From 0def274b9696fbc4094fc3c4dd9b1fb67245ce17 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Tue, 5 Oct 2010 14:47:38 +0200
Subject: [PATCH] Add policy for mediawiki

---
 policy/modules/apps/mediawiki.fc | 10 +++++++
 policy/modules/apps/mediawiki.if | 40 +++++++++++++++++++++++++++
 policy/modules/apps/mediawiki.te | 35 +++++++++++++++++++++++
 policy/modules/kernel/corecommands.fc | 1 +
 policy/modules/services/apache.te | 5 ++++
 5 files changed, 91 insertions(+)
 create mode 100644 policy/modules/apps/mediawiki.fc
 create mode 100644 policy/modules/apps/mediawiki.if
 create mode 100644 policy/modules/apps/mediawiki.te

diff --git a/policy/modules/apps/mediawiki.fc b/policy/modules/apps/mediawiki.fc
new file mode 100644
index 00000000..bf872efa
--- /dev/null
+++ b/policy/modules/apps/mediawiki.fc
@@ -0,0 +1,10 @@
+
+/usr/lib(64)?/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+/usr/lib(64)?/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+/usr/lib(64)?/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+
+/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
+
+/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
+
+/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
diff --git a/policy/modules/apps/mediawiki.if b/policy/modules/apps/mediawiki.if
new file mode 100644
index 00000000..1c1d0123
--- /dev/null
+++ b/policy/modules/apps/mediawiki.if
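Review bot: In the mediawiki.fc hunk the third math entry, `/usr/lib(64)?/mediawiki/math/texvc_tes --`, looks like a truncated name; the MediaWiki math extension ships `texvc`, `texvc_tex` and `texvc_test`, so as written this pattern would most likely match nothing and that binary would keep the default library label and run outside httpd_mediawiki_script_t. If texvc_test is the intended file, the line should read `/usr/lib(64)?/mediawiki/math/texvc_test -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)`. Separately, `/var/www/wiki(/.*)?` gives the whole document root httpd_mediawiki_rw_content_t and only carves out `*.php` regular files, so the directories that hold the PHP code stay writable by the script domain; if MediaWiki only needs write access under its upload and cache directories, scoping the rw label to those paths would keep the rest of the tree read-only.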
@@ -0,0 +1,40 @@
+## Mediawiki policy
+
+#######################################
+##
+## Allow the specified domain to read
+## mediawiki tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mediawiki_read_tmp_files',`
+ gen_require(`
+ type httpd_mediawiki_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+ read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+')
+
+#######################################
+##
+## Delete mediawiki tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mediawiki_delete_tmp_files',`
+ gen_require(`
+ type httpd_mediawiki_tmp_t;
+ ')
+
+ delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+')
diff --git a/policy/modules/apps/mediawiki.te b/policy/modules/apps/mediawiki.te
new file mode 100644
index 00000000..7cfbc3ba
--- /dev/null
+++ b/policy/modules/apps/mediawiki.te
@@ -0,0 +1,35 @@
+
+policy_module(mediawiki, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(mediawiki)
+
+type httpd_mediawiki_tmp_t;
+files_tmp_file(httpd_mediawiki_tmp_t)
+
+permissive httpd_mediawiki_script_t;
+
+########################################
+#
+# mediawiki local policy
+#
+
+manage_dirs_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+manage_files_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+manage_lnk_files_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+files_tmp_filetrans(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, { file dir lnk_file })
+
+files_search_var_lib(httpd_mediawiki_script_t)
+
+userdom_read_user_tmp_files(httpd_mediawiki_script_t)
+
+miscfiles_read_tetex_data(httpd_mediawiki_script_t)
+
+optional_policy(`
+ apache_dontaudit_rw_tmp_files(httpd_mediawiki_script_t)
+')
+
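Review bot: `mediawiki_delete_tmp_files` omits the `files_search_tmp($1)` that `mediawiki_read_tmp_files` includes, so a caller that has not already been granted search on the tmp directory is denied before it reaches the httpd_mediawiki_tmp_t file; add `files_search_tmp($1)` above the `delete_files_pattern` line. The delete interface also covers regular files only, while the read interface handles symlinks and the mediawiki.te module's `files_tmp_filetrans(..., { file dir lnk_file })` lets the script domain create directories and symlinks of this type, so those objects could never be removed through this interface; `delete_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)` (and `delete_dirs_pattern` if directory cleanup is wanted) would close that gap.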
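Review bot: `permissive httpd_mediawiki_script_t;` in mediawiki.te puts the new script domain in permissive mode, so every rule below it only produces audit messages and nothing in this module actually confines the texvc helpers or the PHP content the .fc file labels for it. If this is a bring-up aid it should say so and be removed before the policy is treated as complete, e.g. `# TODO(policy): remove once the domain has been exercised in enforcing mode` on the line above it. `userdom_read_user_tmp_files(httpd_mediawiki_script_t)` is also wider than the module's own tmp type; unless a concrete need is known, the httpd_mediawiki_tmp_t rules above already cover files the script domain itself creates under tmp. Minor: `apache_dontaudit_rw_tmp_files` is wrapped in `optional_policy(...)` while `apache_content_template(mediawiki)` is called unconditionally, so the wrapper is inconsistent with the module's hard dependency on apache.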
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 46af2a46..217bd0df 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -273,6 +273,7 @@ ifdef(`distro_gentoo',`
 /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texmf/texconfig/tcfmgr -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 411a3ff9..bfb9f50b 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -717,6 +717,11 @@ optional_policy(`
 mailman_read_archive(httpd_t)
 ')
+optional_policy(`
+ mediawiki_read_tmp_files(httpd_t)
+ mediawiki_delete_tmp_files(httpd_t)
+')
+
 optional_policy(`
 # Allow httpd to work with mysql
 mysql_read_config(httpd_t)
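Review bot: The new mediawiki `optional_policy` block in apache.te carries no comment, unlike the neighbouring mysql block with its `# Allow httpd to work with mysql`; since these two calls grant httpd_t itself, not only the confined script domain, read and delete access to httpd_mediawiki_tmp_t, a one-line `# Allow httpd to read and clean up mediawiki tmp files` in front of them would record why the web server process needs that access. The `optional_policy` block that the `mailman_read_archive(httpd_t)` context line belongs to starts outside the hunk.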