[selinux-policy: 2184/3172] pull in apache_admin() from fedora
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:14:01 UTC 2010
commit 4be3e110947c0276696128fa1f74efefc0f87d03
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Jul 28 13:24:08 2009 -0400
pull in apache_admin() from fedora
policy/modules/roles/webadm.te | 4 +-
policy/modules/services/apache.if | 65 +++++++++++++++++++++++++++++++++++++
policy/modules/services/apache.te | 2 +-
3 files changed, 68 insertions(+), 3 deletions(-)
---
diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te
index 0214c54..426031d 100644
--- a/policy/modules/roles/webadm.te
+++ b/policy/modules/roles/webadm.te
@@ -1,5 +1,5 @@
-policy_module(webadm, 1.0.0)
+policy_module(webadm, 1.0.1)
########################################
#
@@ -42,7 +42,7 @@ logging_send_syslog_msg(webadm_t)
userdom_dontaudit_search_user_home_dirs(webadm_t)
-#apache_admin(webadm_t, webadm_r)
+apache_admin(webadm_t, webadm_r)
tunable_policy(`webadm_manage_user_files',`
userdom_manage_user_home_content_files(webadm_t)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 4b6be37..a898dd8 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -1040,3 +1040,68 @@ interface(`apache_cgi_domain',`
allow httpd_t $1:process signal;
')
+
+########################################
+## <summary>
+## All of the rules required to administrate an apache environment
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix of the domain. Example, user would be
+## the prefix for the uder_t domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_admin',`
+ gen_require(`
+ attribute httpdcontent;
+ attribute httpd_script_exec_type;
+
+ type httpd_t, httpd_config_t, httpd_log_t;
+ type httpd_modules_t, httpd_lock_t;
+ type httpd_var_run_t, httpd_php_tmp_t;
+ type httpd_suexec_tmp_t, httpd_tmp_t;
+ ')
+
+ allow $1 httpd_t:process { getattr ptrace signal_perms };
+ ps_process_pattern($1, httpd_t)
+
+ apache_manage_all_content($1)
+ miscfiles_manage_public_files($1)
+
+ files_search_etc($1)
+ admin_pattern($1, httpd_config_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, httpd_log_t)
+
+ admin_pattern($1, httpd_modules_t)
+
+ admin_pattern($1, httpd_lock_t)
+ files_lock_filetrans($1, httpd_lock_t, file)
+
+ admin_pattern($1, httpd_var_run_t)
+ files_pid_filetrans($1, httpd_var_run_t, file)
+
+ kernel_search_proc($1)
+ allow $1 httpd_t:dir list_dir_perms;
+
+ read_lnk_files_pattern($1, httpd_t, httpd_t)
+
+ admin_pattern($1, httpdcontent)
+ admin_pattern($1, httpd_script_exec_type)
+ admin_pattern($1, httpd_tmp_t)
+ admin_pattern($1, httpd_php_tmp_t)
+ admin_pattern($1, httpd_suexec_tmp_t)
+')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index aa63901..652e585 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache, 2.0.2)
+policy_module(apache, 2.0.3)
#
# NOTES:
More information about the scm-commits
mailing list