Don't transition roles when executing daemons from unconfined_t

2014-01-09 23:12:05 +01:00 · 2014-01-09 23:12:05 +01:00 · 01969cfc26
parent af2dcd6ac0
commit 01969cfc26
2 changed files with 17 additions and 17 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -19265,10 +19265,10 @@ index 0000000..cf6582f
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..993b768
+index 0000000..bba3177
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,328 @@
+@@ -0,0 +1,327 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@ -19338,7 +19338,6 @@ index 0000000..993b768
 +files_create_default_dir(unconfined_t)
 +files_root_filetrans_default(unconfined_t, dir)
 +
-+init_run_daemon(unconfined_t, unconfined_r)
 +init_domtrans_script(unconfined_t)
 +init_telinit(unconfined_t)
 +
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -4756,7 +4756,7 @@ index f6eb485..51b128e 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
 ')
 diff --git a/apache.te b/apache.te
-index 6649962..dd376b5 100644
+index 6649962..8d471e8 100644
 --- a/apache.te
 +++ b/apache.te
@@ -5,280 +5,317 @@ policy_module(apache, 2.7.2)
@ -5943,7 +5943,7 @@ index 6649962..dd376b5 100644
 	dbus_system_bus_client(httpd_t)
 
 	tunable_policy(`httpd_dbus_avahi',`
-@@ -786,35 +912,53 @@ optional_policy(`
+@@ -786,35 +912,54 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -5985,6 +5985,7 @@ index 6649962..dd376b5 100644
 +optional_policy(`
 +	# needed by FreeIPA
 +	ldap_stream_connect(httpd_t)
+	ldap_read_certs(httpd_t)
 ')
 
 optional_policy(`
@ -6010,7 +6011,7 @@ index 6649962..dd376b5 100644
 
 	tunable_policy(`httpd_manage_ipa',`
 		memcached_manage_pid_files(httpd_t)
-@@ -822,8 +966,18 @@ optional_policy(`
+@@ -822,8 +967,18 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -6029,7 +6030,7 @@ index 6649962..dd376b5 100644
 
 	tunable_policy(`httpd_can_network_connect_db',`
 		mysql_tcp_connect(httpd_t)
-@@ -832,6 +986,7 @@ optional_policy(`
+@@ -832,6 +987,7 @@ optional_policy(`
 
 optional_policy(`
 	nagios_read_config(httpd_t)
@ -6037,7 +6038,7 @@ index 6649962..dd376b5 100644
 ')
 
 optional_policy(`
-@@ -842,20 +997,39 @@ optional_policy(`
+@@ -842,20 +998,39 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -6063,7 +6064,7 @@ index 6649962..dd376b5 100644
 +	pki_manage_apache_lib(httpd_t)
 +	pki_manage_apache_log_files(httpd_t)
 +	pki_manage_apache_run(httpd_t)
-+    pki_read_tomcat_cert(httpd_t)
+	pki_read_tomcat_cert(httpd_t)
 +')
 
 -	tunable_policy(`httpd_can_network_connect_db',`
@ -6083,7 +6084,7 @@ index 6649962..dd376b5 100644
 ')
 
 optional_policy(`
-@@ -863,19 +1037,35 @@ optional_policy(`
+@@ -863,19 +1038,35 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -6119,7 +6120,7 @@ index 6649962..dd376b5 100644
 	udev_read_db(httpd_t)
 ')
 
-@@ -883,65 +1073,173 @@ optional_policy(`
+@@ -883,65 +1074,173 @@ optional_policy(`
 	yam_read_content(httpd_t)
 ')
 
@ -6315,7 +6316,7 @@ index 6649962..dd376b5 100644
 files_dontaudit_search_pids(httpd_suexec_t)
 files_search_home(httpd_suexec_t)
 
-@@ -950,123 +1248,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1249,74 @@ auth_use_nsswitch(httpd_suexec_t)
 logging_search_logs(httpd_suexec_t)
 logging_send_syslog_msg(httpd_suexec_t)
 
@ -6470,7 +6471,7 @@ index 6649962..dd376b5 100644
 	mysql_read_config(httpd_suexec_t)
 
 	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1332,106 @@ optional_policy(`
+@@ -1083,172 +1333,106 @@ optional_policy(`
 	')
 ')
 
@ -6707,7 +6708,7 @@ index 6649962..dd376b5 100644
 ')
 
 tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1439,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1440,74 @@ tunable_policy(`httpd_read_user_content',`
 ')
 
 tunable_policy(`httpd_use_cifs',`
@ -6804,7 +6805,7 @@ index 6649962..dd376b5 100644
 
 ########################################
 #
-@@ -1321,8 +1514,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1515,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
 #
 
 optional_policy(`
@ -6821,7 +6822,7 @@ index 6649962..dd376b5 100644
 ')
 
 ########################################
-@@ -1330,49 +1530,38 @@ optional_policy(`
+@@ -1330,49 +1531,38 @@ optional_policy(`
 # User content local policy
 #
 
@ -6886,7 +6887,7 @@ index 6649962..dd376b5 100644
 kernel_read_system_state(httpd_passwd_t)
 
 corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1571,100 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1572,100 @@ dev_read_urand(httpd_passwd_t)
 
 domain_use_interactive_fds(httpd_passwd_t)