rpms/mod_fcgid/devel fastcgi-2.5.te, 1.4, 1.5 fastcgi.te, 1.5, 1.6 mod_fcgid.spec, 1.13, 1.14

Paul Howarth pghmcfc at fedoraproject.org
Wed Oct 22 23:30:18 UTC 2008 

Author: pghmcfc

Update of /cvs/pkgs/rpms/mod_fcgid/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31215

Modified Files:
	fastcgi-2.5.te fastcgi.te mod_fcgid.spec 
Log Message:
Clean up SELinux policy
Try to determine supported SELinux policy types by reading /etc/selinux/config



Index: fastcgi-2.5.te
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/devel/fastcgi-2.5.te,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- fastcgi-2.5.te	22 Oct 2008 10:31:34 -0000	1.4
+++ fastcgi-2.5.te	22 Oct 2008 23:29:48 -0000	1.5
@@ -3,6 +3,8 @@
 # packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
 # as updates for selinux-policy in Fedora 8, 9, and 10.
 #
+# Rules existing in selinux-policy 2.6.4 (F7) have been stripped from this policy
+#
 # Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
 # which is now an alias for httpd_sys_script_t.
 
@@ -11,7 +13,6 @@
 require {
 	type devpts_t;
 	type httpd_t;
-	type httpd_config_t;
 	type httpd_log_t;
 	type httpd_sys_content_t;
 	type httpd_sys_content_ra_t;
@@ -38,32 +39,17 @@
 typealias httpd_sys_script_t      alias httpd_fastcgi_script_t;
 typealias httpd_var_run_t         alias httpd_fastcgi_var_run_t;
 
-
 # ==========================================================
 # Re-use httpd_sys_script_t for mod_fcgid apps
 # ==========================================================
 
-# Included in selinux-policy 2.6.4 (F7)
-#kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-# Allow FastCGI applications to do DNS lookups
-sysnet_dns_name_resolve(httpd_sys_script_t)
-
-# Allow FastCGI applications to read the routing table
-allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms };
+# Allow web applications to call getpw* functions
+auth_use_nsswitch(httpd_sys_script_t)
 
 # Allow httpd to create and use files and sockets for communicating with mod_fcgid
-# Included in selinux-policy 2.6.4 (F7) apart from dir setattr
-#manage_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
-#manage_sock_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
+# Rules to do this are already in selinux-policy apart from dir setattr
 setattr_dirs_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
 
-# Allow httpd to read httpd_sys_content_t
-# Included in selinux-policy 2.6.4 (F7)
-#allow httpd_t httpd_sys_content_t:dir list_dir_perms;
-#read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
-#read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
-
 # Allow FastCGI applications to listen for FastCGI requests on their
 # sockets and respond to them
 allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
@@ -72,66 +58,6 @@
 dontaudit httpd_t devpts_t:chr_file ioctl;
 dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
 
