Clean up SELinux policy Try to determine supported SELinux policy types by
reading /etc/selinux/config
This commit is contained in:
Paul Howarth
parent
ab94cf9fd0
commit
7db27df3bb
@ -3,6 +3,8 @@
|
||||
# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
|
||||
# as updates for selinux-policy in Fedora 8, 9, and 10.
|
||||
#
|
||||
# Rules existing in selinux-policy 2.6.4 (F7) have been stripped from this policy
|
||||
#
|
||||
# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
|
||||
# which is now an alias for httpd_sys_script_t.
|
||||
|
||||
@ -11,7 +13,6 @@ policy_module(fastcgi, 0.2.6)
|
||||
require {
|
||||
type devpts_t;
|
||||
type httpd_t;
|
||||
type httpd_config_t;
|
||||
type httpd_log_t;
|
||||
type httpd_sys_content_t;
|
||||
type httpd_sys_content_ra_t;
|
||||
@ -38,32 +39,17 @@ typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
|
||||
typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
|
||||
typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
|
||||
|
||||
|
||||
# ==========================================================
|
||||
# Re-use httpd_sys_script_t for mod_fcgid apps
|
||||
# ==========================================================
|
||||
|
||||
# Included in selinux-policy 2.6.4 (F7)
|
||||
#kernel_read_kernel_sysctls(httpd_sys_script_t)
|
||||
|
||||
# Allow FastCGI applications to do DNS lookups
|
||||
sysnet_dns_name_resolve(httpd_sys_script_t)
|
||||
|
||||
# Allow FastCGI applications to read the routing table
|
||||
allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms };
|
||||
# Allow web applications to call getpw* functions
|
||||
auth_use_nsswitch(httpd_sys_script_t)
|
||||
|
||||
# Allow httpd to create and use files and sockets for communicating with mod_fcgid
|
||||
# Included in selinux-policy 2.6.4 (F7) apart from dir setattr
|
||||
#manage_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
|
||||
#manage_sock_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
|
||||
# Rules to do this are already in selinux-policy apart from dir setattr
|
||||
setattr_dirs_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
|
||||
|
||||
# Allow httpd to read httpd_sys_content_t
|
||||
# Included in selinux-policy 2.6.4 (F7)
|
||||
#allow httpd_t httpd_sys_content_t:dir list_dir_perms;
|
||||
#read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
|
||||
#read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
|
||||
|
||||
# Allow FastCGI applications to listen for FastCGI requests on their
|
||||
# sockets and respond to them
|
||||
allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
|
||||
@ -72,66 +58,6 @@ allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
|
||||
dontaudit httpd_t devpts_t:chr_file ioctl;
|
||||
dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
|
||||
|
||||
# ======================================================
|
||||
# Rules cribbed from recent httpd_sys_script_t policy
|
||||
# ======================================================
|
||||
|
||||
# Included in selinux-policy 2.6.4 (F7)
|
||||
#dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
#
|
||||
#fs_search_auto_mountpoints(httpd_sys_script_t)
|
||||
|
||||
# PHP uploads a file to /tmp and then execs programs to action them
|
||||
# Included in selinux-policy 2.6.4 (F7) apart from filetrans
|
||||
#manage_dirs_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
|
||||
#manage_files_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
|
||||
# Rules to do this are already in selinux-policy 2.6.4 (F7) apart from filetrans
|
||||
files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
# Included in selinux-policy 2.6.4 (F7)
|
||||
#files_search_var_lib(httpd_sys_script_t)
|
||||
#files_search_spool(httpd_sys_script_t)
