certbot: various fixes

Allow acme-sh to send syslog msgs and dontaudit reading /proc.

Signed-off-by: Kenton Groombridge <me@concord.sh>
Kenton Groombridge 2022-05-17 13:47:20 -04:00
parent 308ab9f69a
commit 06319896b3


@ -69,6 +69,7 @@ allow certbot_t certbot_log_t:file manage_file_perms;
manage_files_pattern(certbot_t, certbot_runtime_t, certbot_runtime_t)
files_runtime_filetrans(certbot_t, certbot_runtime_t, file)
kernel_dontaudit_read_system_state(certbot_t)
kernel_search_fs_sysctls(certbot_t)
corecmd_list_bin(certbot_t)
@ -108,6 +109,8 @@ userdom_use_user_ptys(certbot_t)
tunable_policy(`certbot_acmesh',`
corecmd_exec_bin(certbot_t)
corecmd_exec_shell(certbot_t)
logging_send_syslog_msg(certbot_t)
')
optional_policy(`
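Review bot: `kernel_dontaudit_read_system_state(certbot_t)` in the first hunk sits at the top level of the certbot_t rules, so it appears to apply unconditionally, while the commit message ties the change to acme-sh and `logging_send_syslog_msg(certbot_t)` in the second hunk is gated by the `certbot_acmesh` tunable. If only acme.sh triggers the /proc reads, the dontaudit would be more consistent inside that same tunable block. Otherwise a one-line comment above it, for example `# reads of /proc system state are not needed; silence the denial`, would record why the access is hidden rather than granted. A dontaudit rule removes these AVC denials from the audit log, so anyone investigating unexpected certbot_t behaviour has to disable dontaudit rules temporarily (`semodule -DB`) to see them. That is worth a mention in the comment or the commit message. Both hunks are excerpts, and the surrounding policy and the file path are not visible here.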