-# ======================================================
-# Rules cribbed from recent httpd_sys_script_t policy
-# ======================================================
-
-# Included in selinux-policy 2.6.4 (F7)
-#dontaudit httpd_sys_script_t httpd_config_t:dir search;
-#
-#fs_search_auto_mountpoints(httpd_sys_script_t)
-
 # PHP uploads a file to /tmp and then execs programs to action them
-# Included in selinux-policy 2.6.4 (F7) apart from filetrans
-#manage_dirs_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
-#manage_files_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
+# Rules to do this are already in selinux-policy 2.6.4 (F7) apart from filetrans
 files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
-
-# Included in selinux-policy 2.6.4 (F7)
-#files_search_var_lib(httpd_sys_script_t)
-#files_search_spool(httpd_sys_script_t)
-
-# Should we add a boolean?
-# Included in selinux-policy 2.6.4 (F7)
-#apache_domtrans_rotatelogs(httpd_sys_script_t)
-
-# Included in selinux-policy 2.6.4 (F7)
-#ifdef(`distro_redhat',`
-#	allow httpd_sys_script_t httpd_log_t:file { getattr append };
-#')
-#
-#ifdef(`targeted_policy',`
-#	tunable_policy(`httpd_enable_homedirs',`
-#		userdom_search_generic_user_home_dirs(httpd_sys_script_t)
-#	')
-#')
-#
-#tunable_policy(`httpd_use_nfs', `
-#	fs_read_nfs_files(httpd_sys_script_t)
-#	fs_read_nfs_symlinks(httpd_sys_script_t)
-#')
-#
-#tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-#	fs_read_nfs_files(httpd_sys_script_t)
-#	fs_read_nfs_symlinks(httpd_sys_script_t)
-#')
-#
-#tunable_policy(`httpd_use_cifs', `
-#	fs_read_cifs_files(httpd_sys_script_t)
-#	fs_read_cifs_symlinks(httpd_sys_script_t)
-#')
-#
-#tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-#	fs_read_cifs_files(httpd_sys_script_t)
-#	fs_read_cifs_symlinks(httpd_sys_script_t)
-#')
-#
-#optional_policy(`
-#	mysql_stream_connect(httpd_sys_script_t)
-#	mysql_rw_db_sockets(httpd_sys_script_t)
-#')
-#
-#optional_policy(`
-#	clamav_domtrans_clamscan(httpd_sys_script_t)
-#')
-


Index: fastcgi.te
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/devel/fastcgi.te,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- fastcgi.te	22 Oct 2008 10:31:34 -0000	1.5
+++ fastcgi.te	22 Oct 2008 23:29:48 -0000	1.6
@@ -1,17 +1,18 @@
-policy_module(fastcgi, 0.1.10)
-
 # This policy module provides support for mod_fcgid using the httpd system script domain.
 # It provides "allow" rules that will overlap to varying degrees with selinux-policy
 # packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
 # as updates for selinux-policy in Fedora 8, 9, and 10.
 #
+# Rules existing in selinux-policy 2.3.7 (FC5) have been stripped from this policy
+#
 # Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
 # which is now an alias for httpd_sys_script_t.
 
+policy_module(fastcgi, 0.1.10)
+
 require {
 	type devpts_t;
 	type httpd_t;
-	#type httpd_config_t;
 	type httpd_log_t;
 	type httpd_sys_content_t;
 	type httpd_sys_content_ra_t;
@@ -42,29 +43,15 @@
 # Re-use httpd_sys_script_t for mod_fcgid apps
 # ==========================================================
 
-# Included in selinux-policy 2.3.7 (FC5)
-#kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-# Allow FastCGI applications to do DNS lookups
-sysnet_dns_name_resolve(httpd_sys_script_t)
-
-# Allow FastCGI applications to read the routing table
-allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms };
+# Allow web applications to call getpw* functions
+auth_use_nsswitch(httpd_sys_script_t)
+#sysnet_dns_name_resolve(httpd_sys_script_t)
+#allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms };
 
 # Allow httpd to create and use files and sockets for communicating with mod_fcgid
-# Included in selinux-policy 2.3.7 (FC5) apart from dir setattr
-#allow httpd_t httpd_var_run_t:dir { rw_dir_perms setattr };
-#allow httpd_t httpd_var_run_t:file { create_file_perms };
-#allow httpd_t httpd_var_run_t:sock_file { create_file_perms };
+# Rules to do this are already in selinux-policy apart from dir setattr
 allow httpd_t httpd_var_run_t:dir setattr;
 
-# Allow httpd to read httpd_sys_content_t
-# (shouldn't this be in the content template?)
-# Included in selinux-policy 2.3.7 (FC5)
-#allow httpd_t httpd_sys_content_t:dir r_dir_perms;
-#allow httpd_t httpd_sys_content_t:file r_file_perms;
-#allow httpd_t httpd_sys_content_t:lnk_file { getattr read };
-
 # Allow FastCGI applications to listen for FastCGI requests on their
 # sockets and respond to them
 allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
@@ -73,13 +60,7 @@
 dontaudit httpd_t devpts_t:chr_file ioctl;
 dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
 
