[selinux-policy/f16] Add missing gen_tunable(httpd_run_stickshift, false)
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Oct 15 23:09:06 UTC 2012
commit c25ab3c8ea72e12af9375b24d18fe76997a33a64
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Oct 16 01:08:50 2012 +0200
Add missing gen_tunable(httpd_run_stickshift, false)
policy-F16.patch | 93 +++++++++++++++++++++++++++++-------------------------
1 files changed, 50 insertions(+), 43 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 9c62993..07b5233 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -26362,15 +26362,22 @@ index 6480167..eeb2953 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..a0b6de0 100644
+index 3136c6a..a77ef51 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
-@@ -18,130 +18,239 @@ policy_module(apache, 2.2.1)
+@@ -18,130 +18,246 @@ policy_module(apache, 2.2.1)
# Declarations
#
+selinux_genbool(httpd_bool_t)
+
++## <desc>
++## <p>
++## Allow Apache to run in stickshift mode, not transition to passenger
++## </p>
++## </desc>
++gen_tunable(httpd_run_stickshift, false)
++
## <desc>
-## <p>
-## Allow Apache to modify public files
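Review bot: The new `<desc>` for `httpd_run_stickshift` (the `++## <p>` line in this hunk) names the mode the boolean selects but not what it changes in access-control terms, which is what an administrator reading `semanage boolean -l` needs before enabling it; the `tunable_policy` block that consumes this boolean is not in this hunk, so its exact effect can only be inferred from the description. Consider wording the `<p>` as `## Allow Apache to run in stickshift mode, i.e. run passenger without a domain transition (presumably leaving it in httpd_t — confirm against the tunable_policy block)`, so the privilege consequence is visible where the boolean is documented. The `false` default keeps the transition in place, which is the conservative choice for a newly introduced boolean. The second hunk of this commit only reshuffles existing description lines inside the embedded patch and the remaining hunks only renumber its `@@` and `index` headers for the seven inserted lines; none of them need separate review.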
@@ -26502,17 +26509,17 @@ index 3136c6a..a0b6de0 100644
+## </desc>
+gen_tunable(httpd_can_connect_zabbix, false)
+
-+## <desc>
+ ## <desc>
+-## <p>
+-## Allow Apache to communicate with avahi service via dbus
+-## </p>
+## <p>
+## Allow http daemon to check spam
+## </p>
+## </desc>
+gen_tunable(httpd_can_check_spam, false)
+
- ## <desc>
--## <p>
--## Allow Apache to communicate with avahi service via dbus
--## </p>
++## <desc>
+## <p>
+## Allow Apache to communicate with avahi service via dbus
+## </p>
@@ -26661,7 +26668,7 @@ index 3136c6a..a0b6de0 100644
attribute httpdcontent;
attribute httpd_user_content_type;
-@@ -166,7 +275,7 @@ files_type(httpd_cache_t)
+@@ -166,7 +282,7 @@ files_type(httpd_cache_t)
# httpd_config_t is the type given to the configuration files
type httpd_config_t;
@@ -26670,7 +26677,7 @@ index 3136c6a..a0b6de0 100644
type httpd_helper_t;
type httpd_helper_exec_t;
-@@ -177,6 +286,9 @@ role system_r types httpd_helper_t;
+@@ -177,6 +293,9 @@ role system_r types httpd_helper_t;
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
@@ -26680,7 +26687,7 @@ index 3136c6a..a0b6de0 100644
type httpd_lock_t;
files_lock_file(httpd_lock_t)
-@@ -216,7 +328,17 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +335,17 @@ files_tmp_file(httpd_suexec_tmp_t)
# setup the system domain for system CGI scripts
apache_content_template(sys)
@@ -26699,7 +26706,7 @@ index 3136c6a..a0b6de0 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -226,6 +348,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +355,10 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
@@ -26710,7 +26717,7 @@ index 3136c6a..a0b6de0 100644
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +359,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +366,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -26718,7 +26725,7 @@ index 3136c6a..a0b6de0 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,14 +381,23 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +388,23 @@ files_type(httpd_var_lib_t)
type httpd_var_run_t;
files_pid_file(httpd_var_run_t)
@@ -26742,7 +26749,7 @@ index 3136c6a..a0b6de0 100644
########################################
#
# Apache server local policy
-@@ -281,11 +417,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +424,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;
@@ -26756,7 +26763,7 @@ index 3136c6a..a0b6de0 100644
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +467,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +474,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -26767,7 +26774,7 @@ index 3136c6a..a0b6de0 100644
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -339,8 +478,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -339,8 +485,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@@ -26778,7 +26785,7 @@ index 3136c6a..a0b6de0 100644
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -355,6 +495,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +502,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -26788,7 +26795,7 @@ index 3136c6a..a0b6de0 100644
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +508,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +515,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -26809,7 +26816,7 @@ index 3136c6a..a0b6de0 100644
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
-@@ -378,12 +529,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +536,12 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -26825,7 +26832,7 @@ index 3136c6a..a0b6de0 100644
domain_use_interactive_fds(httpd_t)
-@@ -391,6 +542,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +549,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
@@ -26833,7 +26840,7 @@ index 3136c6a..a0b6de0 100644
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
-@@ -402,48 +554,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +561,101 @@ files_read_etc_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -26937,7 +26944,7 @@ index 3136c6a..a0b6de0 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -454,27 +659,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -454,27 +666,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -27001,7 +27008,7 @@ index 3136c6a..a0b6de0 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +723,22 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +730,22 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -27024,7 +27031,7 @@ index 3136c6a..a0b6de0 100644
')
tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +753,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +760,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
@@ -27045,7 +27052,7 @@ index 3136c6a..a0b6de0 100644
')
optional_policy(`
-@@ -513,7 +777,13 @@ optional_policy(`
+@@ -513,7 +784,13 @@ optional_policy(`
')
optional_policy(`
@@ -27060,7 +27067,7 @@ index 3136c6a..a0b6de0 100644
')
optional_policy(`
-@@ -528,7 +798,19 @@ optional_policy(`
+@@ -528,7 +805,19 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -27081,7 +27088,7 @@ index 3136c6a..a0b6de0 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +819,13 @@ optional_policy(`
+@@ -537,8 +826,13 @@ optional_policy(`
')
optional_policy(`
@@ -27096,7 +27103,7 @@ index 3136c6a..a0b6de0 100644
')
')
-@@ -556,7 +843,21 @@ optional_policy(`
+@@ -556,7 +850,21 @@ optional_policy(`
')
optional_policy(`
@@ -27118,7 +27125,7 @@ index 3136c6a..a0b6de0 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +868,7 @@ optional_policy(`
+@@ -567,6 +875,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -27126,7 +27133,7 @@ index 3136c6a..a0b6de0 100644
')
optional_policy(`
-@@ -577,6 +879,47 @@ optional_policy(`
+@@ -577,6 +886,47 @@ optional_policy(`
')
optional_policy(`
@@ -27174,7 +27181,7 @@ index 3136c6a..a0b6de0 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +934,11 @@ optional_policy(`
+@@ -591,6 +941,11 @@ optional_policy(`
')
optional_policy(`
@@ -27186,7 +27193,7 @@ index 3136c6a..a0b6de0 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +951,12 @@ optional_policy(`
+@@ -603,6 +958,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -27199,7 +27206,7 @@ index 3136c6a..a0b6de0 100644
########################################
#
# Apache helper local policy
-@@ -616,7 +970,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +977,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -27212,7 +27219,7 @@ index 3136c6a..a0b6de0 100644
########################################
#
-@@ -654,28 +1012,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +1019,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -27256,7 +27263,7 @@ index 3136c6a..a0b6de0 100644
')
########################################
-@@ -685,6 +1045,8 @@ optional_policy(`
+@@ -685,6 +1052,8 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -27265,7 +27272,7 @@ index 3136c6a..a0b6de0 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1061,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1068,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -27291,7 +27298,7 @@ index 3136c6a..a0b6de0 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1107,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1114,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -27324,7 +27331,7 @@ index 3136c6a..a0b6de0 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1154,25 @@ optional_policy(`
+@@ -769,6 +1161,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -27350,7 +27357,7 @@ index 3136c6a..a0b6de0 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1193,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1200,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -27368,7 +27375,7 @@ index 3136c6a..a0b6de0 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1212,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1219,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -27425,7 +27432,7 @@ index 3136c6a..a0b6de0 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1263,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1270,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -27466,7 +27473,7 @@ index 3136c6a..a0b6de0 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1308,20 @@ optional_policy(`
+@@ -842,10 +1315,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -27487,7 +27494,7 @@ index 3136c6a..a0b6de0 100644
')
########################################
-@@ -891,11 +1367,49 @@ optional_policy(`
+@@ -891,11 +1374,49 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;