- More alias for fastcgi

2008-10-22 15:42:16 +00:00 · 2008-10-22 15:42:16 +00:00 · 5a79419b06
commit 5a79419b06
parent ae68d97fe5
1 changed files with 47 additions and 45 deletions
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@ -10545,7 +10545,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/apache.te	2008-10-22 09:08:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/apache.te	2008-10-22 09:53:30.000000000 -0400
@@ -20,6 +20,8 @@
 # Declarations
 #
@ -10639,26 +10639,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type httpd_lock_t;
 files_lock_file(httpd_lock_t)
-@@ -180,6 +220,18 @@
+@@ -181,6 +221,10 @@
 # setup the system domain for system CGI scripts
 apache_content_template(sys)
-+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+ 
 +typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
 +typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
 +typealias httpd_sys_script_ra_t   alias httpd_fastcgi_script_ra_t;
 +typealias httpd_sys_script_ro_t   alias httpd_fastcgi_script_ro_t;
 +typealias httpd_sys_script_rw_t   alias httpd_fastcgi_script_rw_t;
 +typealias httpd_sys_script_t      alias httpd_fastcgi_script_t;
 +typealias httpd_var_run_t         alias httpd_fastcgi_var_run_t;
 +
 +typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable
 +typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable
 +typeattribute httpd_sys_content_ra_t httpdcontent; # customizable
- 
+
 type httpd_tmp_t;
 files_tmp_file(httpd_tmp_t)
-@@ -202,12 +254,16 @@
+ 
@@ -202,12 +246,16 @@
 	prelink_object_file(httpd_modules_t)
 ')
@ -10676,7 +10668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dontaudit httpd_t self:capability { net_admin sys_tty_config };
 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow httpd_t self:fd use;
-@@ -249,6 +305,7 @@
+@@ -249,6 +297,7 @@
 allow httpd_t httpd_modules_t:dir list_dir_perms;
 mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@ -10684,7 +10676,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 apache_domtrans_rotatelogs(httpd_t)
 # Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -260,9 +317,9 @@
+@@ -260,9 +309,9 @@
 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
@ -10697,7 +10689,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -289,6 +346,7 @@
+@@ -289,6 +338,7 @@
 kernel_read_kernel_sysctls(httpd_t)
 # for modules that want to access /proc/meminfo
 kernel_read_system_state(httpd_t)
@ -10705,7 +10697,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_all_recvfrom_unlabeled(httpd_t)
 corenet_all_recvfrom_netlabel(httpd_t)
-@@ -299,6 +357,7 @@
+@@ -299,6 +349,7 @@
 corenet_tcp_sendrecv_all_ports(httpd_t)
 corenet_udp_sendrecv_all_ports(httpd_t)
 corenet_tcp_bind_all_nodes(httpd_t)
@ -10713,7 +10705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_tcp_bind_http_port(httpd_t)
 corenet_tcp_bind_http_cache_port(httpd_t)
 corenet_sendrecv_http_server_packets(httpd_t)
-@@ -312,12 +371,11 @@
+@@ -312,12 +363,11 @@
 fs_getattr_all_fs(httpd_t)
 fs_search_auto_mountpoints(httpd_t)
@ -10728,7 +10720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 domain_use_interactive_fds(httpd_t)
-@@ -335,6 +393,10 @@
+@@ -335,6 +385,10 @@
 files_read_var_lib_symlinks(httpd_t)
 fs_search_auto_mountpoints(httpd_sys_script_t)
@ -10739,7 +10731,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 libs_use_ld_so(httpd_t)
 libs_use_shared_libs(httpd_t)
-@@ -351,18 +413,33 @@
+@@ -351,18 +405,33 @@
 userdom_use_unpriv_users_fds(httpd_t)
@ -10760,7 +10752,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </desc>
 +gen_tunable(allow_httpd_mod_auth_pam, false)
 +
-+tunable_policy(`allow_httpd_mod_auth_pam',`
+ tunable_policy(`allow_httpd_mod_auth_pam',`
 -	auth_domtrans_chk_passwd(httpd_t)
 +	auth_domtrans_chkpwd(httpd_t)
 +')
 +
@ -10771,13 +10764,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </desc>
 +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
 +optional_policy(`
- tunable_policy(`allow_httpd_mod_auth_pam',`
+tunable_policy(`allow_httpd_mod_auth_pam',`
 -	auth_domtrans_chk_passwd(httpd_t)
 +		samba_domtrans_winbind_helper(httpd_t)
 ')
 ')
-@@ -370,20 +447,45 @@
+@@ -370,20 +439,45 @@
 	corenet_tcp_connect_all_ports(httpd_t)
 ')
@ -10824,7 +10816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -394,11 +496,12 @@
+@@ -394,11 +488,12 @@
 	corenet_tcp_bind_ftp_port(httpd_t)
 ')
@ -10840,7 +10832,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	fs_read_nfs_files(httpd_t)
 	fs_read_nfs_symlinks(httpd_t)
 ')
-@@ -408,6 +511,11 @@
+@@ -408,6 +503,11 @@
 	fs_read_cifs_symlinks(httpd_t)
 ')
@ -10852,7 +10844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
