2115 lines
83 KiB
Diff
2115 lines
83 KiB
Diff
diff --git a/apache.if b/apache.if
|
|
index fac6fe5..804867a 100644
|
|
--- a/apache.if
|
|
+++ b/apache.if
|
|
@@ -14,99 +14,123 @@
|
|
template(`apache_content_template',`
|
|
gen_require(`
|
|
attribute httpd_exec_scripts, httpd_script_exec_type;
|
|
- type httpd_t, httpd_suexec_t, httpd_log_t;
|
|
- type httpd_sys_content_t;
|
|
+ type httpd_t, httpd_suexec_t;
|
|
attribute httpd_script_type, httpd_content_type;
|
|
')
|
|
|
|
#This type is for webpages
|
|
- type httpd_$1_content_t; # customizable;
|
|
- typeattribute httpd_$1_content_t httpd_content_type;
|
|
- typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
|
|
- files_type(httpd_$1_content_t)
|
|
+ type $1_content_t; # customizable;
|
|
+ typeattribute $1_content_t httpd_content_type;
|
|
+ typealias $1_content_t alias httpd_$1_script_ro_t;
|
|
+ files_type($1_content_t)
|
|
|
|
# This type is used for .htaccess files
|
|
- type httpd_$1_htaccess_t, httpd_content_type; # customizable;
|
|
- typeattribute httpd_$1_htaccess_t httpd_content_type;
|
|
- files_type(httpd_$1_htaccess_t)
|
|
+ type $1_htaccess_t, httpd_content_type; # customizable;
|
|
+ typeattribute $1_htaccess_t httpd_content_type;
|
|
+ files_type($1_htaccess_t)
|
|
|
|
# Type that CGI scripts run as
|
|
- type httpd_$1_script_t, httpd_script_type;
|
|
- domain_type(httpd_$1_script_t)
|
|
- role system_r types httpd_$1_script_t;
|
|
+ type $1_script_t, httpd_script_type;
|
|
+ domain_type($1_script_t)
|
|
+ role system_r types $1_script_t;
|
|
|
|
- kernel_read_system_state(httpd_$1_script_t)
|
|
+ kernel_read_system_state($1_script_t)
|
|
|
|
# This type is used for executable scripts files
|
|
- type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
|
|
- typeattribute httpd_$1_script_exec_t httpd_content_type;
|
|
- domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
|
|
+ type $1_script_exec_t, httpd_script_exec_type; # customizable;
|
|
+ typeattribute $1_script_exec_t httpd_content_type;
|
|
+ domain_entry_file($1_script_t, $1_script_exec_t)
|
|
|
|
- type httpd_$1_rw_content_t; # customizable
|
|
- typeattribute httpd_$1_rw_content_t httpd_content_type;
|
|
- typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
|
|
- files_type(httpd_$1_rw_content_t)
|
|
+ type $1_rw_content_t; # customizable
|
|
+ typeattribute $1_rw_content_t httpd_content_type;
|
|
+ typealias $1_rw_content_t alias { $1_script_rw_t };
|
|
+ files_type($1_rw_content_t)
|
|
|
|
- type httpd_$1_ra_content_t, httpd_content_type; # customizable
|
|
- typeattribute httpd_$1_ra_content_t httpd_content_type;
|
|
- typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
|
|
- files_type(httpd_$1_ra_content_t)
|
|
+ type $1_ra_content_t, httpd_content_type; # customizable
|
|
+ typeattribute $1_ra_content_t httpd_content_type;
|
|
+ typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t };
|
|
+ files_type($1_ra_content_t)
|
|
|
|
# Allow the script process to search the cgi directory, and users directory
|
|
- allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
|
|
+ allow $1_script_t $1_content_t:dir search_dir_perms;
|
|
|
|
- can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
|
|
- allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
|
|
+ can_exec($1_script_t, $1_script_exec_t)
|
|
+ allow $1_script_t $1_script_exec_t:dir list_dir_perms;
|
|
|
|
- allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
|
|
- read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
|
- append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
|
- create_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
|
- read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
|
+ allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
|
|
+ read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
|
|
+ append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
|
|
+ create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
|
|
+ read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
|
|
|
|
- allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
|
|
- read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
|
|
- read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
|
|
+ allow $1_script_t $1_content_t:dir list_dir_perms;
|
|
+ read_files_pattern($1_script_t, $1_content_t, $1_content_t)
|
|
+ read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)
|
|
|
|
- manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
- manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
- manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
- manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
- manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
+ manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
|
|
+ manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
|
|
+ manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
|
|
+ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
|
|
+ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
|
|
|
|
# Allow the web server to run scripts and serve pages
|
|
tunable_policy(`httpd_builtin_scripting',`
|
|
- manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
- manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
- manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
- rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
+ manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
|
|
+ manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
|
|
+ manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
|
|
+ rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
|
|
|
|
- allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };
|
|
- read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
|
- append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
|
- create_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
|
- read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
|
+ allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
|
|
+ read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
|
|
+ append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
|
|
+ create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
|
|
+ read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
|
|
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi',`
|
|
- allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
|
|
+ allow $1_script_t $1_script_exec_t:file entrypoint;
|
|
|
|
- domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
|
+ domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)
|
|
|
|
# privileged users run the script:
|
|
- domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
|
|
+ domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
|
|
|
|
- allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
|
|
+ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
|
|
|
|
# apache runs the script:
|
|
- domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
|
- allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto;
|
|
+ domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
|
|
+ allow httpd_t $1_script_t:unix_dgram_socket sendto;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Create a set of derived types for apache
|
|
+## web content.
