Parcourir la source

add SELinux policy module

master
Dan Callaghan il y a 8 ans
Parent
révision
70f1ff08b7
3 fichiers modifiés avec 34 ajouts et 0 suppressions
  1. 10
    0
      CMakeLists.txt
  2. 2
    0
      selinux/postsrsd.fc
  3. 22
    0
      selinux/postsrsd.te

+ 10
- 0
CMakeLists.txt Voir le fichier

@@ -4,6 +4,7 @@ include(CheckIncludeFile)
4 4
 
5 5
 option(GENERATE_SRS_SECRET "Generate a random SRS secret if none exists during install" ON)
6 6
 option(USE_APPARMOR "Enable AppArmor profile" OFF)
7
+option(USE_SELINUX "Enable SELinux policy module" OFF)
7 8
 
8 9
 set(CHROOT_DIR "${CMAKE_INSTALL_PREFIX}/lib/${PROJECT_NAME}" CACHE PATH "Chroot jail for daemon")
9 10
 set(SYSCONF_DIR "/etc" CACHE PATH "Global system configuration folder")
@@ -107,6 +108,15 @@ if(USE_APPARMOR)
107 108
 	install(FILES ${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.apparmor DESTINATION "${SYSCONF_DIR}/apparmor.d" RENAME "${APPARMOR_PROFILE}")
108 109
 endif()
109 110
 
111
+if(USE_SELINUX)
112
+	file(COPY selinux/${PROJECT_NAME}.te selinux/${PROJECT_NAME}.fc DESTINATION selinux)
113
+	add_custom_command(TARGET ${PROJECT_NAME} POST_BUILD
114
+		WORKING_DIRECTORY selinux
115
+		COMMAND make -f /usr/share/selinux/devel/Makefile)
116
+	install(FILES ${CMAKE_CURRENT_BINARY_DIR}/selinux/${PROJECT_NAME}.pp
117
+		DESTINATION /usr/share/selinux/packages/${PROJECT_NAME})
118
+endif()
119
+
110 120
 install(TARGETS ${PROJECT_NAME} DESTINATION "sbin")
111 121
 install(FILES README.md README_UPGRADE.md main.cf.ex DESTINATION "${DOC_DIR}")
112 122
 install(SCRIPT "${CMAKE_CURRENT_BINARY_DIR}/postinstall.cmake")

+ 2
- 0
selinux/postsrsd.fc Voir le fichier

@@ -0,0 +1,2 @@
1
+/usr/sbin/postsrsd      gen_context(system_u:object_r:postsrsd_exec_t,s0)
2
+/etc/postsrsd\.secret   gen_context(system_u:object_r:postsrsd_secret_t,s0)

+ 22
- 0
selinux/postsrsd.te Voir le fichier

@@ -0,0 +1,22 @@
1
+policy_module(postsrsd, 1.0.0)
2
+
3
+gen_require(`
4
+    type http_cache_port_t;
5
+')
6
+
7
+type postsrsd_t;
8
+type postsrsd_exec_t;
9
+init_daemon_domain(postsrsd_t, postsrsd_exec_t)
10
+
11
+type postsrsd_secret_t;
12
+files_type(postsrsd_secret_t)
13
+
14
+miscfiles_read_localization(postsrsd_t)
15
+auth_use_nsswitch(postsrsd_t)
16
+logging_send_syslog_msg(postsrsd_t)
17
+allow postsrsd_t self:capability { setuid sys_chroot };
18
+# 10001 and 10002 are labelled http_cache_port_t for whatever reason,
19
+# no point arguing with that...
20
+corenet_tcp_bind_http_cache_port(postsrsd_t)
21
+allow postsrsd_t self:tcp_socket server_stream_socket_perms;
22
+allow postsrsd_t postsrsd_secret_t:file read_file_perms;

Chargement…
Annuler
Enregistrer