vikarti.anatra/safing-portmaster
1
0
Fork 0
mirror of https://github.com/safing/portmaster synced 2025-09-05 03:59:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

[WIP] Fix SELinux permissions

Browse source
This commit is contained in:
Vladimir Stoilov 2024-08-27 14:30:04 +03:00
parent 9bae1afd73
commit f7abb700bf
No known key found for this signature in database
GPG key ID: 2F190B67A43A81AF
4 changed files with 26 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
packaging/linux/portmaster.service
View file

@ -34,8 +34,9 @@ AmbientCapabilities=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_ne
CapabilityBoundingSet=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid cap_sys_resource cap_bpf cap_perfmon CapabilityBoundingSet=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid cap_sys_resource cap_bpf cap_perfmon
StateDirectory=portmaster StateDirectory=portmaster
# TODO(ppacher): add --disable-software-updates once it's merged and the release process changed. # TODO(ppacher): add --disable-software-updates once it's merged and the release process changed.
ExecStart=/usr/bin/portmaster-core --data /opt/safing/portmaster -- $PORTMASTER_ARGS WorkingDirectory=/var/lib/portmaster/data
ExecStopPost=-/usr/bin/portmaster-core recover-iptables ExecStart=/usr/lib/portmaster/portmaster-core --data /var/lib/portmaster/data -devmode -- $PORTMASTER_ARGS
ExecStopPost=-/usr/bin/portmaster/portmaster-core recover-iptables
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

11
packaging/linux/postinst
View file

@ -1,5 +1,16 @@
#!/bin/bash #!/bin/bash
chmod +x /usr/lib/portmaster/portmaster-core
#
# Fix selinux permissions for portmaster-core if we have semanage
# available.
#
if command -V semanage >/dev/null 2>&1; then
semanage fcontext -a -t bin_t -s system_u $(realpath /usr/lib)'/portmaster/portmaster-core' || :
restorecon -R /usr/lib/portmaster/portmaster-core 2>/dev/null >&2 || :
fi
systemctl daemon-reload systemctl daemon-reload
systemctl enable portmaster.service systemctl enable portmaster.service

9
packaging/linux/postrm
View file

@ -1 +1,10 @@
#!/bin/bash #!/bin/bash
#
# Remove selinux permissions for portmaster-core if we have semanage
# available.
#
if command -V semanage >/dev/null 2>&1; then
semanage fcontext --delete $(realpath /usr/lib)'/portmaster/portmaster-core' || :
restorecon -R /usr/lib/portmaster/portmaster-core 2>/dev/null >&2 || :
fi

6
service/updates/module.go
View file

@ -63,7 +63,7 @@ func New(instance instance) (*Updates, error) {
binIndex := registry.UpdateIndex{ binIndex := registry.UpdateIndex{
Directory: "/usr/lib/portmaster", Directory: "/usr/lib/portmaster",
DownloadDirectory: "/var/portmaster/new_bin", DownloadDirectory: "/var/lib/portmaster/new_bin",
Ignore: []string{"databases", "intel", "config.json"}, Ignore: []string{"databases", "intel", "config.json"},
IndexURLs: []string{"http://localhost:8000/test-binary.json"}, IndexURLs: []string{"http://localhost:8000/test-binary.json"},
IndexFile: "bin-index.json", IndexFile: "bin-index.json",
@ -71,8 +71,8 @@ func New(instance instance) (*Updates, error) {
} }
intelIndex := registry.UpdateIndex{ intelIndex := registry.UpdateIndex{
Directory: "/var/portmaster/intel", Directory: "/var/lib/portmaster/intel",
DownloadDirectory: "/var/portmaster/new_intel", DownloadDirectory: "/var/lib/portmaster/new_intel",
IndexURLs: []string{"http://localhost:8000/test-intel.json"}, IndexURLs: []string{"http://localhost:8000/test-intel.json"},
IndexFile: "intel-index.json", IndexFile: "intel-index.json",
AutoApply: true, AutoApply: true,