commit: 8b220a9ced8dbe5449cf443a16b782141d6f4772
Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Tue Mar 5 15:18:41 2024 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:01 2024 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8b220a9c
certbot: Drop execmem.
This is related to FFI use in python3-openssl. Libffi now changes behavior
when it detects SELinux, to avoid this type of denial.
Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/certbot.te | 4 ----
1 file changed, 4 deletions(-)
diff --git a/policy/modules/services/certbot.te
b/policy/modules/services/certbot.te
index 9723f7880..6edaac830 100644
--- a/policy/modules/services/certbot.te
+++ b/policy/modules/services/certbot.te
@@ -54,10 +54,6 @@ files_tmp_filetrans(certbot_t, certbot_tmp_t, { dir file })
manage_files_pattern(certbot_t, certbot_tmpfs_t, certbot_tmpfs_t)
fs_tmpfs_filetrans(certbot_t, certbot_tmpfs_t, { file })
-# this is for certbot to have write-exec memory, I know it is bad
-# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913544
-# the Debian bug report has background about python-acme and python3-openssl
-allow certbot_t self:process execmem;
allow certbot_t certbot_tmp_t:file mmap_exec_file_perms;
allow certbot_t certbot_tmpfs_t:file mmap_exec_file_perms;
allow certbot_t certbot_runtime_t:file mmap_exec_file_perms;