[selinux-policy: 2842/3172] Dontaudit signals from sandbox domains to domains that transition to them
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:13:00 UTC 2010
commit ddcd5d6350509c2ff6a3b85bd1865dc0f23271f9
Author: Dan Walsh <dwalsh at redhat.com>
Date: Mon Aug 30 13:32:47 2010 -0400
Dontaudit signals from sandbox domains to domains that transition to them
policy/modules/apps/sandbox.if | 1 +
policy/modules/services/apache.if | 2 ++
2 files changed, 3 insertions(+), 0 deletions(-)
---
diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
index d104714..c20d303 100644
--- a/policy/modules/apps/sandbox.if
+++ b/policy/modules/apps/sandbox.if
@@ -49,6 +49,7 @@ interface(`sandbox_transition',`
dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
+ dontaudit sandbox_x_domain $1:process signal;
allow $1 sandbox_tmpfs_type:file manage_file_perms;
dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
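Review bot: The added `dontaudit sandbox_x_domain $1:process signal;` suppresses the AVC record without a comment saying why. A sandboxed process that tries to signal the domain that launched it is still denied, but leaves no trace in the audit log. A one-line comment above the rule would record the intent, for example `# Denied but not logged: sandboxed X clients signalling the domain that launched them`. Only the `signal` permission is listed, so denials for sigkill, sigstop and signull stay audited; that narrow scope is worth keeping and stating in the same comment. When a sandbox escape is being investigated, the hidden denials can be made visible again by rebuilding the policy with `semodule -DB`. The body of `sandbox_transition` begins and ends outside this hunk.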
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 7260bf6..c96d035 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -238,6 +238,8 @@ interface(`apache_role',`
relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ apache_exec_modules($2)
+
tunable_policy(`httpd_enable_cgi',`
# If a user starts a script by hand it gets the proper context
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
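Review bot: `apache_exec_modules($2)` grants new access, but the commit title mentions only dontaudit rules for sandbox signals, so the change is easy to miss in review and in later history searches. The call is placed before the `httpd_enable_cgi` tunable block, so it applies unconditionally to every domain passed to `apache_role`, whatever the boolean's setting. The interface presumably allows executing Apache module files (its definition is not visible here). If so, a comment such as `# Role domains may execute Apache module files; needed for <use case>` would justify it. It would also be worth confirming whether the call belongs inside the tunable. Putting the change in its own commit, or naming it in the description, would make the widened permission auditable. The body of `apache_role` continues outside this hunk.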