From: bauen1
To: Chris PeBenito, Dominick Grift, Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
References: <20200410060231.GA35896@xev>
Subject: Re: another certbot patch
Message-ID: <6351f07d-5c19-7ae7-77af-a8d24779340a@gmail.com>
Date: Thu, 21 May 2020 16:50:04 +0200

Hi,

I've now used this for some time and have a couple of things to add.

On 4/14/20 4:54 PM, Chris PeBenito wrote:
> On 4/10/20 4:07 AM, Dominick Grift wrote:
>> Russell Coker writes:
>>
>>> Signed-off-by: Russell Coker
>>>
>>> I think this addresses all the issues Chris raised.
>
>
> I don't have any comments beyond Dominick's.
>
>>> Index: refpolicy-2.20200410/policy/modules/services/certbot.fc
>>> ===================================================================
>>> --- /dev/null
>>> +++ refpolicy-2.20200410/policy/modules/services/certbot.fc
>>> @@ -0,0 +1,4 @@ >>> +/usr/bin/certbot=C2=A0=C2=A0=C2=A0 --=C2=A0=C2=A0=C2=A0 >>> gen_context(system_u:object_r:certbot_exec_t,s0) >>> +/usr/bin/letsencrypt=C2=A0=C2=A0=C2=A0 --=C2=A0=C2=A0=C2=A0 >>> gen_context(system_u:object_r:certbot_exec_t,s0) >>> +/var/log/letsencrypt(/.*)?=C2=A0=C2=A0=C2=A0 >>> gen_context(system_u:object_r:certbot_log_t,s0) >>> +/var/lib/letsencrypt(/.*)?=C2=A0=C2=A0=C2=A0 >>> gen_context(system_u:object_r:certbot_lib_t,s0) On my debian system certbot puts private certificates into /etc/letsencrypt hence I labeled it certbot_lib_t too but that probably isn't right. >>> Index: refpolicy-2.20200410/policy/modules/services/certbot.if >>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >>> --- /dev/null >>> +++ refpolicy-2.20200410/policy/modules/services/certbot.if 
>>> @@ -0,0 +1,46 @@ >>> +## SSL certificate requesting tool certbot AKA >>> letsencrypt. >>> + >>> +######################################## >>> +## >>> +##=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Execute certbot/letsencrypt in the = certbot >>> +##=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 domain. >>> +## >>> +## >>> +##=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 >>> +##=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Domain allowed to transition. >>> +##=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 >>> +## >>> +# >>> +interface(`certbot_domtrans',` >>> +=C2=A0=C2=A0=C2=A0 gen_require(` >>> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 type certbot_t, certbot_e= xec_t; >>> +=C2=A0=C2=A0=C2=A0 ') >>> + >>> +=C2=A0=C2=A0=C2=A0 domtrans_pattern($1, certbot_exec_t, certbot_t) >>> +') >>> + >>> +######################################## >>> +## >>> +##=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Execute certbot/letsencrypt in the = certbot >>> +##=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 domain, and allow the specified rol= e >>> +##=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 the firstboot domain. >>> +## >>> +## >>> +##=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 >>> +##=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Role allowed access. >>> +##=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 >>> +## >>> +## >>> +##=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 >>> +##=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Domain allowed to transition. >>> +##=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 >>> +## >>> +# >>> +interface(`certbot_run',` >>> +=C2=A0=C2=A0=C2=A0 gen_require(` >>> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 type certbot_t; >>> +=C2=A0=C2=A0=C2=A0 ') >>> + >>> +=C2=A0=C2=A0=C2=A0 certbot_domtrans($2) >>> +=C2=A0=C2=A0=C2=A0 role $1 types certbot_t; >> >> might want to call this: certbot_run(sysadm_r, sysadm_t) >> Swapping the argument order here would be better in line with the rest of refpolicy. Calling this for sysadm would also be a good idea since it is usually used for obtaining the first certificate. 
>>> +') >>> Index: refpolicy-2.20200410/policy/modules/services/certbot.te >>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >>> --- /dev/null >>> +++ refpolicy-2.20200410/policy/modules/services/certbot.te 
>>> @@ -0,0 +1,99 @@ >>> +policy_module(certbot, 1.0.0) >>> + >>> +######################################## >>> +# >>> +# Declarations >>> +# >>> + >>> +type certbot_t; >>> +type certbot_exec_t; >>> +init_daemon_domain(certbot_t, certbot_exec_t) >>> + >>> +type certbot_log_t; >>> +logging_log_file(certbot_log_t) >>> + >>> +type certbot_runtime_t alias certbot_var_run_t; >>> +files_pid_file(certbot_runtime_t) >>> + >>> +type certbot_tmp_t; >>> +files_tmp_file(certbot_tmp_t) >>> + >>> +type certbot_tmpfs_t; >>> +files_tmpfs_file(certbot_tmpfs_t) >>> + >>> +type certbot_lib_t alias certbot_var_lib_t; >>> +files_type(certbot_lib_t) >> >> I would have used certbot_state_t here so that "lib" can be used for >> private library types >> >>> + >>> +######################################## >>> +# >>> +# Local policy >>> +# >>> + >>> +allow certbot_t self:fifo_file { getattr ioctl read write }; >>> +allow certbot_t self:capability { chown dac_override sys_resource };= >>> +allow certbot_t self:udp_socket all_udp_socket_perms; >>> +allow certbot_t self:tcp_socket all_tcp_socket_perms; >>> +allow certbot_t self:netlink_route_socket create_netlink_socket_perm= s; >>> + >>> +files_search_var_lib(certbot_t) >>> +manage_dirs_pattern(certbot_t, certbot_lib_t, certbot_lib_t) >>> +manage_files_pattern(certbot_t, certbot_lib_t, certbot_lib_t) >>> + >>> +manage_files_pattern(certbot_t, certbot_tmp_t, certbot_tmp_t) >>> +files_tmp_filetrans(certbot_t, certbot_tmp_t, { file }) >>> + >>> +manage_files_pattern(certbot_t, certbot_tmpfs_t, certbot_tmpfs_t) >>> +fs_tmpfs_filetrans(certbot_t, certbot_tmpfs_t, { file }) >>> + >>> +# this is for certbot to have write-exec memory, I know it is bad >>> +# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3D913544 >>> +# the Debian bug report has background about python-acme and >>> python3-openssl >>> +allow certbot_t self:process execmem; >>> +allow certbot_t certbot_tmp_t:file { map execute }; >>> +allow certbot_t certbot_tmpfs_t:file { map 
execute }; >>> +allow certbot_t certbot_runtime_t:file { map execute }; >>> + >>> +logging_search_logs(certbot_t) >>> +allow certbot_t certbot_log_t:dir manage_dir_perms; >>> +allow certbot_t certbot_log_t:file manage_file_perms; >>> + I've found that this is missing a filetrans since certbot might try to create its own log directory. Removing 'remove_name reparent rmdir' from the permissions granted on certbot_log_t is also possible since imho domains normally shouldn't delete their own but it might be better to keep ':dir manage_dir_perms' +manage_files_pattern(certbot_t, certbot_log_t, certbot_log_t) +allow certbot_t certbot_log_t:dir { create_dir_perms search_dir_perms add_entry_dir_perms }; +logging_log_filetrans(certbot_t, certbot_log_t, dir) >>> +manage_files_pattern(certbot_t, certbot_runtime_t, certbot_runtime_t= ) >>> +files_pid_filetrans(certbot_t, certbot_runtime_t, file) >>> + >>> +kernel_search_fs_sysctls(certbot_t) >>> + >>> +corecmd_exec_bin(certbot_t) >>> +corecmd_list_bin(certbot_t) >>> +corecmd_mmap_bin_files(certbot_t) >> >> redundant: exec implies mmap >> >>> + >>> +corenet_tcp_bind_generic_node(certbot_t) >>> +corenet_tcp_connect_http_port(certbot_t) >>> + >>> +# bind to http port for standalone mode >>> +corenet_tcp_bind_http_port(certbot_t) >>> + >>> +domain_use_interactive_fds(certbot_t) >>> +files_read_etc_files(certbot_t) >>> + >>> +libs_exec_ldconfig(certbot_t) >>> +# for /usr/lib/gcc/x86_64-linux-gnu/8/collect2 >>> +libs_exec_lib_files(certbot_t) >>> + >>> +miscfiles_read_localization(certbot_t) >>> + >>> +miscfiles_read_generic_certs(certbot_t) >>> +miscfiles_manage_generic_tls_privkey_dirs(certbot_t) >>> +miscfiles_manage_generic_tls_privkey_files(certbot_t) >>> +miscfiles_manage_generic_tls_privkey_lnk_files(certbot_t) >>> + >>> +sysnet_read_config(certbot_t) >>> + >>> +userdom_dontaudit_search_user_home_dirs(certbot_t) >>> +userdom_use_user_ptys(certbot_t) >>> + >>> +optional_policy(` >>> +=C2=A0=C2=A0=C2=A0 # for writing to webroot 
>>> +=C2=A0=C2=A0=C2=A0 apache_manage_sys_content(certbot_t) >>> + >>> +=C2=A0=C2=A0=C2=A0 apache_search_config(certbot_t) >>> +') >>> Index: refpolicy-2.20200410/policy/modules/system/miscfiles.if >>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >>> --- refpolicy-2.20200410.orig/policy/modules/system/miscfiles.if >>> +++ refpolicy-2.20200410/policy/modules/system/miscfiles.if >>> @@ -254,6 +254,26 @@ interface(`miscfiles_manage_generic_tls_ >>> =C2=A0 =C2=A0 ######################################## >>> =C2=A0 ## >>> +##=C2=A0=C2=A0=C2=A0 Manage generic SSL/TLS private >>> +##=C2=A0=C2=A0=C2=A0 keys. >>> +## >>> +## >>> +##=C2=A0=C2=A0=C2=A0 >>> +##=C2=A0=C2=A0=C2=A0 Domain allowed access. >>> +##=C2=A0=C2=A0=C2=A0 >>> +## >>> +## >>> +# >>> +interface(`miscfiles_manage_generic_tls_privkey_lnk_files',` >>> +=C2=A0=C2=A0=C2=A0 gen_require(` >>> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 type tls_privkey_t; >>> +=C2=A0=C2=A0=C2=A0 ') >>> + >>> +=C2=A0=C2=A0=C2=A0 manage_lnk_files_pattern($1, tls_privkey_t, tls_p= rivkey_t) >>> +') >>> + >>> +######################################## >>> +## >>> =C2=A0 ##=C2=A0=C2=A0=C2=A0 Read fonts. >>> =C2=A0 ## >>> =C2=A0 ## >> > > Thanks, bauen1
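Review bot: the certbot.fc hunk gives no label to /etc/letsencrypt, where the reply above says Debian's certbot writes its private keys, so those keys keep whatever generic etc label applies and the miscfiles_manage_generic_tls_privkey_* rules in certbot.te only reach them if that tree already carries tls_privkey_t; rather than labelling it certbot_lib_t (which would lump private keys together with mutable state), add an explicit entry for the key directories with the private-key type the .te already expects, e.g. `/etc/letsencrypt(/.*)?  gen_context(system_u:object_r:tls_privkey_t,s0)`, and mention the layout in the module header.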
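Review bot: in the certbot.if hunk the certbot_run description says the role is allowed "the firstboot domain", a leftover from the module this was copied from; it should read "the certbot domain". The argument order (role as $1, domain as $2) also inverts the refpolicy convention for *_run interfaces, which take the domain first and the role second, so the body should become `certbot_domtrans($1)` and `role $2 types certbot_t;`, and the sysadm call the reply asks for would then be `certbot_run(sysadm_t, sysadm_r)`.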
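Review bot: in the certbot.te hunk, `apache_manage_sys_content(certbot_t)` is applied unconditionally inside the optional_policy block, which lets the certbot domain create, modify and delete every file labelled as httpd system content when it only needs to write the ACME challenge files under the webroot; wrap it in a tunable_policy with a boolean that is off by default (a hypothetical `certbot_manage_webroot`, not a name from the patch) so the rule is only active on hosts that use webroot mode. The same applies to the write-exec exception: `allow certbot_t self:process execmem;` together with `map execute` on certbot_tmp_t, certbot_tmpfs_t and certbot_runtime_t makes the domain W+X, so gating it behind a boolean the comment can point at lets administrators drop it once the python-acme/python3-openssl issue in the linked Debian bug is resolved. The log section is also missing a `logging_log_filetrans(certbot_t, certbot_log_t, dir)`, as the reply above notes.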
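Review bot: the new interface in the miscfiles.if hunk is documented as "Manage generic SSL/TLS private keys", but its body only grants manage_lnk_files_pattern on tls_privkey_t, i.e. symbolic links, not the key files themselves (those are covered by the existing miscfiles_manage_generic_tls_privkey_files); the summary should say "Manage generic SSL/TLS private key symbolic links." so that policy authors do not pick this interface expecting file access.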