rpms/mod_fcgid
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Clean up SELinux policy Try to determine supported SELinux policy types by

Browse Source 
reading /etc/selinux/config
This commit is contained in:
Paul Howarth 2008-10-22 23:29:48 +00:00
parent ab94cf9fd0
commit 7db27df3bb
3 changed files with 25 additions and 146 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
fastcgi-2.5.te
View File

@ -3,6 +3,8 @@
# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included # packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
# as updates for selinux-policy in Fedora 8, 9, and 10. # as updates for selinux-policy in Fedora 8, 9, and 10.
# #
# Rules existing in selinux-policy 2.6.4 (F7) have been stripped from this policy
#
# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t, # Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
# which is now an alias for httpd_sys_script_t. # which is now an alias for httpd_sys_script_t.
@ -11,7 +13,6 @@ policy_module(fastcgi, 0.2.6)
require { require {
type devpts_t; type devpts_t;
type httpd_t; type httpd_t;
type httpd_config_t;
type httpd_log_t; type httpd_log_t;
type httpd_sys_content_t; type httpd_sys_content_t;
type httpd_sys_content_ra_t; type httpd_sys_content_ra_t;
@ -38,32 +39,17 @@ typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
typealias httpd_sys_script_t alias httpd_fastcgi_script_t; typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
# ========================================================== # ==========================================================
# Re-use httpd_sys_script_t for mod_fcgid apps # Re-use httpd_sys_script_t for mod_fcgid apps
# ========================================================== # ==========================================================
# Included in selinux-policy 2.6.4 (F7) # Allow web applications to call getpw* functions
#kernel_read_kernel_sysctls(httpd_sys_script_t) auth_use_nsswitch(httpd_sys_script_t)
# Allow FastCGI applications to do DNS lookups
sysnet_dns_name_resolve(httpd_sys_script_t)
# Allow FastCGI applications to read the routing table
allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms };
# Allow httpd to create and use files and sockets for communicating with mod_fcgid # Allow httpd to create and use files and sockets for communicating with mod_fcgid
# Included in selinux-policy 2.6.4 (F7) apart from dir setattr # Rules to do this are already in selinux-policy apart from dir setattr
#manage_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
#manage_sock_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
setattr_dirs_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t) setattr_dirs_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
# Allow httpd to read httpd_sys_content_t
# Included in selinux-policy 2.6.4 (F7)
#allow httpd_t httpd_sys_content_t:dir list_dir_perms;
#read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
#read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
# Allow FastCGI applications to listen for FastCGI requests on their # Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them # sockets and respond to them
allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms }; allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
@ -72,66 +58,6 @@ allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
dontaudit httpd_t devpts_t:chr_file ioctl; dontaudit httpd_t devpts_t:chr_file ioctl;
dontaudit httpd_sys_script_t httpd_log_t:file ioctl; dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
# ======================================================
# Rules cribbed from recent httpd_sys_script_t policy
# ======================================================
# Included in selinux-policy 2.6.4 (F7)
#dontaudit httpd_sys_script_t httpd_config_t:dir search;
#
#fs_search_auto_mountpoints(httpd_sys_script_t)
# PHP uploads a file to /tmp and then execs programs to action them # PHP uploads a file to /tmp and then execs programs to action them
# Included in selinux-policy 2.6.4 (F7) apart from filetrans # Rules to do this are already in selinux-policy 2.6.4 (F7) apart from filetrans
#manage_dirs_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
#manage_files_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file }) files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
# Included in selinux-policy 2.6.4 (F7)
#files_search_var_lib(httpd_sys_script_t)
#files_search_spool(httpd_sys_script_t)
# Should we add a boolean?
# Included in selinux-policy 2.6.4 (F7)
#apache_domtrans_rotatelogs(httpd_sys_script_t)
# Included in selinux-policy 2.6.4 (F7)
#ifdef(`distro_redhat',`
# allow httpd_sys_script_t httpd_log_t:file { getattr append };
#')
#
#ifdef(`targeted_policy',`
# tunable_policy(`httpd_enable_homedirs',`
# userdom_search_generic_user_home_dirs(httpd_sys_script_t)
# ')
#')
#
#tunable_policy(`httpd_use_nfs', `
# fs_read_nfs_files(httpd_sys_script_t)
# fs_read_nfs_symlinks(httpd_sys_script_t)
#')
#
#tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
# fs_read_nfs_files(httpd_sys_script_t)
# fs_read_nfs_symlinks(httpd_sys_script_t)
#')
#
#tunable_policy(`httpd_use_cifs', `
# fs_read_cifs_files(httpd_sys_script_t)
# fs_read_cifs_symlinks(httpd_sys_script_t)
#')
#
#tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
# fs_read_cifs_files(httpd_sys_script_t)
# fs_read_cifs_symlinks(httpd_sys_script_t)
#')
#
#optional_policy(`
# mysql_stream_connect(httpd_sys_script_t)
# mysql_rw_db_sockets(httpd_sys_script_t)
#')
#
#optional_policy(`
# clamav_domtrans_clamscan(httpd_sys_script_t)
#')

