Use entry_file as entry_point to domain transition.

Squash with e9f4178aa052c15ac7919a06e0c226b846ef7c7b Duplicate TE rule.
2010-09-17 08:32:11 +02:00 · 2010-09-17 08:32:11 +02:00 · b11ba46f38
commit b11ba46f38
parent 28fdb87aed
2 changed files with 2 additions and 6 deletions
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@ -50,8 +50,6 @@ template(`apache_content_template',`

 	read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)

-	domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-
 	allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
 	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;

@ -132,6 +130,8 @@ template(`apache_content_template',`
 	tunable_policy(`httpd_enable_cgi',`
 		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;

+		domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+
 		# privileged users run the script:
 		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)

--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@ -946,10 +946,6 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
 ')

-tunable_policy(`httpd_enable_cgi',`
-	domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)
-')
-
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_files(httpd_suexec_t)
 	fs_read_nfs_symlinks(httpd_suexec_t)