rpms/mod_fcgid/devel fastcgi-2.5.te, 1.4, 1.5 fastcgi.te, 1.5, 1.6 mod_fcgid.spec, 1.13, 1.14
Paul Howarth
pghmcfc at fedoraproject.org
Wed Oct 22 23:30:18 UTC 2008
Author: pghmcfc
Update of /cvs/pkgs/rpms/mod_fcgid/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31215
Modified Files:
fastcgi-2.5.te fastcgi.te mod_fcgid.spec
Log Message:
Clean up SELinux policy
Try to determine supported SELinux policy types by reading /etc/selinux/config
Index: fastcgi-2.5.te
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/devel/fastcgi-2.5.te,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- fastcgi-2.5.te 22 Oct 2008 10:31:34 -0000 1.4
+++ fastcgi-2.5.te 22 Oct 2008 23:29:48 -0000 1.5
@@ -3,6 +3,8 @@
# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
# as updates for selinux-policy in Fedora 8, 9, and 10.
#
+# Rules existing in selinux-policy 2.6.4 (F7) have been stripped from this policy
+#
# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
# which is now an alias for httpd_sys_script_t.
@@ -11,7 +13,6 @@
require {
type devpts_t;
type httpd_t;
- type httpd_config_t;
type httpd_log_t;
type httpd_sys_content_t;
type httpd_sys_content_ra_t;
@@ -38,32 +39,17 @@
typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
-
# ==========================================================
# Re-use httpd_sys_script_t for mod_fcgid apps
# ==========================================================
-# Included in selinux-policy 2.6.4 (F7)
-#kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-# Allow FastCGI applications to do DNS lookups
-sysnet_dns_name_resolve(httpd_sys_script_t)
-
-# Allow FastCGI applications to read the routing table
-allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms };
+# Allow web applications to call getpw* functions
+auth_use_nsswitch(httpd_sys_script_t)
# Allow httpd to create and use files and sockets for communicating with mod_fcgid
-# Included in selinux-policy 2.6.4 (F7) apart from dir setattr
-#manage_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
-#manage_sock_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
+# Rules to do this are already in selinux-policy apart from dir setattr
setattr_dirs_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
-# Allow httpd to read httpd_sys_content_t
-# Included in selinux-policy 2.6.4 (F7)
-#allow httpd_t httpd_sys_content_t:dir list_dir_perms;
-#read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
-#read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
-
# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them
allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
@@ -72,66 +58,6 @@
dontaudit httpd_t devpts_t:chr_file ioctl;
dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
-# ======================================================
-# Rules cribbed from recent httpd_sys_script_t policy
-# ======================================================
-
-# Included in selinux-policy 2.6.4 (F7)
-#dontaudit httpd_sys_script_t httpd_config_t:dir search;
-#
-#fs_search_auto_mountpoints(httpd_sys_script_t)
-
# PHP uploads a file to /tmp and then execs programs to action them
-# Included in selinux-policy 2.6.4 (F7) apart from filetrans
-#manage_dirs_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
-#manage_files_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
+# Rules to do this are already in selinux-policy 2.6.4 (F7) apart from filetrans
files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
-
-# Included in selinux-policy 2.6.4 (F7)
-#files_search_var_lib(httpd_sys_script_t)
-#files_search_spool(httpd_sys_script_t)
-
-# Should we add a boolean?
-# Included in selinux-policy 2.6.4 (F7)
-#apache_domtrans_rotatelogs(httpd_sys_script_t)
-
-# Included in selinux-policy 2.6.4 (F7)
-#ifdef(`distro_redhat',`
-# allow httpd_sys_script_t httpd_log_t:file { getattr append };
-#')
-#
-#ifdef(`targeted_policy',`
-# tunable_policy(`httpd_enable_homedirs',`
-# userdom_search_generic_user_home_dirs(httpd_sys_script_t)
-# ')
-#')
-#
-#tunable_policy(`httpd_use_nfs', `
-# fs_read_nfs_files(httpd_sys_script_t)
-# fs_read_nfs_symlinks(httpd_sys_script_t)
-#')
-#
-#tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-# fs_read_nfs_files(httpd_sys_script_t)
-# fs_read_nfs_symlinks(httpd_sys_script_t)
-#')
-#
-#tunable_policy(`httpd_use_cifs', `
-# fs_read_cifs_files(httpd_sys_script_t)
-# fs_read_cifs_symlinks(httpd_sys_script_t)
-#')
-#
-#tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-# fs_read_cifs_files(httpd_sys_script_t)
-# fs_read_cifs_symlinks(httpd_sys_script_t)
-#')
-#
-#optional_policy(`
-# mysql_stream_connect(httpd_sys_script_t)
-# mysql_rw_db_sockets(httpd_sys_script_t)
-#')
-#
-#optional_policy(`
-# clamav_domtrans_clamscan(httpd_sys_script_t)
-#')
-
Index: fastcgi.te
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/devel/fastcgi.te,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- fastcgi.te 22 Oct 2008 10:31:34 -0000 1.5
+++ fastcgi.te 22 Oct 2008 23:29:48 -0000 1.6
@@ -1,17 +1,18 @@
-policy_module(fastcgi, 0.1.10)
