- Add devicekit policy
This commit is contained in:
Daniel J Walsh
parent
acc137684b
commit
3b03e7b7cb
|
|
@ -8349,7 +8349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.3/policy/modules/services/apache.te
|
||||
--- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/apache.te 2009-01-19 17:34:22.000000000 -0500
|
||||
+++ serefpolicy-3.6.3/policy/modules/services/apache.te 2009-01-20 07:55:29.000000000 -0500
|
||||
@@ -19,6 +19,8 @@
|
||||
# Declarations
|
||||
#
|
||||
|
|
@ -8833,7 +8833,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
|
||||
tunable_policy(`httpd_can_network_connect',`
|
||||
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -641,12 +788,23 @@
|
||||
@@ -641,12 +788,19 @@
|
||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||
')
|
||||
|
||||
|
|
@ -8844,10 +8844,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
|
||||
+ domtrans_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_script_t)
|
||||
+ domtrans_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_t)
|
||||
+ domtrans_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_t)
|
||||
+
|
||||
+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
|
||||
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
|
||||
+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
|
||||
|
|
@ -8860,7 +8856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -655,6 +813,12 @@
|
||||
@@ -655,6 +809,12 @@
|
||||
fs_exec_nfs_files(httpd_suexec_t)
|
||||
')
|
||||
|
||||
|
|
@ -8873,7 +8869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_suexec_t)
|
||||
fs_read_cifs_symlinks(httpd_suexec_t)
|
||||
@@ -672,15 +836,14 @@
|
||||
@@ -672,15 +832,14 @@
|
||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||
')
|
||||
|
||||
|
|
@ -8892,7 +8888,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
||||
|
||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
@@ -699,12 +862,24 @@
|
||||
@@ -699,12 +858,24 @@
|
||||
# Should we add a boolean?
|
||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||
|
||||
|
|
@ -8919,7 +8915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -712,6 +887,35 @@
|
||||
@@ -712,6 +883,35 @@
|
||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
|
|
@ -8955,7 +8951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_sys_script_t)
|
||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
@@ -724,6 +928,10 @@
|
||||
@@ -724,6 +924,10 @@
|
||||
optional_policy(`
|
||||
mysql_stream_connect(httpd_sys_script_t)
|
||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||
|
|
@ -8966,7 +8962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -735,6 +943,8 @@
|
||||
@@ -735,6 +939,8 @@
|
||||
# httpd_rotatelogs local policy
|
||||
#
|
||||
|
||||
|
|
@ -8975,17 +8971,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
||||
|
||||
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
||||
@@ -754,6 +964,9 @@
|
||||
@@ -754,6 +960,12 @@
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
allow httpd_user_script_t httpdcontent:file entrypoint;
|
||||
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
|
||||
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
|
||||
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
|
||||
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
|
||||
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t)
|
||||
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t)
|
||||
')
|
||||
|
||||
# allow accessing files/dirs below the users home dir
|
||||
@@ -762,3 +975,66 @@
|
||||
@@ -762,3 +974,66 @@
|
||||
userdom_search_user_home_dirs(httpd_suexec_t)
|
||||
userdom_search_user_home_dirs(httpd_user_script_t)
|
||||
')
|
||||
|
|
|
|||
Loading…
Reference in New Issue