[selinux-policy: 3023/3172] Tunable and optional policy goes below.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:28:58 UTC 2010
commit f6bcb24b481e54cddd445a726d064546310f7c4b
Author: Dominick Grift <domg472 at gmail.com>
Date: Fri Sep 17 09:30:55 2010 +0200
Tunable and optional policy goes below.
Tunable and optional policy goes below.
policy/modules/services/apache.if | 4 ++--
policy/modules/services/apache.te | 31 ++++++++++++++++---------------
2 files changed, 18 insertions(+), 17 deletions(-)
---
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index a06a8dd..426e686 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -152,6 +152,8 @@ template(`apache_content_template',`
allow httpd_$1_script_t httpd_t:fd use;
allow httpd_$1_script_t httpd_t:process sigchld;
+ dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
+
kernel_read_system_state(httpd_$1_script_t)
dev_read_urand(httpd_$1_script_t)
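Review bot: The relocated `dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };` carries no comment saying why this access is silenced rather than granted, and it now sits between plain allow rules that do grant access, so the next editor may "fix" it into an allow. Presumably the script inherits httpd_t's connection socket through the `fd use` rule two lines above and must not read or write it directly; if so, a line such as `# Scripts inherit httpd_t's connection socket (fd use above) but must not use it; silence the denial rather than allow it` would record that intent. The apache_content_template body continues outside this hunk, and the old position of the rule is removed in the next hunk.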
@@ -180,8 +182,6 @@ template(`apache_content_template',`
optional_policy(`
nscd_socket_use(httpd_$1_script_t)
')
-
- dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
')
########################################
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 509a71a..300dffb 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -557,6 +557,12 @@ tunable_policy(`httpd_can_network_relay',`
corenet_sendrecv_squid_client_packets(httpd_t)
')
+tunable_policy(`httpd_execmem',`
+ allow httpd_t self:process { execmem execstack };
+ allow httpd_sys_script_t self:process { execmem execstack };
+ allow httpd_suexec_t self:process { execmem execstack };
+')
+
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
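Review bot: The relocated `httpd_execmem` tunable has no comment on what it gives up: execmem and execstack let httpd_t, httpd_sys_script_t and httpd_suexec_t map writable-and-executable anonymous memory and make their stack executable, which removes the W^X protection the rest of the policy otherwise keeps for these domains. Since the commit's purpose is to group the tunables together, this is the place to say so, e.g. `# httpd_execmem: permits executable anonymous memory and executable stack (disables W^X) for httpd, its CGI scripts and suexec`. The block is deleted unchanged at its old position in the next hunk, so only the placement changes here; the gen_tunable description for the boolean is presumably near the top of apache.te, outside this hunk, and the two should agree.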
@@ -744,12 +750,6 @@ optional_policy(`
rpc_search_nfs_state_data(httpd_t)
')
-tunable_policy(`httpd_execmem',`
- allow httpd_t self:process { execmem execstack };
- allow httpd_sys_script_t self:process { execmem execstack };
- allow httpd_suexec_t self:process { execmem execstack };
-')
-
optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
@@ -887,6 +887,10 @@ files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
@@ -932,11 +936,8 @@ tunable_policy(`httpd_can_network_connect_db',`
corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
')
-read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
-read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
-read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
-
domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
+
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_sys_script_t httpdcontent:file entrypoint;
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
@@ -1032,15 +1033,15 @@ optional_policy(`
')
')
-fs_cifs_entry_type(httpd_sys_script_t)
-fs_read_iso9660_files(httpd_sys_script_t)
-fs_nfs_entry_type(httpd_sys_script_t)
-
tunable_policy(`httpd_can_network_connect_db',`
corenet_tcp_connect_mssql_port(httpd_sys_script_t)
corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
')
+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
+
tunable_policy(`httpd_use_nfs',`
fs_manage_nfs_dirs(httpd_sys_script_t)
fs_manage_nfs_files(httpd_sys_script_t)
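Review bot: `fs_cifs_entry_type(httpd_sys_script_t)` and `fs_nfs_entry_type(httpd_sys_script_t)` are moved to sit directly above the `httpd_use_nfs` tunable while remaining unconditional, so a reader may assume they belong inside it. If they are meant to mark NFS/CIFS-labelled files as valid entry points for httpd_sys_script_t regardless of the tunable (presumably so that a script on a network mount can be entered even when it cannot be managed), a comment such as `# Entry types for scripts on NFS/CIFS mounts are deliberately not gated by httpd_use_nfs` would record that; if not, they may belong inside the tunables. The three lines move unchanged from their old position above the `httpd_can_network_connect_db` tunable earlier in the same hunk.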
@@ -1180,6 +1181,6 @@ tunable_policy(`httpd_enable_homedirs',`
tunable_policy(`httpd_read_user_content',`
userdom_read_user_home_content_files(httpd_t)
- userdom_read_user_home_content_files(httpd_user_script_t)
userdom_read_user_home_content_files(httpd_suexec_t)
+ userdom_read_user_home_content_files(httpd_user_script_t)
')