[selinux-policy/f16] - Fix httpd_stickshift boolean
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Oct 15 22:42:42 UTC 2012
commit 1e59306a3ec3db0481c18ea16b88d9f5601ce8c9
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Oct 16 00:41:23 2012 +0200
- Fix httpd_stickshift boolean
policy-F16.patch | 92 +++++++++++++++++++++++++++++----------------------
selinux-policy.spec | 1 +
2 files changed, 53 insertions(+), 40 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 9ddb377..9c62993 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -26362,7 +26362,7 @@ index 6480167..eeb2953 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..d24a31a 100644
+index 3136c6a..a0b6de0 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,239 @@ policy_module(apache, 2.2.1)
@@ -26495,10 +26495,7 @@ index 3136c6a..d24a31a 100644
gen_tunable(httpd_can_sendmail, false)
+
- ## <desc>
--## <p>
--## Allow Apache to communicate with avahi service via dbus
--## </p>
++## <desc>
+## <p>
+## Allow http daemon to connect to zabbix
+## </p>
@@ -26512,7 +26509,10 @@ index 3136c6a..d24a31a 100644
+## </desc>
+gen_tunable(httpd_can_check_spam, false)
+
-+## <desc>
+ ## <desc>
+-## <p>
+-## Allow Apache to communicate with avahi service via dbus
+-## </p>
+## <p>
+## Allow Apache to communicate with avahi service via dbus
+## </p>
@@ -27126,7 +27126,7 @@ index 3136c6a..d24a31a 100644
')
optional_policy(`
-@@ -577,6 +879,35 @@ optional_policy(`
+@@ -577,6 +879,47 @@ optional_policy(`
')
optional_policy(`
@@ -27134,23 +27134,35 @@ index 3136c6a..d24a31a 100644
+ allow httpd_t self:capability { fowner fsetid sys_resource };
+ dontaudit httpd_t self:capability sys_ptrace;
+ allow httpd_t self:process setexec;
-+ passenger_exec(httpd_t)
-+ passenger_manage_pid_content(httpd_t)
-+ passenger_manage_lib_files(httpd_t)
++
+ files_dontaudit_getattr_all_files(httpd_t)
+ domain_dontaudit_read_all_domains_state(httpd_t)
+ domain_getpgid_all_domains(httpd_t)
-+ openshift_read_lib_files(httpd_t)
-+ ',`
-+ passenger_domtrans(httpd_t)
-+ passenger_manage_pid_content(httpd_t)
-+ passenger_read_lib_files(httpd_t)
-+ passenger_stream_connect(httpd_t)
-+ passenger_manage_tmp_files(httpd_t)
+ ')
+')
+
+optional_policy(`
++ tunable_policy(`httpd_run_stickshift', `
++ passenger_exec(httpd_t)
++ passenger_manage_pid_content(httpd_t)
++ passenger_manage_lib_files(httpd_t)
++ openshift_read_lib_files(httpd_t)
++ ',`
++ passenger_domtrans(httpd_t)
++ passenger_manage_pid_content(httpd_t)
++ passenger_read_lib_files(httpd_t)
++ passenger_stream_connect(httpd_t)
++ passenger_manage_tmp_files(httpd_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`httpd_run_stickshift', `
++ oddjob_dbus_chat(httpd_t)
++ ')
++')
++
++optional_policy(`
+ puppet_read_lib(httpd_t)
+')
+
@@ -27162,7 +27174,7 @@ index 3136c6a..d24a31a 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +922,11 @@ optional_policy(`
+@@ -591,6 +934,11 @@ optional_policy(`
')
optional_policy(`
@@ -27174,7 +27186,7 @@ index 3136c6a..d24a31a 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +939,12 @@ optional_policy(`
+@@ -603,6 +951,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -27187,7 +27199,7 @@ index 3136c6a..d24a31a 100644
########################################
#
# Apache helper local policy
-@@ -616,7 +958,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +970,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -27200,7 +27212,7 @@ index 3136c6a..d24a31a 100644
########################################
#
-@@ -654,28 +1000,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +1012,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -27244,7 +27256,7 @@ index 3136c6a..d24a31a 100644
')
########################################
-@@ -685,6 +1033,8 @@ optional_policy(`
+@@ -685,6 +1045,8 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -27253,7 +27265,7 @@ index 3136c6a..d24a31a 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1049,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1061,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -27279,7 +27291,7 @@ index 3136c6a..d24a31a 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1095,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1107,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -27312,7 +27324,7 @@ index 3136c6a..d24a31a 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1142,25 @@ optional_policy(`
