diff --git a/ext/installfiles/linux/zerotier-one.te b/ext/installfiles/linux/zerotier-one.te
new file mode 100644
index 000000000..978df0b10
--- /dev/null
+++ b/ext/installfiles/linux/zerotier-one.te
@@ -0,0 +1,14 @@
+
+module zerotier-one 1.0;
+
+require {
+ type unconfined_t;
+ type initrc_t;
+ class memprotect mmap_zero;
+}
+
+#============= initrc_t ==============
+allow initrc_t self:memprotect mmap_zero;
+
+#============= unconfined_t ==============
+allow unconfined_t self:memprotect mmap_zero;
diff --git a/make-linux.mk b/make-linux.mk
index eaec7432c..a5a929d8e 100644
--- a/make-linux.mk
+++ b/make-linux.mk
@@ -418,6 +418,7 @@ install: FORCE
 rm -f $(DESTDIR)/usr/share/man/man1/zerotier-cli.1.gz
 cat doc/zerotier-cli.1 | gzip -9 >$(DESTDIR)/usr/share/man/man1/zerotier-cli.1.gz
 cat doc/zerotier-idtool.1 | gzip -9 >$(DESTDIR)/usr/share/man/man1/zerotier-idtool.1.gz
+ cp ext/installfiles/linux/zerotier-one.te /var/lib/zerotier-one/zerotier-one.te
 
 # Uninstall preserves identity.public and identity.secret since the user might
 # want to save these. These are your ZeroTier address.
diff --git a/zerotier-one.spec b/zerotier-one.spec
index ab43da42e..edcbc6d06 100644
--- a/zerotier-one.spec
+++ b/zerotier-one.spec
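Review bot: The two `allow … self:memprotect mmap_zero;` rules in zerotier-one.te apply to every process running as `initrc_t` or `unconfined_t`, not only to the ZeroTier daemon. `mmap_zero` is the check that stops a process from mapping pages at very low addresses, a hardening measure against kernel NULL-pointer-dereference bugs, so loading this module relaxes that protection for both domains host-wide. If the daemon really needs the permission, I would give it its own domain and scope the rule there. At minimum the file should record why, e.g. `# zerotier-one needs mmap_zero because <reason>; rule is domain-wide until the daemon has its own type`.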
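Review bot: The added `cp` in make-linux.mk writes to `/var/lib/zerotier-one/` on the build host instead of under `$(DESTDIR)`, unlike the man-page lines just above it. A staged or packaging install will then either fail when that directory does not exist or drop the policy source into the live root and leave it out of the staged tree. Use `cp ext/installfiles/linux/zerotier-one.te $(DESTDIR)/var/lib/zerotier-one/zerotier-one.te`. The `install` target starts above the hunk, so check that it already creates that directory under `$(DESTDIR)`.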
@@ -121,6 +121,18 @@ case "$1" in
 chkconfig --add zerotier-one
 ;;
 esac
+if [ -x /usr/bin/checkmodule -a -x /usr/bin/semodule_package -a -x /usr/bin/semodule ]; then
+ rm -f /var/lib/zerotier-one/zerotier-one.mod
+ /usr/bin/checkmodule -M -m -o /var/lib/zerotier-one/zerotier-one.mod /var/lib/zerotier-one/zerotier-one.te
+ if [ -f /var/lib/zerotier-one/zerotier-one.pp ]; then
+ rm -f /var/lib/zerotier-one/zerotier-one.pp
+ /usr/bin/semodule_package -o /var/lib/zerotier-one/zerotier-one.pp -m /var/lib/zerotier-one/zerotier-one.mod
+ /usr/bin/semodule -u /var/lib/zerotier-one/zerotier-one.pp
+ else
+ /usr/bin/semodule_package -o /var/lib/zerotier-one/zerotier-one.pp -m /var/lib/zerotier-one/zerotier-one.mod
+ /usr/bin/semodule -i /var/lib/zerotier-one/zerotier-one.pp
+ fi
+fi
 %endif
 
 %preun
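Review bot: Nothing in the added scriptlet checks whether `checkmodule` or `semodule_package` succeeded, so after the `rm -f` of the old `.mod`/`.pp` a compile error still falls through to `semodule` with a missing package. The `[ -f …/zerotier-one.pp ]` test only shows that a file was left on disk, not that the module is loaded; `semodule -i` installs or replaces, so the `-u` branch can go. The policy source and build products sit in `/var/lib/zerotier-one`, the daemon's state directory; if the service account can write there (not visible in this hunk), what gets compiled and loaded as root is no longer only what the package shipped, so a root-owned location would be safer. The block is placed before `%endif`, so it runs only under the `%if` that opens above the hunk; confirm that is intended.

```spec
if [ -x /usr/bin/checkmodule -a -x /usr/bin/semodule_package -a -x /usr/bin/semodule ]; then
  rm -f /var/lib/zerotier-one/zerotier-one.mod /var/lib/zerotier-one/zerotier-one.pp
  # chain the steps so a failed compile never reaches semodule
  /usr/bin/checkmodule -M -m -o /var/lib/zerotier-one/zerotier-one.mod /var/lib/zerotier-one/zerotier-one.te && \
  /usr/bin/semodule_package -o /var/lib/zerotier-one/zerotier-one.pp -m /var/lib/zerotier-one/zerotier-one.mod && \
  /usr/bin/semodule -i /var/lib/zerotier-one/zerotier-one.pp || \
  echo "zerotier-one: SELinux policy module was not installed" >&2
fi
```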