From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1612644851.0b6c2d466e55f5f6e14ef67b2ecd9303a6b507a5.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/certbot.fc policy/modules/services/certbot.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 0b6c2d466e55f5f6e14ef67b2ecd9303a6b507a5
X-VCS-Branch: master
Date: Sun, 7 Feb 2021 03:20:05 +0000 (UTC)

commit:     0b6c2d466e55f5f6e14ef67b2ecd9303a6b507a5
Author:     Kenton Groombridge concord sh>
AuthorDate: Fri Jan 29 16:22:30 2021 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Sat Feb  6 20:54:11 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0b6c2d46

certbot: add support for acme.sh

Signed-off-by: Kenton Groombridge concord.sh>
Signed-off-by: Jason Zaman gentoo.org>

 policy/modules/services/certbot.fc |  2 ++
 policy/modules/services/certbot.te | 13 +++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/policy/modules/services/certbot.fc b/policy/modules/services/certbot.fc
index 508f9862..d1bc3f64 100644
--- a/policy/modules/services/certbot.fc
+++ b/policy/modules/services/certbot.fc
@@ -1,4 +1,6 @@ /usr/bin/certbot -- gen_context(system_u:object_r:certbot_exec_t,s0) /usr/bin/letsencrypt -- gen_context(system_u:object_r:certbot_exec_t,s0) +/usr/share/acme\.sh/acme\.sh -- gen_context(system_u:object_r:certbot_exec_t,s0) /var/lib/letsencrypt(/.*)? gen_context(system_u:object_r:certbot_lib_t,s0) /var/log/letsencrypt(/.*)? gen_context(system_u:object_r:certbot_log_t,s0) +/var/lib/acme\.sh(/.*)? gen_context(system_u:object_r:certbot_lib_t,s0) diff --git a/policy/modules/services/certbot.te b/policy/modules/services/certbot.te index 5f3b155f..62a59478 100644 --- a/policy/modules/services/certbot.te +++ b/policy/modules/services/certbot.te @@ -1,5 +1,13 @@ policy_module(certbot, 1.0.0) +## +##

+## Determine whether additional rules +## should be enabled to support acme.sh +##

+##
+gen_tunable(certbot_acmesh, false) + ######################################## # # Declarations @@ -93,6 +101,11 @@ sysnet_read_config(certbot_t) userdom_dontaudit_search_user_home_dirs(certbot_t) userdom_use_user_ptys(certbot_t) +tunable_policy(`certbot_acmesh',` + corecmd_exec_bin(certbot_t) + corecmd_exec_shell(certbot_t) +') + optional_policy(` # for writing to webroot apache_manage_sys_content(certbot_t)