+@@ -769,6 +1154,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -27338,7 +27350,7 @@ index 3136c6a..d24a31a 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1181,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1193,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -27356,7 +27368,7 @@ index 3136c6a..d24a31a 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1200,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1212,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -27413,7 +27425,7 @@ index 3136c6a..d24a31a 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1251,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1263,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -27454,7 +27466,7 @@ index 3136c6a..d24a31a 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1296,20 @@ optional_policy(`
+@@ -842,10 +1308,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -27475,7 +27487,7 @@ index 3136c6a..d24a31a 100644
')
########################################
-@@ -891,11 +1355,49 @@ optional_policy(`
+@@ -891,11 +1367,49 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -27493,13 +27505,13 @@ index 3136c6a..d24a31a 100644
+ userdom_search_user_home_content(httpd_t)
+ userdom_search_user_home_content(httpd_suexec_t)
+ userdom_search_user_home_content(httpd_user_script_t)
- ')
++')
+
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_t)
+ userdom_read_user_home_content_files(httpd_suexec_t)
+ userdom_read_user_home_content_files(httpd_user_script_t)
-+')
+ ')
+
+########################################
+#
@@ -49834,10 +49846,10 @@ index 0000000..3eb6a30
+## <summary></summary>
diff --git a/policy/modules/services/openshift-origin.te b/policy/modules/services/openshift-origin.te
new file mode 100644
-index 0000000..966d0b3
+index 0000000..a437f80
--- /dev/null
+++ b/policy/modules/services/openshift-origin.te
-@@ -0,0 +1,14 @@
+@@ -0,0 +1,13 @@
+policy_module(openshift-origin,1.0.0)
+gen_require(`
+ attribute openshift_domain;
@@ -49850,14 +49862,13 @@ index 0000000..966d0b3
+allow openshift_domain self:socket_class_set create_socket_perms;
+corenet_tcp_connect_all_ports(openshift_domain)
+corenet_tcp_bind_all_ports(openshift_domain)
-+dev_read_sysfs(openshift_domain)
+files_read_config_files(openshift_domain)
diff --git a/policy/modules/services/openshift.fc b/policy/modules/services/openshift.fc
new file mode 100644
-index 0000000..fdff8eb
+index 0000000..8283601
--- /dev/null
+++ b/policy/modules/services/openshift.fc
-@@ -0,0 +1,22 @@
+@@ -0,0 +1,23 @@
+/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mcollective gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
@@ -49877,6 +49888,7 @@ index 0000000..fdff8eb
+
+/usr/bin/rhc-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/usr/bin/rhc-restorer-wrapper.sh -- gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0)
++/usr/bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
+/var/run/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
@@ -50444,7 +50456,7 @@ index 0000000..681f8a0
+')
diff --git a/policy/modules/services/openshift.te b/policy/modules/services/openshift.te
new file mode 100644
-index 0000000..91c558e
+index 0000000..8f642e4
--- /dev/null
+++ b/policy/modules/services/openshift.te
@@ -0,0 +1,351 @@
@@ -50611,7 +50623,7 @@ index 0000000..91c558e
+corecmd_bin_entry_type(openshift_domain)
+corecmd_exec_all_executables(openshift_domain)
+
-+dev_list_sysfs(openshift_domain)
++dev_read_sysfs(openshift_domain)
+dev_read_rand(openshift_domain)
+dev_dontaudit_append_rand(openshift_domain)
+dev_dontaudit_write_urand(openshift_domain)
@@ -50626,7 +50638,7 @@ index 0000000..91c558e
+fs_rw_hugetlbfs_files(openshift_domain)
+fs_rw_anon_inodefs_files(openshift_domain)
+fs_search_tmpfs(openshift_domain)
-+fs_getattr_xattr_fs(openshift_domain)
++fs_getattr_all_fs(openshift_domain)
+fs_dontaudit_getattr_all_fs(openshift_domain)
+fs_list_inotifyfs(openshift_domain)
+fs_dontaudit_list_auto_mountpoints(openshift_domain)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9f379ab..5fac803 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -467,6 +467,7 @@ SELinux Reference policy mls base module.
%changelog
* Fri Oct 12 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-92
+- Fix httpd_stickshift boolean
- Backport openshift policy
* Mon Aug 1 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-91
More information about the scm-commits
mailing list