selinux-refpolicy/policy/modules/services/certbot.if
Kenton Groombridge 2d33258db7 certbot, various: allow various services to read certbot certs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 11:05:44 -05:00

67 lines
1.3 KiB
Plaintext

## <summary>SSL certificate requesting tool certbot AKA letsencrypt.</summary>
########################################
## <summary>
## Execute certbot/letsencrypt in the certbot
## domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`certbot_domtrans',`
gen_require(`
type certbot_t, certbot_exec_t;
')
domtrans_pattern($1, certbot_exec_t, certbot_t)
')
########################################
## <summary>
## Execute certbot/letsencrypt in the certbot
## domain, and allow the specified role
## the firstboot domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
#
interface(`certbot_run',`
gen_require(`
type certbot_t;
')
certbot_domtrans($1)
role $2 types certbot_t;
')
########################################
## <summary>
## Read TLS certificates and keys
## generated by certbot.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`certbot_read_lib',`
gen_require(`
type certbot_lib_t;
')
search_dirs_pattern($1, certbot_lib_t, certbot_lib_t)
read_files_pattern($1, certbot_lib_t, certbot_lib_t)
')