Adding two new booleans to httpd to tighten its security.

Tom London selinux at gmail.com
Sun Dec 11 21:35:39 UTC 2005


Running latest rawhide stuff, targeted/enforcing.

Two 'after market' packages appear to need some help: skype and vmware.

Here's the avc from vmware
----
time->Sun Dec 11 13:05:51 2005
type=AVC_PATH msg=audit(1134335151.660:39): 
path="/usr/lib/vmware/lib/libgdk-x11-2.0.so.0/libgdk-x11-2.0.so.0"
type=SYSCALL msg=audit(1134335151.660:39): arch=40000003 syscall=125 per=400000
success=no exit=-13 a0=b7c99000 a1=7b000 a2=5 a3=bfc5a1e0 items=0
pid=4418 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 comm="vmware" exe="/usr/lib/vmware/bin/vmware"
type=AVC msg=audit(1134335151.660:39): avc:  denied  { execmod } for 
pid=4418 comm="vmware" name="libgdk-x11-2.0.so.0" dev=dm-0 ino=343461
scontext=root:system_r:unconfined_t:s0-s0:c0.c255
tcontext=system_u:object_r:lib_t:s0 tclass=file

Looks like they have a 'local version' of libgdk-x11-2.0.so.0 that needs
TEXTREL (looks like the one in /usr/lib doesn't need TEXTREL).

and for skype:
----
time->Sun Dec 11 12:00:29 2005
type=PATH msg=audit(1134331229.904:20): item=1 flags=101  inode=327136
dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1134331229.904:20): item=0 name="/usr/bin/skype"
flags=101 inode=145190 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1134331229.904:20):  cwd="/home/tbl"
type=SYSCALL msg=audit(1134331229.904:20): arch=40000003 syscall=11
success=yes exit=0 a0=86ec0d8 a1=86f0e98 a2=86eca28 a3=1 items=2
pid=3359 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 comm="skype"
type=AVC msg=audit(1134331229.904:20): avc:  denied  { execmem } for 
pid=3359 comm="skype" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
----

I'm willing to pester the vmware folks to get them to examine/fix
this. Not sure how to do that with the skype folks .....

Any suggestions with either?
   tom
--
Tom London
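Added example (not part of the original post): a small Python triage script that groups the raw audit records above by event serial, joins the AVC_PATH record to its AVC record, and tags the two memory-protection permissions the post hits, execmod (a shared object with text relocations) and execmem (a process wanting writable+executable memory). The sample input is the post's own denials re-joined onto single lines; the remedy hints refer to the textrel_shlib_t file type and the allow_execmem boolean of the targeted policy of that era.

```python
import re
from collections import defaultdict

# The post's two denials, re-joined to one line per record (constructed sample input).
SAMPLE_AUDIT = """\
type=AVC_PATH msg=audit(1134335151.660:39): path="/usr/lib/vmware/lib/libgdk-x11-2.0.so.0/libgdk-x11-2.0.so.0"
type=AVC msg=audit(1134335151.660:39): avc:  denied  { execmod } for  pid=4418 comm="vmware" name="libgdk-x11-2.0.so.0" dev=dm-0 ino=343461 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1134331229.904:20): avc:  denied  { execmem } for  pid=3359 comm="skype" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
"""

# What each permission means for the defender, and the narrow fix (targeted policy of the time).
HINTS = {
    "execmod": "library needs TEXTREL: rebuild with -fPIC, or relabel only that file "
               "textrel_shlib_t instead of loosening policy for the whole domain",
    "execmem": "process maps memory writable+executable (JIT/self-modifying code): "
               "needs the allow_execmem boolean or a per-domain exception",
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')  # event serial inside audit(ts:serial)
PERM_RE = re.compile(r'denied\s+\{ ([^}]+) \}')         # the { perm perm ... } set

def parse_records(text):
    """Group audit lines by event serial -> {record type: field dict}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        perm = PERM_RE.search(line)
        if perm:
            fields["perms"] = perm.group(1).split()
        events[m.group(1)][fields["type"]] = fields
    return events

def summarize(text):
    """One dict per denied permission: process, permission, object, remedy hint."""
    out = []
    for serial, recs in sorted(parse_records(text).items(), key=lambda kv: int(kv[0])):
        avc = recs.get("AVC")
        if not avc or "perms" not in avc:
            continue
        # Prefer the full path from AVC_PATH; fall back to name=, then to the process itself.
        target = recs.get("AVC_PATH", {}).get("path") or avc.get("name") or "<process>"
        for perm in avc["perms"]:
            out.append({"serial": serial, "comm": avc["comm"], "perm": perm, "target": target,
                        "tclass": avc["tclass"], "hint": HINTS.get(perm, "not a memory-protection denial")})
    return out

if __name__ == "__main__":
    for d in summarize(SAMPLE_AUDIT):
        print(f"{d['comm']}: {d['perm']} on {d['tclass']} {d['target']}\n  -> {d['hint']}")
```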
