From ddcd5d6350509c2ff6a3b85bd1865dc0f23271f9 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Mon, 30 Aug 2010 13:32:47 -0400
Subject: [PATCH] Dontaudit signals from sandbox domains to domains that transition to them
---
 policy/modules/apps/sandbox.if | 1 +
 policy/modules/services/apache.if | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
index d104714d..c20d3030 100644
--- a/policy/modules/apps/sandbox.if
+++ b/policy/modules/apps/sandbox.if
@@ -49,6 +49,7 @@ interface(`sandbox_transition',`
 dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
 dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
 dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
+ dontaudit sandbox_x_domain $1:process signal;

 allow $1 sandbox_tmpfs_type:file manage_file_perms;
 dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 7260bf6b..c96d0357 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -238,6 +238,8 @@ interface(`apache_role',`
 relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
 relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)

+ apache_exec_modules($2)
+
 tunable_policy(`httpd_enable_cgi',`
 # If a user starts a script by hand it gets the proper context
 domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
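Review bot: The added `dontaudit sandbox_x_domain $1:process signal;` in policy/modules/apps/sandbox.if has no comment, and it removes the AVC record an analyst would use to notice a sandboxed process signalling the domain that launched it. The signal is still denied, but the denial becomes silent for every type in the `sandbox_x_domain` attribute against every caller of `sandbox_transition`. I would put a comment above the rule, for example `# Signals back to the launching domain stay denied; only the AVC record is suppressed (rebuild with "semodule -DB" to see them).` The body of `sandbox_transition` starts and ends outside this hunk, so the interface's header documentation could not be checked for a matching mention.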
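Review bot: `apache_exec_modules($2)` in policy/modules/services/apache.if is a new grant to the role's user domain, but it has no comment and the commit subject covers only the sandbox dontaudit rule. The call sits before the tunable_policy block for `httpd_enable_cgi`, so it applies to every caller of `apache_role` whatever that boolean is set to. If that is intended, a line such as `# Needed by the user domain regardless of httpd_enable_cgi: <reason>` above the call would record why, and the grant would be easier to audit as its own commit. The definition of `apache_exec_modules` is not on this page, so the exact permissions it adds should be confirmed against apache.if; `apache_role` itself starts and ends outside the hunk.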