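policy_module(server-custom, 1.0.2)

########################################
#
# Declarations
#

# Every entry in gen_require is a hard link-time dependency on the base
# policy, so only the types that an active rule below actually references
# are listed.  Types that were previously required but are used only by the
# commented-out rules (lvm_t, lvm_metadata_t, sysadm_t / role sysadm_r) or
# by nothing at all (syslogd_t, kernel_t, iptables_t, mailserver_delivery)
# have been dropped; re-add them together with the rule that needs them.
# NOTE(review): mailserver_delivery is declared as an attribute in
# refpolicy's mta module, so requiring it as a `type` may not resolve -
# confirm before reintroducing it.  logging_send_syslog_msg() requires
# syslogd_t itself, so this module does not have to.
gen_require(`
	type ping_t, rsync_t, nginx_t, syncthing_t;
	type ssh_keygen_t;
	type portage_t, portage_ebuild_t;
	type tmpfiles_t, hugetlbfs_t;
	type kmod_t, tracefs_t, postgresql_t, postgresql_tmp_t;
	type named_t, dovecot_t, dovecot_auth_t, redis_t;
	type mail_spool_t, exim_t, dovecot_deliver_t;
	type freshclam_t, phpfpm_t;
')

########################################
#
# Policy
#

# musl-specific: these domains need to bind a UDP socket to a generic node
# when resolving addresses.
corenet_udp_bind_generic_node(ping_t)
corenet_udp_bind_generic_node(portage_t)
corenet_udp_bind_generic_node(rsync_t)
corenet_udp_bind_generic_node(nginx_t)
corenet_udp_bind_generic_node(exim_t)
corenet_udp_bind_generic_node(freshclam_t)

# PHP / Roundcube (running under php-fpm) connects to the managesieve port.
corenet_tcp_connect_sieve_port(phpfpm_t)

# nginx failed to start without these.  dac_override lets the domain ignore
# file-mode checks entirely (dac_read_search only skips read/search checks);
# if the paths nginx could not reach are known, fixing their ownership/mode
# and dropping dac_override is the narrower fix - the motivating denial is
# not recorded here.
allow nginx_t self:capability { dac_override dac_read_search };
allow nginx_t self:process getsched;

# Syncthing failed to start/stop without these.
corecmd_exec_bin(syncthing_t)
# WARNING: Failed to lower process priority: set process group: permission denied
# WARNING: Failed to lower process priority: set niceness: permission denied
allow syncthing_t self:process { signal_perms setpgid setsched };
# Able to run "ip route show" to determine the gateway for NAT-PMP.
# sysnet_domtrans_ifconfig(syncthing_t)
# Able to read network state (/proc/*/route) to determine the gateway for
# NAT-PMP, and to check CPU capabilities (/proc/cpuinfo).
kernel_read_network_state(syncthing_t)
# NOTE(review): presumably shared folders live under /mnt - confirm.
files_search_mnt(syncthing_t)

# Unbound (runs in named_t).  net_admin is a broad capability and the denial
# that motivated it is not recorded; record it and check whether a narrower
# permission covers it.
allow named_t self:capability net_admin;

# PostgreSQL maps huge pages and its own temporary files.
allow postgresql_t hugetlbfs_t:file map;
allow postgresql_t postgresql_tmp_t:file map;

# Exim
#allow exim_t self:capability dac_read_search;
#allow exim_t self:process getsched;
# The dovecot LDA reads/writes the unix stream socket it is handed by exim.
allow dovecot_deliver_t exim_t:unix_stream_socket { read write };

# Redis
allow redis_t self:process getsched;
files_search_var_lib(redis_t)

# Dovecot
# dovecot[28606]: Error: imap: Index (in-memory index): Lost log for seq=1 offset=0: Failed to map file seq=2 offset=40..18446744073709551615 (ret=0): Beginning of the log isn't available (initial_mapped=1, reason=in-memory index)
# dovecot[28606]: imap: Warning: fscking index file (in-memory index)
# dovecot[28606]: Error: imap: Failed to map transaction log /var/mail/xxx/Maildir/.Drafts/dovecot.index.log at sync_offset=40 after locking: Beginning of the log isn't available
# avc: denied { map } for pid=28895 comm="imap" path="/var/spool/mail/xxx/Maildir/.Drafts/dovecot.index.cache" dev="dm-0" ino=187521031 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
allow dovecot_t mail_spool_t:file map;

# Dovecot SMTP submission service: listens on the smtp port and relays
# outbound to an smtp port.
corenet_sendrecv_smtp_server_packets(dovecot_t)
corenet_tcp_bind_smtp_port(dovecot_t)
corenet_sendrecv_smtp_client_packets(dovecot_t)
corenet_tcp_connect_smtp_port(dovecot_t)

# Dovecot auth backend connects to PostgreSQL.
corenet_tcp_connect_postgresql_port(dovecot_auth_t)

# NSD failed to work properly without additional permissions.
# (nsd_t, nsd_zone_t and nsd_db_t would have to be added to gen_require
# before enabling these.)
#allow nsd_t self:capability { dac_read_search net_admin };
#allow nsd_t nsd_zone_t:file { map };
#allow nsd_t nsd_db_t:file { map };

# LVM (lvm_t / lvm_metadata_t must be re-added to gen_require if enabled).
#allow lvm_t lvm_metadata_t:file map;

# comm="modprobe" name="events" dev="tracefs"
allow kmod_t tracefs_t:dir search;

# avc: denied { dac_read_search } for pid=9036 comm="checkpath" capability=2
# avc: denied { dac_override } for pid=9036 comm="checkpath" capability=1
# Only dac_read_search is granted; the dac_override denial (which would also
# bypass write-permission checks) appears to be left unresolved on purpose -
# confirm.
allow tmpfiles_t self:capability { dac_read_search };
# avc: denied { sendto } for pid=9036 comm="checkpath" path="/dev/log"
logging_send_syslog_msg(tmpfiles_t)

# Portage
# type=AVC msg=audit(1535383674.057:1263): avc: denied { write } for pid=19064 comm="ebuild.sh" name="fd" dev="proc" ino=1054984 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=staff_u:sysadm_r:portage_t:s0 tclass=dir permissive=0
allow portage_t self:dir write;
# type=AVC msg=audit(1536753503.662:7355): avc: denied { map } for pid=19388 comm="eix-update" path="/var/lib/layman/musl/sys-apps/sandbox/sandbox-2.12.ebuild" dev="dm-0" ino=749977658 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=system_u:object_r:portage_ebuild_t:s0 tclass=file permissive=0
allow portage_t portage_ebuild_t:file map;

# (sysadm_t and role sysadm_r must be re-added to gen_require if enabled.)
#optional_policy(`
#	nsd_admin(sysadm_t, sysadm_r)
#')

# ssh-keygen run from a user terminal needs access to the user's pty.
userdom_use_user_ptys(ssh_keygen_t)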