commit: 0b6c2d466e55f5f6e14ef67b2ecd9303a6b507a5
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Fri Jan 29 16:22:30 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 6 20:54:11 2021 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0b6c2d46
certbot: add support for acme.sh
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/certbot.fc | 2 ++
policy/modules/services/certbot.te | 13 +++++++++++++
2 files changed, 15 insertions(+)
diff --git a/policy/modules/services/certbot.fc
b/policy/modules/services/certbot.fc
index 508f9862..d1bc3f64 100644
--- a/policy/modules/services/certbot.fc
+++ b/policy/modules/services/certbot.fc
@@ -1,4 +1,6 @@
/usr/bin/certbot -- gen_context(system_u:object_r:certbot_exec_t,s0)
/usr/bin/letsencrypt -- gen_context(system_u:object_r:certbot_exec_t,s0)
+/usr/share/acme\.sh/acme\.sh --
gen_context(system_u:object_r:certbot_exec_t,s0)
/var/lib/letsencrypt(/.*)? gen_context(system_u:object_r:certbot_lib_t,s0)
/var/log/letsencrypt(/.*)? gen_context(system_u:object_r:certbot_log_t,s0)
+/var/lib/acme\.sh(/.*)?
gen_context(system_u:object_r:certbot_lib_t,s0)
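Review bot: The `/var/lib/acme\.sh(/.*)?` entry at L26–L27 only matches an installation that points acme.sh's working directory there; as far as I recall, acme.sh defaults to `~/.acme.sh` unless `--home`/`--config-home` is given, and in that layout certbot_t would hit a home-directory search denial that `userdom_dontaudit_search_user_home_dirs(certbot_t)` in certbot.te silences, leaving nothing in the audit log to explain the failure. A comment beside the entry stating the assumption would save the next person that hunt: `# acme.sh must be run with --home /var/lib/acme.sh; the default ~/.acme.sh is not labeled`. Giving the directory certbot_lib_t, the same label as /var/lib/letsencrypt, looks right since it holds the account and certificate private keys. The dnsapi/deploy helper scripts shipped next to acme.sh are not labeled here; if they are only sourced rather than executed, read access to usr_t is all certbot_t needs, which is worth confirming against the rest of certbot.te.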
diff --git a/policy/modules/services/certbot.te
b/policy/modules/services/certbot.te
index 5f3b155f..62a59478 100644
--- a/policy/modules/services/certbot.te
+++ b/policy/modules/services/certbot.te
@@ -1,5 +1,13 @@
policy_module(certbot, 1.0.0)
+## <desc>
+## <p>
+## Determine whether additional rules
+## should be enabled to support acme.sh
+## </p>
+## </desc>
+gen_tunable(certbot_acmesh, false)
+
########################################
#
# Declarations
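Review bot: The tunable description at L37–L38 does not say what enabling `certbot_acmesh` actually grants, which is what an administrator reading `semanage boolean -l` needs before flipping it; the rules it gates elsewhere in this commit are `corecmd_exec_bin` and `corecmd_exec_shell` for certbot_t, so the description should name that widening. Suggested text in place of the two lines: `## Allow certbot to execute shell and generic bin programs. Required to run acme.sh, a shell script that calls external tools; leave disabled when only certbot is used.` Because certbot.fc labels acme.sh certbot_exec_t unconditionally, acme.sh will transition into certbot_t and fail with execute denials until this tunable is on, so it would also help to say "acme.sh does not work without this" in the description.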
@@ -93,6 +101,11 @@ sysnet_read_config(certbot_t)
userdom_dontaudit_search_user_home_dirs(certbot_t)
userdom_use_user_ptys(certbot_t)
+tunable_policy(`certbot_acmesh',`
+ corecmd_exec_bin(certbot_t)
+ corecmd_exec_shell(certbot_t)
+')
+
optional_policy(`
# for writing to webroot
apache_manage_sys_content(certbot_t)
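Review bot: The exec rules at L50–L51 grant execute without a domain transition, so everything acme.sh spawns stays confined in certbot_t — the external tools it depends on and, as far as I recall its design, any user-supplied `--reloadcmd`/`--pre-hook`/`--post-hook` commands; a hook that reloads the web server via `systemctl` or `rc-service` will therefore be denied, since no init interface is granted inside the tunable. That is the right least-privilege default, but it should be stated so the next denial is not "fixed" by widening certbot_t: `# acme.sh hooks (--reloadcmd etc.) run confined in certbot_t; service reloads need their own interface`. `corecmd_exec_bin` is broad for a script that mostly needs openssl and an HTTP client, but gating it behind a default-false tunable (L41) keeps the default policy unchanged, which is acceptable. The `optional_policy` block that begins at the bottom of the hunk continues outside it.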