[selinux-policy/f16] - Fix httpd_stickshift boolean

Miroslav Grepl mgrepl at fedoraproject.org
Mon Oct 15 22:42:42 UTC 2012


commit 1e59306a3ec3db0481c18ea16b88d9f5601ce8c9
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Oct 16 00:41:23 2012 +0200

    - Fix httpd_stickshift boolean

 policy-F16.patch    |   92 +++++++++++++++++++++++++++++----------------------
 selinux-policy.spec |    1 +
 2 files changed, 53 insertions(+), 40 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 9ddb377..9c62993 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -26362,7 +26362,7 @@ index 6480167..eeb2953 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..d24a31a 100644
+index 3136c6a..a0b6de0 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,130 +18,239 @@ policy_module(apache, 2.2.1)
@@ -26495,10 +26495,7 @@ index 3136c6a..d24a31a 100644
  gen_tunable(httpd_can_sendmail, false)
  
 +
- ## <desc>
--## <p>
--## Allow Apache to communicate with avahi service via dbus
--## </p>
++## <desc>
 +##  <p>
 +##  Allow http daemon to connect to zabbix
 +##  </p>
@@ -26512,7 +26509,10 @@ index 3136c6a..d24a31a 100644
 +## </desc>
 +gen_tunable(httpd_can_check_spam, false)
 +
-+## <desc>
+ ## <desc>
+-## <p>
+-## Allow Apache to communicate with avahi service via dbus
+-## </p>
 +##	<p>
 +##	Allow Apache to communicate with avahi service via dbus
 +##	</p>
@@ -27126,7 +27126,7 @@ index 3136c6a..d24a31a 100644
  ')
  
  optional_policy(`
-@@ -577,6 +879,35 @@ optional_policy(`
+@@ -577,6 +879,47 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27134,23 +27134,35 @@ index 3136c6a..d24a31a 100644
 +		allow httpd_t self:capability { fowner fsetid sys_resource };
 +		dontaudit httpd_t self:capability sys_ptrace;
 +		allow httpd_t self:process setexec;
-+		passenger_exec(httpd_t)
-+		passenger_manage_pid_content(httpd_t)
-+		passenger_manage_lib_files(httpd_t)
++
 +		files_dontaudit_getattr_all_files(httpd_t)
 +		domain_dontaudit_read_all_domains_state(httpd_t)
 +		domain_getpgid_all_domains(httpd_t)
-+		openshift_read_lib_files(httpd_t)
-+	',`
-+		passenger_domtrans(httpd_t)
-+		passenger_manage_pid_content(httpd_t)
-+		passenger_read_lib_files(httpd_t)
-+		passenger_stream_connect(httpd_t)
-+		passenger_manage_tmp_files(httpd_t)
 +	')
 +')
 +
 +optional_policy(`
++    tunable_policy(`httpd_run_stickshift', `
++        passenger_exec(httpd_t)
++        passenger_manage_pid_content(httpd_t)
++        passenger_manage_lib_files(httpd_t)
++        openshift_read_lib_files(httpd_t)
++    ',`
++        passenger_domtrans(httpd_t)
++        passenger_manage_pid_content(httpd_t)
++        passenger_read_lib_files(httpd_t)
++        passenger_stream_connect(httpd_t)
++        passenger_manage_tmp_files(httpd_t)
++    ')
++')
++
++optional_policy(`
++    tunable_policy(`httpd_run_stickshift', `
++        oddjob_dbus_chat(httpd_t)
++    ')
++')
++
++optional_policy(`
 +	puppet_read_lib(httpd_t)
 +')
 +
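Review bot: The new tunable_policy(`httpd_run_stickshift', ...) blocks are indented with four spaces while every neighbouring added line of apache.te in this patch uses tabs (`+	puppet_read_lib(httpd_t)`, `+		allow httpd_t self:capability ...`); reindent the new optional_policy bodies with tabs so the patched file stays consistent. The gen_tunable declaration for httpd_run_stickshift is not visible in this diff and the commit title refers to the boolean as httpd_stickshift, so it is worth confirming the tunable is declared under exactly the name used here, since a reference to an undeclared boolean fails at policy build time. `passenger_manage_pid_content(httpd_t)` appears in both branches of the tunable and is therefore granted unconditionally; hoisting it out of the tunable_policy into the optional_policy body says that more plainly. The first optional_policy block, whose tunable condition now only gates the capability and setexec rules, begins outside the hunk, so whether that remaining block is still gated on the intended boolean cannot be judged from here.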
@@ -27162,7 +27174,7 @@ index 3136c6a..d24a31a 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +922,11 @@ optional_policy(`
+@@ -591,6 +934,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27174,7 +27186,7 @@ index 3136c6a..d24a31a 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +939,12 @@ optional_policy(`
+@@ -603,6 +951,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -27187,7 +27199,7 @@ index 3136c6a..d24a31a 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +958,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +970,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -27200,7 +27212,7 @@ index 3136c6a..d24a31a 100644
  
  ########################################
  #
-@@ -654,28 +1000,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +1012,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -27244,7 +27256,7 @@ index 3136c6a..d24a31a 100644
  ')
  
  ########################################
-@@ -685,6 +1033,8 @@ optional_policy(`
+@@ -685,6 +1045,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -27253,7 +27265,7 @@ index 3136c6a..d24a31a 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1049,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1061,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -27279,7 +27291,7 @@ index 3136c6a..d24a31a 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1095,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1107,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -27312,7 +27324,7 @@ index 3136c6a..d24a31a 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1142,25 @@ optional_policy(`
+@@ -769,6 +1154,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -27338,7 +27350,7 @@ index 3136c6a..d24a31a 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1181,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1193,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -27356,7 +27368,7 @@ index 3136c6a..d24a31a 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1200,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1212,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -27413,7 +27425,7 @@ index 3136c6a..d24a31a 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1251,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1263,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -27454,7 +27466,7 @@ index 3136c6a..d24a31a 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1296,20 @@ optional_policy(`
+@@ -842,10 +1308,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -27475,7 +27487,7 @@ index 3136c6a..d24a31a 100644
  ')
  
  ########################################
-@@ -891,11 +1355,49 @@ optional_policy(`
+@@ -891,11 +1367,49 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -27493,13 +27505,13 @@ index 3136c6a..d24a31a 100644
 +	userdom_search_user_home_content(httpd_t)
 +	userdom_search_user_home_content(httpd_suexec_t)
 +	userdom_search_user_home_content(httpd_user_script_t)
- ')
++')
 +
 +tunable_policy(`httpd_read_user_content',`
 +	userdom_read_user_home_content_files(httpd_t)
 +	userdom_read_user_home_content_files(httpd_suexec_t)
 +	userdom_read_user_home_content_files(httpd_user_script_t)
-+')
+ ')
 +
 +########################################
 +#
@@ -49834,10 +49846,10 @@ index 0000000..3eb6a30
 +## <summary></summary>
 diff --git a/policy/modules/services/openshift-origin.te b/policy/modules/services/openshift-origin.te
 new file mode 100644
-index 0000000..966d0b3
+index 0000000..a437f80
 --- /dev/null
 +++ b/policy/modules/services/openshift-origin.te
-@@ -0,0 +1,14 @@
+@@ -0,0 +1,13 @@
 +policy_module(openshift-origin,1.0.0)
 +gen_require(`
 +	attribute openshift_domain;
@@ -49850,14 +49862,13 @@ index 0000000..966d0b3
 +allow openshift_domain self:socket_class_set create_socket_perms;
 +corenet_tcp_connect_all_ports(openshift_domain)
 +corenet_tcp_bind_all_ports(openshift_domain)
-+dev_read_sysfs(openshift_domain)
 +files_read_config_files(openshift_domain)
 diff --git a/policy/modules/services/openshift.fc b/policy/modules/services/openshift.fc
 new file mode 100644
-index 0000000..fdff8eb
+index 0000000..8283601
 --- /dev/null
 +++ b/policy/modules/services/openshift.fc
-@@ -0,0 +1,22 @@
+@@ -0,0 +1,23 @@
 +/etc/rc\.d/init\.d/libra        gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mcollective        gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
 +
@@ -49877,6 +49888,7 @@ index 0000000..fdff8eb
 +
 +/usr/bin/rhc-restorer           --    gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
 +/usr/bin/rhc-restorer-wrapper.sh    --  gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0)
++/usr/bin/oo-admin-ctl-gears	--	gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
 +
 +/var/run/stickshift(/.*)?		    	gen_context(system_u:object_r:openshift_var_run_t,s0)
 +/var/run/openshift(/.*)?               gen_context(system_u:object_r:openshift_var_run_t,s0)
@@ -50444,7 +50456,7 @@ index 0000000..681f8a0
 +')
 diff --git a/policy/modules/services/openshift.te b/policy/modules/services/openshift.te
 new file mode 100644
-index 0000000..91c558e
+index 0000000..8f642e4
 --- /dev/null
 +++ b/policy/modules/services/openshift.te
 @@ -0,0 +1,351 @@
@@ -50611,7 +50623,7 @@ index 0000000..91c558e
 +corecmd_bin_entry_type(openshift_domain)
 +corecmd_exec_all_executables(openshift_domain)
 +
-+dev_list_sysfs(openshift_domain)
++dev_read_sysfs(openshift_domain)
 +dev_read_rand(openshift_domain)
 +dev_dontaudit_append_rand(openshift_domain)
 +dev_dontaudit_write_urand(openshift_domain)
@@ -50626,7 +50638,7 @@ index 0000000..91c558e
 +fs_rw_hugetlbfs_files(openshift_domain)
 +fs_rw_anon_inodefs_files(openshift_domain)
 +fs_search_tmpfs(openshift_domain)
-+fs_getattr_xattr_fs(openshift_domain)
++fs_getattr_all_fs(openshift_domain)
 +fs_dontaudit_getattr_all_fs(openshift_domain)
 +fs_list_inotifyfs(openshift_domain)
 +fs_dontaudit_list_auto_mountpoints(openshift_domain)
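Review bot: Once `fs_getattr_all_fs(openshift_domain)` grants getattr on every filesystem type, the `fs_dontaudit_getattr_all_fs(openshift_domain)` on the following line suppresses nothing and can be dropped. Replacing fs_getattr_xattr_fs with fs_getattr_all_fs widens an allow rule rather than adding a dontaudit, so a short comment above the line recording which filesystem type the previous interface did not cover would document why the broader permission is needed. The module declaring openshift_domain begins outside this hunk.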
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9f379ab..5fac803 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -467,6 +467,7 @@ SELinux Reference policy mls base module.
 
 %changelog
 * Fri Oct 12 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-92
+- Fix httpd_stickshift boolean
 - Backport openshift policy
 
 * Mon Aug 1 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-91