71
fastcgi.te
View File

@ -1,17 +1,18 @@
policy_module(fastcgi, 0.1.10)
# This policy module provides support for mod_fcgid using the httpd system script domain. # This policy module provides support for mod_fcgid using the httpd system script domain.
# It provides "allow" rules that will overlap to varying degrees with selinux-policy # It provides "allow" rules that will overlap to varying degrees with selinux-policy
# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included # packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
# as updates for selinux-policy in Fedora 8, 9, and 10. # as updates for selinux-policy in Fedora 8, 9, and 10.
# #
# Rules existing in selinux-policy 2.3.7 (FC5) have been stripped from this policy
#
# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t, # Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
# which is now an alias for httpd_sys_script_t. # which is now an alias for httpd_sys_script_t.
policy_module(fastcgi, 0.1.10)
require { require {
type devpts_t; type devpts_t;
type httpd_t; type httpd_t;
#type httpd_config_t;
type httpd_log_t; type httpd_log_t;
type httpd_sys_content_t; type httpd_sys_content_t;
type httpd_sys_content_ra_t; type httpd_sys_content_ra_t;
@ -42,29 +43,15 @@ typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
# Re-use httpd_sys_script_t for mod_fcgid apps # Re-use httpd_sys_script_t for mod_fcgid apps
# ========================================================== # ==========================================================
# Included in selinux-policy 2.3.7 (FC5) # Allow web applications to call getpw* functions
#kernel_read_kernel_sysctls(httpd_sys_script_t) auth_use_nsswitch(httpd_sys_script_t)
#sysnet_dns_name_resolve(httpd_sys_script_t)
# Allow FastCGI applications to do DNS lookups #allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms };
sysnet_dns_name_resolve(httpd_sys_script_t)
# Allow FastCGI applications to read the routing table
allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms };
# Allow httpd to create and use files and sockets for communicating with mod_fcgid # Allow httpd to create and use files and sockets for communicating with mod_fcgid
# Included in selinux-policy 2.3.7 (FC5) apart from dir setattr # Rules to do this are already in selinux-policy apart from dir setattr
#allow httpd_t httpd_var_run_t:dir { rw_dir_perms setattr };
#allow httpd_t httpd_var_run_t:file { create_file_perms };
#allow httpd_t httpd_var_run_t:sock_file { create_file_perms };
allow httpd_t httpd_var_run_t:dir setattr; allow httpd_t httpd_var_run_t:dir setattr;
# Allow httpd to read httpd_sys_content_t
# (shouldn't this be in the content template?)
# Included in selinux-policy 2.3.7 (FC5)
#allow httpd_t httpd_sys_content_t:dir r_dir_perms;
#allow httpd_t httpd_sys_content_t:file r_file_perms;
#allow httpd_t httpd_sys_content_t:lnk_file { getattr read };
# Allow FastCGI applications to listen for FastCGI requests on their # Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them # sockets and respond to them
allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms }; allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
@ -73,13 +60,7 @@ allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
dontaudit httpd_t devpts_t:chr_file ioctl; dontaudit httpd_t devpts_t:chr_file ioctl;
dontaudit httpd_sys_script_t httpd_log_t:file ioctl; dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
# ====================================================== # Search automount filesystem to use automatically mounted filesystems
# Rules cribbed from recent httpd_sys_script_t policy
# ======================================================
# Included in selinux-policy 2.3.7 (FC5)
#dontaudit httpd_sys_script_t httpd_config_t:dir search;
fs_search_auto_mountpoints(httpd_sys_script_t) fs_search_auto_mountpoints(httpd_sys_script_t)
# PHP uploads a file to /tmp and then execs programs to action them # PHP uploads a file to /tmp and then execs programs to action them
@ -87,42 +68,12 @@ allow httpd_sys_script_t httpd_tmp_t:dir manage_dir_perms;
allow httpd_sys_script_t httpd_tmp_t:file manage_file_perms; allow httpd_sys_script_t httpd_tmp_t:file manage_file_perms;
files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file }) files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
# Included in selinux-policy 2.3.7 (FC5) # Support network home directories
#files_search_var_lib(httpd_sys_script_t)
#files_search_spool(httpd_sys_script_t)
# Should we add a boolean?
# Included in selinux-policy 2.3.7 (FC5)
#apache_domtrans_rotatelogs(httpd_sys_script_t)
# Included in selinux-policy 2.3.7 (FC5)
#ifdef(`distro_redhat',`
# allow httpd_sys_script_t httpd_log_t:file { getattr append };
#')
#
#ifdef(`targeted_policy',`
# tunable_policy(`httpd_enable_homedirs',`
# userdom_search_generic_user_home_dirs(httpd_sys_script_t)
# ')
#')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(httpd_sys_script_t) fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t) fs_read_nfs_symlinks(httpd_sys_script_t)
') ')
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t)
') ')
# Included in selinux-policy 2.3.7 (FC5)
#optional_policy(`
# mysql_stream_connect(httpd_sys_script_t)
# mysql_rw_db_sockets(httpd_sys_script_t)
#')
#
#optional_policy(`
# clamav_domtrans_clamscan(httpd_sys_script_t)
#')