|
|
+## </summary>
|
|
+## <param name="prefix">
|
|
+## <summary>
|
|
+## The prefix to be used for deriving new type names.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="oldprefix">
|
|
+## <summary>
|
|
+## The prefix to be used for deriving old type names.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`apache_content_alias_template',`
|
|
+ typealias $1_htaccess_t alias httpd_$2_htaccess_t;
|
|
+ typealias $1_script_t alias httpd_$2_script_t;
|
|
+ typealias $1_script_exec_t alias httpd_$2_script_exec_t;
|
|
+ typealias $1_content_t alias httpd_$2_content_t;
|
|
+ typealias $1_rw_content_t alias httpd_$2_script_rw_content_t;
|
|
+ typealias $1_ra_content_t alias httpd_$2_script_ra_content_t;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Role access for apache
|
|
## </summary>
|
|
## <param name="role">
|
|
diff --git a/apache.te b/apache.te
|
|
index 0e09bca..85e992e 100644
|
|
--- a/apache.te
|
|
+++ b/apache.te
|
|
@@ -370,7 +370,7 @@ type httpd_suexec_tmp_t;
|
|
files_tmp_file(httpd_suexec_tmp_t)
|
|
|
|
# setup the system domain for system CGI scripts
|
|
-apache_content_template(sys)
|
|
+apache_content_template(httpd_sys)
|
|
|
|
typeattribute httpd_sys_content_t httpdcontent; # customizable
|
|
typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
|
|
@@ -389,7 +389,7 @@ files_tmp_file(httpd_tmp_t)
|
|
type httpd_tmpfs_t;
|
|
files_tmpfs_file(httpd_tmpfs_t)
|
|
|
|
-apache_content_template(user)
|
|
+apache_content_template(httpd_user)
|
|
ubac_constrained(httpd_user_script_t)
|
|
|
|
typeattribute httpd_user_content_t httpdcontent;
|
|
@@ -1619,6 +1619,7 @@ allow httpd_t httpd_script_exec_type:dir list_dir_perms;
|
|
allow httpd_script_type self:process { setsched signal_perms };
|
|
allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
|
|
allow httpd_script_type self:unix_dgram_socket create_socket_perms;
|
|
+allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms;
|
|
|
|
allow httpd_script_type httpd_t:fd use;
|
|
allow httpd_script_type httpd_t:process sigchld;
|
|
diff --git a/apcupsd.fc b/apcupsd.fc
|
|
index 1c37fe1..274704f 100644
|
|
--- a/apcupsd.fc
|
|
+++ b/apcupsd.fc
|
|
@@ -14,8 +14,8 @@
|
|
|
|
/var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
|
|
|
|
-/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
|
|
-/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
|
|
-/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
|
|
-/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
|
|
-/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
|
|
+/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
|
|
+/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
|
|
+/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
|
|
+/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
|
|
+/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
|
|
diff --git a/apcupsd.if b/apcupsd.if
|
|
index b6afc90..9c06313 100644
|
|
--- a/apcupsd.if
|
|
+++ b/apcupsd.if
|
|
@@ -102,7 +102,7 @@ interface(`apcupsd_append_log',`
|
|
########################################
|
|
## <summary>
|
|
## Execute a domain transition to
|
|
-## run httpd_apcupsd_cgi_script.