-# ======================================================
-# Rules cribbed from recent httpd_sys_script_t policy
-# ======================================================
-
-# Included in selinux-policy 2.3.7 (FC5)
-#dontaudit httpd_sys_script_t httpd_config_t:dir search;
-
+# Search automount filesystem to use automatically mounted filesystems
 fs_search_auto_mountpoints(httpd_sys_script_t)
 
 # PHP uploads a file to /tmp and then execs programs to action them
@@ -87,42 +68,12 @@
 allow httpd_sys_script_t httpd_tmp_t:file manage_file_perms;
 files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
 
-# Included in selinux-policy 2.3.7 (FC5)
-#files_search_var_lib(httpd_sys_script_t)
-#files_search_spool(httpd_sys_script_t)
-
-# Should we add a boolean?
-# Included in selinux-policy 2.3.7 (FC5)
-#apache_domtrans_rotatelogs(httpd_sys_script_t)
-
-# Included in selinux-policy 2.3.7 (FC5)
-#ifdef(`distro_redhat',`
-#	allow httpd_sys_script_t httpd_log_t:file { getattr append };
-#')
-#
-#ifdef(`targeted_policy',`
-#	tunable_policy(`httpd_enable_homedirs',`
-#		userdom_search_generic_user_home_dirs(httpd_sys_script_t)
-#	')
-#')
-
+# Support network home directories
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_files(httpd_sys_script_t)
 	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
-
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
 ')
-
-# Included in selinux-policy 2.3.7 (FC5)
-#optional_policy(`
-#	mysql_stream_connect(httpd_sys_script_t)
-#	mysql_rw_db_sockets(httpd_sys_script_t)
-#')
-#
-#optional_policy(`
-#	clamav_domtrans_clamscan(httpd_sys_script_t)
-#')
-


Index: mod_fcgid.spec
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/devel/mod_fcgid.spec,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- mod_fcgid.spec	22 Oct 2008 10:31:34 -0000	1.13
+++ mod_fcgid.spec	22 Oct 2008 23:29:48 -0000	1.14
@@ -1,14 +1,15 @@
 # Fedora 5,6,7 and EPEL5 versions includes SELinux policy module package
 # Fedora 8,9,10 versions will include policy in errata selinux-policy releases
 %if 0%{?fedora}%{?rhel} < 5
-%define selinux_module 0
-%define selinux_variants %{nil}
-%define selinux_buildreqs %{nil}
+%global selinux_module 0
+%global selinux_variants %{nil}
+%global selinux_buildreqs %{nil}
 %else
 # Temporarily build merged policy to make sure it works
-%define selinux_module 1
-%define selinux_variants mls strict targeted
-%define selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink
+%global selinux_module 1
+%global selinux_types %(%{__awk} '/^#[[:space:]]*SELINUXTYPE=/,/^[^#]/ { if ($3 == "-") printf "%s ", $2 }' /etc/selinux/config 2>/dev/null)
+%global selinux_variants %([ -z "%{selinux_types}" ] && echo mls strict targeted || echo %{selinux_types})
+%global selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink
 %endif
 
 Name:		mod_fcgid
@@ -160,6 +161,7 @@
 * Tue Oct 21 2008 Paul Howarth <paul at city-fan.org> 2.2-6
 - SELinux policy module rewritten to merge fastcgi and system script domains
   in preparation for merge into main selinux-policy package (#462318)
+- Try to determine supported SELinux policy types by reading /etc/selinux/config
 
 * Thu Jul 24 2008 Paul Howarth <paul at city-fan.org> 2.2-5
 - Tweak selinux-policy version detection macro to work with current Rawhide

More information about the scm-commits mailing list