commit:     8b220a9ced8dbe5449cf443a16b782141d6f4772
Author:     Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Tue Mar  5 15:18:41 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:01 2024 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8b220a9c

certbot: Drop execmem.

This is related to FFI use in python3-openssl. Libffi now changes behavior
when it detects SELinux, to avoid this type of denial.

Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/certbot.te | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/policy/modules/services/certbot.te 
b/policy/modules/services/certbot.te
index 9723f7880..6edaac830 100644
--- a/policy/modules/services/certbot.te
+++ b/policy/modules/services/certbot.te
@@ -54,10 +54,6 @@ files_tmp_filetrans(certbot_t, certbot_tmp_t, { dir file })
 manage_files_pattern(certbot_t, certbot_tmpfs_t, certbot_tmpfs_t)
 fs_tmpfs_filetrans(certbot_t, certbot_tmpfs_t, { file })
 
-# this is for certbot to have write-exec memory, I know it is bad
-# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913544
-# the Debian bug report has background about python-acme and python3-openssl
-allow certbot_t self:process execmem;
 allow certbot_t certbot_tmp_t:file mmap_exec_file_perms;
 allow certbot_t certbot_tmpfs_t:file mmap_exec_file_perms;
 allow certbot_t certbot_runtime_t:file mmap_exec_file_perms;

Reply via email to