|
|
+## run apcupsd_cgi_script.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -112,11 +112,11 @@ interface(`apcupsd_append_log',`
|
|
#
|
|
interface(`apcupsd_cgi_script_domtrans',`
|
|
gen_require(`
|
|
- type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
|
|
+ type apcupsd_cgi_script_t, apcupsd_cgi_script_exec_t;
|
|
')
|
|
|
|
files_search_var($1)
|
|
- domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
|
|
+ domtrans_pattern($1, apcupsd_cgi_script_exec_t, apcupsd_cgi_script_t)
|
|
|
|
optional_policy(`
|
|
apache_search_sys_content($1)
|
|
diff --git a/apcupsd.te b/apcupsd.te
|
|
index b4c43c7..11c215a 100644
|
|
--- a/apcupsd.te
|
|
+++ b/apcupsd.te
|
|
@@ -116,19 +116,20 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
apache_content_template(apcupsd_cgi)
|
|
-
|
|
- allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
|
|
- allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
|
|
-
|
|
- corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
|
|
- corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
|
|
- corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
|
|
- corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
|
|
- corenet_sendrecv_apcupsd_client_packets(httpd_apcupsd_cgi_script_t)
|
|
- corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
|
|
- corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
|
|
- corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
|
|
- corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
|
|
-
|
|
- sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
|
|
+ apache_content_alias_template(apcupsd_cgi, apcupsd_cgi)
|
|
+
|
|
+ allow apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
|
|
+ allow apcupsd_cgi_script_t self:udp_socket create_socket_perms;
|
|
+
|
|
+ corenet_all_recvfrom_netlabel(apcupsd_cgi_script_t)
|
|
+ corenet_tcp_sendrecv_generic_if(apcupsd_cgi_script_t)
|
|
+ corenet_tcp_sendrecv_generic_node(apcupsd_cgi_script_t)
|
|
+ corenet_tcp_sendrecv_all_ports(apcupsd_cgi_script_t)
|
|
+ corenet_sendrecv_apcupsd_client_packets(apcupsd_cgi_script_t)
|
|
+ corenet_tcp_connect_apcupsd_port(apcupsd_cgi_script_t)
|
|
+ corenet_udp_sendrecv_generic_if(apcupsd_cgi_script_t)
|
|
+ corenet_udp_sendrecv_generic_node(apcupsd_cgi_script_t)
|
|
+ corenet_udp_sendrecv_all_ports(apcupsd_cgi_script_t)
|
|
+
|
|
+ sysnet_dns_name_resolve(apcupsd_cgi_script_t)
|
|
')
|
|
diff --git a/awstats.fc b/awstats.fc
|
|
index 11e6d5f..73b4ea4 100644
|
|
--- a/awstats.fc
|
|
+++ b/awstats.fc
|
|
@@ -1,5 +1,5 @@
|
|
/usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0)
|
|
-/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0)
|
|
-/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0)
|
|
+/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:awstats_content_t,s0)
|
|
+/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:awstats_script_exec_t,s0)
|
|
|
|
/var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0)
|
|
diff --git a/awstats.te b/awstats.te
|
|
index c222135..ffbf2cb 100644
|
|
--- a/awstats.te
|
|
+++ b/awstats.te
|
|
@@ -26,6 +26,7 @@ type awstats_var_lib_t;
|
|
files_type(awstats_var_lib_t)
|
|
|
|
apache_content_template(awstats)
|
|
+apache_content_alias_template(awstats, awstats)
|
|
|
|
########################################
|
|
#
|
|
@@ -40,9 +41,9 @@ files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
|
|
|
|
manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
|
|
|
|
-allow awstats_t { httpd_awstats_content_t httpd_awstats_script_exec_t }:dir search_dir_perms;
|
|
+allow awstats_t { awstats_content_t awstats_script_exec_t }:dir search_dir_perms;
|
|
|
|
-can_exec(awstats_t, { awstats_exec_t httpd_awstats_script_exec_t })
|
|
+can_exec(awstats_t, { awstats_exec_t awstats_script_exec_t })
|
|
|
|
kernel_dontaudit_read_system_state(awstats_t)
|
|
|
|
@@ -86,13 +87,13 @@ optional_policy(`
|
|
# CGI local policy
|
|
#
|
|
|
|
-apache_read_log(httpd_awstats_script_t)
|
|
+apache_read_log(awstats_script_t)
|
|
|
|
-manage_dirs_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
|
|
-manage_files_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
|
|
-files_tmp_filetrans(httpd_awstats_script_t, awstats_tmp_t, { dir file })
|
|
+manage_dirs_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t)
|
|
+manage_files_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t)
|
|
+files_tmp_filetrans(awstats_script_t, awstats_tmp_t, { dir file })
|
|
|
|
-allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
|
|
+allow awstats_script_t awstats_var_lib_t:dir list_dir_perms;
|
|
|
|
