On Wed, May 30, 2018 at 03:15:24AM +0000, Eric Wong wrote:
- public-inbox-httpd and public-inbox-nntpd are running via systemd
on sane ports (119 and 80/8080)
- /var/lib/public-inbox is the location for mainrepos
- /var/run/public-inbox is the location for PERL_INLINE_DIRECTORY
- /var/log/public-inbox is the location for logs
- mail delivery is done via postfix-pipe (if you're using
public-inbox-watch, you shouldn't need to worry about this)
So nothing is needed for public-inbox-watch at all?
I'd considered writing something for it, but decided to limit myself to
what I can actually cover via personal experience. In addition, my
assumption is that people who are most likely to be running
public-inbox-watch are not going to be running it as a system-level
daemon (since in that case they are more likely to set up
public-inbox-mda), but as a regular user inside screen -- and therefore
wouldn't benefit from SELinux anyway.
The priority was to cover network-listening daemons, since they are the
most exposed and running them unconfined should be avoided on an SELinux
system.
--- /dev/null
+++ b/contrib/selinux/el7/publicinbox.fc
@@ -0,0 +1,7 @@
+/usr/(local/)?bin/public-inbox-httpd --
gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
+/usr/(local/)?bin/public-inbox-nntpd --
gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
+/usr/(local/)?bin/public-inbox-mda --
gen_context(system_u:object_r:publicinbox_deliver_exec_t,s0)
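Review bot: none of the three visible entries labels the /var/lib/public-inbox, /var/run/public-inbox and /var/log/public-inbox paths that the summary at the top of the message lists, and the hunk header counts seven added lines while only three are quoted; if the unquoted lines don't cover those directories, the daemons will be confined but their mainrepos, PERL_INLINE_DIRECTORY and logs keep the generic var_lib_t/var_run_t/var_log_t labels, which forces much broader .te rules than a dedicated type would. Also, as quoted, the `gen_context(...)` part of each entry has wrapped onto its own line; setfiles reads one regex and context per line, so each entry has to stay on a single line in the committed .fc file.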
Is it possible to use "\" or similar to wrap long lines?
(the same comment applies to the .te file; I need to use a gigantic font)
I know what you mean, but I'm trying to stick with the upstream policy
style, which doesn't use such an approach (e.g. see
https://github.com/TresysTechnology/refpolicy/tree/master/policy/modules/system).
Theoretically, m4 supports doing that, but if the ultimate goal is to
include it into the upstream policy, then I feel we should stick to the
formatting style used there.
+policy_module(publicinbox, 1.0.0)
Is that 1.0.0 tied to public-inbox versions itself or
independent of public-inbox versioning?
Fully independent.
+# Run on http/httpcache and innd ports
innd?
Innd is the nntp daemon, and the 119/tcp port is labeled as innd_port_t,
so just sticking with that nomenclature here.
I'll send a second patch iteration in the near future, as I've missed a
thing or two in the current one.
-K
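As an added illustration of how the .fc entries above pair with a .te file (this is not Konstantin's patch and not upstream refpolicy), a minimal module that confines the two network daemons and grants exactly the ports named in the quoted comment. Only publicinbox_daemon_exec_t comes from the hunk; publicinbox_daemon_t, publicinbox_var_lib_t and publicinbox_log_t are assumed names.

```selinux
policy_module(publicinbox_example, 0.0.1)

########################################
# Declarations
#
# Domain for public-inbox-httpd / public-inbox-nntpd. The *_exec_t type
# matches the .fc hunk; publicinbox_daemon_t is an assumed domain name.
type publicinbox_daemon_t;
type publicinbox_daemon_exec_t;
init_daemon_domain(publicinbox_daemon_t, publicinbox_daemon_exec_t)

# Assumed types for /var/lib/public-inbox and /var/log/public-inbox;
# they need matching .fc lines, which the quoted hunk does not show.
type publicinbox_var_lib_t;
files_type(publicinbox_var_lib_t)

type publicinbox_log_t;
logging_log_file(publicinbox_log_t)

########################################
# Daemon local policy
#
allow publicinbox_daemon_t self:tcp_socket create_stream_socket_perms;

# mainrepos under /var/lib/public-inbox
manage_dirs_pattern(publicinbox_daemon_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
manage_files_pattern(publicinbox_daemon_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
files_var_lib_filetrans(publicinbox_daemon_t, publicinbox_var_lib_t, dir)

# logs under /var/log/public-inbox
manage_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
logging_log_filetrans(publicinbox_daemon_t, publicinbox_log_t, { dir file })

# Listen only on the ports from the summary: 80 is http_port_t, 8080 is
# http_cache_port_t, and 119 is innd_port_t in refpolicy, which is why the
# patch comment says "innd" rather than "nntp". Nothing else is bindable.
corenet_tcp_bind_generic_node(publicinbox_daemon_t)
corenet_tcp_bind_http_port(publicinbox_daemon_t)
corenet_tcp_bind_http_cache_port(publicinbox_daemon_t)
corenet_tcp_bind_innd_port(publicinbox_daemon_t)

files_read_etc_files(publicinbox_daemon_t)
logging_send_syslog_msg(publicinbox_daemon_t)
miscfiles_read_localization(publicinbox_daemon_t)
```

With selinux-policy-devel installed on EL7, `make -f /usr/share/selinux/devel/Makefile publicinbox_example.pp` builds it together with a matching .fc, and a denied bind on any other port shows up in the audit log rather than succeeding.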