[selinux-policy/f16] Remove pwauth_domtrans which is not used in F16
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Oct 12 21:00:01 UTC 2012
commit d7f927933054a1e51dd0e603f69ecf171622bed7
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Oct 12 22:59:34 2012 +0200
Remove pwauth_domtrans which is not used in F16
policy-F16.patch | 44 ++++++++++++++++++++------------------------
1 files changed, 20 insertions(+), 24 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 17d9f3a..9ddb377 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -26362,7 +26362,7 @@ index 6480167..eeb2953 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..7bb71e2 100644
+index 3136c6a..d24a31a 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,239 @@ policy_module(apache, 2.2.1)
@@ -26495,7 +26495,10 @@ index 3136c6a..7bb71e2 100644
gen_tunable(httpd_can_sendmail, false)
+
-+## <desc>
+ ## <desc>
+-## <p>
+-## Allow Apache to communicate with avahi service via dbus
+-## </p>
+## <p>
+## Allow http daemon to connect to zabbix
+## </p>
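Review bot: The hunks at `@@ -26495,7 +26495,10 @@` and `@@ -26509,10 +26512,7 @@` are not covered by the commit message, which mentions only the pwauth_domtrans removal. They move the `## <desc>` opener between the zabbix and avahi tunable blocks of the embedded apache.te diff. As far as the visible lines show, the resulting apache.te is the same either way, so this looks like re-alignment from regenerating policy-F16.patch. In a file that carries security policy, this kind of churn makes it harder to confirm that the only effective change is dropping `pwauth_domtrans(httpd_t)`. Either regenerate the patch so these hunks disappear, or add a line to the message such as `Regenerated policy-F16.patch; httpd tunable hunks are re-alignment only`.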
@@ -26509,10 +26512,7 @@ index 3136c6a..7bb71e2 100644
+## </desc>
+gen_tunable(httpd_can_check_spam, false)
+
- ## <desc>
--## <p>
--## Allow Apache to communicate with avahi service via dbus
--## </p>
++## <desc>
+## <p>
+## Allow Apache to communicate with avahi service via dbus
+## </p>
@@ -27126,14 +27126,10 @@ index 3136c6a..7bb71e2 100644
')
optional_policy(`
-@@ -577,6 +879,39 @@ optional_policy(`
+@@ -577,6 +879,35 @@ optional_policy(`
')
optional_policy(`
-+ pwauth_domtrans(httpd_t)
-+')
-+
-+optional_policy(`
+ tunable_policy(`httpd_run_stickshift', `
+ allow httpd_t self:capability { fowner fsetid sys_resource };
+ dontaudit httpd_t self:capability sys_ptrace;
@@ -27166,7 +27162,7 @@ index 3136c6a..7bb71e2 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +926,11 @@ optional_policy(`
+@@ -591,6 +922,11 @@ optional_policy(`
')
optional_policy(`
@@ -27178,7 +27174,7 @@ index 3136c6a..7bb71e2 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +943,12 @@ optional_policy(`
+@@ -603,6 +939,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -27191,7 +27187,7 @@ index 3136c6a..7bb71e2 100644
########################################
#
# Apache helper local policy
-@@ -616,7 +962,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +958,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -27204,7 +27200,7 @@ index 3136c6a..7bb71e2 100644
########################################
#
-@@ -654,28 +1004,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +1000,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -27248,7 +27244,7 @@ index 3136c6a..7bb71e2 100644
')
########################################
-@@ -685,6 +1037,8 @@ optional_policy(`
+@@ -685,6 +1033,8 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -27257,7 +27253,7 @@ index 3136c6a..7bb71e2 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1053,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1049,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -27283,7 +27279,7 @@ index 3136c6a..7bb71e2 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1099,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1095,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -27316,7 +27312,7 @@ index 3136c6a..7bb71e2 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1146,25 @@ optional_policy(`
+@@ -769,6 +1142,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -27342,7 +27338,7 @@ index 3136c6a..7bb71e2 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1185,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1181,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -27360,7 +27356,7 @@ index 3136c6a..7bb71e2 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1204,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1200,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -27417,7 +27413,7 @@ index 3136c6a..7bb71e2 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1255,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1251,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -27458,7 +27454,7 @@ index 3136c6a..7bb71e2 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1300,20 @@ optional_policy(`
+@@ -842,10 +1296,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -27479,7 +27475,7 @@ index 3136c6a..7bb71e2 100644
')
########################################
-@@ -891,11 +1359,49 @@ optional_policy(`
+@@ -891,11 +1355,49 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;