-read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
|
|
-files_search_var_lib(httpd_awstats_script_t)
|
|
+read_files_pattern(awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
|
|
+files_search_var_lib(awstats_script_t)
|
|
diff --git a/bugzilla.fc b/bugzilla.fc
|
|
index fb6e397..9efceac 100644
|
|
--- a/bugzilla.fc
|
|
+++ b/bugzilla.fc
|
|
@@ -1,4 +1,4 @@
|
|
-/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
|
|
-/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
|
|
+/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:bugzilla_content_t,s0)
|
|
+/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:bugzilla_script_exec_t,s0)
|
|
|
|
-/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
|
|
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:bugzilla_rw_content_t,s0)
|
|
diff --git a/bugzilla.if b/bugzilla.if
|
|
index bf0cefa..d9ea246 100644
|
|
--- a/bugzilla.if
|
|
+++ b/bugzilla.if
|
|
@@ -12,10 +12,10 @@
|
|
#
|
|
interface(`bugzilla_search_content',`
|
|
gen_require(`
|
|
- type httpd_bugzilla_content_t;
|
|
+ type bugzilla_content_t;
|
|
')
|
|
|
|
- allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
|
|
+ allow $1 bugzilla_content_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
@@ -32,10 +32,10 @@ interface(`bugzilla_search_content',`
|
|
#
|
|
interface(`bugzilla_dontaudit_rw_stream_sockets',`
|
|
gen_require(`
|
|
- type httpd_bugzilla_script_t;
|
|
+ type bugzilla_script_t;
|
|
')
|
|
|
|
- dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
|
|
+ dontaudit $1 bugzilla_script_t:unix_stream_socket { read write };
|
|
')
|
|
|
|
########################################
|
|
@@ -51,32 +51,32 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
|
|
#
|
|
interface(`bugzilla_admin',`
|
|
gen_require(`
|
|
- type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
|
|
- type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
|
|
- type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
|
|
+ type bugzilla_script_t, bugzilla_content_t, bugzilla_ra_content_t;
|
|
+ type bugzilla_rw_content_t, bugzilla_script_exec_t;
|
|
+ type bugzilla_htaccess_t, bugzilla_tmp_t;
|
|
')
|
|
|
|
- allow $1 httpd_bugzilla_script_t:process signal_perms;
|
|
- ps_process_pattern($1, httpd_bugzilla_script_t)
|
|
+ allow $1 bugzilla_script_t:process signal_perms;
|
|
+ ps_process_pattern($1, bugzilla_script_t)
|
|
|
|
tunable_policy(`deny_ptrace',`',`
|
|
- allow $1 httpd_bugzilla_script_t:process ptrace;
|
|
+ allow $1 bugzilla_script_t:process ptrace;
|
|
')
|
|
|
|
files_list_tmp($1)
|
|
- admin_pattern($1, httpd_bugzilla_tmp_t)
|
|
+ admin_pattern($1, bugzilla_tmp_t)
|
|
|
|
- files_list_var_lib(httpd_bugzilla_script_t)
|
|
+ files_list_var_lib(bugzilla_script_t)
|
|
|
|
- admin_pattern($1, httpd_bugzilla_script_exec_t)
|
|
- admin_pattern($1, httpd_bugzilla_script_t)
|
|
- admin_pattern($1, httpd_bugzilla_content_t)
|
|
- admin_pattern($1, httpd_bugzilla_htaccess_t)
|
|
- admin_pattern($1, httpd_bugzilla_ra_content_t)
|
|
+ admin_pattern($1, bugzilla_script_exec_t)
|
|
+ admin_pattern($1, bugzilla_script_t)
|
|
+ admin_pattern($1, bugzilla_content_t)
|
|
+ admin_pattern($1, bugzilla_htaccess_t)
|
|
+ admin_pattern($1, bugzilla_ra_content_t)
|
|
|
|
files_search_tmp($1)
|
|
files_search_var_lib($1)
|
|
- admin_pattern($1, httpd_bugzilla_rw_content_t)
|
|
+ admin_pattern($1, bugzilla_rw_content_t)
|
|
|
|
optional_policy(`
|
|
apache_list_sys_content($1)
|
|
diff --git a/bugzilla.te b/bugzilla.te
|
|
index d9f3061..c62f617 100644
|
|
--- a/bugzilla.te
|
|
+++ b/bugzilla.te
|
|
@@ -6,54 +6,55 @@ policy_module(bugzilla, 1.1.0)
|
|
#
|
|
|
|
apache_content_template(bugzilla)
|
|
+apache_content_alias_template(bugzilla, bugzilla)
|
|
|
|
-type httpd_bugzilla_tmp_t;
|
|
-files_tmp_file(httpd_bugzilla_tmp_t)
|
|
+type bugzilla_tmp_t alias httpd_bugzilla_tmp_t;
|
|
+files_tmp_file(bugzilla_tmp_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
-allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
|
|
+allow bugzilla_script_t self:tcp_socket { accept listen };
|
|
|
|
-corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
|
|
-corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
|
|
-corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
|
|
+corenet_all_recvfrom_netlabel(bugzilla_script_t)
|
|
+corenet_tcp_sendrecv_generic_if(bugzilla_script_t)
|
|
+corenet_tcp_sendrecv_generic_node(bugzilla_script_t)
|
|
|
|
-corenet_sendrecv_http_client_packets(httpd_bugzilla_script_t)
|
|
-corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
|
|
-corenet_tcp_sendrecv_http_port(httpd_bugzilla_script_t)
|
|
