From f6bcb24b481e54cddd445a726d064546310f7c4b Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Fri, 17 Sep 2010 09:30:55 +0200 Subject: [PATCH] Tunable and optional policy goes below. Tunable and optional policy goes below. --- policy/modules/services/apache.if | 4 ++-- policy/modules/services/apache.te | 31 ++++++++++++++++--------------- 2 files changed, 18 insertions(+), 17 deletions(-) diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if index a06a8ddc..426e6868 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if @@ -152,6 +152,8 @@ template(`apache_content_template',` allow httpd_$1_script_t httpd_t:fd use; allow httpd_$1_script_t httpd_t:process sigchld; + dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write }; + kernel_read_system_state(httpd_$1_script_t) dev_read_urand(httpd_$1_script_t) @@ -180,8 +182,6 @@ template(`apache_content_template',` optional_policy(` nscd_socket_use(httpd_$1_script_t) ') - - dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write }; ') ######################################## diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 509a71a8..300dffb6 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -557,6 +557,12 @@ tunable_policy(`httpd_can_network_relay',` corenet_sendrecv_squid_client_packets(httpd_t) ') +tunable_policy(`httpd_execmem',` + allow httpd_t self:process { execmem execstack }; + allow httpd_sys_script_t self:process { execmem execstack }; + allow httpd_suexec_t self:process { execmem execstack }; +') + tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_sys_script_t httpd_sys_content_t:file entrypoint; filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) 
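Review bot: The `dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };` that now sits directly under the two allow rules in apache_content_template is a denial suppression, not a grant, and nothing in the template records that; a later reader trimming audit noise could promote it to an allow, which would give every generated script domain read/write on the server's own TCP sockets. Suggest a comment above it such as `# silence read/write denials on httpd_t sockets presumably inherited across the script exec; keep as dontaudit, not allow`. The change itself is a pure move within the template, so no access vector changes; apache_content_template begins before and ends after this hunk.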
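Review bot: The relocated `tunable_policy(`httpd_execmem',`` block in apache.te lifts the W^X restriction (execmem and execstack) for httpd_t, httpd_sys_script_t and httpd_suexec_t under one boolean, with no comment at the rules explaining why the suexec helper needs it alongside the server and its CGI domain. Since this block is where an auditor lands when the boolean is found enabled, a short note such as `# httpd_execmem: permits writable+executable memory in httpd, its CGI scripts and suexec; keep off unless a module or interpreter JIT requires it` would record the trade-off; if suexec does not in fact need it, dropping that line would be the smaller grant, though that is beyond this reordering. Rule order has no effect on the compiled policy, so the move itself changes nothing.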
@@ -744,12 +750,6 @@ optional_policy(` rpc_search_nfs_state_data(httpd_t) ') -tunable_policy(`httpd_execmem',` - allow httpd_t self:process { execmem execstack }; - allow httpd_sys_script_t self:process { execmem execstack }; - allow httpd_suexec_t self:process { execmem execstack }; -') - optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) @@ -887,6 +887,10 @@ files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) can_exec(httpd_suexec_t, httpd_sys_script_exec_t) +read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t) +read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t) +read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t) + kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) @@ -932,11 +936,8 @@ tunable_policy(`httpd_can_network_connect_db',` corenet_sendrecv_mssql_client_packets(httpd_suexec_t) ') -read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t) -read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t) -read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t) - domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) + tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_sys_script_t httpdcontent:file entrypoint; domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) 
@@ -1032,15 +1033,15 @@ optional_policy(` ') ') -fs_cifs_entry_type(httpd_sys_script_t) -fs_read_iso9660_files(httpd_sys_script_t) -fs_nfs_entry_type(httpd_sys_script_t) - tunable_policy(`httpd_can_network_connect_db',` corenet_tcp_connect_mssql_port(httpd_sys_script_t) corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) ') +fs_cifs_entry_type(httpd_sys_script_t) +fs_read_iso9660_files(httpd_sys_script_t) +fs_nfs_entry_type(httpd_sys_script_t) + tunable_policy(`httpd_use_nfs',` fs_manage_nfs_dirs(httpd_sys_script_t) fs_manage_nfs_files(httpd_sys_script_t) @@ -1180,6 +1181,6 @@ tunable_policy(`httpd_enable_homedirs',` tunable_policy(`httpd_read_user_content',` userdom_read_user_home_content_files(httpd_t) - userdom_read_user_home_content_files(httpd_user_script_t) userdom_read_user_home_content_files(httpd_suexec_t) + userdom_read_user_home_content_files(httpd_user_script_t) ')