From e44a60ba1a44c856575e562194961c0cb58e430f Mon Sep 17 00:00:00 2001
From: Logvinov Alecksey
Date: Sun, 28 Jun 2020 18:22:55 +0300
Subject: [PATCH 01/14] =?UTF-8?q?=D0=98=D0=B7=D0=BC=D0=B5=D0=BD=D0=B8?= =?UTF-8?q?=D1=82=D1=8C=20'README.md'?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 1d588c5..c3d449c 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,11 @@
 # globus-selinux-policy
 
+## install globux selinux policy
+
+```
 curl -o globus.te https://gitea.alecksey.com/alecksey/globux-selinux-policy/master/globus.te
 checkmodule -M -m -o globus.mod globus.te
 sudo semodule_package -o globus.pp -m globus.mod
 sudo semodule -i globus.pp
-rm -f globus.*
\ No newline at end of file
+rm -f globus.*
+```
\ No newline at end of file
From 0c2d5558a9053a4d0d86d7228e8d0febdc52268a Mon Sep 17 00:00:00 2001
From: Logvinov Alecksey
Date: Sun, 28 Jun 2020 18:23:05 +0300
Subject: [PATCH 02/14] =?UTF-8?q?=D0=98=D0=B7=D0=BC=D0=B5=D0=BD=D0=B8?= =?UTF-8?q?=D1=82=D1=8C=20'README.md'?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index c3d449c..ead02b0 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # globus-selinux-policy
 
-## install globux selinux policy
+## install globus-server selinux policy
 
 ```
 curl -o globus.te https://gitea.alecksey.com/alecksey/globux-selinux-policy/master/globus.te
From 1ef7a213c05782d28a0773e816cad60021c958c0 Mon Sep 17 00:00:00 2001
From: Logvinov Alecksey
Date: Sun, 28 Jun 2020 18:24:53 +0300
Subject: [PATCH 03/14] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=B8?= =?UTF-8?q?=D1=82=D1=8C=20'globus.te'?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 globus.te | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 globus.te
diff --git a/globus.te b/globus.te
new file mode 100644
index 0000000..c656fa7
--- /dev/null
+++ b/globus.te
@@ -0,0 +1,18 @@
+module globus 1.0;
+
+require {
+ type mysqld_port_t;
+ type user_home_t;
+ type tmp_t;
+ type init_t;
+ class tcp_socket name_connect;
+ class dir { create rename reparent rmdir };
+ class file { append create execute execute_no_trans lock open read setattr unlink write };
+}
+
+#============= init_t ==============
+
+allow init_t mysqld_port_t:tcp_socket name_connect;
+allow init_t tmp_t:file unlink;
+allow init_t user_home_t:dir { create rename reparent rmdir };
+allow init_t user_home_t:file { append create execute execute_no_trans lock open read setattr unlink write };
\ No newline at end of file
From 17ee554bbdbe5ae530b81076ba071954c0a8efba Mon Sep 17 00:00:00 2001
From: Logvinov Alecksey
Date: Sun, 28 Jun 2020 19:32:59 +0300
Subject: [PATCH 04/14] =?UTF-8?q?=D0=97=D0=B0=D0=B3=D1=80=D1=83=D0=B7?= =?UTF-8?q?=D0=B8=D1=82=D1=8C=20=D1=84=D0=B0=D0=B9=D0=BB=D1=8B=20''?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 README.md | 2 +-
 globus.te | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index ead02b0..baeddcd 100644
--- a/README.md
+++ b/README.md
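Review bot: The four `allow init_t ...` rules at the end of the new globus.te widen the PID 1 domain itself instead of confining the service: `init_t` receives create, write, unlink and `execute_no_trans` on `user_home_t` files, so anything under a user's home directory can be executed in init's own domain with no transition. These denials presumably came from a unit that runs in init_t because it has no domain of its own; the conventional fix is a dedicated domain reached by a type transition from init_t, with the service's data labelled by its own type rather than user_home_t. At minimum drop `execute_no_trans` from the file rule and record why the remaining permissions exist, e.g. `# init_t must run <service binary path> stored under user_home_t - TODO: move to a dedicated domain`. The `tmp_t:file unlink` rule has the same shape, granting the shared tmp_t label instead of a private tmp type.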
@@ -3,7 +3,7 @@
 ## install globus-server selinux policy
 
 ```
-curl -o globus.te https://gitea.alecksey.com/alecksey/globux-selinux-policy/master/globus.te
+curl -o globus.te https://gitea.alecksey.com/alecksey/globus-selinux-policy/master/globus.te
 checkmodule -M -m -o globus.mod globus.te
 sudo semodule_package -o globus.pp -m globus.mod
 sudo semodule -i globus.pp
diff --git a/globus.te b/globus.te
index c656fa7..e7bbec8 100644
--- a/globus.te
+++ b/globus.te
@@ -1,3 +1,4 @@
+
 module globus 1.0;
 
 require {
@@ -15,4 +16,4 @@ require {
 allow init_t mysqld_port_t:tcp_socket name_connect;
 allow init_t tmp_t:file unlink;
 allow init_t user_home_t:dir { create rename reparent rmdir };
-allow init_t user_home_t:file { append create execute execute_no_trans lock open read setattr unlink write };
\ No newline at end of file
+allow init_t user_home_t:file { append create execute execute_no_trans lock open read setattr unlink write };
From 120827c4b82d1fcb29e69c52acd55130bd38720b Mon Sep 17 00:00:00 2001
From: Logvinov Alecksey
Date: Sun, 28 Jun 2020 19:38:58 +0300
Subject: [PATCH 05/14] =?UTF-8?q?=D0=98=D0=B7=D0=BC=D0=B5=D0=BD=D0=B8?= =?UTF-8?q?=D1=82=D1=8C=20'README.md'?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index baeddcd..6dbd3f6 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
 ## install globus-server selinux policy
 
 ```
-curl -o globus.te https://gitea.alecksey.com/alecksey/globus-selinux-policy/master/globus.te
+curl -o globus.te https://gitea.alecksey.com/alecksey/globus-selinux-policy/raw/branch/master/globus.te
 checkmodule -M -m -o globus.mod globus.te
 sudo semodule_package -o globus.pp -m globus.mod
 sudo semodule -i globus.pp
From 8c743e94dc4ef33382e82290e9e54c9e2650c3f8 Mon Sep 17 00:00:00 2001
From: Logvinov Alecksey
Date: Sun, 28 Jun 2020 20:05:35 +0300
Subject: [PATCH 06/14] =?UTF-8?q?=D0=98=D0=B7=D0=BC=D0=B5=D0=BD=D0=B8?= =?UTF-8?q?=D1=82=D1=8C=20'globus.te'?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 globus.te | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/globus.te b/globus.te
index e7bbec8..a91925b 100644
--- a/globus.te
+++ b/globus.te
@@ -11,9 +11,19 @@ require {
 class file { append create execute execute_no_trans lock open read setattr unlink write };
 }
 
+#============= httpd_t =============
+allow httpd_t http_port_t:tcp_socket name_connect;
+allow httpd_t httpd_config_t:dir add_name;
+allow httpd_t httpd_config_t:file {append create};
+
+allow httpd_t smtp_port_t:tcp_socket name_connect;
+
+allow httpd_t unreserved_port_t:tcp_socket name_connect;
+
 #============= init_t ==============
 
 allow init_t mysqld_port_t:tcp_socket name_connect;
 allow init_t tmp_t:file unlink;
 allow init_t user_home_t:dir { create rename reparent rmdir };
 allow init_t user_home_t:file { append create execute execute_no_trans lock open read setattr unlink write };
+allow init_t public_content_rw_t:file execute;
From 929101387f3768b303ccc83e7358e5b4838bbeb4 Mon Sep 17 00:00:00 2001
From: Logvinov Alecksey
Date: Sun, 28 Jun 2020 20:07:39 +0300
Subject: [PATCH 07/14] =?UTF-8?q?=D0=98=D0=B7=D0=BC=D0=B5=D0=BD=D0=B8?= =?UTF-8?q?=D1=82=D1=8C=20'globus.te'?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 globus.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/globus.te b/globus.te
index a91925b..59b7496 100644
--- a/globus.te
+++ b/globus.te
@@ -6,6 +6,7 @@ require {
 type user_home_t;
 type tmp_t;
 type init_t;
+ type httpd_t;
 class tcp_socket name_connect;
 class dir { create rename reparent rmdir };
 class file { append create execute execute_no_trans lock open read setattr unlink write };
From 72edae112ad59a613a9f3bc9a3a5ad84dfff118b Mon Sep 17 00:00:00 2001
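Review bot: `allow httpd_t httpd_config_t:dir add_name;` together with `allow httpd_t httpd_config_t:file {append create};` lets the web server create and append to files carrying its own configuration label, which removes the protection that httpd_config_t exists to give (the daemon reads it, it should not write it); whatever component generates configuration should run in its own domain or write files of a different type. The `smtp_port_t` and `unreserved_port_t` name_connect rules reproduce what the standard booleans `httpd_can_sendmail` and `httpd_can_network_connect` switch on, so enabling a boolean is the reviewable option rather than a permanent custom allow that nobody can later turn off. Note also that `httpd_t`, `http_port_t`, `httpd_config_t`, `smtp_port_t`, `unreserved_port_t` and `public_content_rw_t` are referenced here but not listed in the `require { }` block above this hunk, so as committed checkmodule will reject the module.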
From: Logvinov Alecksey
Date: Sun, 28 Jun 2020 20:16:50 +0300
Subject: [PATCH 08/14] =?UTF-8?q?=D0=98=D0=B7=D0=BC=D0=B5=D0=BD=D0=B8?= =?UTF-8?q?=D1=82=D1=8C=20'globus.te'?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 globus.te | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/globus.te b/globus.te
index 59b7496..952412e 100644
--- a/globus.te
+++ b/globus.te
@@ -7,6 +7,10 @@ require {
 type tmp_t;
 type init_t;
 type httpd_t;
+ type httpd_config_t;
+ type smtp_port_t;
+ type http_port_t;
+ type public_content_rw_t;
 class tcp_socket name_connect;
 class dir { create rename reparent rmdir };
 class file { append create execute execute_no_trans lock open read setattr unlink write };
@@ -14,7 +18,7 @@ require {
 
 #============= httpd_t =============
 allow httpd_t http_port_t:tcp_socket name_connect;
-allow httpd_t httpd_config_t:dir add_name;
+#allow httpd_t httpd_config_t:dir add_name;
 allow httpd_t httpd_config_t:file {append create};
 
 allow httpd_t smtp_port_t:tcp_socket name_connect;
From 972aeff9d03a6455d17d54649940bbb1baef7076 Mon Sep 17 00:00:00 2001
From: Logvinov Alecksey
Date: Sun, 28 Jun 2020 20:17:19 +0300
Subject: [PATCH 09/14] =?UTF-8?q?=D0=98=D0=B7=D0=BC=D0=B5=D0=BD=D0=B8?= =?UTF-8?q?=D1=82=D1=8C=20'globus.te'?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 globus.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/globus.te b/globus.te
index 952412e..4c292af 100644
--- a/globus.te
+++ b/globus.te
@@ -11,6 +11,7 @@ require {
 type smtp_port_t;
 type http_port_t;
 type public_content_rw_t;
+ type unreserved_port_t;
 class tcp_socket name_connect;
 class dir { create rename reparent rmdir };
 class file { append create execute execute_no_trans lock open read setattr unlink write };
From d5ff7ea3a4bb1100b5d8edcfefec5b68173bb39f Mon Sep 17 00:00:00 2001
From: Logvinov Alecksey
Date: Sun, 28 Jun 2020 20:27:30 +0300
Subject: [PATCH 10/14] =?UTF-8?q?=D0=98=D0=B7=D0=BC=D0=B5=D0=BD=D0=B8?= =?UTF-8?q?=D1=82=D1=8C=20'globus.te'?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 globus.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/globus.te b/globus.te
index 4c292af..310a828 100644
--- a/globus.te
+++ b/globus.te
@@ -33,3 +33,4 @@ allow init_t tmp_t:file unlink;
 allow init_t user_home_t:dir { create rename reparent rmdir };
 allow init_t user_home_t:file { append create execute execute_no_trans lock open read setattr unlink write };
 allow init_t public_content_rw_t:file execute;
+allow init_t public_content_rw_t:file { append create execute open read setattr unlink write };
From 7c3e06881f84694dd2dd44de12cab8c47ba686c5 Mon Sep 17 00:00:00 2001
From: Logvinov Alecksey
Date: Sun, 28 Jun 2020 20:31:33 +0300
Subject: [PATCH 11/14] =?UTF-8?q?=D0=98=D0=B7=D0=BC=D0=B5=D0=BD=D0=B8?= =?UTF-8?q?=D1=82=D1=8C=20'globus.te'?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 globus.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/globus.te b/globus.te
index 310a828..895ef9e 100644
--- a/globus.te
+++ b/globus.te
@@ -13,13 +13,13 @@ require {
 type public_content_rw_t;
 type unreserved_port_t;
 class tcp_socket name_connect;
- class dir { create rename reparent rmdir };
+ class dir { add_name create rename reparent rmdir };
 class file { append create execute execute_no_trans lock open read setattr unlink write };
 }
 
 #============= httpd_t =============
 allow httpd_t http_port_t:tcp_socket name_connect;
-#allow httpd_t httpd_config_t:dir add_name;
+allow httpd_t httpd_config_t:dir add_name;
 allow httpd_t httpd_config_t:file {append create};
 
 allow httpd_t smtp_port_t:tcp_socket name_connect;
From 8d82709b23dfbb34713b48ebd7e0d73b78c2c860 Mon Sep 17 00:00:00 2001
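Review bot: The added `allow init_t public_content_rw_t:file { append create execute open read setattr unlink write };` already contains `execute`, so the `allow init_t public_content_rw_t:file execute;` line directly above it is redundant and the two should be merged into one rule so the effective permission set is visible at a glance. The larger concern is the combination itself: `public_content_rw_t` is the label for content that public-facing services are permitted to write, so giving init_t execute on the same type means a file placed in that area by one of those services is runnable in the init domain; keep what init must execute under a read-only type and reserve public_content_rw_t for service-written data. Patch 12 (L7) and the second globus.te hunk of patch 14 (L8) extend this same rule with `execute_no_trans` and `lock` and inherit both points.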
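Review bot: Re-enabling `allow httpd_t httpd_config_t:dir add_name;` gives httpd the ability to add entries under its own configuration directory, so a compromised worker can leave behind configuration that is picked up on the next reload; the component that legitimately writes there should get its own domain or its output a different type rather than extending httpd_t. If file creation is the goal, `add_name` on the directory is normally accompanied by `write` on the same dir class, so the denial log should be checked before assuming this rule alone is sufficient. The first globus.te hunk of patch 14 (L8) is the identical change, and the same comment applies there.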
From: Logvinov Alecksey
Date: Sun, 28 Jun 2020 20:37:02 +0300
Subject: [PATCH 12/14] =?UTF-8?q?=D0=98=D0=B7=D0=BC=D0=B5=D0=BD=D0=B8?= =?UTF-8?q?=D1=82=D1=8C=20'globus.te'?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 globus.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/globus.te b/globus.te
index 895ef9e..1c3a2c5 100644
--- a/globus.te
+++ b/globus.te
@@ -33,4 +33,4 @@ allow init_t tmp_t:file unlink;
 allow init_t user_home_t:dir { create rename reparent rmdir };
 allow init_t user_home_t:file { append create execute execute_no_trans lock open read setattr unlink write };
 allow init_t public_content_rw_t:file execute;
-allow init_t public_content_rw_t:file { append create execute open read setattr unlink write };
+allow init_t public_content_rw_t:file { append create execute execute_no_trans lock open read setattr unlink write };
From 85c713c9f40bd5885efb48f3c0f89798bfdff5f6 Mon Sep 17 00:00:00 2001
From: Logvinov Alecksey
Date: Sun, 28 Jun 2020 21:20:15 +0300
Subject: [PATCH 13/14] =?UTF-8?q?=D0=98=D0=B7=D0=BC=D0=B5=D0=BD=D0=B8?= =?UTF-8?q?=D1=82=D1=8C=20'README.md'?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 6dbd3f6..74083b2 100644
--- a/README.md
+++ b/README.md
@@ -8,4 +8,5 @@ checkmodule -M -m -o globus.mod globus.te
 sudo semodule_package -o globus.pp -m globus.mod
 sudo semodule -i globus.pp
 rm -f globus.*
+setsebool -P domain_can_mmap_files 1
 ```
\ No newline at end of file
From bdbf5bd8504676f7b066190978457c29b7a6bf62 Mon Sep 17 00:00:00 2001
From: Logvinov Alecksey
Date: Sun, 28 Jun 2020 21:29:50 +0300
Subject: [PATCH 14/14] 'fix'
---
 README.md | 1 +
 globus.te | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 6dbd3f6..74083b2 100644
--- a/README.md
+++ b/README.md
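Review bot: `setsebool -P domain_can_mmap_files 1` in the install sequence persistently flips a system-wide boolean that affects every domain on the host, not just this module, and nothing in the README says so or why it is needed. If the service needs to map files of the types this module already grants, the narrower fix is to add `map` to the relevant `class file { ... }` permissions in globus.te for those types only. At least precede the line with a comment such as `# global: allows ALL domains to mmap files; needed because <reason> - prefer a per-type map permission in globus.te` so an operator understands the trade-off. The same README hunk is repeated in patch 14 (L8).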
@@ -8,4 +8,5 @@ checkmodule -M -m -o globus.mod globus.te
 sudo semodule_package -o globus.pp -m globus.mod
 sudo semodule -i globus.pp
 rm -f globus.*
+setsebool -P domain_can_mmap_files 1
 ```
\ No newline at end of file
diff --git a/globus.te b/globus.te
index 310a828..1c3a2c5 100644
--- a/globus.te
+++ b/globus.te
@@ -13,13 +13,13 @@ require {
 type public_content_rw_t;
 type unreserved_port_t;
 class tcp_socket name_connect;
- class dir { create rename reparent rmdir };
+ class dir { add_name create rename reparent rmdir };
 class file { append create execute execute_no_trans lock open read setattr unlink write };
 }
 
 #============= httpd_t =============
 allow httpd_t http_port_t:tcp_socket name_connect;
-#allow httpd_t httpd_config_t:dir add_name;
+allow httpd_t httpd_config_t:dir add_name;
 allow httpd_t httpd_config_t:file {append create};
 
 allow httpd_t smtp_port_t:tcp_socket name_connect;
@@ -33,4 +33,4 @@ allow init_t tmp_t:file unlink;
 allow init_t user_home_t:dir { create rename reparent rmdir };
 allow init_t user_home_t:file { append create execute execute_no_trans lock open read setattr unlink write };
 allow init_t public_content_rw_t:file execute;
-allow init_t public_content_rw_t:file { append create execute open read setattr unlink write };
+allow init_t public_content_rw_t:file { append create execute execute_no_trans lock open read setattr unlink write };
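Review bot: Both file sections of this 'fix' patch carry the same blob ids as earlier patches in the series (README.md `6dbd3f6..74083b2` as in patch 13, globus.te `310a828..1c3a2c5` spanning patches 11 and 12), so the patch reapplies hunks the tree already contains and `git am` will stop on it as already applied. Either drop 14/14 or squash 11–13 into it so each change appears once in the series; a patch titled 'fix' with no body also leaves no record of what it was meant to fix, so a one-line description is worth adding. The two globus.te hunks here are the ones commented on at patches 10 and 11 (L6).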