
D11035.id26496.diff


diff --git a/resources/selinux/.gitignore b/resources/selinux/.gitignore
new file mode 100644
--- /dev/null
+++ b/resources/selinux/.gitignore
@@ -0,0 +1,2 @@
+tmp/
+*.pp
diff --git a/resources/selinux/README b/resources/selinux/README
new file mode 100644
--- /dev/null
+++ b/resources/selinux/README
@@ -0,0 +1,27 @@
+There are systems with selinux alwasys-on policy - really!
+
+So phabricator needs a selinux policy.
+
+Default paths for file contexts:
+/opt/phacility/{libphutil,arcanist,phabricator}
+
+Compile SELinux modules
+
+make -f /usr/share/selinux/devel/Makefile libphutil.pp
+make -f /usr/share/selinux/devel/Makefile arcanist.pp
+make -f /usr/share/selinux/devel/Makefile phabricator.pp
+
+
+Enable SELinux modules
+
+semodule -i libphutil.pp
+semodule -i arcanist.pp
+semodule -i phabricator.pp
+
+
+Relabel phabricator files:
+
+restorecon -R /opt/phacility
+
+# if you use the https://github.com/vinzent/phabricator/tree/master/resources/rhel rpm:
+restorecon -R /etc/init.d/phabricator
diff --git a/resources/selinux/arcanist.fc b/resources/selinux/arcanist.fc
new file mode 100644
--- /dev/null
+++ b/resources/selinux/arcanist.fc
@@ -0,0 +1,2 @@
+/opt/phacility/arcanist(/.*)? gen_context(system_u:object_r:arcanist_t,s0)
+/opt/phacility/arcanist/bin/.* -- gen_context(system_u:object_r:arcanist_exec_t,s0)
diff --git a/resources/selinux/arcanist.if b/resources/selinux/arcanist.if
new file mode 100644
--- /dev/null
+++ b/resources/selinux/arcanist.if
@@ -0,0 +1,35 @@
+## <summary>arcanist policy</summary>
+## <desc>
+## <p>
+## More descriptive text about myapp. The desc
+## tag can also use p, ul, and ol
+## html tags for formatting.
+## </p>
+## <p>
+## This policy supports the following myapp features:
+## <ul>
+## <li>Feature A</li>
+## <li>Feature B</li>
+## <li>Feature C</li>
+## </ul>
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Execute a domain transition to run arcanist.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`arcanist_domtrans',`
+ gen_requires(`
+ type arcanist_t, arcanist_exec_t;
+ ')
+
+ domtrans_pattern($1,arcanist_exec_t,arcanist_t)
+')
+
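Review bot: `gen_requires(` on the `gen_requires(` line inside `arcanist_domtrans` is not a refpolicy macro; the support macro is `gen_require(`, and because m4 passes an unknown name through unexpanded the breakage only shows up once some .te actually calls `arcanist_domtrans(...)`, which none of the modules in this diff do yet. The same typo is in phabricator.if (`phabricator_domtrans`), so both should read `gen_require(`. The `<desc>` block is still the policy template verbatim ("More descriptive text about myapp", "Feature A/B/C"); the same placeholder text is in libphutil.if and phabricator.if, and each should be replaced by a one-paragraph description of what the module confines (here, the arcanist tree under /opt/phacility and the `arcanist_domtrans` interface), or dropped if there is nothing to say.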
diff --git a/resources/selinux/arcanist.te b/resources/selinux/arcanist.te
new file mode 100644
--- /dev/null
+++ b/resources/selinux/arcanist.te
@@ -0,0 +1,24 @@
+policy_module(arcanist,0.3)
+
+gen_require(`
+ type libphutil_t;
+ type unconfined_t;
+')
+
+
+# Private type declarations
+type arcanist_t;
+type arcanist_exec_t;
+
+type arcanist_etc_t;
+files_config_file(arcanist_etc_t)
+
+type arcanist_log_t;
+logging_log_file(arcanist_log_t)
+
+# ----
+
+# access libphutil
+read_files_pattern(arcanist_t,libphutil_t,libphutil_t)
+
+can_exec(unconfined_t, arcanist_t)
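Review bot: `arcanist_t` is used both as a file type (arcanist.fc labels the whole tree with it, and `can_exec(unconfined_t, arcanist_t)` treats it as an executable file type) and as a process domain (`read_files_pattern(arcanist_t, ...)` uses it as the subject, and `domtrans_pattern` in arcanist.if needs it to be a domain entered via `arcanist_exec_t`), yet it is declared as a bare `type arcanist_t;` with neither `files_type(arcanist_t)` nor `application_domain(arcanist_t, arcanist_exec_t)`. The conventional split is one file type for the tree (e.g. `files_type(arcanist_t)`) and a separate domain declared with `application_domain(...)`, so the domain transition and the attribute-based rules each apply to the right objects. `arcanist_etc_t` and `arcanist_log_t` are declared but have no file-context entry in arcanist.fc and no rule referencing them, so they label nothing. The top-level `gen_require` of `unconfined_t` makes this module fail to load on a system without the unconfined module; if the `can_exec` line is kept it should be wrapped in `optional_policy(`...')`, though unconfined_t presumably already has that access and the line may simply be unnecessary.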
diff --git a/resources/selinux/libphutil.fc b/resources/selinux/libphutil.fc
new file mode 100644
--- /dev/null
+++ b/resources/selinux/libphutil.fc
@@ -0,0 +1 @@
+/opt/phacility/libphutil(/.*)? gen_context(system_u:object_r:libphutil_t,s0)
diff --git a/resources/selinux/libphutil.if b/resources/selinux/libphutil.if
new file mode 100644
--- /dev/null
+++ b/resources/selinux/libphutil.if
@@ -0,0 +1,17 @@
+## <summary>libphutil policy</summary>
+## <desc>
+## <p>
+## More descriptive text about myapp. The desc
+## tag can also use p, ul, and ol
+## html tags for formatting.
+## </p>
+## <p>
+## This policy supports the following myapp features:
+## <ul>
+## <li>Feature A</li>
+## <li>Feature B</li>
+## <li>Feature C</li>
+## </ul>
+## </p>
+## </desc>
+
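Review bot: libphutil.if exposes no interface, so arcanist.te and phabricator.te reach into this module with a raw `gen_require(` type libphutil_t; ')` and write their own `read_files_pattern` rules against it; refpolicy convention is for the owning module to publish a `libphutil_read_files(domain)` interface and for consumers to call that, which keeps the type private and lets the access be widened in one place. The interface would also give httpd_t the directory listing that phabricator.te currently adds with a separate `allow httpd_t libphutil_t:dir read;`. The template `<desc>` text in this file should be replaced by a real description as well.

```selinux
# … unchanged: module <summary>/<desc> header …

########################################
## <summary>
##	Read libphutil library files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libphutil_read_files',`
	gen_require(`
		type libphutil_t;
	')

	read_files_pattern($1, libphutil_t, libphutil_t)
	list_dirs_pattern($1, libphutil_t, libphutil_t)
')
```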
diff --git a/resources/selinux/libphutil.te b/resources/selinux/libphutil.te
new file mode 100644
--- /dev/null
+++ b/resources/selinux/libphutil.te
@@ -0,0 +1,7 @@
+policy_module(libphutil,0.1)
+
+# Private type declarations
+type libphutil_t;
+
+# ----
+
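Review bot: `type libphutil_t;` is declared without `files_type(libphutil_t)` even though libphutil.fc labels the whole /opt/phacility/libphutil tree with it. Without the `file_type` attribute the type is invisible to attribute-based interfaces (for example the ones the relabeling tooling domains use to relabel or the generic "read non-security files" grants), so only the explicit rules in arcanist.te and phabricator.te ever reach these files. Adding `files_type(libphutil_t)` after the declaration is the usual fix.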
diff --git a/resources/selinux/phabricator.fc b/resources/selinux/phabricator.fc
new file mode 100644
--- /dev/null
+++ b/resources/selinux/phabricator.fc
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/phabricator gen_context(system_u:object_r:phabricator_initrc_exec_t,s0)
+/opt/phacility/phabricator(/.*)? gen_context(system_u:object_r:phabricator_t,s0)
+/opt/phacility/phabricator/bin/.* gen_context(system_u:object_r:phabricator_exec_t,s0)
+/opt/phacility/phabricator/conf/local(/.*)? gen_context(system_u:object_r:phabricator_etc_t,s0)
+/var/lib/phabricator(/.*)? gen_context(system_u:object_r:phabricator_var_lib_t,s0)
+/var/log/phabricator(/.*)? gen_context(system_u:object_r:phabricator_log_t,s0)
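Review bot: `/opt/phacility/phabricator/bin/.*` labels everything under bin/, including any subdirectory, as `phabricator_exec_t`, whereas arcanist.fc restricts its equivalent line to regular files with `--`; the two should agree, i.e. `/opt/phacility/phabricator/bin/.* -- gen_context(system_u:object_r:phabricator_exec_t,s0)`. Only `/etc/rc\.d/init\.d/phabricator` is listed for the init script, while the README tells the user to run `restorecon -R /etc/init.d/phabricator`; whether that path resolves to this spec depends on how /etc/init.d is provided on the target system, so worth confirming or adding a second entry for `/etc/init\.d/phabricator`.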
diff --git a/resources/selinux/phabricator.if b/resources/selinux/phabricator.if
new file mode 100644
--- /dev/null
+++ b/resources/selinux/phabricator.if
@@ -0,0 +1,35 @@
+## <summary>Phabricator policy</summary>
+## <desc>
+## <p>
+## More descriptive text about myapp. The desc
+## tag can also use p, ul, and ol
+## html tags for formatting.
+## </p>
+## <p>
+## This policy supports the following myapp features:
+## <ul>
+## <li>Feature A</li>
+## <li>Feature B</li>
+## <li>Feature C</li>
+## </ul>
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Execute a domain transition to run phabricator.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`phabricator_domtrans',`
+ gen_requires(`
+ type phabricator_t, phabricator_exec_t;
+ ')
+
+ domtrans_pattern($1,phabricator_exec_t,phabricator_t)
+')
+
diff --git a/resources/selinux/phabricator.te b/resources/selinux/phabricator.te
new file mode 100644
--- /dev/null
+++ b/resources/selinux/phabricator.te
@@ -0,0 +1,63 @@
+policy_module(phabricator,0.9)
+
+gen_require(`
+ type libphutil_t;
+ type arcanist_t;
+ type httpd_t;
+')
+
+
+# Private type declarations
+type phabricator_t;
+type phabricator_exec_t;
+
+type phabricator_etc_t;
+files_config_file(phabricator_etc_t)
+
+type phabricator_initrc_exec_t;
+
+type phabricator_log_t;
+logging_log_file(phabricator_log_t)
+
+type phabricator_tmp_t;
+files_tmp_file(phabricator_tmp_t)
+
+type phabricator_var_lib_t;
+files_type(phabricator_var_lib_t)
+
+type phabricator_var_run_t;
+files_pid_file(phabricator_var_run_t)
+
+# ----
+
+# Init scripts
+init_daemon_domain(phabricator_t, phabricator_exec_t)
+init_script_file(phabricator_initrc_exec_t)
+init_all_labeled_script_domtrans(phabricator_t)
+init_domtrans_script(phabricator_t)
+init_read_utmp(phabricator_t)
+init_signull_script(phabricator_t)
+
+
+# access libphutil
+read_files_pattern(phabricator_t,libphutil_t,libphutil_t)
+
+# read configs
+read_files_pattern(phabricator_t,phabricator_etc_t,phabricator_etc_t)
+
+# create/read logfiles
+create_files_pattern(phabricator_t,phabricator_log_t,phabricator_log_t)
+append_files_pattern(phabricator_t,phabricator_log_t,phabricator_log_t)
+read_files_pattern(phabricator_t,phabricator_log_t,phabricator_log_t)
+logging_log_filetrans(phabricator_t,phabricator_log_t, { file dir })
+
+# allow httpd
+read_files_pattern(httpd_t,arcanist_t,arcanist_t)
+read_files_pattern(httpd_t,libphutil_t,libphutil_t)
+read_files_pattern(httpd_t,phabricator_t,phabricator_t)
+read_files_pattern(httpd_t,phabricator_var_lib_t,phabricator_var_lib_t)
+allow httpd_t arcanist_t:dir read;
+allow httpd_t libphutil_t:dir read;
+allow httpd_t phabricator_t:dir read;
+allow httpd_t phabricator_var_lib_t:dir read;
+
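Review bot: `init_all_labeled_script_domtrans(phabricator_t)` and `init_domtrans_script(phabricator_t)` let the phabricator daemon domain run every labeled init script on the system, which is far wider than a service needs; if the intent is only its own script, `init_labeled_script_domtrans(phabricator_t, phabricator_initrc_exec_t)` is the narrow form. `phabricator_t` is both the process domain (`init_daemon_domain`) and the file type for the whole /opt/phacility/phabricator tree, and `read_files_pattern(httpd_t, phabricator_t, phabricator_t)` then grants httpd read on files carrying a domain type; as in arcanist.te, a separate file type for the tree is the conventional fix. `conf/local` is labeled `phabricator_etc_t` in phabricator.fc and `phabricator_t` may read it, but httpd_t is not granted read on `phabricator_etc_t`, so unless httpd_t already reads config-file types through an attribute the web side presumably cannot open its configuration. `phabricator_tmp_t`, `phabricator_var_run_t` and `phabricator_var_lib_t` are declared but no rule lets `phabricator_t` create or write them (no manage patterns, no `files_pid_filetrans`/`files_tmp_filetrans`). Stylistically, the four `allow httpd_t X:dir read;` lines duplicate what `list_dirs_pattern(httpd_t, X, X)` expresses, and the top-level `gen_require` of `httpd_t` should sit inside `optional_policy(`...')` so the module still loads where apache is absent.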
