- Add devicekit policy
This commit is contained in:
parent
acc137684b
commit
3b03e7b7cb
@ -8349,7 +8349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.3/policy/modules/services/apache.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.3/policy/modules/services/apache.te
|
||||||
--- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/services/apache.te 2009-01-19 17:34:22.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/services/apache.te 2009-01-20 07:55:29.000000000 -0500
|
||||||
@@ -19,6 +19,8 @@
|
@@ -19,6 +19,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
@ -8833,7 +8833,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
tunable_policy(`httpd_can_network_connect',`
|
tunable_policy(`httpd_can_network_connect',`
|
||||||
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
|
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
|
||||||
@@ -641,12 +788,23 @@
|
@@ -641,12 +788,19 @@
|
||||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -8844,10 +8844,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
|
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
|
||||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||||
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
|
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
|
||||||
+ domtrans_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_script_t)
|
|
||||||
+ domtrans_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_t)
|
|
||||||
+ domtrans_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_t)
|
|
||||||
+
|
|
||||||
+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
|
+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
|
||||||
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
|
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
|
||||||
+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
|
+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
|
||||||
@ -8860,7 +8856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||||
@@ -655,6 +813,12 @@
|
@@ -655,6 +809,12 @@
|
||||||
fs_exec_nfs_files(httpd_suexec_t)
|
fs_exec_nfs_files(httpd_suexec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -8873,7 +8869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
fs_read_cifs_files(httpd_suexec_t)
|
fs_read_cifs_files(httpd_suexec_t)
|
||||||
fs_read_cifs_symlinks(httpd_suexec_t)
|
fs_read_cifs_symlinks(httpd_suexec_t)
|
||||||
@@ -672,15 +836,14 @@
|
@@ -672,15 +832,14 @@
|
||||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -8892,7 +8888,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
||||||
|
|
||||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||||
@@ -699,12 +862,24 @@
|
@@ -699,12 +858,24 @@
|
||||||
# Should we add a boolean?
|
# Should we add a boolean?
|
||||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||||
|
|
||||||
@ -8919,7 +8915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||||
@@ -712,6 +887,35 @@
|
@@ -712,6 +883,35 @@
|
||||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -8955,7 +8951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
fs_read_cifs_files(httpd_sys_script_t)
|
fs_read_cifs_files(httpd_sys_script_t)
|
||||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||||
@@ -724,6 +928,10 @@
|
@@ -724,6 +924,10 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mysql_stream_connect(httpd_sys_script_t)
|
mysql_stream_connect(httpd_sys_script_t)
|
||||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||||
@ -8966,7 +8962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -735,6 +943,8 @@
|
@@ -735,6 +939,8 @@
|
||||||
# httpd_rotatelogs local policy
|
# httpd_rotatelogs local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -8975,17 +8971,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
||||||
@@ -754,6 +964,9 @@
|
@@ -754,6 +960,12 @@
|
||||||
|
|
||||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||||
allow httpd_user_script_t httpdcontent:file entrypoint;
|
allow httpd_user_script_t httpdcontent:file entrypoint;
|
||||||
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
|
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
|
||||||
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
|
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
|
||||||
|
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
|
||||||
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
|
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
|
||||||
|
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t)
|
||||||
|
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
# allow accessing files/dirs below the users home dir
|
# allow accessing files/dirs below the users home dir
|
||||||
@@ -762,3 +975,66 @@
|
@@ -762,3 +974,66 @@
|
||||||
userdom_search_user_home_dirs(httpd_suexec_t)
|
userdom_search_user_home_dirs(httpd_suexec_t)
|
||||||
userdom_search_user_home_dirs(httpd_user_script_t)
|
userdom_search_user_home_dirs(httpd_user_script_t)
|
||||||
')
|
')
|
||||||
|