trunk: Database labeled networking update from KaiGai Kohei.
This commit is contained in:
parent
6224fc1485
commit
dc1920b218
@ -1,3 +1,4 @@
|
||||
- Database labeled networking update from KaiGai Kohei.
|
||||
- Several misc changes from the Fedora policy, cherry picked by David
|
||||
Hrdeman.
|
||||
- Large whitespace fix from Dominick Grift.
|
||||
|
@ -189,10 +189,6 @@ template(`apache_content_template',`
|
||||
corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
|
||||
corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
|
||||
corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
|
||||
corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
|
||||
corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
|
||||
corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t)
|
||||
corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t)
|
||||
|
||||
sysnet_read_config(httpd_$1_script_t)
|
||||
')
|
||||
@ -219,6 +215,12 @@ template(`apache_content_template',`
|
||||
mta_send_mail(httpd_$1_script_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
|
||||
mysql_tcp_connect(httpd_$1_script_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
|
||||
nis_use_ypbind_uncond(httpd_$1_script_t)
|
||||
@ -227,6 +229,10 @@ template(`apache_content_template',`
|
||||
|
||||
optional_policy(`
|
||||
postgresql_unpriv_client(httpd_$1_script_t)
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
|
||||
postgresql_tcp_connect(httpd_$1_script_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(apache, 1.10.0)
|
||||
policy_module(apache, 1.10.1)
|
||||
|
||||
#
|
||||
# NOTES:
|
||||
@ -459,8 +459,7 @@ optional_policy(`
|
||||
mysql_rw_db_sockets(httpd_t)
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
corenet_tcp_connect_mysqld_port(httpd_t)
|
||||
corenet_sendrecv_mysqld_client_packets(httpd_t)
|
||||
mysql_tcp_connect(httpd_t)
|
||||
')
|
||||
')
|
||||
|
||||
|
@ -18,6 +18,27 @@ interface(`mysql_signal',`
|
||||
allow $1 mysqld_t:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to connect to postgresql with a tcp socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`mysql_tcp_connect',`
|
||||
gen_require(`
|
||||
type mysqld_t;
|
||||
')
|
||||
|
||||
corenet_tcp_recvfrom_labeled($1, mysqld_t)
|
||||
corenet_tcp_sendrecv_mysqld_port($1)
|
||||
corenet_tcp_connect_mysqld_port($1)
|
||||
corenet_sendrecv_mysqld_client_packets($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to MySQL using a unix domain stream socket.
|
||||
|
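Review bot: The summary of the new `mysql_tcp_connect` interface names the wrong service: the line `## Allow the specified domain to connect to postgresql with a tcp socket.` sits above an interface that requires `mysqld_t` and calls only mysqld port interfaces, so it should read `## Allow the specified domain to connect to MySQL with a tcp socket.` The wrong name is what the generated interface documentation will show. The `corenet_tcp_recvfrom_labeled($1, mysqld_t)` call is the labeled-networking addition this commit is about and is the only line in the body whose purpose is not obvious from the interface name; a comment such as `# presumably: accept labeled TCP traffic whose peer is mysqld_t` above it would record that intent for readers.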
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mysql, 1.8.0)
|
||||
policy_module(mysql, 1.8.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1283,3 +1283,38 @@ interface(`init_manage_utmp',`
|
||||
files_search_pids($1)
|
||||
allow $1 initrc_var_run_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to connect to daemon with a tcp socket
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_tcp_recvfrom_all_daemons',`
|
||||
gen_require(`
|
||||
attribute daemon;
|
||||
')
|
||||
|
||||
corenet_tcp_recvfrom_labeled($1, daemon)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to connect to daemon with a udp socket
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_udp_recvfrom_all_daemons',`
|
||||
gen_require(`
|
||||
attribute daemon;
|
||||
')
|
||||
corenet_udp_recvfrom_labeled($1, daemon)
|
||||
')
|
||||
|
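Review bot: The summaries of the two new interfaces overstate what they grant: `## Allow the specified domain to connect to daemon with a tcp socket` (and its udp twin) describe a connect permission, but each body calls only `corenet_tcp_recvfrom_labeled($1, daemon)` or `corenet_udp_recvfrom_labeled($1, daemon)` and nothing that permits connecting. Matching the interface names, they should read `## Receive TCP packets from labeled daemon peers.` and `## Receive UDP packets from labeled daemon peers.`, with a trailing period. Separately, `init_udp_recvfrom_all_daemons` omits the blank line between the `')` closing gen_require and the corenet call that `init_tcp_recvfrom_all_daemons` has; the two should be formatted alike.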
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(init, 1.11.1)
|
||||
policy_module(init, 1.11.2)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
|
@ -549,6 +549,13 @@ template(`userdom_basic_networking_template',`
|
||||
corenet_tcp_connect_all_ports($1_t)
|
||||
corenet_sendrecv_all_client_packets($1_t)
|
||||
|
||||
corenet_all_recvfrom_labeled($1_t, $1_t)
|
||||
|
||||
optional_policy(`
|
||||
init_tcp_recvfrom_all_daemons($1_t)
|
||||
init_udp_recvfrom_all_daemons($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ipsec_match_default_spd($1_t)
|
||||
')
|
||||
|
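Review bot: The new `corenet_all_recvfrom_labeled($1_t, $1_t)` line has no comment, and passing the user domain as its own peer is not self-explanatory next to the daemon-peer rules in the optional_policy block that follows; a short comment such as `# receive labeled packets whose peer is this user domain itself` above the line would record the intent. The added optional_policy block relies on `init_tcp_recvfrom_all_daemons` and `init_udp_recvfrom_all_daemons`, which this same commit introduces in init.if, so the two changes only make sense together and a reviewer merging them separately would see an undefined interface. `userdom_basic_networking_template` starts and ends outside the hunk.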
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(userdomain, 3.1.0)
|
||||
policy_module(userdomain, 3.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|