From 80cae3568864fed622297fe51fa5e8d92161d3ba Mon Sep 17 00:00:00 2001
From: Josh Holtrop
Date: Wed, 1 Apr 2026 22:59:46 -0400
Subject: [PATCH] Add selinux policy for malpd.sock access; update README.md
---
 README.md | 14 ++++++++++++++
 selinux/malp_to_malpd.pp | Bin 0 -> 1012 bytes
 selinux/malp_to_malpd.te | 11 +++++++++++
 3 files changed, 25 insertions(+)
 create mode 100644 selinux/malp_to_malpd.pp
 create mode 100644 selinux/malp_to_malpd.te
diff --git a/README.md b/README.md
index 977aed1..a256ea6 100644
--- a/README.md
+++ b/README.md
@@ -6,6 +6,8 @@ A lightweight Ruby CGI status page for home server monitoring.
 
 Copy this repository directory to `/var/www`, so `/var/www/malp/cgi-bin` exists.
 
+As root:
+
 ```
 mkdir /var/www/malp/data
 chown apache:apache /var/www/malp/data
@@ -13,15 +15,21 @@ chown apache:apache /var/www/malp/data
 
 ### Install ruby
 
+As root:
+
 ```
 dnf install ruby
 ```
 
 ### If using SELinux (e.g. AlmaLinux)
 
+As root:
+
 ```
 chcon -R -t httpd_sys_script_exec_t /var/www/malp/cgi-bin
 chcon -R -t httpd_sys_rw_content_t /var/www/malp/data
+chcon -t bin_t /var/www/malp/bin/malpd
+semodule -i /var/www/malp/selinux/malp_to_malpd.pp
 ```
 
 ### Example Apache HTTPD Setup
@@ -32,6 +40,8 @@ Replace as desired.
 
 #### Create self-signed TLS certificate
 
+As root:
+
 ```
 mkdir /etc/httpd/tls
 cd /etc/httpd/tls
@@ -80,12 +90,16 @@ openssl req -new -x509 -key anubis.key -out anubis.crt -days 3650 -sha384
 
 ### Set user name and password
 
+As root:
+
 ```
 /var/www/malp/bin/setpasswd
 ```
 
 ### Install systemd units
 
+As root:
+
 ```
 cp /var/www/malp/systemd/* /usr/lib/systemd/system
 systemctl enable --now malpd.socket
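Review bot: In the SELinux block of the second README hunk, the added `semodule -i /var/www/malp/selinux/malp_to_malpd.pp` loads the committed binary module as root, and nothing in the steps ties that binary to the reviewable `malp_to_malpd.te` added alongside it. I would have the README compile the module from the `.te` on the host (`checkmodule -M -m` followed by `semodule_package`) and install that result, so the rules loaded into the policy are the ones a reader can inspect. Separately, the added `chcon -t bin_t /var/www/malp/bin/malpd` is undone by a filesystem relabel or `restorecon`; `semanage fcontext -a -t bin_t '/var/www/malp/bin/malpd'` followed by `restorecon -v /var/www/malp/bin/malpd` keeps the label persistent. The `.te` contents fall outside this part of the patch, so the scope of the access it grants could not be checked here.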
diff --git a/selinux/malp_to_malpd.pp b/selinux/malp_to_malpd.pp new file mode 100644 index 0000000000000000000000000000000000000000..07a1c6011c7a289a3af3821bea4aaa54a17a4922 GIT binary patch literal 1012 zcmb_aK}rNM5FFQw9z+qr>%Ktr2f29DlMe`MCgQle$uP;t3VuO+uP3cqr`W6`B4|OS zJJr=a8R*yd=eM1zs>mbo1@}Y5o6G4{6Z+NkI@bNdPavIwwC#b!0l1tkTAQO~tal+? zoShqluh1ushl1{mL?4=!O}X>4rA^Vzecp%4s*53bmvdALKd-iU`+%D53^c(gK`e90 zrN-YP`7F)X?9z9ib6eZ=lx%Wc(`K7bhE8?iy7jd_;Nf>o@M!bhW8=Kd^!x