SELinux Policy
==============

Description
-----------

The `selinux_policy` role builds and installs a custom SELinux policy module.


Variables
---------

This role **accepts** the following variables:

Variable                 | Default | Description
-------------------------|---------|------------
`selinux_policy_name`    |    | Module name
`selinux_policy_version` | `1.0`   | Module version
`selinux_policy_te`      |    | SELinux Type Enforcement policy content


Usage
-----

Example task:

````yaml
# Example: build and install a module named `dovecot_gssproxy` from the inline
# Type Enforcement source in `selinux_policy_te`. `selinux_policy_version` is
# not set here, so the role's default (`1.0`) applies.
# `apply: tags: selinux` tags the included role's tasks so a run can be
# limited to (or skip) them with `--tags`/`--skip-tags`.
- name: create SELinux policy for dovecot to access gssproxy
  include_role:
    name: selinux_policy
    apply:
      tags: selinux
  vars:
    selinux_policy_name: dovecot_gssproxy
    # The text below becomes loaded policy on the target, so keep it to the
    # rules that are actually needed.
    # NOTE(review): `dovecot_t dovecot_auth_t:process noatsecure` disables the
    # secure-exec environment cleansing on that domain transition; confirm it
    # is really required before installing it.
    # `class dir search;` is listed twice in the require block (the second is
    # redundant), and the first `dovecot_t dovecot_deliver_exec_t:file` rule is
    # subsumed by the final one, which grants the same permissions plus `map`.
    selinux_policy_te: |
      require {
        type autofs_t;
        type dovecot_t;
        type dovecot_auth_t;
        type dovecot_auth_exec_t;
        type dovecot_deliver_exec_t;
        type gssd_t;
        type gssproxy_t;
        type gssproxy_var_lib_t;
        class dir search;
        class sock_file write;
        class unix_stream_socket connectto;
        class process noatsecure;
        class file { read execute open getattr execute_no_trans map };
        class dir search;
        class key { read write };
      }

      ### The following rules are needed for dovecot to access gssproxy:
      #============= dovecot_auth_t ==============
      allow dovecot_auth_t gssproxy_t:unix_stream_socket connectto;
      allow dovecot_auth_t gssproxy_var_lib_t:dir search;
      allow dovecot_auth_t gssproxy_var_lib_t:sock_file write;
      allow dovecot_auth_t autofs_t:dir search;
      allow dovecot_auth_t gssd_t:key { read write };

      #============= dovecot_t ==============
      allow dovecot_t dovecot_auth_t:process noatsecure;
      allow dovecot_t dovecot_deliver_exec_t:file { read execute open getattr execute_no_trans };

      #============= gssproxy_t ==============
      allow gssproxy_t dovecot_auth_exec_t:file getattr;

      ### The following rules are needed for the delivery process to exec quota warning scripts:
      #============= dovecot_t ==============
      allow dovecot_t dovecot_deliver_exec_t:file { read execute open getattr execute_no_trans map };
````