[selinux-policy: 2184/3172] pull in apache_admin() from fedora

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:14:01 UTC 2010


commit 4be3e110947c0276696128fa1f74efefc0f87d03
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Jul 28 13:24:08 2009 -0400

    pull in apache_admin() from fedora

 policy/modules/roles/webadm.te    |    4 +-
 policy/modules/services/apache.if |   65 +++++++++++++++++++++++++++++++++++++
 policy/modules/services/apache.te |    2 +-
 3 files changed, 68 insertions(+), 3 deletions(-)
---
diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te
index 0214c54..426031d 100644
--- a/policy/modules/roles/webadm.te
+++ b/policy/modules/roles/webadm.te
@@ -1,5 +1,5 @@
 
-policy_module(webadm, 1.0.0)
+policy_module(webadm, 1.0.1)
 
 ########################################
 #
@@ -42,7 +42,7 @@ logging_send_syslog_msg(webadm_t)
 
 userdom_dontaudit_search_user_home_dirs(webadm_t)
 
-#apache_admin(webadm_t, webadm_r)
+apache_admin(webadm_t, webadm_r)
 
 tunable_policy(`webadm_manage_user_files',`
 	userdom_manage_user_home_content_files(webadm_t)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 4b6be37..a898dd8 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -1040,3 +1040,68 @@ interface(`apache_cgi_domain',`
 
 	allow httpd_t $1:process signal;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate an apache environment
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix of the domain. Example, user would be
+##	the prefix for the uder_t domain.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_admin',`
+	gen_require(`
+		attribute httpdcontent;
+		attribute httpd_script_exec_type;
+
+		type httpd_t, httpd_config_t, httpd_log_t;
+		type httpd_modules_t, httpd_lock_t;
+		type httpd_var_run_t, httpd_php_tmp_t;
+		type httpd_suexec_tmp_t, httpd_tmp_t;
+	')
+
+	allow $1 httpd_t:process { getattr ptrace signal_perms };
+	ps_process_pattern($1, httpd_t)
+
+	apache_manage_all_content($1)
+	miscfiles_manage_public_files($1)
+
+	files_search_etc($1)
+	admin_pattern($1, httpd_config_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, httpd_log_t)
+
+	admin_pattern($1, httpd_modules_t)
+
+	admin_pattern($1, httpd_lock_t)
+	files_lock_filetrans($1, httpd_lock_t, file)
+
+	admin_pattern($1, httpd_var_run_t)
+	files_pid_filetrans($1, httpd_var_run_t, file)
+
+	kernel_search_proc($1)
+	allow $1 httpd_t:dir list_dir_perms;
+
+	read_lnk_files_pattern($1, httpd_t, httpd_t)
+
+	admin_pattern($1, httpdcontent)
+	admin_pattern($1, httpd_script_exec_type)
+	admin_pattern($1, httpd_tmp_t)
+	admin_pattern($1, httpd_php_tmp_t)
+	admin_pattern($1, httpd_suexec_tmp_t)
+')
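Review bot: The XML doc block for `apache_admin` does not match the interface body: it documents three parameters (`prefix`, `domain`, `role`) and declares `<rolecap/>`, but the body only ever uses `$1` as the admin domain and never references `$2`, while the call site enabled in the webadm.te hunk passes two arguments, `apache_admin(webadm_t, webadm_r)`. The `prefix` `<param>` block should be dropped so that `domain` and `role` describe `$1` and `$2`, and the `role` parameter should either be consumed in the body or its `<summary>` should state that it is currently unused; the `<summary>` text `uder_t` is also a typo for `user_t`. Separately, `allow $1 httpd_t:process { getattr ptrace signal_perms };` is the broadest grant in this interface, since ptrace lets the admin domain inspect and control running `httpd_t` processes rather than only its files; a why-comment such as `# ptrace: lets the admin domain debug running httpd_t; drop if not required` would make that intentional rather than incidental.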
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index aa63901..652e585 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
 
-policy_module(apache, 2.0.2)
+policy_module(apache, 2.0.3)
 
 #
 # NOTES: 

