From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from localhost (dcvr.yhbt.net [127.0.0.1]) by dcvr.yhbt.net (Postfix) with ESMTP id C5A5C1F42D; Wed, 30 May 2018 03:15:24 +0000 (UTC)
Date: Wed, 30 May 2018 03:15:24 +0000
From: Eric Wong
To: Konstantin Ryabitsev
Cc: meta@public-inbox.org
Subject: Re: [PATCH] Contribute SELinux policy for EL7
Message-ID: <20180530031524.GA28636@dcvr>
References: <20180524190306.GA23233@work>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180524190306.GA23233@work>

Konstantin Ryabitsev wrote:
> This adds a SELinux policy suitable for RHEL/CentOS 7. It assumes the
> following:

I'm not familiar with SELinux myself, but I'm inclined to accept a
version of this if it helps people who use it. Some questions, below...

> - public-inbox-httpd and public-inbox-nntpd are running via systemd
>   on sane ports (119 and 80/8080)
> - /var/lib/public-inbox is the location for mainrepos
> - /var/run/public-inbox is the location for PERL_INLINE_DIRECTORY
> - /var/log/public-inbox is the location for logs
> - mail delivery is done via postfix-pipe (if you're using
>   public-inbox-watch, you shouldn't need to worry about this)

So nothing is needed for public-inbox-watch at all?

> --- /dev/null
> +++ b/contrib/selinux/el7/publicinbox.fc
> @@ -0,0 +1,7 @@
> +/usr/(local/)?bin/public-inbox-httpd -- gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
> +/usr/(local/)?bin/public-inbox-nntpd -- gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
> +/usr/(local/)?bin/public-inbox-mda -- gen_context(system_u:object_r:publicinbox_deliver_exec_t,s0)

Is it possible to use "\" or similar to wrap long lines?
(same comment applies to the .te file; I need to use a gigantic font)

> --- /dev/null
> +++ b/contrib/selinux/el7/publicinbox.te
> @@ -0,0 +1,101 @@
> +##################
> +# This policy allows running public-inbox-httpd and public-inbox-nntpd
> +# on reasonable ports (119 for nntpd and 80/443/8080 for httpd)
> +#
> +# It also allows delivering mail via postfix-pipe to public-inbox-mda
> +#
> +# Author: Konstantin Ryabitsev
> +#
> +policy_module(publicinbox, 1.0.0)

Is that 1.0.0 tied to public-inbox versions itself or independent of
public-inbox versioning?

> +# Need to be able to manage and exec runtime files for inline::c

correct capitalization should be: "Inline::C"

> +# Run on http/httpcache and innd ports

innd?
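Review bot: of the seven lines the publicinbox.fc hunk adds, only the three executable entries are quoted, while the patch description depends on /var/lib/public-inbox, /var/run/public-inbox and /var/log/public-inbox sitting at fixed locations; the file context entries for those directories, and the type each gets, should be shown and named in the header comment, because a directory no entry covers keeps the generic /var label and the Inline::C runtime files the .te comment says must be managed and executed under /var/run/public-inbox would then not carry the type the rules expect. The three quoted patterns themselves are sound: file_contexts regexes are anchored at both ends, so `/usr/(local/)?bin/public-inbox-mda` covers exactly /usr/bin and /usr/local/bin and nothing with a suffix.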
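Review bot: in the publicinbox.te hunk the comment `+# Run on http/httpcache and innd ports` should spell out the port types it means (http_port_t, http_cache_port_t and innd_port_t; innd_port_t is the reference policy's label for 119/tcp, which is why an NNTP daemon binds an "innd" port), and the header comment lists `80/443/8080 for httpd` while the cover text says 80/8080: make the two agree so a reader knows whether binding 443 is intended. Stating in the header what the 1.0.0 in `policy_module(publicinbox, 1.0.0)` tracks would also settle the version question.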
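As an added check, not part of Konstantin's patch or of public-inbox: a small POSIX shell lookup that resolves a path against the three quoted publicinbox.fc entries the way a file_contexts lookup does (anchored regex, file type field honoured, last match wins), with gen_context() expanded by hand to the plain MCS context it produces; the `system_u:object_r:TYPE:s0` form and the `fc_lookup` name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the patch or public-inbox: emulate a file_contexts
# lookup over the three quoted publicinbox.fc entries so the label a path
# will get can be checked before the module is built and loaded.
# Assumption: gen_context(system_u:object_r:T,s0) expands to the plain
# MCS context system_u:object_r:T:s0, as it does on an EL7 targeted policy.

# Constructed from the quoted hunk: "<regex> <file type> <context>".
FC_ENTRIES='/usr/(local/)?bin/public-inbox-httpd -- system_u:object_r:publicinbox_daemon_exec_t:s0
/usr/(local/)?bin/public-inbox-nntpd -- system_u:object_r:publicinbox_daemon_exec_t:s0
/usr/(local/)?bin/public-inbox-mda -- system_u:object_r:publicinbox_deliver_exec_t:s0'

# fc_lookup PATH [FTYPE]: print the type the entries assign to PATH, or
# "unlabeled" if nothing matches. FTYPE is the file_contexts type field
# ("--" regular file, "-d" directory, ...) and defaults to "--".
# Like setfiles, the regex is anchored at both ends and the last matching
# entry wins, so "/usr/bin/public-inbox-httpd.bak" stays unlabeled.
fc_lookup() {
    target=$1
    want=${2:-"--"}
    result=unlabeled
    while read -r regex ftype context; do
        [ -n "$regex" ] || continue
        [ "$ftype" = "$want" ] || continue
        if printf '%s\n' "$target" | grep -Eq "^${regex}\$"; then
            # third colon-separated field of user:role:type:level
            result=$(printf '%s\n' "$context" | cut -d: -f3)
        fi
    done <<EOF
$FC_ENTRIES
EOF
    printf '%s\n' "$result"
}

# Show the three binaries and one near-miss when run directly.
for p in /usr/bin/public-inbox-httpd /usr/local/bin/public-inbox-nntpd \
         /usr/local/bin/public-inbox-mda /usr/bin/public-inbox-httpd.bak; do
    printf '%-40s %s\n' "$p" "$(fc_lookup "$p")"
done
```

On a host where the module is actually installed, `matchpathcon -n /usr/bin/public-inbox-httpd` gives the authoritative answer from the compiled file_contexts.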