Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Sun, 07 Feb 2021 03:20:11
Message-Id: 1612644851.0b6c2d466e55f5f6e14ef67b2ecd9303a6b507a5.perfinion@gentoo
1 commit: 0b6c2d466e55f5f6e14ef67b2ecd9303a6b507a5
2 Author: Kenton Groombridge <me <AT> concord <DOT> sh>
3 AuthorDate: Fri Jan 29 16:22:30 2021 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sat Feb 6 20:54:11 2021 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0b6c2d46
7
8 certbot: add support for acme.sh
9
10 Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
11 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
12
13 policy/modules/services/certbot.fc | 2 ++
14 policy/modules/services/certbot.te | 13 +++++++++++++
15 2 files changed, 15 insertions(+)
16
17 diff --git a/policy/modules/services/certbot.fc b/policy/modules/services/certbot.fc
18 index 508f9862..d1bc3f64 100644
19 --- a/policy/modules/services/certbot.fc
20 +++ b/policy/modules/services/certbot.fc
21 @@ -1,4 +1,6 @@
22 /usr/bin/certbot -- gen_context(system_u:object_r:certbot_exec_t,s0)
23 /usr/bin/letsencrypt -- gen_context(system_u:object_r:certbot_exec_t,s0)
24 +/usr/share/acme\.sh/acme\.sh -- gen_context(system_u:object_r:certbot_exec_t,s0)
25 /var/lib/letsencrypt(/.*)? gen_context(system_u:object_r:certbot_lib_t,s0)
26 /var/log/letsencrypt(/.*)? gen_context(system_u:object_r:certbot_log_t,s0)
27 +/var/lib/acme\.sh(/.*)? gen_context(system_u:object_r:certbot_lib_t,s0)
28
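Review bot: the new entries in this hunk label acme.sh's data directory (`/var/lib/acme\.sh(/.*)?`) as certbot_lib_t but add no log path, while the letsencrypt pair just above labels both a lib and a log directory; if acme.sh keeps its log inside `/var/lib/acme.sh` it will end up as certbot_lib_t rather than certbot_log_t, so either add a matching certbot_log_t entry or leave a comment saying the single label is intentional. Also worth a comment: `/usr/share/acme\.sh/acme\.sh` is a shell script, so labelling it certbot_exec_t makes the domain transition happen on the script and the interpreter then runs as certbot_t, which is what the corecmd_exec_shell rule in the .te hunk later relies on.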
29 diff --git a/policy/modules/services/certbot.te b/policy/modules/services/certbot.te
30 index 5f3b155f..62a59478 100644
31 --- a/policy/modules/services/certbot.te
32 +++ b/policy/modules/services/certbot.te
33 @@ -1,5 +1,13 @@
34 policy_module(certbot, 1.0.0)
35
36 +## <desc>
37 +## <p>
38 +## Determine whether additional rules
39 +## should be enabled to support acme.sh
40 +## </p>
41 +## </desc>
42 +gen_tunable(certbot_acmesh, false)
43 +
44 ########################################
45 #
46 # Declarations
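Review bot: the gen_tunable block is inserted above the `# Declarations` banner, but refpolicy convention places tunable declarations inside the Declarations section, so it should move below the banner. The `<desc>` text is also vaguer than it needs to be: "additional rules" could say what is actually granted (executing shell and generic bin programs from certbot_t), since that is what an administrator is deciding when they flip certbot_acmesh.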
47 @@ -93,6 +101,11 @@ sysnet_read_config(certbot_t)
48 userdom_dontaudit_search_user_home_dirs(certbot_t)
49 userdom_use_user_ptys(certbot_t)
50
51 +tunable_policy(`certbot_acmesh',`
52 + corecmd_exec_bin(certbot_t)
53 + corecmd_exec_shell(certbot_t)
54 +')
55 +
56 optional_policy(`
57 # for writing to webroot
58 apache_manage_sys_content(certbot_t)