Add selinux policy for malpd.sock access; update README.md

README.md

@@ -6,6 +6,8 @@ A lightweight Ruby CGI status page for home server monitoring.
 
 Copy this repository directory to `/var/www`, so `/var/www/malp/cgi-bin` exists.
 
+As root:
+
 ```
 mkdir /var/www/malp/data
 chown apache:apache /var/www/malp/data
@@ -13,15 +15,21 @@ chown apache:apache /var/www/malp/data
 
 ### Install ruby
 
+As root:
+
 ```
 dnf install ruby
 ```
 
 ### If using SELinux (e.g. AlmaLinux)
 
+As root:
+
 ```
 chcon -R -t httpd_sys_script_exec_t /var/www/malp/cgi-bin
 chcon -R -t httpd_sys_rw_content_t /var/www/malp/data
+chcon -t bin_t /var/www/malp/bin/malpd
+semodule -i /var/www/malp/selinux/malp_to_malpd.pp
 ```
 
 ### Example Apache HTTPD Setup
@@ -32,6 +40,8 @@ Replace as desired.
 
 #### Create self-signed TLS certificate
 
+As root:
+
 ```
 mkdir /etc/httpd/tls
 cd /etc/httpd/tls
@@ -80,12 +90,16 @@ openssl req -new -x509 -key anubis.key -out anubis.crt -days 3650 -sha384
 
 ### Set user name and password
 
+As root:
+
 ```
 /var/www/malp/bin/setpasswd
 ```
 
 ### Install systemd units
 
+As root:
+
 ```
 cp /var/www/malp/systemd/* /usr/lib/systemd/system
 systemctl enable --now malpd.socket

selinux/malp_to_malpd.te

@@ -0,0 +1,11 @@
+
+module malp_to_malpd 1.0;
+
+require {
+	type httpd_sys_script_t;
+	type unconfined_service_t;
+	class unix_stream_socket connectto;
+}
+
+#============= httpd_sys_script_t ==============
+allow httpd_sys_script_t unconfined_service_t:unix_stream_socket connectto;