+corenet_sendrecv_http_client_packets(bugzilla_script_t)
|
|
+corenet_tcp_connect_http_port(bugzilla_script_t)
|
|
+corenet_tcp_sendrecv_http_port(bugzilla_script_t)
|
|
|
|
-corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
|
|
-corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
|
|
-corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
|
|
+corenet_sendrecv_smtp_client_packets(bugzilla_script_t)
|
|
+corenet_tcp_connect_smtp_port(bugzilla_script_t)
|
|
+corenet_tcp_sendrecv_smtp_port(bugzilla_script_t)
|
|
|
|
-manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
|
|
-manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
|
|
-files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
|
|
+manage_dirs_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t)
|
|
+manage_files_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t)
|
|
+files_tmp_filetrans(bugzilla_script_t, bugzilla_tmp_t, { file dir })
|
|
|
|
-files_search_var_lib(httpd_bugzilla_script_t)
|
|
+files_search_var_lib(bugzilla_script_t)
|
|
|
|
-auth_read_passwd(httpd_bugzilla_script_t)
|
|
+auth_read_passwd(bugzilla_script_t)
|
|
|
|
-dev_read_sysfs(httpd_bugzilla_script_t)
|
|
+dev_read_sysfs(bugzilla_script_t)
|
|
|
|
-sysnet_read_config(httpd_bugzilla_script_t)
|
|
-sysnet_use_ldap(httpd_bugzilla_script_t)
|
|
+sysnet_read_config(bugzilla_script_t)
|
|
+sysnet_use_ldap(bugzilla_script_t)
|
|
|
|
-miscfiles_read_certs(httpd_bugzilla_script_t)
|
|
+miscfiles_read_certs(bugzilla_script_t)
|
|
|
|
optional_policy(`
|
|
- mta_send_mail(httpd_bugzilla_script_t)
|
|
+ mta_send_mail(bugzilla_script_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- mysql_stream_connect(httpd_bugzilla_script_t)
|
|
- mysql_tcp_connect(httpd_bugzilla_script_t)
|
|
+ mysql_stream_connect(bugzilla_script_t)
|
|
+ mysql_tcp_connect(bugzilla_script_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- postgresql_stream_connect(httpd_bugzilla_script_t)
|
|
- postgresql_tcp_connect(httpd_bugzilla_script_t)
|
|
+ postgresql_stream_connect(bugzilla_script_t)
|
|
+ postgresql_tcp_connect(bugzilla_script_t)
|
|
')
|
|
diff --git a/collectd.fc b/collectd.fc
|
|
index 2e7d7ed..8d70290 100644
|
|
--- a/collectd.fc
|
|
+++ b/collectd.fc
|
|
@@ -8,4 +8,4 @@
|
|
|
|
/var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0)
|
|
|
|
-/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
|
|
+/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:collectd_script_exec_t,s0)
|
|
diff --git a/collectd.te b/collectd.te
|
|
index dc0423c..d078b96 100644
|
|
--- a/collectd.te
|
|
+++ b/collectd.te
|
|
@@ -30,9 +30,10 @@ type collectd_unit_file_t;
|
|
systemd_unit_file(collectd_unit_file_t)
|
|
|
|
apache_content_template(collectd)
|
|
+apache_content_alias_template(collectd, collectd)
|
|
|
|
-type httpd_collectd_script_tmp_t;
|
|
-files_tmp_file(httpd_collectd_script_tmp_t)
|
|
+type collectd_script_tmp_t alias httpd_collectd_script_tmp_t;
|
|
+files_tmp_file(collectd_script_tmp_t)
|
|
|
|
########################################
|
|
#
|
|
@@ -102,13 +103,13 @@ optional_policy(`
|
|
#
|
|
|
|
|
|
-files_search_var_lib(httpd_collectd_script_t)
|
|
-read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
|
|
-list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
|
|
-miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
|
|
+files_search_var_lib(collectd_script_t)
|
|
+read_files_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
|
|
+list_dirs_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
|
|
+miscfiles_setattr_fonts_cache_dirs(collectd_script_t)
|
|
|
|
-manage_dirs_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t)
|
|
-manage_files_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t)
|
|
-files_tmp_filetrans(httpd_collectd_script_t, httpd_collectd_script_tmp_t, { file dir })
|
|
+manage_dirs_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
|
|
+manage_files_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
|
|
+files_tmp_filetrans(collectd_script_t, collectd_script_tmp_t, { file dir })
|
|
|
|
-auth_read_passwd(httpd_collectd_script_t)
|
|
+auth_read_passwd(collectd_script_t)
|
|
diff --git a/cvs.fc b/cvs.fc
|
|
index 75c8be9..e07e602 100644
|
|
--- a/cvs.fc
|
|
+++ b/cvs.fc
|
|
@@ -4,10 +4,10 @@
|
|
|
|
/usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0)
|
|
|
|
-/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
|
|
+/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0)
|
|
|
|
/var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
|
|
|
|
/var/run/cvs\.pid -- gen_context(system_u:object_r:cvs_var_run_t,s0)
|
|
|
|
-/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