|
||||
|
||||
# Should we add a boolean?
|
||||
# Included in selinux-policy 2.6.4 (F7)
|
||||
#apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||
|
||||
# Included in selinux-policy 2.6.4 (F7)
|
||||
#ifdef(`distro_redhat',`
|
||||
# allow httpd_sys_script_t httpd_log_t:file { getattr append };
|
||||
#')
|
||||
#
|
||||
#ifdef(`targeted_policy',`
|
||||
# tunable_policy(`httpd_enable_homedirs',`
|
||||
# userdom_search_generic_user_home_dirs(httpd_sys_script_t)
|
||||
# ')
|
||||
#')
|
||||
#
|
||||
#tunable_policy(`httpd_use_nfs', `
|
||||
# fs_read_nfs_files(httpd_sys_script_t)
|
||||
# fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
#')
|
||||
#
|
||||
#tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
# fs_read_nfs_files(httpd_sys_script_t)
|
||||
# fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
#')
|
||||
#
|
||||
#tunable_policy(`httpd_use_cifs', `
|
||||
# fs_read_cifs_files(httpd_sys_script_t)
|
||||
# fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
#')
|
||||
#
|
||||
#tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
# fs_read_cifs_files(httpd_sys_script_t)
|
||||
# fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
#')
|
||||
#
|
||||
#optional_policy(`
|
||||
# mysql_stream_connect(httpd_sys_script_t)
|
||||
# mysql_rw_db_sockets(httpd_sys_script_t)
|
||||
#')
|
||||
#
|
||||
#optional_policy(`
|
||||
# clamav_domtrans_clamscan(httpd_sys_script_t)
|
||||
#')
|
||||
|
||||
|
||||
71
fastcgi.te
71
fastcgi.te
@ -1,17 +1,18 @@
|
||||
policy_module(fastcgi, 0.1.10)
|
||||
|
||||
# This policy module provides support for mod_fcgid using the httpd system script domain.
|
||||
# It provides "allow" rules that will overlap to varying degrees with selinux-policy
|
||||
# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
|
||||
# as updates for selinux-policy in Fedora 8, 9, and 10.
|
||||
#
|
||||
# Rules existing in selinux-policy 2.3.7 (FC5) have been stripped from this policy
|
||||
#
|
||||
# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
|
||||
# which is now an alias for httpd_sys_script_t.
|
||||
|
||||
policy_module(fastcgi, 0.1.10)
|
||||
|
||||
require {
|
||||
type devpts_t;
|
||||
type httpd_t;
|
||||
#type httpd_config_t;
|
||||
type httpd_log_t;
|
||||
type httpd_sys_content_t;
|
||||
type httpd_sys_content_ra_t;
|
||||
@ -42,29 +43,15 @@ typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
|
||||
# Re-use httpd_sys_script_t for mod_fcgid apps
|
||||
# ==========================================================
|
||||
|
||||
# Included in selinux-policy 2.3.7 (FC5)
|
||||
#kernel_read_kernel_sysctls(httpd_sys_script_t)
|
||||
|
||||
# Allow FastCGI applications to do DNS lookups
|
||||
sysnet_dns_name_resolve(httpd_sys_script_t)
|
||||
|
||||
# Allow FastCGI applications to read the routing table
|
||||
allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms };
|
||||
# Allow web applications to call getpw* functions
|
||||
auth_use_nsswitch(httpd_sys_script_t)
|
||||
#sysnet_dns_name_resolve(httpd_sys_script_t)
|
||||
#allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms };
|
||||
|
||||
# Allow httpd to create and use files and sockets for communicating with mod_fcgid
|
||||
# Included in selinux-policy 2.3.7 (FC5) apart from dir setattr
|
||||
#allow httpd_t httpd_var_run_t:dir { rw_dir_perms setattr };
|
||||
#allow httpd_t httpd_var_run_t:file { create_file_perms };
|
||||
#allow httpd_t httpd_var_run_t:sock_file { create_file_perms };
|
||||
# Rules to do this are already in selinux-policy apart from dir setattr
|
||||
allow httpd_t httpd_var_run_t:dir setattr;
