From 046a5e6098cea0b1195734fa55133630f88377ba Mon Sep 17 00:00:00 2001
From: auricom <27022259+auricom@users.noreply.github.com>
Date: Mon, 13 May 2024 15:38:16 +0200
Subject: [PATCH] selinux
---
 scripts/install.sh | 4 ++--
 scripts/post-install.sh | 4 +++-
 .../containers/systemd/filebrowser.container | 1 +
 usr/share/containers/systemd/minio.container | 1 +
 usr/share/filebrowser/selinux.cil | 17 +++++++++++++++++
 usr/share/minio/selinux.cil | 11 +++++++++++
 6 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 usr/share/filebrowser/selinux.cil
 create mode 100644 usr/share/minio/selinux.cil
diff --git a/scripts/install.sh b/scripts/install.sh
index 2788541..2bccd04 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 set -ouex pipefail
@@ -20,7 +20,7 @@ rpm-ostree install \
 rpm-ostree install "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION#v}.x86_64.rpm"
-if [ -x "/usr/sbin/zpool" ]; then
+if [[ -x "/usr/sbin/zpool" ]]; then
 rpm-ostree install \
 nfs-utils \
 samba
diff --git a/scripts/post-install.sh b/scripts/post-install.sh
index ca10d35..a4f96f4 100755
--- a/scripts/post-install.sh
+++ b/scripts/post-install.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 set -ouex pipefail
@@ -24,4 +24,6 @@ if [[ -x "/usr/sbin/zpool" ]]; then
 # restorecon -R /mnt/vol1
 # firewall-cmd --reload
 # semanage fcontext --add --type "public_content_rw_t" "/mnt/vol1(/.*)?"
+ semodule --install /usr/share/minio/selinux.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}
+ semodule --install /usr/share/filebrowser/selinux.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}
 fi
diff --git a/usr/share/containers/systemd/filebrowser.container b/usr/share/containers/systemd/filebrowser.container
index e719990..4d8edcb 100644
--- a/usr/share/containers/systemd/filebrowser.container
+++ b/usr/share/containers/systemd/filebrowser.container
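Review bot: The two added `semodule --install` lines sit inside the `if [[ -x "/usr/sbin/zpool" ]]` block (the `if` opens before this hunk), so the `minio` and `filebrowser` policy modules are only loaded on hosts that have zpool, while the `SecurityLabelType=` keys this commit adds to both quadlets apply unconditionally; on a host without zpool the units would presumably fail to start with an unknown type, so either gate the units the same way or move the installs out of the condition. Both calls also re-install the same udica templates; a single call loads everything at once: `semodule --install /usr/share/minio/selinux.cil /usr/share/filebrowser/selinux.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}`. The brace expansion is bash-only, which the shebang change in this patch now guarantees.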
@@ -18,6 +18,7 @@ Environment=FB_PORT=7000
 Image=ghcr.io/auricom/filebrowser:rolling
 Volume=filebrowser.volume:/config
 Volume=/var/mnt/vol1:/var/mnt/vol1:bind
+SecurityLabelType=filebrowser
 # Traefik
 Label=traefik.enable="true"
 Label=traefik.http.routers.filebrowser.rule=Host'(`filebrowser.feisar.ovh`)'
diff --git a/usr/share/containers/systemd/minio.container b/usr/share/containers/systemd/minio.container
index 3508ecd..3c6ac0d 100644
--- a/usr/share/containers/systemd/minio.container
+++ b/usr/share/containers/systemd/minio.container
@@ -19,6 +19,7 @@ Environment=MINIO_UPDATE=off
 Image=quay.io/minio/minio:latest
 Exec=server /data --address :9000 --console-address :9001
 Volume=/var/mnt/vol1/apps/minio:/data:bind
+SecurityLabelType=minio
 Label=traefik.enable="true"
 Label=traefik.http.routers.s3.rule=Host'(`s3.feisar.ovh`)'
 Label=traefik.http.routers.s3.entrypoints="websecure"
diff --git a/usr/share/filebrowser/selinux.cil b/usr/share/filebrowser/selinux.cil
new file mode 100644
index 0000000..c02b50f
--- /dev/null
+++ b/usr/share/filebrowser/selinux.cil
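Review bot: `SecurityLabelType=filebrowser` names a type that the new CIL file does not appear to declare: `usr/share/filebrowser/selinux.cil` defines a block `filebrowser` that inherits udica's `container` template, and its `allow process …` rules target the block-scoped `process` type, which is visible outside the block as `filebrowser.process`. Unless a plain `filebrowser` type is declared elsewhere, the container would fail to start with an invalid label; the udica convention is `SecurityLabelType=filebrowser.process`. The same applies to `SecurityLabelType=minio` in the `minio.container` hunk below, where `minio.process` would be the expected value.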
@@ -0,0 +1,17 @@
+(block filebrowser
+ (blockinherit container)
+ (blockinherit restricted_net_container)
+ (allow process http_cache_port_t ( tcp_socket ( name_bind )))
+ (allow process container_file_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
+ (allow process container_file_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write )))
+ (allow process container_file_t ( fifo_file ( getattr read write append ioctl lock open )))
+ (allow process container_file_t ( sock_file ( append getattr open read write )))
+ (allow process mnt_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
+ (allow process mnt_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write )))
+ (allow process mnt_t ( fifo_file ( getattr read write append ioctl lock open )))
+ (allow process mnt_t ( sock_file ( append getattr open read write )))
+ (allow process unlabeled_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
+ (allow process unlabeled_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write )))
+ (allow process unlabeled_t ( fifo_file ( getattr read write append ioctl lock open )))
+ (allow process unlabeled_t ( sock_file ( append getattr open read write )))
+)
\ No newline at end of file
diff --git a/usr/share/minio/selinux.cil b/usr/share/minio/selinux.cil
new file mode 100644
index 0000000..b4eab0c
--- /dev/null
+++ b/usr/share/minio/selinux.cil
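Review bot: The rules granting full read/write/create/unlink access on `unlabeled_t` and `mnt_t` (dir, file, fifo_file, sock_file) widen the filebrowser domain well beyond its bind mount: `unlabeled_t` matches any file the filesystem has not labeled, and `mnt_t` covers mount points in general, not just `/var/mnt/vol1`. Their presence suggests the volume is currently unlabeled; the commented-out `semanage fcontext`/`restorecon` lines in `post-install.sh` point at the intended fix, after which the `container_file_t` (or a dedicated type) rules should suffice and the `unlabeled_t`/`mnt_t` rules could be dropped. The `minio` policy, which bind-mounts a path under the same volume, has no such rules, so one of the two is likely out of step with the actual labels. A one-line header would help future readers, e.g. `; SELinux domain for filebrowser.container; load with semodule -i together with udica's base_container.cil and net_container.cil`. The file also lacks a trailing newline.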
@@ -0,0 +1,11 @@
+(block minio
+ (blockinherit container)
+ (blockinherit restricted_net_container)
+ (allow process process (capability (chown dac_override fowner fsetid kill net_bind_service setfcap setgid setpcap setuid sys_chroot)))
+
+ (allow process http_port_t (tcp_socket (name_bind)))
+ (allow process container_file_t (dir (add_name create getattr ioctl lock open read remove_name rmdir search setattr write)))
+ (allow process container_file_t (file (append create getattr ioctl lock map open read rename setattr unlink write)))
+ (allow process container_file_t (fifo_file (getattr read write append ioctl lock open)))
+ (allow process container_file_t (sock_file (append getattr open read write)))
+)
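Review bot: The `capability` rule grants the minio domain the complete default container capability set (`chown dac_override fowner fsetid kill net_bind_service setfcap setgid setpcap setuid sys_chroot`), which is broader than a single storage-server process is likely to use; `dac_override` in particular bypasses file-permission checks on everything the type rules already allow. Consider trimming the list to what `server /data` actually needs and mirroring that with `DropCapability=` in `minio.container`, so the policy and the quadlet agree. The unit's `Exec=` binds `:9000` and `:9001`, but the policy only allows `name_bind` on `http_port_t`; as far as I recall 9001 is not labeled `http_port_t` in the default Fedora policy, so verify the console port binds under enforcing mode or add the matching port type. A header comment naming the unit this block belongs to, e.g. `; SELinux domain for minio.container; requires udica base_container.cil and net_container.cil`, would make the file self-describing.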