|
|
+/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0)
|
|
diff --git a/cvs.te b/cvs.te
|
|
index f98a932..c3502c3 100644
|
|
--- a/cvs.te
|
|
+++ b/cvs.te
|
|
@@ -125,9 +125,10 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
apache_content_template(cvs)
|
|
+ apache_content_alias_template(cvs, cvs)
|
|
|
|
- read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
|
|
- manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
|
- manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
|
- files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
|
|
+ read_files_pattern(cvs_script_t, cvs_data_t, cvs_data_t)
|
|
+ manage_dirs_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
|
+ manage_files_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
|
+ files_tmp_filetrans(cvs_script_t, cvs_tmp_t, { file dir })
|
|
')
|
|
diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc
|
|
index 8c44697..5e44c5e 100644
|
|
--- a/dirsrv-admin.fc
|
|
+++ b/dirsrv-admin.fc
|
|
@@ -6,8 +6,8 @@
|
|
/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
|
|
/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
|
|
|
|
-/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
|
|
-/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
|
|
+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:dirsrvadmin_script_exec_t,s0)
|
|
+/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:dirsrvadmin_script_exec_t,s0)
|
|
|
|
/usr/lib/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
|
|
/usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
|
|
diff --git a/dirsrv-admin.if b/dirsrv-admin.if
|
|
index 30416f2..e360d38 100644
|
|
--- a/dirsrv-admin.if
|
|
+++ b/dirsrv-admin.if
|
|
@@ -29,13 +29,13 @@ interface(`dirsrvadmin_run_exec',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`dirsrvadmin_run_httpd_script_exec',`
|
|
+interface(`dirsrvadmin_run_script_exec',`
|
|
gen_require(`
|
|
- type httpd_dirsrvadmin_script_exec_t;
|
|
+ type dirsrvadmin_script_exec_t;
|
|
')
|
|
|
|
- allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
|
|
- can_exec($1, httpd_dirsrvadmin_script_exec_t)
|
|
+ allow $1 dirsrvadmin_script_exec_t:dir search_dir_perms;
|
|
+ can_exec($1, dirsrvadmin_script_exec_t)
|
|
')
|
|
|
|
########################################
|
|
diff --git a/dirsrv-admin.te b/dirsrv-admin.te
|
|
index 021c5ae..37afbd4 100644
|
|
--- a/dirsrv-admin.te
|
|
+++ b/dirsrv-admin.te
|
|
@@ -70,59 +70,60 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
apache_content_template(dirsrvadmin)
|
|
+ apache_content_alias_template(dirsrvadmin, dirsrvadmin)
|
|
|
|
- allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
|
|
- allow httpd_dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
|
|
- allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
|
|
- allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
|
|
- allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
|
|
- allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
|
|
- allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
|
|
+ allow dirsrvadmin_script_t self:process { getsched getpgid };
|
|
+ allow dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
|
|
+ allow dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
|
|
+ allow dirsrvadmin_script_t self:udp_socket create_socket_perms;
|
|
+ allow dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
|
|
+ allow dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+ allow dirsrvadmin_script_t self:sem create_sem_perms;
|
|
|
|
|
|
- manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
|
|
- files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
|
|
+ manage_files_pattern(dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
|
|
+ files_lock_filetrans(dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
|
|
|
|
- kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
|
|
+ kernel_read_kernel_sysctls(dirsrvadmin_script_t)
|
|
|
|
|
|
- corenet_tcp_bind_generic_node(httpd_dirsrvadmin_script_t)
|
|
- corenet_udp_bind_generic_node(httpd_dirsrvadmin_script_t)
|
|
- corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
|
|
+ corenet_tcp_bind_generic_node(dirsrvadmin_script_t)
|
|
+ corenet_udp_bind_generic_node(dirsrvadmin_script_t)
|
|
+ corenet_all_recvfrom_netlabel(dirsrvadmin_script_t)
|
|
|
|
- corenet_tcp_bind_http_port(httpd_dirsrvadmin_script_t)
|
|
- corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
|
|
- corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
|
|
- corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
|
|
+ corenet_tcp_bind_http_port(dirsrvadmin_script_t)
