[selinux-policy: 2842/3172] Dontaudit signals from sandbox domains to domains that transition to them

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:13:00 UTC 2010


commit ddcd5d6350509c2ff6a3b85bd1865dc0f23271f9
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Mon Aug 30 13:32:47 2010 -0400

    Dontaudit signals from sandbox domains to domains that transition to them

 policy/modules/apps/sandbox.if    |    1 +
 policy/modules/services/apache.if |    2 ++
 2 files changed, 3 insertions(+), 0 deletions(-)
---
diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
index d104714..c20d303 100644
--- a/policy/modules/apps/sandbox.if
+++ b/policy/modules/apps/sandbox.if
@@ -49,6 +49,7 @@ interface(`sandbox_transition',`
 	dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
 	dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
 	dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
+	dontaudit sandbox_x_domain $1:process signal;
 	
 	allow $1 sandbox_tmpfs_type:file manage_file_perms;
 	dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
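Review bot: The added `dontaudit sandbox_x_domain $1:process signal;` carries no comment, so a later reader cannot tell that this denial is suppressed on purpose. A silenced signal denial also removes the audit trail for a sandboxed process that tries to signal its launcher. I would add a line above it such as `# Denied and not audited: sandboxed X clients signalling the domain that launched them`. When triaging sandbox behaviour these AVCs only reappear after rebuilding with dontaudit rules disabled (`semodule -DB`). The rule covers only `signal`, so the other signal permissions presumably stay audited; the body of sandbox_transition starts and ends outside the hunk.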
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 7260bf6..c96d035 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -238,6 +238,8 @@ interface(`apache_role',`
 	relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
 	relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
 
+	apache_exec_modules($2)
+
 	tunable_policy(`httpd_enable_cgi',`
 		# If a user starts a script by hand it gets the proper context
 		domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
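Review bot: `apache_exec_modules($2)` is a new, unconditional grant to the role's user domain, but the commit message describes only a dontaudit change, so nothing in the record explains this added permission. Judging by its name it presumably lets `$2` execute httpd module files; its definition is not visible here. If the access is only needed when users run scripts by hand, it would be tighter inside the httpd_enable_cgi tunable block that follows rather than above it. At minimum add a comment such as `# Users need to execute httpd modules because <reason>` and mention the grant in the commit message. apache_role's body starts and ends outside the hunk.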

