Date: Wed, 30 May 2018 13:13:18 -0400
From: Konstantin Ryabitsev
To: Eric Wong
Cc: meta@public-inbox.org
Subject: Re: [PATCH] Contribute SELinux policy for EL7
Message-ID: <20180530171318.GA13730@chatter>
References: <20180524190306.GA23233@work> <20180530031524.GA28636@dcvr>
In-Reply-To: <20180530031524.GA28636@dcvr>

On Wed, May 30, 2018 at 03:15:24AM +0000, Eric Wong wrote:
>> - public-inbox-httpd and public-inbox-nntpd are running via systemd
>>   on sane ports (119 and 80/8080)
>> - /var/lib/public-inbox is the location for mainrepos
>> - /var/run/public-inbox is the location for PERL_INLINE_DIRECTORY
>> - /var/log/public-inbox is the location for logs
>> - mail delivery is done via postfix-pipe (if you're using
>>   public-inbox-watch, you shouldn't need to worry about this)
>
> So nothing is needed for public-inbox-watch at all?

I'd considered writing something for it, but decided to limit myself to what I can actually cover via personal experience. In addition, my assumption is that people who are most likely to be running public-inbox-watch are not going to be running it as a system-level daemon (since in that case they are more likely to set up public-inbox-mda), but as a regular user inside screen -- and therefore wouldn't benefit from SELinux anyway.

The priority was to cover network-listening daemons, since they are the most exposed and running them unconfined should be avoided on an SELinux system.

>> --- /dev/null
>> +++ b/contrib/selinux/el7/publicinbox.fc
>> @@ -0,0 +1,7 @@
>> +/usr/(local/)?bin/public-inbox-httpd -- gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
>> +/usr/(local/)?bin/public-inbox-nntpd -- gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
>> +/usr/(local/)?bin/public-inbox-mda -- gen_context(system_u:object_r:publicinbox_deliver_exec_t,s0)
>
> Is it possible to use "\" or similar to wrap long lines?
>
> (same comment applies to the .te file; I need to use a gigantic font)

I know what you mean, but I'm trying to stick with the upstream policy style, which doesn't use such an approach (e.g. see https://github.com/TresysTechnology/refpolicy/tree/master/policy/modules/system). Theoretically, m4 supports doing that, but if the ultimate goal is to include it into the upstream policy, then I feel we should stick to the formatting style used there.

>> +policy_module(publicinbox, 1.0.0)
>
> Is that 1.0.0 tied to public-inbox versions itself or
> independent of public-inbox versioning?

Fully independent.

>> +# Run on http/httpcache and innd ports
>
> innd?

Innd is the nntp daemon, and the 119/tcp port is labeled as innd_port_t, so just sticking with that nomenclature here.

I'll send a second patch iteration in the near future, as I've missed a thing or two in the current one.

-K
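Review bot: in the publicinbox.fc hunk only public-inbox-httpd, public-inbox-nntpd and public-inbox-mda receive a file context, so public-inbox-watch (and any other public-inbox-* binary) keeps whatever label the surrounding /usr/bin rules give it and runs in the domain of whoever invokes it. The reply above says that scope is intentional, so a one-line comment at the top of the file stating it (e.g. `# public-inbox-watch is deliberately left unlabeled; it is expected to run as an ordinary user`) would spare the next reader the same question. The `--` specifier correctly limits each entry to regular files, and the `(local/)?` alternative covers both install prefixes.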
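Review bot: the comment `+# Run on http/httpcache and innd ports` in the .te file reads as if an innd daemon were involved; since the reply explains that innd_port_t is simply the port type that labels 119/tcp, saying so in the comment (e.g. `# bind the http/httpcache ports and innd_port_t (119/tcp, NNTP)`) would keep the question from coming up again in upstream review. Similarly, a short comment beside `+policy_module(publicinbox, 1.0.0)` noting that the module version is independent of public-inbox's own release numbering would document what was only clarified in this thread.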
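To make the file-context lines in the patch concrete, here is an added Python example (written for this page, not part of the patch or of public-inbox) that parses `.fc` entries, expands the `gen_context()` macro the way an MLS/MCS policy build does, and resolves paths the way libselinux does: every regex is anchored at both ends, a file-type specifier such as `--` restricts the entry to that object class, and the last matching entry wins (the policy build sorts entries so that more specific patterns come later). The three public-inbox lines are the ones quoted above; the `/usr/bin(/.*)?` catch-all and its `sample_bin_t` type are constructed so that precedence between a generic and a specific entry is visible.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three entries quoted from the patch, preceded by a
# made-up catch-all for /usr/bin (sample_bin_t is not a real policy type).
SAMPLE_FC = """\
# generic entry for everything under /usr/bin (constructed for this example)
/usr/bin(/.*)?                      gen_context(system_u:object_r:sample_bin_t,s0)
/usr/(local/)?bin/public-inbox-httpd -- gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
/usr/(local/)?bin/public-inbox-nntpd -- gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
/usr/(local/)?bin/public-inbox-mda -- gen_context(system_u:object_r:publicinbox_deliver_exec_t,s0)
"""

# Optional file-type specifiers that may sit between the regex and the context.
FILE_TYPES = {
    "--": "regular", "-d": "directory", "-l": "symlink", "-c": "chardev",
    "-b": "blockdev", "-s": "socket", "-p": "fifo",
}

GEN_CONTEXT = re.compile(r"gen_context\(([^,]+),\s*([^)]+)\)")


@dataclass
class FcEntry:
    regex: re.Pattern          # anchored pattern compiled from the .fc line
    file_type: Optional[str]   # None means the entry applies to any object class
    context: str               # fully expanded user:role:type:level


def expand_gen_context(spec: str) -> str:
    """Expand gen_context(u:r:t, level) into u:r:t:level, as an MLS/MCS build does."""
    m = GEN_CONTEXT.fullmatch(spec.strip())
    if m is None:
        return spec.strip()    # already a raw context string, leave it alone
    return f"{m.group(1).strip()}:{m.group(2).strip()}"


def parse_fc(text: str) -> list[FcEntry]:
    """Parse file_contexts-style lines: <regex> [<type spec>] <context>."""
    entries: list[FcEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1] in FILE_TYPES:
            pattern, ftype, ctx = parts[0], FILE_TYPES[parts[1]], parts[2]
        else:
            pattern, ftype = parts[0], None
            ctx = line[len(parts[0]):].strip()
        # libselinux anchors every file_contexts regex at both ends.
        entries.append(FcEntry(re.compile("^" + pattern + "$"), ftype, expand_gen_context(ctx)))
    return entries


def match_path(entries: list[FcEntry], path: str, file_type: str = "regular") -> Optional[str]:
    """Return the context for path, or None if no entry matches.

    The last matching entry whose file-type specifier (if any) agrees with the
    object class wins, mirroring libselinux's lookup over a specificity-sorted file.
    """
    result: Optional[str] = None
    for entry in entries:
        if entry.regex.match(path) and (entry.file_type is None or entry.file_type == file_type):
            result = entry.context
    return result


ENTRIES = parse_fc(SAMPLE_FC)

if __name__ == "__main__":
    for p in ("/usr/bin/public-inbox-httpd", "/usr/local/bin/public-inbox-nntpd",
              "/usr/bin/public-inbox-mda", "/usr/bin/public-inbox-watch",
              "/usr/local/bin/public-inbox-watch"):
        print(f"{p:40s} -> {match_path(ENTRIES, p)}")
```

Running the block shows the point made in the thread: the httpd, nntpd and mda binaries resolve to their dedicated exec types under either prefix, while `public-inbox-watch` falls through to the generic `/usr/bin` entry (and to no entry at all under `/usr/local/bin`), so it would execute in the invoking user's domain rather than a confined one. Passing `file_type="directory"` for one of the daemon paths also shows why the `--` specifier matters: the specific entry no longer applies and the generic one is used instead.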