|
||||
|
||||
# Allow httpd to read httpd_sys_content_t
|
||||
# (shouldn't this be in the content template?)
|
||||
# Included in selinux-policy 2.3.7 (FC5)
|
||||
#allow httpd_t httpd_sys_content_t:dir r_dir_perms;
|
||||
#allow httpd_t httpd_sys_content_t:file r_file_perms;
|
||||
#allow httpd_t httpd_sys_content_t:lnk_file { getattr read };
|
||||
|
||||
# Allow FastCGI applications to listen for FastCGI requests on their
|
||||
# sockets and respond to them
|
||||
allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
|
||||
@ -73,13 +60,7 @@ allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
|
||||
dontaudit httpd_t devpts_t:chr_file ioctl;
|
||||
dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
|
||||
|
||||
# ======================================================
|
||||
# Rules cribbed from recent httpd_sys_script_t policy
|
||||
# ======================================================
|
||||
|
||||
# Included in selinux-policy 2.3.7 (FC5)
|
||||
#dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
|
||||
# Search automount filesystem to use automatically mounted filesystems
|
||||
fs_search_auto_mountpoints(httpd_sys_script_t)
|
||||
|
||||
# PHP uploads a file to /tmp and then execs programs to action them
|
||||
@ -87,42 +68,12 @@ allow httpd_sys_script_t httpd_tmp_t:dir manage_dir_perms;
|
||||
allow httpd_sys_script_t httpd_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
# Included in selinux-policy 2.3.7 (FC5)
|
||||
#files_search_var_lib(httpd_sys_script_t)
|
||||
#files_search_spool(httpd_sys_script_t)
|
||||
|
||||
# Should we add a boolean?
|
||||
# Included in selinux-policy 2.3.7 (FC5)
|
||||
#apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||
|
||||
# Included in selinux-policy 2.3.7 (FC5)
|
||||
#ifdef(`distro_redhat',`
|
||||
# allow httpd_sys_script_t httpd_log_t:file { getattr append };
|
||||
#')
|
||||
#
|
||||
#ifdef(`targeted_policy',`
|
||||
# tunable_policy(`httpd_enable_homedirs',`
|
||||
# userdom_search_generic_user_home_dirs(httpd_sys_script_t)
|
||||
# ')
|
||||
#')
|
||||
|
||||
# Support network home directories
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
fs_read_nfs_files(httpd_sys_script_t)
|
||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_sys_script_t)
|
||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
# Included in selinux-policy 2.3.7 (FC5)
|
||||
#optional_policy(`
|
||||
# mysql_stream_connect(httpd_sys_script_t)
|
||||
# mysql_rw_db_sockets(httpd_sys_script_t)
|
||||
#')
|
||||
#
|
||||
#optional_policy(`
|
||||
# clamav_domtrans_clamscan(httpd_sys_script_t)
|
||||
#')
|
||||
|
||||
|
||||
@ -1,14 +1,15 @@
|
||||
# Fedora 5,6,7 and EPEL5 versions includes SELinux policy module package
|
||||
# Fedora 8,9,10 versions will include policy in errata selinux-policy releases
|
||||
%if 0%{?fedora}%{?rhel} < 5
|
||||
%define selinux_module 0
|
||||
%define selinux_variants %{nil}
|
||||
%define selinux_buildreqs %{nil}
|
||||
%global selinux_module 0
|
||||
%global selinux_variants %{nil}
|
||||
%global selinux_buildreqs %{nil}
|
||||
%else
|
||||
# Temporarily build merged policy to make sure it works
|
||||
%define selinux_module 1
|
||||
%define selinux_variants mls strict targeted
|
||||
%define selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink
|
||||
%global selinux_module 1
|
||||
%global selinux_types %(%{__awk} '/^#[[:space:]]*SELINUXTYPE=/,/^[^#]/ { if ($3 == "-") printf "%s ", $2 }' /etc/selinux/config 2>/dev/null)
|
||||
%global selinux_variants %([ -z "%{selinux_types}" ] && echo mls strict targeted || echo %{selinux_types})
|
||||
%global selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink
|
||||
%endif
|
||||
|
||||
Name: mod_fcgid
|
||||
@ -160,6 +161,7 @@ exit 0
|
||||
* Tue Oct 21 2008 Paul Howarth <paul@city-fan.org> 2.2-6
|
||||
- SELinux policy module rewritten to merge fastcgi and system script domains
|
||||
in preparation for merge into main selinux-policy package (#462318)
|
||||
- Try to determine supported SELinux policy types by reading /etc/selinux/config
|
||||
|
||||
* Thu Jul 24 2008 Paul Howarth <paul@city-fan.org> 2.2-5
|
||||
- Tweak selinux-policy version detection macro to work with current Rawhide
|
||||
|
||||
Loading…
Reference in New Issue
Block a user