-
# This policy module provides support for mod_fcgid using the httpd system script domain.
# It provides "allow" rules that will overlap to varying degrees with selinux-policy
# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
# as updates for selinux-policy in Fedora 8, 9, and 10.
#
+# Rules existing in selinux-policy 2.3.7 (FC5) have been stripped from this policy
+#
# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
# which is now an alias for httpd_sys_script_t.
+policy_module(fastcgi, 0.1.10)
+
require {
type devpts_t;
type httpd_t;
- #type httpd_config_t;
type httpd_log_t;
type httpd_sys_content_t;
type httpd_sys_content_ra_t;
@@ -42,29 +43,15 @@
# Re-use httpd_sys_script_t for mod_fcgid apps
# ==========================================================
-# Included in selinux-policy 2.3.7 (FC5)
-#kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-# Allow FastCGI applications to do DNS lookups
-sysnet_dns_name_resolve(httpd_sys_script_t)
-
-# Allow FastCGI applications to read the routing table
-allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms };
+# Allow web applications to call getpw* functions
+auth_use_nsswitch(httpd_sys_script_t)
+#sysnet_dns_name_resolve(httpd_sys_script_t)
+#allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms };
# Allow httpd to create and use files and sockets for communicating with mod_fcgid
-# Included in selinux-policy 2.3.7 (FC5) apart from dir setattr
-#allow httpd_t httpd_var_run_t:dir { rw_dir_perms setattr };
-#allow httpd_t httpd_var_run_t:file { create_file_perms };
-#allow httpd_t httpd_var_run_t:sock_file { create_file_perms };
+# Rules to do this are already in selinux-policy apart from dir setattr
allow httpd_t httpd_var_run_t:dir setattr;
-# Allow httpd to read httpd_sys_content_t
-# (shouldn't this be in the content template?)
-# Included in selinux-policy 2.3.7 (FC5)
-#allow httpd_t httpd_sys_content_t:dir r_dir_perms;
-#allow httpd_t httpd_sys_content_t:file r_file_perms;
-#allow httpd_t httpd_sys_content_t:lnk_file { getattr read };
-
# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them
allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
@@ -73,13 +60,7 @@
dontaudit httpd_t devpts_t:chr_file ioctl;
dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
-# ======================================================
-# Rules cribbed from recent httpd_sys_script_t policy
-# ======================================================
-
-# Included in selinux-policy 2.3.7 (FC5)
-#dontaudit httpd_sys_script_t httpd_config_t:dir search;
-
+# Search automount filesystem to use automatically mounted filesystems
fs_search_auto_mountpoints(httpd_sys_script_t)
# PHP uploads a file to /tmp and then execs programs to action them
@@ -87,42 +68,12 @@
allow httpd_sys_script_t httpd_tmp_t:file manage_file_perms;
files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
-# Included in selinux-policy 2.3.7 (FC5)
-#files_search_var_lib(httpd_sys_script_t)
-#files_search_spool(httpd_sys_script_t)
-
-# Should we add a boolean?
-# Included in selinux-policy 2.3.7 (FC5)
-#apache_domtrans_rotatelogs(httpd_sys_script_t)
-
-# Included in selinux-policy 2.3.7 (FC5)
-#ifdef(`distro_redhat',`
-# allow httpd_sys_script_t httpd_log_t:file { getattr append };
-#')
-#
-#ifdef(`targeted_policy',`
-# tunable_policy(`httpd_enable_homedirs',`
-# userdom_search_generic_user_home_dirs(httpd_sys_script_t)
-# ')
-#')
-
+# Support network home directories
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
-
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
')
-
-# Included in selinux-policy 2.3.7 (FC5)
-#optional_policy(`
-# mysql_stream_connect(httpd_sys_script_t)
-# mysql_rw_db_sockets(httpd_sys_script_t)
-#')
-#
-#optional_policy(`
-# clamav_domtrans_clamscan(httpd_sys_script_t)
-#')
-
Index: mod_fcgid.spec
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/devel/mod_fcgid.spec,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- mod_fcgid.spec 22 Oct 2008 10:31:34 -0000 1.13
+++ mod_fcgid.spec 22 Oct 2008 23:29:48 -0000 1.14
@@ -1,14 +1,15 @@
# Fedora 5,6,7 and EPEL5 versions includes SELinux policy module package
# Fedora 8,9,10 versions will include policy in errata selinux-policy releases
%if 0%{?fedora}%{?rhel} < 5
-%define selinux_module 0
-%define selinux_variants %{nil}
-%define selinux_buildreqs %{nil}
+%global selinux_module 0
+%global selinux_variants %{nil}
+%global selinux_buildreqs %{nil}
%else
# Temporarily build merged policy to make sure it works
-%define selinux_module 1
-%define selinux_variants mls strict targeted
-%define selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink
+%global selinux_module 1
+%global selinux_types %(%{__awk} '/^#[[:space:]]*SELINUXTYPE=/,/^[^#]/ { if ($3 == "-") printf "%s ", $2 }' /etc/selinux/config 2>/dev/null)
+%global selinux_variants %([ -z "%{selinux_types}" ] && echo mls strict targeted || echo %{selinux_types})
+%global selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink
%endif
Name: mod_fcgid
@@ -160,6 +161,7 @@
* Tue Oct 21 2008 Paul Howarth <paul at city-fan.org> 2.2-6
- SELinux policy module rewritten to merge fastcgi and system script domains
in preparation for merge into main selinux-policy package (#462318)
+- Try to determine supported SELinux policy types by reading /etc/selinux/config
* Thu Jul 24 2008 Paul Howarth <paul at city-fan.org> 2.2-5
- Tweak selinux-policy version detection macro to work with current Rawhide
More information about the scm-commits
mailing list