trunk: Database labeled networking update from KaiGai Kohei.
This commit is contained in:
parent
6224fc1485
commit
dc1920b218
@ -1,3 +1,4 @@
|
|||||||
|
- Database labeled networking update from KaiGai Kohei.
|
||||||
- Several misc changes from the Fedora policy, cherry picked by David
|
- Several misc changes from the Fedora policy, cherry picked by David
|
||||||
Hrdeman.
|
Hrdeman.
|
||||||
- Large whitespace fix from Dominick Grift.
|
- Large whitespace fix from Dominick Grift.
|
||||||
|
@ -189,10 +189,6 @@ template(`apache_content_template',`
|
|||||||
corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
|
corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
|
||||||
corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
|
corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
|
||||||
corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
|
corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
|
||||||
corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
|
|
||||||
corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
|
|
||||||
corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t)
|
|
||||||
corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t)
|
|
||||||
|
|
||||||
sysnet_read_config(httpd_$1_script_t)
|
sysnet_read_config(httpd_$1_script_t)
|
||||||
')
|
')
|
||||||
@ -219,6 +215,12 @@ template(`apache_content_template',`
|
|||||||
mta_send_mail(httpd_$1_script_t)
|
mta_send_mail(httpd_$1_script_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
|
||||||
|
mysql_tcp_connect(httpd_$1_script_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
|
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
|
||||||
nis_use_ypbind_uncond(httpd_$1_script_t)
|
nis_use_ypbind_uncond(httpd_$1_script_t)
|
||||||
@ -227,6 +229,10 @@ template(`apache_content_template',`
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
postgresql_unpriv_client(httpd_$1_script_t)
|
postgresql_unpriv_client(httpd_$1_script_t)
|
||||||
|
|
||||||
|
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
|
||||||
|
postgresql_tcp_connect(httpd_$1_script_t)
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
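Review bot: `postgresql_tcp_connect(httpd_$1_script_t)` relies on an interface this commit does not add — the matching `mysql_tcp_connect` is defined in the mysql.if hunk of this same commit, but no postgresql.if hunk appears on the page. If postgresql.if does not already define that interface, the apache module will fail to build, so it is worth confirming before merge. Together with the earlier apache.if hunk that drops the unconditional `corenet_tcp_connect_postgresql_port` / `corenet_tcp_connect_mysqld_port` rules, CGI scripts now need `httpd_can_network_connect_db` to reach either database; the Changelog entry does not say so. The enclosing `apache_content_template` starts and ends outside the hunk.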
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(apache, 1.10.0)
|
policy_module(apache, 1.10.1)
|
||||||
|
|
||||||
#
|
#
|
||||||
# NOTES:
|
# NOTES:
|
||||||
@ -459,8 +459,7 @@ optional_policy(`
|
|||||||
mysql_rw_db_sockets(httpd_t)
|
mysql_rw_db_sockets(httpd_t)
|
||||||
|
|
||||||
tunable_policy(`httpd_can_network_connect_db',`
|
tunable_policy(`httpd_can_network_connect_db',`
|
||||||
corenet_tcp_connect_mysqld_port(httpd_t)
|
mysql_tcp_connect(httpd_t)
|
||||||
corenet_sendrecv_mysqld_client_packets(httpd_t)
|
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -18,6 +18,27 @@ interface(`mysql_signal',`
|
|||||||
allow $1 mysqld_t:process signal;
|
allow $1 mysqld_t:process signal;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow the specified domain to connect to postgresql with a tcp socket.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`mysql_tcp_connect',`
|
||||||
|
gen_require(`
|
||||||
|
type mysqld_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
corenet_tcp_recvfrom_labeled($1, mysqld_t)
|
||||||
|
corenet_tcp_sendrecv_mysqld_port($1)
|
||||||
|
corenet_tcp_connect_mysqld_port($1)
|
||||||
|
corenet_sendrecv_mysqld_client_packets($1)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Connect to MySQL using a unix domain stream socket.
|
## Connect to MySQL using a unix domain stream socket.
|
||||||
|
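Review bot: The summary of the new `mysql_tcp_connect` interface reads "connect to postgresql", which looks like a copy-paste slip in a MySQL interface; suggest `## Allow the specified domain to connect to MySQL with a tcp socket.` The body also grants `corenet_tcp_recvfrom_labeled($1, mysqld_t)` and `corenet_tcp_sendrecv_mysqld_port($1)` on top of the connect and client-packet rules, so callers that swap a bare `corenet_tcp_connect_mysqld_port` call for this interface (as apache.te does in this commit) receive a slightly wider grant. A second summary sentence noting that labeled traffic from mysqld_t is permitted would make that scope visible to policy authors.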
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(mysql, 1.8.0)
|
policy_module(mysql, 1.8.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1283,3 +1283,38 @@ interface(`init_manage_utmp',`
|
|||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
allow $1 initrc_var_run_t:file manage_file_perms;
|
allow $1 initrc_var_run_t:file manage_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow the specified domain to connect to daemon with a tcp socket
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`init_tcp_recvfrom_all_daemons',`
|
||||||
|
gen_require(`
|
||||||
|
attribute daemon;
|
||||||
|
')
|
||||||
|
|
||||||
|
corenet_tcp_recvfrom_labeled($1, daemon)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow the specified domain to connect to daemon with a udp socket
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`init_udp_recvfrom_all_daemons',`
|
||||||
|
gen_require(`
|
||||||
|
attribute daemon;
|
||||||
|
')
|
||||||
|
corenet_udp_recvfrom_labeled($1, daemon)
|
||||||
|
')
|
||||||
|
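Review bot: The summaries of both new interfaces say "connect to daemon with a tcp socket" / "udp socket", but their bodies grant only `corenet_tcp_recvfrom_labeled($1, daemon)` and `corenet_udp_recvfrom_labeled($1, daemon)`, i.e. receipt of packets labeled with any domain carrying the `daemon` attribute — nothing about connecting. Suggest `## Receive TCP packets labeled as any daemon domain.` and the UDP equivalent, with the trailing period the other refpolicy summaries use. Because `daemon` is an attribute rather than a single type, this is a broad grant, and the summary should say so explicitly. `init_udp_recvfrom_all_daemons` also omits the blank line between the `gen_require` block and its rule that `init_tcp_recvfrom_all_daemons` has; the two should match.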
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(init, 1.11.1)
|
policy_module(init, 1.11.2)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
|
@ -549,6 +549,13 @@ template(`userdom_basic_networking_template',`
|
|||||||
corenet_tcp_connect_all_ports($1_t)
|
corenet_tcp_connect_all_ports($1_t)
|
||||||
corenet_sendrecv_all_client_packets($1_t)
|
corenet_sendrecv_all_client_packets($1_t)
|
||||||
|
|
||||||
|
corenet_all_recvfrom_labeled($1_t, $1_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
init_tcp_recvfrom_all_daemons($1_t)
|
||||||
|
init_udp_recvfrom_all_daemons($1_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
ipsec_match_default_spd($1_t)
|
ipsec_match_default_spd($1_t)
|
||||||
')
|
')
|
||||||
|
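Review bot: The new block in `userdom_basic_networking_template` has no comment explaining why every basic-networking user domain should receive labeled packets from itself and from all daemon domains unconditionally, while the database side of this same commit gates connectivity behind `httpd_can_network_connect_db`. A one-line comment such as `# labeled networking: accept peer-labeled packets from self and any daemon domain` above `corenet_all_recvfrom_labeled($1_t, $1_t)` would record the intent for later readers. Whether wrapping the `init_*_recvfrom_all_daemons` calls in `optional_policy` is necessary depends on whether init is treated as optional in this tree; it does match the style of the neighbouring ipsec block. The template begins outside the hunk.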
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(userdomain, 3.1.0)
|
policy_module(userdomain, 3.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|