author | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-20 12:06:33 -0500 |
---|---|---|
committer | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-20 12:06:33 -0500 |
commit | f29466033dd249f995797b177c944d16253409e5 (patch) | |
tree | 491d1e4cb5587fdb3fa93c6b5fc67c1f9688dfe7 /roles | |
parent | 8ed0e55d777c3fd019aade94a68e4aaf33aab7f6 (diff) | |
download | selfhosted-f29466033dd249f995797b177c944d16253409e5.tar.gz selfhosted-f29466033dd249f995797b177c944d16253409e5.zip |
selinux_policy: add docs
Diffstat (limited to 'roles')
-rw-r--r-- | roles/selinux_policy/README.md | 72 |
1 files changed, 72 insertions, 0 deletions
diff --git a/roles/selinux_policy/README.md b/roles/selinux_policy/README.md
new file mode 100644
index 0000000..2e0bf12
--- /dev/null
+++ b/roles/selinux_policy/README.md
@@ -0,0 +1,72 @@
+SELinux Policy
+==============
+
+Description
+-----------
+
+The `selinux_policy` role builds and installs a custom SELinux policy module.
+
+
+Variables
+---------
+
+This role **accepts** the following variables:
+
+Variable | Default | Description
+-------------------------|---------|------------
+`selinux_policy_name` | | Module name
+`selinux_policy_version` | `1.0` | Module version
+`selinux_policy_te` | | SELinux Type Enforcement policy content
+
+
+Usage
+-----
+
+Example task:
+
+````yaml
+- name: create SELinux policy for dovecot to access gssproxy
+ include_role:
+ name: selinux_policy
+ apply:
+ tags: selinux
+ vars:
+ selinux_policy_name: dovecot_gssproxy
+ selinux_policy_te: |
+ require {
+ type autofs_t;
+ type dovecot_t;
+ type dovecot_auth_t;
+ type dovecot_auth_exec_t;
+ type dovecot_deliver_exec_t;
+ type gssd_t;
+ type gssproxy_t;
+ type gssproxy_var_lib_t;
+ class dir search;
+ class sock_file write;
+ class unix_stream_socket connectto;
+ class process noatsecure;
+ class file { read execute open getattr execute_no_trans map };
+ class dir search;
+ class key { read write };
+ }
+
+ ### The following rules are needed for dovecot to access gssproxy:
+ #============= dovecot_auth_t ==============
+ allow dovecot_auth_t gssproxy_t:unix_stream_socket connectto;
+ allow dovecot_auth_t gssproxy_var_lib_t:dir search;
+ allow dovecot_auth_t gssproxy_var_lib_t:sock_file write;
+ allow dovecot_auth_t autofs_t:dir search;
+ allow dovecot_auth_t gssd_t:key { read write };
+
+ #============= dovecot_t ==============
+ allow dovecot_t dovecot_auth_t:process noatsecure;
+ allow dovecot_t dovecot_deliver_exec_t:file { read execute open getattr execute_no_trans };
+
+ #============= gssproxy_t ==============
+ allow gssproxy_t dovecot_auth_exec_t:file getattr;
+
+ ### The following rules are needed for the delivery process to exec quota warning scripts:
+ #============= dovecot_t ==============
+ allow dovecot_t dovecot_deliver_exec_t:file { read execute open getattr execute_no_trans map };
+```` |