ansible-playbooks/peertube-server/templates/cil/peertube.cil

(block peertube
    (blockinherit container)
    (blockinherit restricted_net_container)
    (allow process process ( capability ( chown dac_override fowner fsetid kill net_bind_service setfcap setgid setpcap setuid sys_chroot ))) 

    (allow process flash_port_t ( tcp_socket (  name_bind ))) 
    (allow process http_port_t ( tcp_socket (  name_bind ))) 
    (allow process unreserved_port_t (tcp_socket (name_connect) ) )
    (allow process cifs_t (dir (setattr)))
    (allow process redis_port_t (tcp_socket (name_connect)))
    (allow process smtp_port_t (tcp_socket (name_connect)))
    (allow process postgresql_port_t (tcp_socket (name_connect)))


    (allow process container_file_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) 
    (allow process container_file_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) 
    (allow process container_file_t ( fifo_file ( getattr read write append ioctl lock open ))) 
    (allow process container_file_t ( sock_file ( append getattr open read write ))) 
    (allow process default_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
    (allow process default_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write )))
    (allow process default_t ( fifo_file ( getattr read write append ioctl lock open )))
    (allow process default_t ( sock_file ( append getattr open read write )))
)
work on peertube ansible playbook 2025-02-05 19:39:03 +02:00			`(block peertube`
			`(blockinherit container)`
			`(blockinherit restricted_net_container)`
			`(allow process process ( capability ( chown dac_override fowner fsetid kill net_bind_service setfcap setgid setpcap setuid sys_chroot )))`

			`(allow process flash_port_t ( tcp_socket ( name_bind )))`
			`(allow process http_port_t ( tcp_socket ( name_bind )))`
			`(allow process unreserved_port_t (tcp_socket (name_connect) ) )`
			`(allow process cifs_t (dir (setattr)))`
			`(allow process redis_port_t (tcp_socket (name_connect)))`
			`(allow process smtp_port_t (tcp_socket (name_connect)))`
			`(allow process postgresql_port_t (tcp_socket (name_connect)))`


			`(allow process container_file_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))`
			`(allow process container_file_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write )))`
			`(allow process container_file_t ( fifo_file ( getattr read write append ioctl lock open )))`
			`(allow process container_file_t ( sock_file ( append getattr open read write )))`
update peertube container and cil 2025-02-06 23:02:52 +02:00			`(allow process default_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))`
			`(allow process default_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write )))`
			`(allow process default_t ( fifo_file ( getattr read write append ioctl lock open )))`
			`(allow process default_t ( sock_file ( append getattr open read write )))`
work on peertube ansible playbook 2025-02-05 19:39:03 +02:00			`)`