From 8b220a9ced8dbe5449cf443a16b782141d6f4772 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 5 Mar 2024 10:18:41 -0500
Subject: certbot: Drop execmem.

This is related to FFI use in python3-openssl. Libffi now changes behavior when it detects SELinux, to avoid this type of denial.

Signed-off-by: Chris PeBenito
Signed-off-by: Kenton Groombridge
---
 policy/modules/services/certbot.te | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/policy/modules/services/certbot.te b/policy/modules/services/certbot.te
index 9723f788..6edaac83 100644
--- a/policy/modules/services/certbot.te
+++ b/policy/modules/services/certbot.te
@@ -54,10 +54,6 @@ files_tmp_filetrans(certbot_t, certbot_tmp_t, { dir file })
 manage_files_pattern(certbot_t, certbot_tmpfs_t, certbot_tmpfs_t)
 fs_tmpfs_filetrans(certbot_t, certbot_tmpfs_t, { file })
-# this is for certbot to have write-exec memory, I know it is bad
-# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913544
-# the Debian bug report has background about python-acme and python3-openssl
-allow certbot_t self:process execmem;
 allow certbot_t certbot_tmp_t:file mmap_exec_file_perms;
 allow certbot_t certbot_tmpfs_t:file mmap_exec_file_perms;
 allow certbot_t certbot_runtime_t:file mmap_exec_file_perms;
-- 
cgit v1.2.3-65-gdbad