From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] certbot V3
Date: Fri, 25 Mar 2022 01:34:49 +1100

Same as the last one but with the directory names for the auto trans rules removed. I think it's ready for merging. Signed-off-by: Russell Coker

Index: refpolicy-2.20220309/policy/modules/services/apache.if =================================================================== --- refpolicy-2.20220309.orig/policy/modules/services/apache.if +++ refpolicy-2.20220309/policy/modules/services/apache.if @@ -238,6 +238,24 @@ interface(`apache_domtrans',` ######################################## ## +## Execute httpd +## +## +## +## Domain allowed to execute it. +## +## +# +interface(`apache_exec',` + gen_require(` + type httpd_t, httpd_exec_t; + ') + + can_exec($1, httpd_exec_t) +') + +######################################## +## ## Execute httpd server in the httpd domain. ## ## @@ -1430,3 +1448,21 @@ interface(`apache_admin',` apache_run_all_scripts($1, $2) apache_run_helper($1, $2) ') + +######################################## +## +## rw httpd_runtime_t files +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_rw_runtime_files',` + gen_require(` + type httpd_runtime_t; + ') + + allow $1 httpd_runtime_t:file rw_file_perms; +') Index: refpolicy-2.20220309/policy/modules/services/certbot.te =================================================================== --- refpolicy-2.20220309.orig/policy/modules/services/certbot.te +++ refpolicy-2.20220309/policy/modules/services/certbot.te 
@@ -43,7 +43,7 @@ allow certbot_t self:udp_socket all_udp_ allow certbot_t self:tcp_socket all_tcp_socket_perms; allow certbot_t self:netlink_route_socket create_netlink_socket_perms; -files_search_var_lib(certbot_t) +files_var_lib_filetrans(certbot_t, certbot_lib_t, dir) manage_dirs_pattern(certbot_t, certbot_lib_t, certbot_lib_t) manage_files_pattern(certbot_t, certbot_lib_t, certbot_lib_t) @@ -62,7 +62,7 @@ allow certbot_t certbot_tmp_t:file mmap_ allow certbot_t certbot_tmpfs_t:file mmap_exec_file_perms; allow certbot_t certbot_runtime_t:file mmap_exec_file_perms; -logging_search_logs(certbot_t) +logging_log_filetrans(certbot_t, certbot_log_t, dir) allow certbot_t certbot_log_t:dir manage_dir_perms; allow certbot_t certbot_log_t:file manage_file_perms; @@ -80,11 +80,15 @@ corenet_tcp_connect_dns_port(certbot_t) # bind to http port for standalone mode corenet_tcp_bind_http_port(certbot_t) +dev_read_urand(certbot_t) + domain_use_interactive_fds(certbot_t) files_read_etc_files(certbot_t) files_read_usr_files(certbot_t) +# dontaudit for attempts to write python cache files +libs_dontaudit_write_lib_dirs(certbot_t) libs_exec_ldconfig(certbot_t) # for /usr/lib/gcc/x86_64-linux-gnu/8/collect2 libs_exec_lib_files(certbot_t) @@ -110,5 +114,17 @@ optional_policy(` # for writing to webroot apache_manage_sys_content(certbot_t) - apache_search_config(certbot_t) + apache_append_log(certbot_t) + apache_exec(certbot_t) + apache_exec_modules(certbot_t) + + # for certbot to create nginx config + apache_manage_config(certbot_t) + + apache_rw_runtime_files(certbot_t) + apache_signal(certbot_t) +') + +optional_policy(` + xdg_search_config_dirs(certbot_t) ')
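Review bot: in the apache_exec hunk (apache.if @@ -238,6 +238,24 @@) the gen_require block pulls in httpd_t, but the body only uses httpd_exec_t in can_exec($1, httpd_exec_t), so `type httpd_exec_t;` is sufficient. The summary "Execute httpd" should also say that the binary runs in the caller's domain without a transition, since that is what distinguishes this interface from apache_domtrans directly above it and is the reason a caller then needs its own access to httpd modules, configuration and runtime files.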
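Review bot: in the apache_rw_runtime_files hunk (apache.if @@ -1430,3 +1448,21 @@) the summary "rw httpd_runtime_t files" is a type name rather than a description; the neighbouring interfaces use prose such as "Execute httpd server in the httpd domain.", so "Read and write httpd runtime files." would fit the file. The rule grants only file permissions on httpd_runtime_t, so a caller that does not already have search permission on the runtime directory from elsewhere still cannot reach those files; check whether a search rule on the parent directory belongs in the interface.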
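Review bot: in the certbot.te @@ -43,7 +43,7 @@ hunk, files_var_lib_filetrans(certbot_t, certbot_lib_t, dir) carries no name argument, so every directory certbot_t creates directly under /var/lib is labelled certbot_lib_t, not only the tool's own state directory. The cover note says the names were removed deliberately; putting the reason in the commit message, and ideally in a comment above the rule, would save the next reviewer from asking why the transition is unrestricted. Dropping files_search_var_lib relies on the filetrans interface supplying the search access itself; confirm that against the definition in kernel/files.if.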
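Review bot: the same unrestricted transition applies to logging_log_filetrans(certbot_t, certbot_log_t, dir) in the certbot.te @@ -62,7 +62,7 @@ hunk, and only the dir class is listed: a log file created directly in /var/log rather than inside a certbot_log_t directory would keep the default log type and would not be covered by the manage_file_perms rule that follows. If certbot only ever writes inside its own log directory that is fine, but a comment saying so would make the intent clear.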
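Review bot: in the certbot.te @@ -80,11 +80,15 @@ hunk, libs_dontaudit_write_lib_dirs(certbot_t) is the right choice over an allow rule for Python bytecode cache writes, but the comment should say that it silences every write attempt under the library directories, so a genuine misconfiguration there will no longer show up in the audit log. dev_read_urand(certbot_t) is there for key generation and deserves a one-line comment like the one above the dontaudit.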
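Review bot: in the certbot.te @@ -110,5 +114,17 @@ hunk, apache_manage_config(certbot_t) is the broadest addition: it lets certbot_t create, rewrite and delete any file of the httpd configuration type, well beyond the server blocks the nginx plugin writes, and the comment justifies it only for nginx. The neighbouring apache_exec, apache_exec_modules, apache_rw_runtime_files and apache_signal rules all follow from the web server binary being executed inside certbot_t for the configuration test rather than through a domain transition; say so in a comment (and note whether apache_domtrans was considered), because otherwise a reader cannot see why a certificate tool needs execute access to httpd modules. The leading "# for writing to webroot" comment now describes only apache_manage_sys_content, so the new rules should get their own comment. The separate optional_policy block for xdg_search_config_dirs is the right structure.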