[selinux-policy: 1054/3172] stuff from dan
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:36:00 UTC 2010
commit bb43724465bdf17b4f0fa4d12ede591dd284e6d1
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Dec 12 21:47:43 2005 +0000
stuff from dan
refpolicy/Changelog | 1 +
refpolicy/policy/global_tunables | 6 ++++++
refpolicy/policy/modules/kernel/filesystem.if | 16 ++++++++++++++++
refpolicy/policy/modules/services/apache.te | 24 +++++++++++++++---------
refpolicy/policy/modules/system/mount.te | 11 ++++++-----
5 files changed, 44 insertions(+), 14 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 2d701c9..649364a 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Add apache relay and db connect tunables.
- Rename texrel_shlib_t to textrel_shlib_t.
- Add swat to samba module.
- Miscellaneous fixes from Dan Walsh.
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index b1535b4..ba62978 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -68,6 +68,12 @@ gen_tunable(httpd_builtin_scripting,false)
## Allow http daemon to tcp connect
gen_tunable(httpd_can_network_connect,false)
+## allow httpd to connect to mysql/posgresql
+gen_tunable(httpd_can_network_connect_db, false)
+
+## allow httpd to act as a relay
+gen_tunable(httpd_can_network_relay, false)
+
## Allow httpd cgi support
gen_tunable(httpd_enable_cgi,false)
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index a64164e..6648e9f 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -1239,6 +1239,22 @@ interface(`fs_getattr_rpc_dirs',`
########################################
## <summary>
+## Search directories of RPC file system pipes.
+## </summary>
+## <param name="domain">
+## The type of the domain reading the symbolic links.
+## </param>
+#
+interface(`fs_search_rpc_dirs',`
+ gen_require(`
+ type rpc_pipefs_t;
+ ')
+
+ allow $1 rpc_pipefs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
## Read directories of RPC file system pipes.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index dad36ad..f22676a 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.1.0)
+policy_module(apache,1.1.1)
#
# NOTES:
@@ -226,14 +226,6 @@ corenet_tcp_bind_all_nodes(httpd_t)
corenet_udp_bind_all_nodes(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
-# allow httpd to connect to mysql/posgresql
-corenet_tcp_connect_postgresql_port(httpd_t)
-corenet_tcp_connect_mysqld_port(httpd_t)
-# allow httpd to work as a relay
-corenet_tcp_connect_gopher_port(httpd_t)
-corenet_tcp_connect_ftp_port(httpd_t)
-corenet_tcp_connect_http_port(httpd_t)
-corenet_tcp_connect_http_cache_port(httpd_t)
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
@@ -324,6 +316,20 @@ tunable_policy(`httpd_can_network_connect',`
sysnet_read_config(httpd_t)
')
+tunable_policy(`httpd_can_network_connect_db',`
+ # allow httpd to connect to mysql/posgresql
+ corenet_tcp_connect_postgresql_port(httpd_t)
+ corenet_tcp_connect_mysqld_port(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_relay',`
+ # allow httpd to work as a relay
+ corenet_tcp_connect_gopher_port(httpd_t)
+ corenet_tcp_connect_ftp_port(httpd_t)
+ corenet_tcp_connect_http_port(httpd_t)
+ corenet_tcp_connect_http_cache_port(httpd_t)
+')
+
tunable_policy(`httpd_enable_cgi',`
domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
allow httpd_t httpd_unconfined_script_t:fd use;
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index a3668f8..90d55d1 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
-policy_module(mount,1.1.1)
+policy_module(mount,1.1.2)
########################################
#
@@ -94,9 +94,7 @@ ifdef(`distro_redhat',`
optional_policy(`portmap',`
# for nfs
- #allow portmap_t mount_t:udp_socket { sendto recvfrom };
- #allow mount_t portmap_t:udp_socket { sendto recvfrom };
- #allow mount_t rpc_pipefs_t:dir search;
+ corenet_non_ipsec_sendrecv(mount_t)
corenet_tcp_sendrecv_all_if(mount_t)
corenet_raw_sendrecv_all_if(mount_t)
corenet_udp_sendrecv_all_if(mount_t)
@@ -105,7 +103,6 @@ optional_policy(`portmap',`
corenet_udp_sendrecv_all_nodes(mount_t)
corenet_tcp_sendrecv_all_ports(mount_t)
corenet_udp_sendrecv_all_ports(mount_t)
- corenet_non_ipsec_sendrecv(mount_t)
corenet_tcp_bind_all_nodes(mount_t)
corenet_udp_bind_all_nodes(mount_t)
corenet_tcp_bind_generic_port(mount_t)
@@ -114,6 +111,10 @@ optional_policy(`portmap',`
corenet_udp_bind_reserved_port(mount_t)
corenet_tcp_connect_all_ports(mount_t)
+ fs_search_rpc_dirs(mount_t)
+
+ portmap_udp_sendrecv(mount_t)
+
optional_policy(`nis',`
nis_use_ypbind(mount_t)
')
More information about the scm-commits
mailing list