add content
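--- /dev/null
+++ b/sec-policy/selinux-server-custom/Manifest
@@ -0,0 +1,4 @@
+AUX server-custom.te 4534 BLAKE2B 5cda8ae24fdff6101c505139f3b9f2c5003cf5e7231ee2144f8ed04311e5ee2c83ae7a8ba5f33b2d09423077d624b9490c7683f117e6d43f81edddd89022d47a SHA512 699a67ef140ca9cf9f950731e0a788f793a8c2dc11f804967bf5c4cb9760090e6aa631d5e329d1a71d4153dfdbaf9ba39dfe6bf2a7fa2ecc47843813d6b6f161
+DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
+DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
+EBUILD selinux-server-custom-2.20180701-r1.ebuild 388 BLAKE2B 7967baa6b3ffbd099510af5cb138a3b309fe70266100aae1f7c34072f2f6fdd1918fb0e8edd24f693b1bedee2c8a47c80e81208f5ad762693add2eba918c1c82 SHA512 da5bde5eb21ab5aa097e9ca8638697af92985774fbe0b91cea5fe1097b24b3703255c3af987ecac2f2d32ae6f894c64dcf54fb99c81ff2fdc230c8a89a3dcdee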
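--- /dev/null
+++ b/sec-policy/selinux-server-custom/files/server-custom.te
@@ -0,0 +1,101 @@
+policy_module(server-custom, 1.0.2)
+
+gen_require(`
+type ping_t, rsync_t, nginx_t, syncthing_t;
+type ssh_keygen_t, lvm_t, lvm_metadata_t;
+type portage_t, portage_ebuild_t;
+type sysadm_t, tmpfiles_t, syslogd_t, hugetlbfs_t;
+type kmod_t, tracefs_t, postgresql_t, postgresql_tmp_t;
+type named_t, dovecot_t, dovecot_auth_t, redis_t;
+type mail_spool_t, exim_t, dovecot_deliver_t, mailserver_delivery;
+type freshclam_t, phpfpm_t, kernel_t, iptables_t;
+role sysadm_r;
+')
+
+####### Policy
+
+# Musl specific requirements for address resolve
+corenet_udp_bind_generic_node(ping_t)
+corenet_udp_bind_generic_node(portage_t)
+corenet_udp_bind_generic_node(rsync_t)
+corenet_udp_bind_generic_node(nginx_t)
+corenet_udp_bind_generic_node(exim_t)
+corenet_udp_bind_generic_node(freshclam_t)
+
+# PHP ROUNDCUBE
+corenet_tcp_connect_sieve_port(phpfpm_t)
+
+# NGINX failed to start without additional permissions
+allow nginx_t self:capability { dac_override dac_read_search };
+allow nginx_t self:process getsched;
+
+# Syncthing failed to start/stop without additional permissions
+corecmd_exec_bin(syncthing_t)
+# WARNING: Failed to lower process priority: set process group: permission denied
+# WARNING: Failed to lower process priority: set niceness: permission denied
+allow syncthing_t self:process { signal_perms setpgid setsched };
+# Able to run "ip ropute show" to determinate gateway for NAT-PMP
+# sysnet_domtrans_ifconfig(syncthing_t)
+# Able to read network state (/proc/*/route) to determinate gateway for NAT-t And to check for cpu capabilities (/proc/cpuinfo).
+kernel_read_network_state(syncthing_t)
+files_search_mnt(syncthing_t)
+
+# Unbound
+allow named_t self:capability net_admin;
+
+# PostgreSQL
+allow postgresql_t hugetlbfs_t:file map;
+allow postgresql_t postgresql_tmp_t:file map;
+
+# Exim
+#allow exim_t self:capability dac_read_search;
+#allow exim_t self:process getsched;
+allow dovecot_deliver_t exim_t:unix_stream_socket { read write };
+
+# Redis
+allow redis_t self:process getsched;
+files_search_var_lib(redis_t)
+
+# DOVECOT
+# dovecot[28606]: Error: imap: Index (in-memory index): Lost log for seq=1 offset=0: Failed to map file seq=2 offset=40..18446744073709551615 (ret=0): Beginning of the log isn't available (initial_mapped=1, reason=in-memory index)
+# dovecot[28606]: imap: Warning: fscking index file (in-memory index)
+# dovecot[28606]: Error: imap: Failed to map transaction log /var/mail/xxx/Maildir/.Drafts/dovecot.index.log at sync_offset=40 after locking: Beginning of the log isn't available
+# avc: denied { map } for pid=28895 comm="imap" path="/var/spool/mail/xxx/Maildir/.Drafts/dovecot.index.cache" dev="dm-0" ino=187521031 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
+allow dovecot_t mail_spool_t:file map;
+# Dovecot SMTP Submission
+corenet_sendrecv_smtp_server_packets(dovecot_t)
+corenet_tcp_bind_smtp_port(dovecot_t)
+corenet_sendrecv_smtp_client_packets(dovecot_t)
+corenet_tcp_connect_smtp_port(dovecot_t)
+# Dovecot DB connect
+corenet_tcp_connect_postgresql_port(dovecot_auth_t)
+
+# NSD failed to work properly without additional permissions
+#allow nsd_t self:capability { dac_read_search net_admin };
+#allow nsd_t self:capability { dac_read_search net_admin };
+#allow nsd_t nsd_zone_t:file { map };
+#allow nsd_t nsd_db_t:file { map };
+
+#allow lvm_t lvm_metadata_t:file map;
+
+# comm="modprobe" name="events" dev="tracefs"
+allow kmod_t tracefs_t:dir search;
+
+# avc: denied { dac_read_search } for pid=9036 comm="checkpath" capability=2
+# avc: denied { dac_override } for pid=9036 comm="checkpath" capability=1
+allow tmpfiles_t self:capability { dac_read_search };
+
+# avc: denied { sendto } for pid=9036 comm="checkpath" path="/dev/log"
+logging_send_syslog_msg(tmpfiles_t)
+
+# type=AVC msg=audit(1535383674.057:1263): avc: denied { write } for pid=19064 comm="ebuild.sh" name="fd" dev="proc" ino=1054984 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=staff_u:sysadm_r:portage_t:s0 tclass=dir permissive=0
+allow portage_t self:dir write;
+# type=AVC msg=audit(1536753503.662:7355): avc: denied { map } for pid=19388 comm="eix-update" path="/var/lib/layman/musl/sys-apps/sandbox/sandbox-2.12.ebuild" dev="dm-0" ino=749977658 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=system_u:object_r:portage_ebuild_t:s0 tclass=file permissive=0
+allow portage_t portage_ebuild_t:file map;
+
+#optional_policy(`
+# nsd_admin(sysadm_t, sysadm_r)
+#')
+
+# ssh_keygen_t failed to work with terminal
+userdom_use_user_ptys(ssh_keygen_t)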
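Review bot: The gen_require block at the top of the hunk declares names that no active rule uses — `lvm_t`, `lvm_metadata_t`, `sysadm_t`, `syslogd_t`, `kernel_t`, `iptables_t`, `mailserver_delivery` and `role sysadm_r` — and each of them is a hard load-time dependency, so the module refuses to insert on a base policy lacking any one of them while giving no hint which are placeholders for the commented-out lvm and nsd_admin rules; trim the block to the types actually referenced and keep any name reserved for a disabled rule in that rule's comment instead. The nginx rule `allow nginx_t self:capability { dac_override dac_read_search };` is justified only by "failed to start without additional permissions", whereas the dovecot, tmpfiles and portage sections record the denying AVC with path, class and comm; that record matters most here, because dac_override lets the web server bypass file permission checks on anything its type may already reach, and relabelling the path it tripped over is usually the narrower fix. Similarly the comment above `allow tmpfiles_t self:capability { dac_read_search };` lists both a dac_read_search and a dac_override denial but the rule grants only the first, so state whether that is deliberate, e.g. `# dac_override left denied on purpose: checkpath works with dac_read_search alone`. The same "failed to start" pattern with no AVC recorded applies to the syncthing and ssh_keygen_t rules further down.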
@@ -0,0 +1,20 @@
|
||||
# Copyright 1999-2015 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Id$
|
||||
EAPI="5"
|
||||
|
||||
IUSE=""
|
||||
MODS="server-custom"
|
||||
POLICY_FILES="server-custom.te"
|
||||
|
||||
inherit selinux-policy-2
|
||||
|
||||
DESCRIPTION="SELinux policy for custom things"
|
||||
|
||||
RDEPEND="sec-policy/selinux-base-policy"
|
||||
|
||||
if [[ $PV == 9999* ]] ; then
|
||||
KEYWORDS=""
|
||||
else
|
||||
KEYWORDS="amd64 x86"
|
||||
fi
|
||||