X-Git-Url: http://www.git.stargrave.org/?a=blobdiff_plain;f=contrib%2Fselinux%2Fel7%2Fpublicinbox.te;fp=contrib%2Fselinux%2Fel7%2Fpublicinbox.te;h=ef5c1204c20c60e8f76e231354f224f19cd52b6f;hb=5f91aae26b6b0e02c9fabcc5dcf9f4b3e9eedbfe;hp=0000000000000000000000000000000000000000;hpb=930ed478cc8fd29f39d4fff473a7ff40fb8251dc;p=public-inbox.git
diff --git a/contrib/selinux/el7/publicinbox.te b/contrib/selinux/el7/publicinbox.te
new file mode 100644
index 00000000..ef5c1204
--- /dev/null
+++ b/contrib/selinux/el7/publicinbox.te
@@ -0,0 +1,112 @@
+##################
+# This policy allows running public-inbox-httpd and public-inbox-nntpd
+# on reasonable ports (119 for nntpd and 80/443/8080 for httpd)
+#
+# It also allows delivering mail via postfix-pipe to public-inbox-mda
+#
+# Author: Konstantin Ryabitsev
+#
+policy_module(publicinbox, 1.0.3)
+
+require {
+ type postfix_pipe_t;
+ type spamc_t;
+ type spamd_t;
+}
+
+##################
+# Declarations
+
+type publicinbox_daemon_t;
+type publicinbox_daemon_exec_t;
+init_daemon_domain(publicinbox_daemon_t, publicinbox_daemon_exec_t)
+
+type publicinbox_var_lib_t;
+files_type(publicinbox_var_lib_t)
+
+type publicinbox_log_t;
+logging_log_file(publicinbox_log_t)
+
+type publicinbox_var_run_t;
+files_tmp_file(publicinbox_var_run_t)
+
+type publicinbox_tmp_t;
+files_tmp_file(publicinbox_tmp_t)
+
+type publicinbox_deliver_t;
+type publicinbox_deliver_exec_t;
+init_daemon_domain(publicinbox_deliver_t, publicinbox_deliver_exec_t)
+
+# Uncomment to put these domains into permissive mode
+#permissive publicinbox_daemon_t;
+#permissive publicinbox_deliver_t;
+
+##################
+# Daemons policy
+
+domain_use_interactive_fds(publicinbox_daemon_t)
+files_read_etc_files(publicinbox_daemon_t)
+miscfiles_read_localization(publicinbox_daemon_t)
+allow publicinbox_daemon_t self:tcp_socket create_stream_socket_perms;
+allow publicinbox_daemon_t self:tcp_socket { accept listen };
+
+# Need to be able to manage and exec them for Inline::C
+manage_files_pattern(publicinbox_daemon_t, publicinbox_var_run_t, publicinbox_var_run_t)
+exec_files_pattern(publicinbox_daemon_t, publicinbox_var_run_t, publicinbox_var_run_t)
+
+# Logging
+append_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
+create_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
+setattr_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
+logging_log_filetrans(publicinbox_daemon_t, publicinbox_log_t, { file dir })
+
+# Run on httpd and nntp ports (called innd_port_t)
+corenet_tcp_bind_generic_node(publicinbox_daemon_t)
+corenet_tcp_bind_http_port(publicinbox_daemon_t)
+corenet_tcp_bind_http_cache_port(publicinbox_daemon_t)
+corenet_tcp_bind_innd_port(publicinbox_daemon_t)
+
+# Allow reading anything publicinbox_var_lib_t
+list_dirs_pattern(publicinbox_daemon_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+read_files_pattern(publicinbox_daemon_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+
+# The daemon doesn't need to write to this dir
+dontaudit publicinbox_daemon_t publicinbox_var_lib_t:file write;
+
+# Allow executing bin (for git, mostly)
+corecmd_exec_bin(publicinbox_daemon_t)
+
+# Manage our tmp files
+manage_dirs_pattern(publicinbox_daemon_t, publicinbox_tmp_t, publicinbox_tmp_t)
+manage_files_pattern(publicinbox_daemon_t, publicinbox_tmp_t, publicinbox_tmp_t)
+files_tmp_filetrans(publicinbox_daemon_t, publicinbox_tmp_t, { file dir })
+
+##################
+# mda/watch policy
+#
+# Allow transitioning to deliver_t from postfix pipe
+domtrans_pattern(postfix_pipe_t, publicinbox_deliver_exec_t, publicinbox_deliver_t)
+postfix_rw_inherited_master_pipes(publicinbox_deliver_t)
+postfix_read_spool_files(publicinbox_deliver_t)
+
+files_read_etc_files(publicinbox_deliver_t)
+
+# Allow managing anything in publicinbox_var_lib_t
+manage_dirs_pattern(publicinbox_deliver_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+manage_files_pattern(publicinbox_deliver_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+
+# Allow executing bin (for git, mostly)
+corecmd_exec_bin(publicinbox_deliver_t)
+
+# git-fast-import wants to access system state and other bits
+kernel_dontaudit_read_system_state(publicinbox_deliver_t)
+
+# Allow using spamc
+spamassassin_domtrans_client(publicinbox_deliver_t)
+manage_files_pattern(spamc_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+read_files_pattern(spamd_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+
+# Manage our tmp files
+manage_dirs_pattern(publicinbox_deliver_t, publicinbox_tmp_t, publicinbox_tmp_t)
+manage_files_pattern(publicinbox_deliver_t, publicinbox_tmp_t, publicinbox_tmp_t)
+files_tmp_filetrans(publicinbox_deliver_t, publicinbox_tmp_t, { file dir })
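Review bot: `manage_files_pattern(spamc_t, publicinbox_var_lib_t, publicinbox_var_lib_t)` under the "Allow using spamc" comment grants the SpamAssassin client create, unlink and rename rights over the entire inbox store, which is broader than a filtering client that reads a message and emits a verdict should need. If spamc only reads the piped message and writes its result into an existing file there, `rw_files_pattern(spamc_t, publicinbox_var_lib_t, publicinbox_var_lib_t)` narrows this, though which files spamc actually touches should be confirmed against the mda code before tightening. Separately, the daemon is given both manage and exec over publicinbox_var_run_t (the Inline::C build area), and that type is declared with `files_tmp_file` rather than a run/pid file type; a comment such as `# NOTE: write+exec on this one type is a deliberate Inline::C trade-off; keep it on its own directory, not shared tmp` would make the risk explicit for the next reviewer.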