[selinux-policy: 1780/3172] trunk: add 3rd party interface for apache cgi.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:38:50 UTC 2010


commit 371d11ec046fb4a1193a086476cde907d0088ced
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jul 26 19:48:40 2007 +0000

    trunk: add 3rd party interface for apache cgi.

 Changelog                         |    1 +
 policy/modules/services/apache.if |   54 +++++++++++++++++++++++++++++++++++++
 policy/modules/services/apache.te |    2 +-
 3 files changed, 56 insertions(+), 1 deletions(-)
---
diff --git a/Changelog b/Changelog
index 072d4ae..677f0c4 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Add third-party interface for Apache CGI.
 - Add getserv and shmemserv nscd permissions.
 - Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
 - Added modules:
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 932386f..2c8a6b7 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -987,6 +987,24 @@ interface(`apache_read_sys_content',`
 
 ########################################
 ## <summary>
+##	Search apache system CGI directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_search_sys_scripts',`
+	gen_require(`
+		type httpd_sys_content_t, httpd_sys_script_exec_t;
+	')
+
+	search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
+')
+
+########################################
+## <summary>
 ##	Search system script state directory.
 ## </summary>
 ## <param name="domain">
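Review bot: The summary of apache_search_sys_scripts understates what the interface grants. As search_dirs_pattern is normally defined, `search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)` allows directory search on both types, so the caller also gains search on httpd_sys_content_t directories, not only the CGI ones. A summary such as `##	Search apache system content and CGI script directories.` would make that visible to anyone auditing which domains can traverse the web content tree.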
@@ -1002,3 +1020,39 @@ interface(`apache_search_sys_script_state',`
 
 	allow $1 httpd_sys_script_t:dir search_dir_perms;
 ')
+
+########################################
+## <summary>
+##	Execute CGI in the specified domain.
+## </summary>
+##	<desc>
+##	<p>
+##	Execute CGI in the specified domain.
+##	</p>
+##	<p>
+##	This is an interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+##	</desc>
+## <param name="domain">
+##	<summary>
+##	Domain run the cgi script in.
+##	</summary>
+## </param>
+## <param name="entrypoint">
+##	<summary>
+##	Type of the executable to enter the cgi domain.
+##	</summary>
+## </param>
+#
+interface(`apache_cgi_domain',`
+	gen_require(`
+		type httpd_t, httpd_sys_script_exec_t;
+	')
+
+	domtrans_pattern(httpd_t, $2, $1)
+	apache_search_sys_scripts($1)
+
+	allow httpd_t $1:process signal;
+')
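Review bot: The gen_require in apache_cgi_domain lists httpd_sys_script_exec_t, but the body references only httpd_t directly; apache_search_sys_scripts carries its own require, so `type httpd_t;` is enough here. The description should also say what a caller is granting: httpd_t gets a domain transition into `$1` on executing a file of type `$2` and may signal the resulting process. If that matches the intent, a line such as `##	The entrypoint type should not be writable by httpd_t, and the CGI domain must be confined by the calling module.` would help third-party authors. The domain parameter summary `Domain run the cgi script in.` reads better as `Domain to run the CGI script in.`.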
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index d582fb6..a6395e9 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
 
-policy_module(apache,1.7.0)
+policy_module(apache,1.7.1)
 
 #
 # NOTES: 

