stuff from dan

refpolicy/Changelog

@@ -1,3 +1,4 @@
+- Add apache relay and db connect tunables.
 - Rename texrel_shlib_t to textrel_shlib_t.
 - Add swat to samba module.
 - Miscellaneous fixes from Dan Walsh.

refpolicy/policy/global_tunables

@@ -68,6 +68,12 @@ gen_tunable(httpd_builtin_scripting,false)
 ## Allow http daemon to tcp connect 
 gen_tunable(httpd_can_network_connect,false)
 
+## allow httpd to connect to mysql/posgresql 
+gen_tunable(httpd_can_network_connect_db, false)
+
+## allow httpd to act as a relay 
+gen_tunable(httpd_can_network_relay, false)
+
 ## Allow httpd cgi support
 gen_tunable(httpd_enable_cgi,false)
 

refpolicy/policy/modules/kernel/filesystem.if

@@ -1237,6 +1237,22 @@ interface(`fs_getattr_rpc_dirs',`
 
 ')
 
+########################################
+## <summary>
+##	Search directories of RPC file system pipes.
+## </summary>
+## <param name="domain">
+##	The type of the domain reading the symbolic links.
+## </param>
+#
+interface(`fs_search_rpc_dirs',`
+	gen_require(`
+		type rpc_pipefs_t;
+	')
+
+	allow $1 rpc_pipefs_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read directories of RPC file system pipes.

refpolicy/policy/modules/services/apache.te

@@ -1,5 +1,5 @@
 
-policy_module(apache,1.1.0)
+policy_module(apache,1.1.1)
 
 #
 # NOTES: 
@@ -226,14 +226,6 @@ corenet_tcp_bind_all_nodes(httpd_t)
 corenet_udp_bind_all_nodes(httpd_t)
 corenet_tcp_bind_http_port(httpd_t)
 corenet_tcp_bind_http_cache_port(httpd_t)
-# allow httpd to connect to mysql/posgresql 
-corenet_tcp_connect_postgresql_port(httpd_t)
-corenet_tcp_connect_mysqld_port(httpd_t)
-# allow httpd to work as a relay
-corenet_tcp_connect_gopher_port(httpd_t)
-corenet_tcp_connect_ftp_port(httpd_t)
-corenet_tcp_connect_http_port(httpd_t)
-corenet_tcp_connect_http_cache_port(httpd_t)
 
 dev_read_sysfs(httpd_t)
 dev_read_rand(httpd_t)
@@ -324,6 +316,20 @@ tunable_policy(`httpd_can_network_connect',`
 	sysnet_read_config(httpd_t)
 ')
 
+tunable_policy(`httpd_can_network_connect_db',`
+	# allow httpd to connect to mysql/posgresql
+	corenet_tcp_connect_postgresql_port(httpd_t)
+	corenet_tcp_connect_mysqld_port(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_relay',`
+	# allow httpd to work as a relay
+	corenet_tcp_connect_gopher_port(httpd_t)
+	corenet_tcp_connect_ftp_port(httpd_t)
+	corenet_tcp_connect_http_port(httpd_t)
+	corenet_tcp_connect_http_cache_port(httpd_t)
+')
+
 tunable_policy(`httpd_enable_cgi',`
 	domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
 	allow httpd_t httpd_unconfined_script_t:fd use;

refpolicy/policy/modules/system/mount.te

@@ -1,5 +1,5 @@
 
-policy_module(mount,1.1.1)
+policy_module(mount,1.1.2)
 
 ########################################
 #
@@ -94,9 +94,7 @@ ifdef(`distro_redhat',`
 
 optional_policy(`portmap',`
 	# for nfs
-	#allow portmap_t mount_t:udp_socket { sendto recvfrom };
+	corenet_non_ipsec_sendrecv(mount_t)
-	#allow mount_t portmap_t:udp_socket { sendto recvfrom };
-	#allow mount_t rpc_pipefs_t:dir search;
 	corenet_tcp_sendrecv_all_if(mount_t)
 	corenet_raw_sendrecv_all_if(mount_t)
 	corenet_udp_sendrecv_all_if(mount_t)
@@ -105,7 +103,6 @@ optional_policy(`portmap',`
 	corenet_udp_sendrecv_all_nodes(mount_t)
 	corenet_tcp_sendrecv_all_ports(mount_t)
 	corenet_udp_sendrecv_all_ports(mount_t)
-	corenet_non_ipsec_sendrecv(mount_t)
 	corenet_tcp_bind_all_nodes(mount_t)
 	corenet_udp_bind_all_nodes(mount_t)
 	corenet_tcp_bind_generic_port(mount_t)
@@ -114,6 +111,10 @@ optional_policy(`portmap',`
 	corenet_udp_bind_reserved_port(mount_t)
 	corenet_tcp_connect_all_ports(mount_t)
 
+	fs_search_rpc_dirs(mount_t)
+
+	portmap_udp_sendrecv(mount_t)
+
 	optional_policy(`nis',`
 		nis_use_ypbind(mount_t)
 	')