commit: 0b6c2d466e55f5f6e14ef67b2ecd9303a6b507a5 |
Author: Kenton Groombridge <me <AT> concord <DOT> sh> |
AuthorDate: Fri Jan 29 16:22:30 2021 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Feb 6 20:54:11 2021 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0b6c2d46 |
|
certbot: add support for acme.sh |
|
Signed-off-by: Kenton Groombridge <me <AT> concord.sh> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/services/certbot.fc | 2 ++ |
policy/modules/services/certbot.te | 13 +++++++++++++ |
2 files changed, 15 insertions(+) |
|
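diff --git a/policy/modules/services/certbot.fc b/policy/modules/services/certbot.fc
index 508f9862..d1bc3f64 100644
--- a/policy/modules/services/certbot.fc
+++ b/policy/modules/services/certbot.fc
@@ -1,4 +1,6 @@
 /usr/bin/certbot -- gen_context(system_u:object_r:certbot_exec_t,s0)
 /usr/bin/letsencrypt -- gen_context(system_u:object_r:certbot_exec_t,s0)
+/usr/share/acme\.sh/acme\.sh -- gen_context(system_u:object_r:certbot_exec_t,s0)
 /var/lib/letsencrypt(/.*)? gen_context(system_u:object_r:certbot_lib_t,s0)
 /var/log/letsencrypt(/.*)? gen_context(system_u:object_r:certbot_log_t,s0)
+/var/lib/acme\.sh(/.*)? gen_context(system_u:object_r:certbot_lib_t,s0)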
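Review bot: The new `/var/lib/acme\.sh(/.*)?` entry is appended after the `/var/log/letsencrypt` line, while the existing entries in this file appear to be kept in path order; moving it up to sit before `/var/lib/letsencrypt(/.*)?` keeps the file sorted and makes the acme.sh state directory easy to find next to the other `/var/lib` label. The `/usr/share/acme\.sh/acme\.sh` entry is already in the right place relative to `/usr/bin`.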
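diff --git a/policy/modules/services/certbot.te b/policy/modules/services/certbot.te
index 5f3b155f..62a59478 100644
--- a/policy/modules/services/certbot.te
+++ b/policy/modules/services/certbot.te
@@ -1,5 +1,13 @@
 policy_module(certbot, 1.0.0)
 
+## <desc>
+## <p>
+## Determine whether additional rules
+## should be enabled to support acme.sh
+## </p>
+## </desc>
+gen_tunable(certbot_acmesh, false)
+
 ########################################
 #
 # Declarations
@@ -93,6 +101,11 @@ sysnet_read_config(certbot_t)
 userdom_dontaudit_search_user_home_dirs(certbot_t)
 userdom_use_user_ptys(certbot_t)
 
+tunable_policy(`certbot_acmesh',`
+	corecmd_exec_bin(certbot_t)
+	corecmd_exec_shell(certbot_t)
+')
+
 optional_policy(`
 	# for writing to webroot
 	apache_manage_sys_content(certbot_t)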
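Review bot: The tunable_policy block puts corecmd_exec_shell(certbot_t) behind certbot_acmesh, yet the certbot.fc hunk in this same commit labels /usr/share/acme.sh/acme.sh as certbot_exec_t unconditionally, so with the tunable at its default of false the script is transitioned into certbot_t and then, if it is a #! shell script as its name suggests, presumably cannot exec its interpreter at all. If that is the intended "off by default" behaviour it should be stated where the admin will read it, e.g. extend the tunable's <desc> with a sentence such as "acme.sh is labeled certbot_exec_t and will not run unless this boolean is enabled", or add a comment on the block: `# acme.sh is a shell script; it needs the shell and the helper binaries it calls`. Separately, corecmd_exec_bin(certbot_t) lets certbot_t execute every bin_t binary, which widens the domain well beyond what certbot itself needs; a comment naming the helpers acme.sh actually invokes would let a later change replace this with the narrower per-program interfaces. The optional_policy block at the end of the hunk continues outside it.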