[selinux-policy: 1974/3172] trunk: Database labeled networking update from KaiGai Kohei.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:55:31 UTC 2010


commit dc1920b2180a51866d34b806e1d631c7415842a0
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Jul 25 04:07:09 2008 +0000

    trunk: Database labeled networking update from KaiGai Kohei.

 Changelog                           |    1 +
 policy/modules/services/apache.if   |   14 ++++++++++----
 policy/modules/services/apache.te   |    5 ++---
 policy/modules/services/mysql.if    |   21 +++++++++++++++++++++
 policy/modules/services/mysql.te    |    2 +-
 policy/modules/system/init.if       |   35 +++++++++++++++++++++++++++++++++++
 policy/modules/system/init.te       |    2 +-
 policy/modules/system/userdomain.if |    7 +++++++
 policy/modules/system/userdomain.te |    2 +-
 9 files changed, 79 insertions(+), 10 deletions(-)
---
diff --git a/Changelog b/Changelog
index 9de9e4a..017d2ce 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Database labeled networking update from KaiGai Kohei.
 - Several misc changes from the Fedora policy, cherry picked by David
   Hrdeman.
 - Large whitespace fix from Dominick Grift.
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index e590e67..630b5e3 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -189,10 +189,6 @@ template(`apache_content_template',`
 		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
 		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
 		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
-		corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
-		corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
-		corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t)
-		corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t)
 
 		sysnet_read_config(httpd_$1_script_t)
 	')
@@ -220,6 +216,12 @@ template(`apache_content_template',`
 	')
 
 	optional_policy(`
+		tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+			mysql_tcp_connect(httpd_$1_script_t)
+		')
+	')
+
+	optional_policy(`
 		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
 			nis_use_ypbind_uncond(httpd_$1_script_t)
 		')
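Review bot: The MySQL tunable is added as its own standalone `optional_policy()` block, while the PostgreSQL counterpart later in this file is placed inside the existing postgresql `optional_policy()` next to `postgresql_unpriv_client`. If the template already has a mysql `optional_policy()` block (it would be above this hunk and is not visible here), the new `tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` / `mysql_tcp_connect(httpd_$1_script_t)` lines belong inside it, so all MySQL rules for the script domain are reviewable in one place. The `apache_content_template` body begins and ends outside this hunk.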
@@ -227,6 +229,10 @@ template(`apache_content_template',`
 
 	optional_policy(`
 		postgresql_unpriv_client(httpd_$1_script_t)
+
+		tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+			postgresql_tcp_connect(httpd_$1_script_t)
+		')
 	')
 
 	optional_policy(`
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index be43195..f08dbee 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
 
-policy_module(apache, 1.10.0)
+policy_module(apache, 1.10.1)
 
 #
 # NOTES: 
@@ -459,8 +459,7 @@ optional_policy(`
 	mysql_rw_db_sockets(httpd_t)
 
 	tunable_policy(`httpd_can_network_connect_db',`
-		corenet_tcp_connect_mysqld_port(httpd_t)
-		corenet_sendrecv_mysqld_client_packets(httpd_t)
+		mysql_tcp_connect(httpd_t)
 	')
 ')
 
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index 75b3476..ba21f5f 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -20,6 +20,27 @@ interface(`mysql_signal',`
 
 ########################################
 ## <summary>
+##	Allow the specified domain to connect to postgresql with a tcp socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mysql_tcp_connect',`
+	gen_require(`
+		type mysqld_t;
+	')
+
+	corenet_tcp_recvfrom_labeled($1, mysqld_t)
+	corenet_tcp_sendrecv_mysqld_port($1)
+	corenet_tcp_connect_mysqld_port($1)
+	corenet_sendrecv_mysqld_client_packets($1)
+')
+
+########################################
+## <summary>
 ##	Connect to MySQL using a unix domain stream socket.
 ## </summary>
 ## <param name="domain">
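Review bot: The summary of the new `mysql_tcp_connect` interface says the domain may "connect to postgresql", but the body requires `mysqld_t` and grants the mysqld port and client packets — a copy-paste slip that will be carried into the generated interface documentation. Change it to `##	Allow the specified domain to connect to MySQL with a tcp socket.` It would also help to say that the interface grants more than a port connect: it adds `corenet_tcp_recvfrom_labeled($1, mysqld_t)` and `corenet_tcp_sendrecv_mysqld_port($1)`, so callers such as the apache.te tunable receive the labeled-networking peer rules as a package rather than the two corenet calls they previously had.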
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index e19ce51..5ec048a 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -1,5 +1,5 @@
 
-policy_module(mysql, 1.8.0)
+policy_module(mysql, 1.8.1)
 
 ########################################
 #
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index cb8974e..c923e6f 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1283,3 +1283,38 @@ interface(`init_manage_utmp',`
 	files_search_pids($1)
 	allow $1 initrc_var_run_t:file manage_file_perms;
 ')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to daemon with a tcp socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_tcp_recvfrom_all_daemons',`
+	gen_require(`
+		attribute daemon;
+	')
+
+	corenet_tcp_recvfrom_labeled($1, daemon)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to daemon with a udp socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_udp_recvfrom_all_daemons',`
+	gen_require(`
+		attribute daemon;
+	')
+	corenet_udp_recvfrom_labeled($1, daemon)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 0e457dd..51b714c 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init, 1.11.1)
+policy_module(init, 1.11.2)
 
 gen_require(`
 	class passwd rootok;
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index d52771f..96d11e2 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -549,6 +549,13 @@ template(`userdom_basic_networking_template',`
 	corenet_tcp_connect_all_ports($1_t)
 	corenet_sendrecv_all_client_packets($1_t)
 
+	corenet_all_recvfrom_labeled($1_t, $1_t)
+
+	optional_policy(`
+		init_tcp_recvfrom_all_daemons($1_t)
+		init_udp_recvfrom_all_daemons($1_t)
+	')
+
 	optional_policy(`
 		ipsec_match_default_spd($1_t)
 	')
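Review bot: The new labeled-networking rules carry no comment explaining why every user domain must receive labeled traffic from itself (`corenet_all_recvfrom_labeled($1_t, $1_t)`) and from all daemons, and unlike the `ipsec_match_default_spd` block that follows they are not wrapped in any tunable. A one-line comment such as `# Labeled networking: accept peer traffic from own-domain processes and from all daemons` would make the intent reviewable when this template is next audited. The head and remainder of `userdom_basic_networking_template` are outside this hunk, so whether an existing user-domain boolean could gate these rules cannot be judged from here.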
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 1359791..8c29e89 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain, 3.1.0)
+policy_module(userdomain, 3.1.1)
 
 ########################################
 #

