ben/silverblue-images
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Building synapse SELinux policy into the image

Browse Source
This commit is contained in:
Ben Radey
2025-10-08 22:03:00 -04:00
parent ac16bf3389
commit e23792990c
2 changed files with 21 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
f42-server/Containerfile
+7
View File
@@ -14,6 +14,13 @@ FROM quay.io/fedora/fedora-silverblue:42
COPY --from=builder /gocryptfs/gocryptfs /usr/bin/gocryptfs COPY --from=builder /gocryptfs/gocryptfs /usr/bin/gocryptfs
# Set up Synapse SELinux policy
COPY synapse.te /tmp/synapse.te
RUN checkmodule -M -m -o /tmp/synapse.mod /tmp/synapse.te \
&& semodule_package -o /tmp/synapse.pp -m /tmp/synapse.mod \
&& semodule -i /tmp/synapse.pp \
&& rm -f /tmp/synapse.{te,mod,pp}
# Install ZFS repository # Install ZFS repository
RUN rpm-ostree install https://github.com/zfsonlinux/zfsonlinux.github.com/raw/master/fedora/zfs-release-2-8$(rpm --eval "%{dist}").noarch.rpm && \ RUN rpm-ostree install https://github.com/zfsonlinux/zfsonlinux.github.com/raw/master/fedora/zfs-release-2-8$(rpm --eval "%{dist}").noarch.rpm && \
# cleanup and verification stage # cleanup and verification stage
f42-server/synapse.te
+14
View File
@@ -0,0 +1,14 @@
module synapse 1.0;
require {
type httpd_t;
type unreserved_port_t;
class tcp_socket name_bind;
}
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow httpd_t unreserved_port_t:tcp_socket name_bind;