From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 9386B158086 for ; Thu, 11 Nov 2021 21:27:47 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id BCCA62BC161; Thu, 11 Nov 2021 21:27:40 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 83B902BC15F for ; Thu, 11 Nov 2021 21:27:40 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 7D3F23431F3 for ; Thu, 11 Nov 2021 21:27:39 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id B720C1D8 for ; Thu, 11 Nov 2021 21:27:36 +0000 (UTC)
From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1636666010.525fb46b40e90c3149d8807139a4ed407f069007.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/apache.te policy/modules/services/certbot.if policy/modules/services/dovecot.te policy/modules/services/exim.te policy/modules/services/jabber.te policy/modules/services/postfix.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 525fb46b40e90c3149d8807139a4ed407f069007
X-VCS-Branch: master
Date: Thu, 11 Nov 2021 21:27:36 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 37ef66f4-4ffa-42b3-80b2-7f52fe5d6307
X-Archives-Hash: 3787f77faf7c97de249903a15d8b8ca8

commit:     525fb46b40e90c3149d8807139a4ed407f069007
Author:     Kenton Groombridge concord sh>
AuthorDate: Sun Nov  7 01:23:18 2021 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=525fb46b

certbot, various: allow various services to read certbot certs

Signed-off-by: Kenton Groombridge concord.sh>
Signed-off-by: Jason Zaman gentoo.org>

 policy/modules/services/apache.te  |  4 ++++
 policy/modules/services/certbot.if | 20 ++++++++++++++++++++
 policy/modules/services/dovecot.te |  4 ++++
 policy/modules/services/exim.te    |  4 ++++
 policy/modules/services/jabber.te  |  4 ++++
 policy/modules/services/postfix.te | 12 ++++++++++++
 6 files changed, 48 insertions(+)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 435297c1..79fdf1ae 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -757,6 +757,10 @@ optional_policy(` calamaris_read_www_files(httpd_t) ') +optional_policy(` + certbot_read_lib(httpd_t) +') + optional_policy(` clamav_domtrans_clamscan(httpd_t) ') diff --git a/policy/modules/services/certbot.if b/policy/modules/services/certbot.if index d2276ef2..3a1141dc 100644 --- a/policy/modules/services/certbot.if +++ b/policy/modules/services/certbot.if @@ -44,3 +44,23 @@ interface(`certbot_run',` certbot_domtrans($1) role $2 types certbot_t; ') + +######################################## +## +## Read TLS certificates and keys +## generated by certbot. +## +## +## +## Domain allowed access. +## +## +# +interface(`certbot_read_lib',` + gen_require(` + type certbot_lib_t; + ') + + search_dirs_pattern($1, certbot_lib_t, certbot_lib_t) + read_files_pattern($1, certbot_lib_t, certbot_lib_t) +') diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index e6ca365a..b73c2211 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -198,6 +198,10 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_symlinks(dovecot_t) ') +optional_policy(` + certbot_read_lib(dovecot_t) +') + optional_policy(` kerberos_manage_host_rcache(dovecot_t) kerberos_read_keytab(dovecot_t) diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te index 6e106976..541747ba 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te @@ -182,6 +182,10 @@ tunable_policy(`exim_manage_user_files',` userdom_manage_user_tmp_files(exim_t) ') +optional_policy(` + certbot_read_lib(exim_t) +') + optional_policy(` clamav_domtrans_clamscan(exim_t) clamav_scannable_files(exim_spool_t) 
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te index 16f2d82d..827f9a20 100644 --- a/policy/modules/services/jabber.te +++ b/policy/modules/services/jabber.te @@ -121,6 +121,10 @@ sysnet_read_config(jabberd_t) userdom_dontaudit_use_unpriv_user_fds(jabberd_t) userdom_dontaudit_search_user_home_dirs(jabberd_t) +optional_policy(` + certbot_read_lib(jabberd_t) +') + ######################################## # # Router local policy diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 25e31623..d6e284e4 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -312,6 +312,10 @@ mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file) mta_read_sendmail_bin(postfix_master_t) mta_getattr_spool(postfix_master_t) +optional_policy(` + certbot_read_lib(postfix_master_t) +') + optional_policy(` cyrus_stream_connect(postfix_master_t) ') @@ -763,6 +767,10 @@ rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildro corenet_tcp_bind_generic_node(postfix_smtp_t) +optional_policy(` + certbot_read_lib(postfix_smtp_t) +') + optional_policy(` cyrus_stream_connect(postfix_smtp_t) ') @@ -800,6 +808,10 @@ fs_getattr_all_fs(postfix_smtpd_t) mta_read_aliases(postfix_smtpd_t) mta_map_aliases(postfix_smtpd_t) +optional_policy(` + certbot_read_lib(postfix_smtpd_t) +') + optional_policy(` dbus_send_system_bus(postfix_smtp_t) dbus_system_bus_client(postfix_smtp_t)
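Review bot: the `certbot_read_lib` body in the certbot.if hunk grants only `search_dirs_pattern($1, certbot_lib_t, certbot_lib_t)` and `read_files_pattern($1, certbot_lib_t, certbot_lib_t)`, so a caller that reaches the certificates through certbot's `live/<name>/*.pem` symlinks (which point into `archive/`) will be denied `lnk_file read` wherever those symlinks carry certbot_lib_t; consider adding `read_lnk_files_pattern($1, certbot_lib_t, certbot_lib_t)` next to the two existing patterns. It would also help to say in the interface summary that the same type covers the private keys, since every caller added in this commit (httpd_t, dovecot_t, exim_t, jabberd_t and the three postfix domains) receives read access to them; that is the intent for a TLS-serving daemon, but the name `certbot_read_lib` does not make it obvious.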
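Review bot: in the last postfix.te hunk (`@@ -800,6 +808,10 @@`) the surrounding context belongs to postfix_smtpd_t (`fs_getattr_all_fs(postfix_smtpd_t)`, `mta_read_aliases(postfix_smtpd_t)`, `mta_map_aliases(postfix_smtpd_t)`), yet the trailing context lines `dbus_send_system_bus(postfix_smtp_t)` / `dbus_system_bus_client(postfix_smtp_t)` name postfix_smtp_t. That is pre-existing rather than introduced here, but since this change adds `certbot_read_lib(postfix_smtpd_t)` directly above it, it is a good moment to confirm those dbus rules sit in the intended domain's section.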