Don't transition roles when executing daemons from unconfined_t

Miroslav Grepl 2014-01-09 23:12:05 +01:00
parent af2dcd6ac0
commit 01969cfc26
2 changed files with 17 additions and 17 deletions


@ -19265,10 +19265,10 @@ index 0000000..cf6582f
+ +
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644 new file mode 100644
index 0000000..993b768 index 0000000..bba3177
--- /dev/null --- /dev/null
+++ b/policy/modules/roles/unconfineduser.te +++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,328 @@ @@ -0,0 +1,327 @@
+policy_module(unconfineduser, 1.0.0) +policy_module(unconfineduser, 1.0.0)
+ +
+######################################## +########################################
@ -19338,7 +19338,6 @@ index 0000000..993b768
+files_create_default_dir(unconfined_t) +files_create_default_dir(unconfined_t)
+files_root_filetrans_default(unconfined_t, dir) +files_root_filetrans_default(unconfined_t, dir)
+ +
+init_run_daemon(unconfined_t, unconfined_r)
+init_domtrans_script(unconfined_t) +init_domtrans_script(unconfined_t)
+init_telinit(unconfined_t) +init_telinit(unconfined_t)
+ +
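Review bot: Dropping `init_run_daemon(unconfined_t, unconfined_r)` (the line present only on the old side of the 7→6 hunk in unconfineduser.te) removes more than the role transition the commit title describes, since that interface is the one that also grants the domain transition into daemon domains when unconfined_t executes a daemon entry point; if that transition is still wanted, a non-role-changing interface should take its place, unless the rest of unconfineduser.te, which lies outside this hunk, already provides it. Nothing in the hunk records why the call went away, so a maintainer re-syncing against upstream is likely to add it back; a one-line note next to the surviving `init_domtrans_script(unconfined_t)` such as `# no init_run_daemon: running a daemon from unconfined_t must not switch role` would preserve the intent. The inner hunk header adjustment (`+1,328` → `+1,327`) matches exactly one dropped line, so the patch-file bookkeeping looks consistent. The apache.te section of this commit, which adds `ldap_read_certs(httpd_t)` under the FreeIPA block, is unrelated to the role-transition change and would be easier to audit as its own commit.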


@ -4756,7 +4756,7 @@ index f6eb485..51b128e 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
') ')
diff --git a/apache.te b/apache.te diff --git a/apache.te b/apache.te
index 6649962..dd376b5 100644 index 6649962..8d471e8 100644
--- a/apache.te --- a/apache.te
+++ b/apache.te +++ b/apache.te
@@ -5,280 +5,317 @@ policy_module(apache, 2.7.2) @@ -5,280 +5,317 @@ policy_module(apache, 2.7.2)
@ -5943,7 +5943,7 @@ index 6649962..dd376b5 100644
dbus_system_bus_client(httpd_t) dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',` tunable_policy(`httpd_dbus_avahi',`
@@ -786,35 +912,53 @@ optional_policy(` @@ -786,35 +912,54 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -5985,6 +5985,7 @@ index 6649962..dd376b5 100644
+optional_policy(` +optional_policy(`
+ # needed by FreeIPA + # needed by FreeIPA
+ ldap_stream_connect(httpd_t) + ldap_stream_connect(httpd_t)
+ ldap_read_certs(httpd_t)
') ')
optional_policy(` optional_policy(`
@ -6010,7 +6011,7 @@ index 6649962..dd376b5 100644
tunable_policy(`httpd_manage_ipa',` tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t) memcached_manage_pid_files(httpd_t)
@@ -822,8 +966,18 @@ optional_policy(` @@ -822,8 +967,18 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -6029,7 +6030,7 @@ index 6649962..dd376b5 100644
tunable_policy(`httpd_can_network_connect_db',` tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t) mysql_tcp_connect(httpd_t)
@@ -832,6 +986,7 @@ optional_policy(` @@ -832,6 +987,7 @@ optional_policy(`
optional_policy(` optional_policy(`
nagios_read_config(httpd_t) nagios_read_config(httpd_t)
@ -6037,7 +6038,7 @@ index 6649962..dd376b5 100644
') ')
optional_policy(` optional_policy(`
@@ -842,20 +997,39 @@ optional_policy(` @@ -842,20 +998,39 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -6063,7 +6064,7 @@ index 6649962..dd376b5 100644
+ pki_manage_apache_lib(httpd_t) + pki_manage_apache_lib(httpd_t)
+ pki_manage_apache_log_files(httpd_t) + pki_manage_apache_log_files(httpd_t)
+ pki_manage_apache_run(httpd_t) + pki_manage_apache_run(httpd_t)
+ pki_read_tomcat_cert(httpd_t) + pki_read_tomcat_cert(httpd_t)
+') +')
- tunable_policy(`httpd_can_network_connect_db',` - tunable_policy(`httpd_can_network_connect_db',`
@ -6083,7 +6084,7 @@ index 6649962..dd376b5 100644
') ')
optional_policy(` optional_policy(`
@@ -863,19 +1037,35 @@ optional_policy(` @@ -863,19 +1038,35 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -6119,7 +6120,7 @@ index 6649962..dd376b5 100644
udev_read_db(httpd_t) udev_read_db(httpd_t)
') ')
@@ -883,65 +1073,173 @@ optional_policy(` @@ -883,65 +1074,173 @@ optional_policy(`
yam_read_content(httpd_t) yam_read_content(httpd_t)
') ')
@ -6315,7 +6316,7 @@ index 6649962..dd376b5 100644
files_dontaudit_search_pids(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t) files_search_home(httpd_suexec_t)
@@ -950,123 +1248,74 @@ auth_use_nsswitch(httpd_suexec_t) @@ -950,123 +1249,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t) logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t)
@ -6470,7 +6471,7 @@ index 6649962..dd376b5 100644
mysql_read_config(httpd_suexec_t) mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',` tunable_policy(`httpd_can_network_connect_db',`
@@ -1083,172 +1332,106 @@ optional_policy(` @@ -1083,172 +1333,106 @@ optional_policy(`
') ')
') ')
@ -6707,7 +6708,7 @@ index 6649962..dd376b5 100644
') ')
tunable_policy(`httpd_read_user_content',` tunable_policy(`httpd_read_user_content',`
@@ -1256,64 +1439,74 @@ tunable_policy(`httpd_read_user_content',` @@ -1256,64 +1440,74 @@ tunable_policy(`httpd_read_user_content',`
') ')
tunable_policy(`httpd_use_cifs',` tunable_policy(`httpd_use_cifs',`
@ -6804,7 +6805,7 @@ index 6649962..dd376b5 100644
######################################## ########################################
# #
@@ -1321,8 +1514,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) @@ -1321,8 +1515,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
# #
optional_policy(` optional_policy(`
@ -6821,7 +6822,7 @@ index 6649962..dd376b5 100644
') ')
######################################## ########################################
@@ -1330,49 +1530,38 @@ optional_policy(` @@ -1330,49 +1531,38 @@ optional_policy(`
# User content local policy # User content local policy
# #
@ -6886,7 +6887,7 @@ index 6649962..dd376b5 100644
kernel_read_system_state(httpd_passwd_t) kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t)
@@ -1382,38 +1571,100 @@ dev_read_urand(httpd_passwd_t) @@ -1382,38 +1572,100 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t)