|
|
+ corenet_tcp_connect_generic_port(dirsrvadmin_script_t)
|
|
+ corenet_tcp_connect_ldap_port(dirsrvadmin_script_t)
|
|
+ corenet_tcp_connect_http_port(dirsrvadmin_script_t)
|
|
|
|
- files_search_var_lib(httpd_dirsrvadmin_script_t)
|
|
+ files_search_var_lib(dirsrvadmin_script_t)
|
|
|
|
- sysnet_read_config(httpd_dirsrvadmin_script_t)
|
|
+ sysnet_read_config(dirsrvadmin_script_t)
|
|
|
|
- manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
|
|
- manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
|
|
- files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
|
|
+ manage_files_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
|
|
+ manage_dirs_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
|
|
+ files_tmp_filetrans(dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
|
|
|
|
optional_policy(`
|
|
- apache_read_modules(httpd_dirsrvadmin_script_t)
|
|
- apache_read_config(httpd_dirsrvadmin_script_t)
|
|
- apache_signal(httpd_dirsrvadmin_script_t)
|
|
- apache_signull(httpd_dirsrvadmin_script_t)
|
|
+ apache_read_modules(dirsrvadmin_script_t)
|
|
+ apache_read_config(dirsrvadmin_script_t)
|
|
+ apache_signal(dirsrvadmin_script_t)
|
|
+ apache_signull(dirsrvadmin_script_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# The CGI scripts must be able to manage dirsrv-admin
|
|
- dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
|
|
- dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
|
|
- dirsrv_domtrans(httpd_dirsrvadmin_script_t)
|
|
- dirsrv_signal(httpd_dirsrvadmin_script_t)
|
|
- dirsrv_signull(httpd_dirsrvadmin_script_t)
|
|
- dirsrv_manage_log(httpd_dirsrvadmin_script_t)
|
|
- dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
|
|
- dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
|
|
- dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
|
|
- dirsrv_manage_config(httpd_dirsrvadmin_script_t)
|
|
- dirsrv_read_share(httpd_dirsrvadmin_script_t)
|
|
+ dirsrvadmin_run_exec(dirsrvadmin_script_t)
|
|
+ dirsrvadmin_manage_config(dirsrvadmin_script_t)
|
|
+ dirsrv_domtrans(dirsrvadmin_script_t)
|
|
+ dirsrv_signal(dirsrvadmin_script_t)
|
|
+ dirsrv_signull(dirsrvadmin_script_t)
|
|
+ dirsrv_manage_log(dirsrvadmin_script_t)
|
|
+ dirsrv_manage_var_lib(dirsrvadmin_script_t)
|
|
+ dirsrv_pid_filetrans(dirsrvadmin_script_t)
|
|
+ dirsrv_manage_var_run(dirsrvadmin_script_t)
|
|
+ dirsrv_manage_config(dirsrvadmin_script_t)
|
|
+ dirsrv_read_share(dirsrvadmin_script_t)
|
|
')
|
|
')
|
|
|
|
diff --git a/dspam.fc b/dspam.fc
|
|
index 3ea0423..b5fcb77 100644
|
|
--- a/dspam.fc
|
|
+++ b/dspam.fc
|
|
@@ -2,7 +2,7 @@
|
|
|
|
/usr/bin/dspam -- gen_context(system_u:object_r:dspam_exec_t,s0)
|
|
|
|
-/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
|
|
+/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:dspam_script_exec_t,s0)
|
|
|
|
/var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0)
|
|
|
|
@@ -11,7 +11,7 @@
|
|
/var/run/dspam(/.*)? gen_context(system_u:object_r:dspam_var_run_t,s0)
|
|
|
|
# web
|
|
-/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
|
|
-/var/www/dspam(/.*?) gen_context(system_u:object_r:httpd_dspam_content_t,s0)
|
|
+/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:dspam_script_exec_t,s0)
|
|
+/var/www/dspam(/.*?) gen_context(system_u:object_r:dspam_content_t,s0)
|
|
|
|
-/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0)
|
|
+/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:dspam_rw_content_t,s0)
|
|
diff --git a/dspam.te b/dspam.te
|
|
index 37c844b..1ec4d89 100644
|
|
--- a/dspam.te
|
|
+++ b/dspam.te
|
|
@@ -75,29 +75,27 @@ logging_send_syslog_msg(dspam_t)
|
|
|
|
optional_policy(`
|
|
apache_content_template(dspam)
|
|
+ apache_content_alias_template(dspam, dspam)
|
|
|
|
- read_files_pattern(httpd_dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
|
|
+ read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
|
|
|
|
- files_search_var_lib(httpd_dspam_script_t)
|
|
- list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
|
|
- manage_dirs_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
|
|
- manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
|
|
+ files_search_var_lib(dspam_script_t)
|
|
|
|
- domain_dontaudit_read_all_domains_state(httpd_dspam_script_t)
|
|
+ domain_dontaudit_read_all_domains_state(dspam_script_t)
|
|
|
|
- term_dontaudit_search_ptys(httpd_dspam_script_t)
|
|
- term_dontaudit_getattr_all_ttys(httpd_dspam_script_t)
|
|
- term_dontaudit_getattr_all_ptys(httpd_dspam_script_t)
|
|
+ term_dontaudit_search_ptys(dspam_script_t)
|
|
+ term_dontaudit_getattr_all_ttys(dspam_script_t)
|
|