 	allow httpd_sys_script_t httpd_t:fd use;
-@@ -441,8 +549,13 @@
+@@ -441,8 +541,13 @@
 ')
 optional_policy(`
@ -10868,7 +10860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -454,18 +567,13 @@
+@@ -454,18 +559,13 @@
 ')
 optional_policy(`
@ -10888,7 +10880,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -475,6 +583,12 @@
+@@ -475,6 +575,12 @@
 	openca_kill(httpd_t)
 ')
@ -10901,7 +10893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	# Allow httpd to work with postgresql
 	postgresql_stream_connect(httpd_t)
-@@ -482,6 +596,7 @@
+@@ -482,6 +588,7 @@
 	tunable_policy(`httpd_can_network_connect_db',`
 		postgresql_tcp_connect(httpd_t)
@ -10909,7 +10901,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
-@@ -490,6 +605,7 @@
+@@ -490,6 +597,7 @@
 ')
 optional_policy(`
@ -10917,7 +10909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
-@@ -519,9 +635,28 @@
+@@ -519,9 +627,28 @@
 logging_send_syslog_msg(httpd_helper_t)
 tunable_policy(`httpd_tty_comm',`
@ -10946,7 +10938,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Apache PHP script local policy
-@@ -551,22 +686,27 @@
+@@ -551,22 +678,27 @@
 fs_search_auto_mountpoints(httpd_php_t)
@ -10980,7 +10972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -584,12 +724,14 @@
+@@ -584,12 +716,14 @@
 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
@ -10996,7 +10988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 kernel_read_kernel_sysctls(httpd_suexec_t)
 kernel_list_proc(httpd_suexec_t)
 kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -598,9 +740,7 @@
+@@ -598,9 +732,7 @@
 fs_search_auto_mountpoints(httpd_suexec_t)
@ -11007,7 +10999,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_read_etc_files(httpd_suexec_t)
 files_read_usr_files(httpd_suexec_t)
-@@ -633,12 +773,25 @@
+@@ -633,12 +765,25 @@
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
 ')
@ -11036,7 +11028,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -647,6 +800,12 @@
+@@ -647,6 +792,12 @@
 	fs_exec_nfs_files(httpd_suexec_t)
 ')
@ -11049,7 +11041,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_suexec_t)
 	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -664,10 +823,6 @@
+@@ -664,10 +815,6 @@
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
@ -11060,7 +11052,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Apache system script local policy
-@@ -677,7 +832,8 @@
+@@ -677,7 +824,8 @@
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
@ -11070,7 +11062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
 read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
-@@ -691,12 +847,15 @@
+@@ -691,12 +839,15 @@
 # Should we add a boolean?
 apache_domtrans_rotatelogs(httpd_sys_script_t)
@ -11088,7 +11080,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -704,6 +863,30 @@
+@@ -704,6 +855,30 @@
 	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
@ -11119,7 +11111,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -716,10 +899,10 @@
+@@ -716,10 +891,10 @@
 optional_policy(`
 	mysql_stream_connect(httpd_sys_script_t)
 	mysql_rw_db_sockets(httpd_sys_script_t)
@ -11134,7 +11126,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -727,6 +910,8 @@
+@@ -727,6 +902,8 @@
 # httpd_rotatelogs local policy
 #
@ -11143,7 +11135,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -741,3 +926,56 @@
+@@ -741,3 +918,66 @@
 logging_search_logs(httpd_rotatelogs_t)
 miscfiles_read_localization(httpd_rotatelogs_t)
@ -11200,6 +11192,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +manage_dirs_pattern(httpd_t,httpdcontent,httpd_rw_content)
 +manage_files_pattern(httpd_t,httpdcontent,httpd_rw_content)
 +manage_lnk_files_pattern(httpd_t,httpdcontent,httpd_rw_content)
 +
 +# Removal of fastcgi, will cause problems without the following
 +typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
 +typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
 +typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
 +typealias httpd_sys_script_ra_t   alias httpd_fastcgi_script_ra_t;
 +typealias httpd_sys_script_ro_t   alias httpd_fastcgi_script_ro_t;
 +typealias httpd_sys_script_rw_t   alias httpd_fastcgi_script_rw_t;
 +typealias httpd_sys_script_t      alias httpd_fastcgi_script_t;
 +typealias httpd_var_run_t         alias httpd_fastcgi_var_run_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.fc serefpolicy-3.5.13/policy/modules/services/arpwatch.fc
 --- nsaserefpolicy/policy/modules/services/arpwatch.fc	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.5.13/policy/modules/services/arpwatch.fc	2008-10-17 10:31:27.000000000 -0400