0d39a
No account linked to committer's email address
2 changed files with 11 additions and 10 deletions
Unified View Show Diff Stats
  1. 3
    2
      selinux/postsrsd.fc
  2. 8
    8
      selinux/postsrsd.te

+ 3
- 2
selinux/postsrsd.fc View File

1 
-/usr/sbin/postsrsd      gen_context(system_u:object_r:postsrsd_exec_t,s0)
2 
-/etc/postsrsd\.secret   gen_context(system_u:object_r:postsrsd_secret_t,s0)
1 
+/usr/sbin/postsrsd      -- gen_context(system_u:object_r:postsrsd_exec_t,s0)
2 
+/etc/postsrsd\.secret   -- gen_context(system_u:object_r:postsrsd_secret_t,s0)
3 
+/var/lib/postsrsd(/.*)?    gen_context(system_u:object_r:postsrsd_var_lib_t,s0)

+ 8
- 8
selinux/postsrsd.te View File

1 
-policy_module(postsrsd, 1.0.0)
2 
-
3 
-gen_require(`
4 
-    type http_cache_port_t;
5 
-')
1 
+policy_module(postsrsd, 1.1.0)
6
2
7 
 type postsrsd_t;
 3 
 type postsrsd_t;
8 
 type postsrsd_exec_t;
 4 
 type postsrsd_exec_t;
5 
+type postsrsd_var_lib_t;
6 
+type postsrsd_secret_t;
7 
+
9 
 init_daemon_domain(postsrsd_t, postsrsd_exec_t)
 8 
 init_daemon_domain(postsrsd_t, postsrsd_exec_t)
10
9
11 
-type postsrsd_secret_t;
12 
 files_type(postsrsd_secret_t)
 10 
 files_type(postsrsd_secret_t)
11 
+files_type(postsrsd_var_lib_t)
13
12
14 
 miscfiles_read_localization(postsrsd_t)
 13 
 miscfiles_read_localization(postsrsd_t)
15 
 auth_use_nsswitch(postsrsd_t)
 14 
 auth_use_nsswitch(postsrsd_t)
16 
 logging_send_syslog_msg(postsrsd_t)
 15 
 logging_send_syslog_msg(postsrsd_t)
17 
-allow postsrsd_t self:capability { setuid sys_chroot };
16 
+allow postsrsd_t self:capability { setuid sys_chroot dac_override dac_read_search };
18 
 # 10001 and 10002 are labelled http_cache_port_t for whatever reason,
 17 
 # 10001 and 10002 are labelled http_cache_port_t for whatever reason,
19 
 # no point arguing with that...
 18 
 # no point arguing with that...
20 
 corenet_tcp_bind_http_cache_port(postsrsd_t)
 19 
 corenet_tcp_bind_http_cache_port(postsrsd_t)
21 
 allow postsrsd_t self:tcp_socket server_stream_socket_perms;
 20 
 allow postsrsd_t self:tcp_socket server_stream_socket_perms;
22 
-allow postsrsd_t postsrsd_secret_t:file read_file_perms;
21 
+read_files_pattern(postsrsd_t, postsrsd_secret_t, postsrsd_secret_t)
22 
+manage_files_pattern(postsrsd_t, postsrsd_var_lib_t, postsrsd_var_lib_t)

Write Preview
Loading…
Cancel
Save