14
mod_fcgid.spec
View File

@ -1,14 +1,15 @@
# Fedora 5,6,7 and EPEL5 versions includes SELinux policy module package # Fedora 5,6,7 and EPEL5 versions includes SELinux policy module package
# Fedora 8,9,10 versions will include policy in errata selinux-policy releases # Fedora 8,9,10 versions will include policy in errata selinux-policy releases
%if 0%{?fedora}%{?rhel} < 5 %if 0%{?fedora}%{?rhel} < 5
%define selinux_module 0 %global selinux_module 0
%define selinux_variants %{nil} %global selinux_variants %{nil}
%define selinux_buildreqs %{nil} %global selinux_buildreqs %{nil}
%else %else
# Temporarily build merged policy to make sure it works # Temporarily build merged policy to make sure it works
%define selinux_module 1 %global selinux_module 1
%define selinux_variants mls strict targeted %global selinux_types %(%{__awk} '/^#[[:space:]]*SELINUXTYPE=/,/^[^#]/ { if ($3 == "-") printf "%s ", $2 }' /etc/selinux/config 2>/dev/null)
%define selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink %global selinux_variants %([ -z "%{selinux_types}" ] && echo mls strict targeted || echo %{selinux_types})
%global selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink
%endif %endif
Name: mod_fcgid Name: mod_fcgid
@ -160,6 +161,7 @@ exit 0
* Tue Oct 21 2008 Paul Howarth <paul@city-fan.org> 2.2-6 * Tue Oct 21 2008 Paul Howarth <paul@city-fan.org> 2.2-6
- SELinux policy module rewritten to merge fastcgi and system script domains - SELinux policy module rewritten to merge fastcgi and system script domains
in preparation for merge into main selinux-policy package (#462318) in preparation for merge into main selinux-policy package (#462318)
- Try to determine supported SELinux policy types by reading /etc/selinux/config
* Thu Jul 24 2008 Paul Howarth <paul@city-fan.org> 2.2-5 * Thu Jul 24 2008 Paul Howarth <paul@city-fan.org> 2.2-5
- Tweak selinux-policy version detection macro to work with current Rawhide - Tweak selinux-policy version detection macro to work with current Rawhide