Tunable and optional policy goes below.

2010-09-17 09:30:55 +02:00 · 2010-09-17 09:30:55 +02:00 · f6bcb24b48
commit f6bcb24b48
parent b11ba46f38
2 changed files with 18 additions and 17 deletions
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@ -152,6 +152,8 @@ template(`apache_content_template',`
 		allow httpd_$1_script_t httpd_t:fd use;
 		allow httpd_$1_script_t httpd_t:process sigchld;

+		dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
+
 		kernel_read_system_state(httpd_$1_script_t)

 		dev_read_urand(httpd_$1_script_t)
@ -180,8 +182,6 @@ template(`apache_content_template',`
 	optional_policy(`
 		nscd_socket_use(httpd_$1_script_t)
 	')
-
-	dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
 ')

 ########################################
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@ -557,6 +557,12 @@ tunable_policy(`httpd_can_network_relay',`
 	corenet_sendrecv_squid_client_packets(httpd_t)
 ')

+tunable_policy(`httpd_execmem',`
+	allow httpd_t self:process { execmem execstack };
+	allow httpd_sys_script_t self:process { execmem execstack };
+	allow httpd_suexec_t self:process { execmem execstack };
+')
+
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
 	filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
@ -744,12 +750,6 @@ optional_policy(`
 	rpc_search_nfs_state_data(httpd_t)
 ')

-tunable_policy(`httpd_execmem',`
-	allow httpd_t self:process { execmem execstack };
-	allow httpd_sys_script_t self:process { execmem execstack };
-	allow httpd_suexec_t self:process { execmem execstack };
-') 
-
 optional_policy(`
 	# Allow httpd to work with postgresql
 	postgresql_stream_connect(httpd_t)
@ -887,6 +887,10 @@ files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })

 can_exec(httpd_suexec_t, httpd_sys_script_exec_t)

+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
 kernel_read_kernel_sysctls(httpd_suexec_t)
 kernel_list_proc(httpd_suexec_t)
 kernel_read_proc_symlinks(httpd_suexec_t)
@ -932,11 +936,8 @@ tunable_policy(`httpd_can_network_connect_db',`
 	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
 ')

-read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
-read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
-read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
-
 domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
+
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	allow httpd_sys_script_t httpdcontent:file entrypoint;
 	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
@ -1032,15 +1033,15 @@ optional_policy(`
 	')
 ')

-fs_cifs_entry_type(httpd_sys_script_t)
-fs_read_iso9660_files(httpd_sys_script_t)
-fs_nfs_entry_type(httpd_sys_script_t)
-
 tunable_policy(`httpd_can_network_connect_db',`
 	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
 	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
 ')

+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
+
 tunable_policy(`httpd_use_nfs',`
 	fs_manage_nfs_dirs(httpd_sys_script_t)
 	fs_manage_nfs_files(httpd_sys_script_t)
@ -1180,6 +1181,6 @@ tunable_policy(`httpd_enable_homedirs',`

 tunable_policy(`httpd_read_user_content',`
 	userdom_read_user_home_content_files(httpd_t)
-	userdom_read_user_home_content_files(httpd_user_script_t)
 	userdom_read_user_home_content_files(httpd_suexec_t)
+	userdom_read_user_home_content_files(httpd_user_script_t)
 ')