Konstantin Ryabitsev <konstan...@linuxfoundation.org> wrote:
> This adds a SELinux policy suitable for RHEL/CentOS 7. It assumes the
> following:

I'm not familiar with SELinux myself, but I'm inclined to accept
a version of this if it helps people who use it.

Some questions, below...

> - public-inbox-httpd and public-inbox-nntpd are running via systemd
>   on sane ports (119 and 80/8080)
> - /var/lib/public-inbox is the location for mainrepos
> - /var/run/public-inbox is the location for PERL_INLINE_DIRECTORY
> - /var/log/public-inbox is the location for logs
> - mail delivery is done via postfix-pipe (if you're using
>   public-inbox-watch, you shouldn't need to worry about this)

So nothing is needed for public-inbox-watch at all?

> --- /dev/null
> +++ b/contrib/selinux/el7/publicinbox.fc
> @@ -0,0 +1,7 @@
> +/usr/(local/)?bin/public-inbox-httpd --
> gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
> +/usr/(local/)?bin/public-inbox-nntpd --
> gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
> +/usr/(local/)?bin/public-inbox-mda --
> gen_context(system_u:object_r:publicinbox_deliver_exec_t,s0)

Is it possible to use "\" or similar to wrap long lines?
(same comment applies to the .te file; I need to use a gigantic font)

<snip>

> --- /dev/null
> +++ b/contrib/selinux/el7/publicinbox.te
> @@ -0,0 +1,101 @@
> +##################
> +# This policy allows running public-inbox-httpd and public-inbox-nntpd
> +# on reasonable ports (119 for nntpd and 80/443/8080 for httpd)
> +#
> +# It also allows delivering mail via postfix-pipe to public-inbox-mda
> +#
> +# Author: Konstantin Ryabitsev <konstan...@linuxfoundation.org>
> +#
> +policy_module(publicinbox, 1.0.0)

Is that 1.0.0 tied to public-inbox versions itself or independent
of public-inbox versioning?

> +# Need to be able to manage and exec runtime files for inline::c

correct capitalization should be: "Inline::C"

<snip>

> +# Run on http/httpcache and innd ports

innd?

--
unsubscribe: meta+unsubscr...@public-inbox.org
archive: https://public-inbox.org/meta/
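Review bot: in the publicinbox.fc hunk, public-inbox-httpd and public-inbox-nntpd are both labelled publicinbox_daemon_exec_t, so the two daemons will transition into one shared domain and carry one union of permissions; together with the .te header ("119 for nntpd and 80/443/8080 for httpd") that means nntpd can bind the HTTP ports and httpd can bind 119. If least privilege is the goal, consider a separate exec type and domain per daemon (for example a publicinbox_httpd_exec_t / publicinbox_nntpd_exec_t pair) and grant each only its own port type. Also, the hunk header advertises seven lines but only the three binaries are quoted, so it is not visible here whether /var/lib/public-inbox, /var/run/public-inbox and /var/log/public-inbox from the cover text get their own file contexts; if they do not, the policy should say which generic labels the daemons are expected to read and write.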
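Review bot: the publicinbox.te header says "80/443/8080 for httpd" while the cover text says "80/8080"; the two should agree, and 443 deserves a word on whether public-inbox-httpd is expected to terminate TLS itself. The comment "# Run on http/httpcache and innd ports" reads as a puzzle to anyone not steeped in the reference policy (hence the "innd?" reply); it should spell out that these are the port types rather than the daemons, e.g. "# 119/tcp is innd_port_t, 80/443 are http_port_t and 8080 is http_cache_port_t in the RHEL 7 targeted policy". The "inline::c" comment should read "Inline::C", and it would help to state next to policy_module(publicinbox, 1.0.0) that the module version is independent of the public-inbox release.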
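One way to check, before loading the module, which binaries the quoted file-context regexes actually cover (the reply asks whether public-inbox-watch needs anything): the following is an added example, not code from the patch or from public-inbox, that parses file_contexts-style lines and answers "which context would libselinux assign to this path?". It is seeded with the three entries visible in the hunk, rejoined onto one line each as they would appear in the .fc file; it assumes libselinux's matching rules (the regex must match the whole path, the optional second field restricts the inode type, and the last matching entry wins) and that gen_context(u:r:t,s0) expands to u:r:t:s0 as on the MCS policy of RHEL 7.

```python
import re
from typing import NamedTuple, Optional

# Constructed input: the three entries quoted from the publicinbox.fc hunk,
# joined back onto one line each as they would appear in the .fc file.
# The hunk's other four lines are not visible in the mail, so only these
# three are modelled here.
FC_SAMPLE = """\
# file_contexts for public-inbox (entries copied from the quoted hunk)
/usr/(local/)?bin/public-inbox-httpd -- gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
/usr/(local/)?bin/public-inbox-nntpd -- gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
/usr/(local/)?bin/public-inbox-mda -- gen_context(system_u:object_r:publicinbox_deliver_exec_t,s0)
"""

# Optional second field of a file_contexts entry: restricts it to one inode type.
FILE_TYPES = {"--": "reg", "-d": "dir", "-l": "lnk", "-s": "sock",
              "-p": "fifo", "-c": "chr", "-b": "blk"}

# m4 macro used by refpolicy-style .fc files; expands to user:role:type:mls
_GEN_CONTEXT = re.compile(r"gen_context\(([^,()]+),([^()]+)\)")


class FcEntry(NamedTuple):
    regex: "re.Pattern[str]"
    ftype: Optional[str]  # None = applies to every inode type
    context: str          # e.g. system_u:object_r:publicinbox_daemon_exec_t:s0


def parse_fc(text: str) -> list:
    """Parse file_contexts text into FcEntry records, in file order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, ftype_field, ctx = fields
            if ftype_field not in FILE_TYPES:
                raise ValueError(f"line {lineno}: unknown file type {ftype_field!r}")
            ftype = FILE_TYPES[ftype_field]
        elif len(fields) == 2:
            pattern, ctx = fields
            ftype = None
        else:
            raise ValueError(f"line {lineno}: expected 2 or 3 fields, got {len(fields)}")
        m = _GEN_CONTEXT.fullmatch(ctx)
        if m:                                  # gen_context(u:r:t,s0) -> u:r:t:s0
            ctx = f"{m.group(1)}:{m.group(2)}"
        entries.append(FcEntry(re.compile(pattern), ftype, ctx))
    return entries


def match_context(entries, path: str, ftype: str = "reg") -> Optional[str]:
    """Return the context libselinux would assign to `path` (an inode of kind
    `ftype`), or None if no entry matches.  Two libselinux rules are mirrored:
    the regex must match the whole path, and the last matching entry wins."""
    for e in reversed(entries):
        if e.ftype is not None and e.ftype != ftype:
            continue
        if e.regex.fullmatch(path):
            return e.context
    return None


def label_report(entries, paths) -> dict:
    """Map each path to its matched context (None = not covered by this .fc)."""
    return {p: match_context(entries, p) for p in paths}


if __name__ == "__main__":
    fc = parse_fc(FC_SAMPLE)
    # public-inbox-watch is the binary the reply asks about; it is not covered
    # by any of the three visible entries, so it would keep the default label.
    for path, ctx in label_report(fc, [
            "/usr/bin/public-inbox-httpd",
            "/usr/local/bin/public-inbox-mda",
            "/usr/bin/public-inbox-watch"]).items():
        print(f"{path:35} -> {ctx}")
```

On a real RHEL 7 host the authoritative check is `matchpathcon /usr/bin/public-inbox-watch` after `semodule -i` has loaded the module; the script above only lets you read the regexes against a list of paths without touching the system policy.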