[selinux-policy: 1054/3172] stuff from dan

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:36:00 UTC 2010


commit bb43724465bdf17b4f0fa4d12ede591dd284e6d1
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Dec 12 21:47:43 2005 +0000

    stuff from dan

 refpolicy/Changelog                           |    1 +
 refpolicy/policy/global_tunables              |    6 ++++++
 refpolicy/policy/modules/kernel/filesystem.if |   16 ++++++++++++++++
 refpolicy/policy/modules/services/apache.te   |   24 +++++++++++++++---------
 refpolicy/policy/modules/system/mount.te      |   11 ++++++-----
 5 files changed, 44 insertions(+), 14 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 2d701c9..649364a 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Add apache relay and db connect tunables.
 - Rename texrel_shlib_t to textrel_shlib_t.
 - Add swat to samba module.
 - Miscellaneous fixes from Dan Walsh.
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index b1535b4..ba62978 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -68,6 +68,12 @@ gen_tunable(httpd_builtin_scripting,false)
 ## Allow http daemon to tcp connect 
 gen_tunable(httpd_can_network_connect,false)
 
+## allow httpd to connect to mysql/posgresql 
+gen_tunable(httpd_can_network_connect_db, false)
+
+## allow httpd to act as a relay 
+gen_tunable(httpd_can_network_relay, false)
+
 ## Allow httpd cgi support
 gen_tunable(httpd_enable_cgi,false)
 
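Review bot: The description of the new `httpd_can_network_connect_db` tunable misspells PostgreSQL (`posgresql`), and since these `##` lines are the documentation an administrator reads before flipping the boolean, the typo is user-visible; the same misspelling recurs in the comment added to apache.te in this commit. The two new `gen_tunable` calls also break from their neighbours, which write `gen_tunable(httpd_can_network_connect,false)` without a space and capitalise the description. Suggested lines: `## Allow httpd to connect to MySQL/PostgreSQL database ports` and `gen_tunable(httpd_can_network_connect_db,false)`, with the relay tunable matched the same way. Because the relay block in apache.te grants tcp connects to the ftp and gopher ports as well as http and http_cache, its description should enumerate that scope, e.g. `## Allow httpd to act as a relay (tcp connect to http, http_cache, ftp and gopher ports)`, so an administrator enabling it for a reverse proxy is not surprised by the extra ports.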
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index a64164e..6648e9f 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -1239,6 +1239,22 @@ interface(`fs_getattr_rpc_dirs',`
 
 ########################################
 ## <summary>
+##	Search directories of RPC file system pipes.
+## </summary>
+## <param name="domain">
+##	The type of the domain reading the symbolic links.
+## </param>
+#
+interface(`fs_search_rpc_dirs',`
+	gen_require(`
+		type rpc_pipefs_t;
+	')
+
+	allow $1 rpc_pipefs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Read directories of RPC file system pipes.
 ## </summary>
 ## <param name="domain">
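Review bot: The `<param>` description of the new `fs_search_rpc_dirs` interface reads `The type of the domain reading the symbolic links.`, which looks copied from a neighbouring interface; the body only grants `search_dir_perms` on `rpc_pipefs_t` directories and touches no symbolic links. Change it to `##	The type of the domain searching the directories.` so the generated interface documentation matches what the interface actually permits. Otherwise the interface follows the surrounding pattern (gen_require of the type, a single allow rule).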
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index dad36ad..f22676a 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
 
-policy_module(apache,1.1.0)
+policy_module(apache,1.1.1)
 
 #
 # NOTES: 
@@ -226,14 +226,6 @@ corenet_tcp_bind_all_nodes(httpd_t)
 corenet_udp_bind_all_nodes(httpd_t)
 corenet_tcp_bind_http_port(httpd_t)
 corenet_tcp_bind_http_cache_port(httpd_t)
-# allow httpd to connect to mysql/posgresql 
-corenet_tcp_connect_postgresql_port(httpd_t)
-corenet_tcp_connect_mysqld_port(httpd_t)
-# allow httpd to work as a relay
-corenet_tcp_connect_gopher_port(httpd_t)
-corenet_tcp_connect_ftp_port(httpd_t)
-corenet_tcp_connect_http_port(httpd_t)
-corenet_tcp_connect_http_cache_port(httpd_t)
 
 dev_read_sysfs(httpd_t)
 dev_read_rand(httpd_t)
@@ -324,6 +316,20 @@ tunable_policy(`httpd_can_network_connect',`
 	sysnet_read_config(httpd_t)
 ')
 
+tunable_policy(`httpd_can_network_connect_db',`
+	# allow httpd to connect to mysql/posgresql
+	corenet_tcp_connect_postgresql_port(httpd_t)
+	corenet_tcp_connect_mysqld_port(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_relay',`
+	# allow httpd to work as a relay
+	corenet_tcp_connect_gopher_port(httpd_t)
+	corenet_tcp_connect_ftp_port(httpd_t)
+	corenet_tcp_connect_http_port(httpd_t)
+	corenet_tcp_connect_http_cache_port(httpd_t)
+')
+
 tunable_policy(`httpd_enable_cgi',`
 	domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
 	allow httpd_t httpd_unconfined_script_t:fd use;
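Review bot: The comments inside the two new `tunable_policy` blocks only restate the tunable names (and repeat the `posgresql` misspelling), while the thing a reader of apache.te needs is how they relate to `httpd_can_network_connect`, whose block closes just above the new ones; if that tunable allows connects to all ports (its body is outside this hunk) the two new booleans are narrower alternatives that let a site avoid enabling the broad one, and a comment such as `# narrower alternative to httpd_can_network_connect: database ports only` on the first block, and the port list on the second, would say so. Note also that the rules these blocks replace were unconditional in the earlier hunk of this file, so with both tunables defaulting to false a deployment that relied on httpd reaching mysql or postgresql will start being denied after this update; the Changelog entry `Add apache relay and db connect tunables.` does not mention that default behaviour changes, and a clause like `httpd connections to database and relay ports are now denied unless the tunable is enabled` would make the tightening visible to packagers.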
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index a3668f8..90d55d1 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
 
-policy_module(mount,1.1.1)
+policy_module(mount,1.1.2)
 
 ########################################
 #
@@ -94,9 +94,7 @@ ifdef(`distro_redhat',`
 
 optional_policy(`portmap',`
 	# for nfs
-	#allow portmap_t mount_t:udp_socket { sendto recvfrom };
-	#allow mount_t portmap_t:udp_socket { sendto recvfrom };
-	#allow mount_t rpc_pipefs_t:dir search;
+	corenet_non_ipsec_sendrecv(mount_t)
 	corenet_tcp_sendrecv_all_if(mount_t)
 	corenet_raw_sendrecv_all_if(mount_t)
 	corenet_udp_sendrecv_all_if(mount_t)
@@ -105,7 +103,6 @@ optional_policy(`portmap',`
 	corenet_udp_sendrecv_all_nodes(mount_t)
 	corenet_tcp_sendrecv_all_ports(mount_t)
 	corenet_udp_sendrecv_all_ports(mount_t)
-	corenet_non_ipsec_sendrecv(mount_t)
 	corenet_tcp_bind_all_nodes(mount_t)
 	corenet_udp_bind_all_nodes(mount_t)
 	corenet_tcp_bind_generic_port(mount_t)
@@ -114,6 +111,10 @@ optional_policy(`portmap',`
 	corenet_udp_bind_reserved_port(mount_t)
 	corenet_tcp_connect_all_ports(mount_t)
 
+	fs_search_rpc_dirs(mount_t)
+
+	portmap_udp_sendrecv(mount_t)
+
 	optional_policy(`nis',`
 		nis_use_ypbind(mount_t)
 	')
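Review bot: The new calls `fs_search_rpc_dirs(mount_t)` and `portmap_udp_sendrecv(mount_t)` replace the commented-out raw allow rules deleted earlier in this file (the `rpc_pipefs_t:dir search` and `udp_socket { sendto recvfrom }` lines), but they sit at the tail of the portmap `optional_policy` block with no comment, far from the `# for nfs` remark at its top; a one-liner such as `# for nfs: search rpc_pipefs and exchange udp with portmap` above them would keep the intent readable. `fs_search_rpc_dirs` is a kernel-layer interface introduced in this same commit and does not depend on the portmap module being loaded, so whether it belongs inside this optional block or among mount's unconditional rules turns on whether mount needs rpc_pipefs only for NFS, which I cannot confirm from the diff. `portmap_udp_sendrecv` is assumed to already be declared in portmap.if, which is not part of this patch.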

