From f29466033dd249f995797b177c944d16253409e5 Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Mon, 20 Feb 2023 12:06:33 -0500
Subject: selinux_policy: add docs

---
 roles/selinux_policy/README.md | 72 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 roles/selinux_policy/README.md
(limited to 'roles')

diff --git a/roles/selinux_policy/README.md b/roles/selinux_policy/README.md
new file mode 100644
index 0000000..2e0bf12
--- /dev/null
+++ b/roles/selinux_policy/README.md
@@ -0,0 +1,72 @@
+SELinux Policy
+==============
+
+Description
+-----------
+
+The `selinux_policy` role builds and installs a custom SELinux policy module.
+
+
+Variables
+---------
+
+This role **accepts** the following variables:
+
+Variable | Default | Description
+-------------------------|---------|------------
+`selinux_policy_name` |   | Module name
+`selinux_policy_version` | `1.0` | Module version
+`selinux_policy_te` |   | SELinux Type Enforcement policy content
+
+
+Usage
+-----
+
+Example task:
+
+````yaml
+- name: create SELinux policy for dovecot to access gssproxy
+ include_role:
+ name: selinux_policy
+ apply:
+ tags: selinux
+ vars:
+ selinux_policy_name: dovecot_gssproxy
+ selinux_policy_te: |
+ require {
+ type autofs_t;
+ type dovecot_t;
+ type dovecot_auth_t;
+ type dovecot_auth_exec_t;
+ type dovecot_deliver_exec_t;
+ type gssd_t;
+ type gssproxy_t;
+ type gssproxy_var_lib_t;
+ class dir search;
+ class sock_file write;
+ class unix_stream_socket connectto;
+ class process noatsecure;
+ class file { read execute open getattr execute_no_trans map };
+ class dir search;
+ class key { read write };
+ }
+
+ ### The following rules are needed for dovecot to access gssproxy:
+ #============= dovecot_auth_t ==============
+ allow dovecot_auth_t gssproxy_t:unix_stream_socket connectto;
+ allow dovecot_auth_t gssproxy_var_lib_t:dir search;
+ allow dovecot_auth_t gssproxy_var_lib_t:sock_file write;
+ allow dovecot_auth_t autofs_t:dir search;
+ allow dovecot_auth_t gssd_t:key { read write };
+
+ #============= dovecot_t ==============
+ allow dovecot_t dovecot_auth_t:process noatsecure;
+ allow dovecot_t dovecot_deliver_exec_t:file { read execute open getattr execute_no_trans };
+
+ #============= gssproxy_t ==============
+ allow gssproxy_t dovecot_auth_exec_t:file getattr;
+
+ ### The following rules are needed for the delivery process to exec quota warning scripts:
+ #============= dovecot_t ==============
+ allow dovecot_t dovecot_deliver_exec_t:file { read execute open getattr execute_no_trans map };
+````
-- cgit