CentOS/RHEL 6 SELinux permissions.

2025-01-29 15:43:52 +00:00 · 2022-02-16 12:56:17 -05:00 · 2022-02-16 12:56:17 -05:00 · ed74ed6ed2
commit ed74ed6ed2
parent 26e684eb0e
3 changed files with 27 additions and 0 deletions
--- a/ext/installfiles/linux/zerotier-one.te
+++ b/ext/installfiles/linux/zerotier-one.te
@ -0,0 +1,14 @@
+
+module zerotier-one 1.0;
+
+require {
+	type unconfined_t;
+	type initrc_t;
+	class memprotect mmap_zero;
+}
+
+#============= initrc_t ==============
+allow initrc_t self:memprotect mmap_zero;
+
+#============= unconfined_t ==============
+allow unconfined_t self:memprotect mmap_zero;
--- a/make-linux.mk
+++ b/make-linux.mk
@ -418,6 +418,7 @@ install:	FORCE
 	rm -f $(DESTDIR)/usr/share/man/man1/zerotier-cli.1.gz
 	cat doc/zerotier-cli.1 | gzip -9 >$(DESTDIR)/usr/share/man/man1/zerotier-cli.1.gz
 	cat doc/zerotier-idtool.1 | gzip -9 >$(DESTDIR)/usr/share/man/man1/zerotier-idtool.1.gz
+	cp ext/installfiles/linux/zerotier-one.te /var/lib/zerotier-one/zerotier-one.te

 # Uninstall preserves identity.public and identity.secret since the user might
 # want to save these. These are your ZeroTier address.
--- a/zerotier-one.spec
+++ b/zerotier-one.spec
@ -121,6 +121,18 @@ case "$1" in
    chkconfig --add zerotier-one
  ;;
 esac
+if [ -x /usr/bin/checkmodule -a -x /usr/bin/semodule_package -a -x /usr/bin/semodule ]; then
+  rm -f /var/lib/zerotier-one/zerotier-one.mod
+  /usr/bin/checkmodule -M -m -o /var/lib/zerotier-one/zerotier-one.mod /var/lib/zerotier-one/zerotier-one.te
+  if [ -f /var/lib/zerotier-one/zerotier-one.pp ]; then
+    rm -f /var/lib/zerotier-one/zerotier-one.pp
+    /usr/bin/semodule_package -o /var/lib/zerotier-one/zerotier-one.pp -m /var/lib/zerotier-one/zerotier-one.mod
+    /usr/bin/semodule -u /var/lib/zerotier-one/zerotier-one.pp
+  else
+    /usr/bin/semodule_package -o /var/lib/zerotier-one/zerotier-one.pp -m /var/lib/zerotier-one/zerotier-one.mod
+    /usr/bin/semodule -i /var/lib/zerotier-one/zerotier-one.pp
+  fi
+fi
 %endif

 %preun