+ term_dontaudit_getattr_all_ptys(dspam_script_t)
|
|
|
|
- init_read_utmp(httpd_dspam_script_t)
|
|
+ init_read_utmp(dspam_script_t)
|
|
|
|
- logging_send_syslog_msg(httpd_dspam_script_t)
|
|
+ logging_send_syslog_msg(dspam_script_t)
|
|
|
|
- mta_send_mail(httpd_dspam_script_t)
|
|
+ mta_send_mail(dspam_script_t)
|
|
|
|
optional_policy(`
|
|
- mysql_tcp_connect(httpd_dspam_script_t)
|
|
- mysql_stream_connect(httpd_dspam_script_t)
|
|
+ mysql_tcp_connect(dspam_script_t)
|
|
+ mysql_stream_connect(dspam_script_t)
|
|
')
|
|
')
|
|
|
|
diff --git a/git.fc b/git.fc
|
|
index 24700f8..6561d56 100644
|
|
--- a/git.fc
|
|
+++ b/git.fc
|
|
@@ -2,12 +2,12 @@ HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
|
|
|
|
/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
|
|
|
|
-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
|
|
-/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
|
|
+/var/cache/cgit(/.*)? gen_context(system_u:object_r:git_rw_content_t,s0)
|
|
+/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:git_rw_content_t,s0)
|
|
|
|
/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
|
|
|
|
-/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
|
|
-/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
|
|
-/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
|
|
-/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
|
|
+/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:git_script_exec_t,s0)
|
|
+/var/www/git(/.*)? gen_context(system_u:object_r:git_content_t,s0)
|
|
+/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:git_script_exec_t,s0)
|
|
+/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:git_script_exec_t,s0)
|
|
diff --git a/git.te b/git.te
|
|
index 2609364..d3caffa 100644
|
|
--- a/git.te
|
|
+++ b/git.te
|
|
@@ -75,6 +75,7 @@ attribute git_daemon;
|
|
attribute_role git_session_roles;
|
|
|
|
apache_content_template(git)
|
|
+apache_content_alias_template(git, git)
|
|
|
|
type git_system_t, git_daemon;
|
|
type gitd_exec_t;
|
|
@@ -210,48 +211,48 @@ tunable_policy(`git_system_use_nfs',`
|
|
# CGI policy
|
|
#
|
|
|
|
-list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
|
|
-read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
|
|
-files_search_var_lib(httpd_git_script_t)
|
|
+list_dirs_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
|
|
+read_files_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
|
|
+files_search_var_lib(git_script_t)
|
|
|
|
-files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
|
|
+files_dontaudit_getattr_tmp_dirs(git_script_t)
|
|
|
|
-auth_use_nsswitch(httpd_git_script_t)
|
|
+auth_use_nsswitch(git_script_t)
|
|
|
|
tunable_policy(`git_cgi_enable_homedirs',`
|
|
- userdom_search_user_home_dirs(httpd_git_script_t)
|
|
+ userdom_search_user_home_dirs(git_script_t)
|
|
')
|
|
|
|
tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
|
|
- fs_getattr_nfs(httpd_git_script_t)
|
|
- fs_list_nfs(httpd_git_script_t)
|
|
- fs_read_nfs_files(httpd_git_script_t)
|
|
+ fs_getattr_nfs(git_script_t)
|
|
+ fs_list_nfs(git_script_t)
|
|
+ fs_read_nfs_files(git_script_t)
|
|
',`
|
|
- fs_dontaudit_read_nfs_files(httpd_git_script_t)
|
|
+ fs_dontaudit_read_nfs_files(git_script_t)
|
|
')
|
|
|
|
tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',`
|
|
- fs_getattr_cifs(httpd_git_script_t)
|
|
- fs_list_cifs(httpd_git_script_t)
|
|
- fs_read_cifs_files(httpd_git_script_t)
|
|
+ fs_getattr_cifs(git_script_t)
|
|
+ fs_list_cifs(git_script_t)
|
|
+ fs_read_cifs_files(git_script_t)
|
|
',`
|
|
- fs_dontaudit_read_cifs_files(httpd_git_script_t)
|
|
+ fs_dontaudit_read_cifs_files(git_script_t)
|
|
')
|
|
|
|
tunable_policy(`git_cgi_use_cifs',`
|
|
- fs_getattr_cifs(httpd_git_script_t)
|
|
- fs_list_cifs(httpd_git_script_t)
|
|
- fs_read_cifs_files(httpd_git_script_t)
|
|
+ fs_getattr_cifs(git_script_t)
|
|
+ fs_list_cifs(git_script_t)
|
|
+ fs_read_cifs_files(git_script_t)
|
|
',`
|
|
- fs_dontaudit_read_cifs_files(httpd_git_script_t)
|
|
+ fs_dontaudit_read_cifs_files(git_script_t)
|
|
')
|
|
|
|
tunable_policy(`git_cgi_use_nfs',`
|
|
- fs_getattr_nfs(httpd_git_script_t)
|
|
- fs_list_nfs(httpd_git_script_t)
|
|
- fs_read_nfs_files(httpd_git_script_t)
|
|
+ fs_getattr_nfs(git_script_t)
|
|
+ fs_list_nfs(git_script_t)
|
|
+ fs_read_nfs_files(git_script_t)
|
|
',`
|
|
- fs_dontaudit_read_nfs_files(httpd_git_script_t)
|
|
+ fs_dontaudit_read_nfs_files(git_script_t)
|
|
')
|
|
|
|
########################################
|
|
diff --git a/lightsquid.fc b/lightsquid.fc
|
|
index 044390c..63e2058 100644
|
|
--- a/lightsquid.fc
|
|
+++ b/lightsquid.fc
|
|
@@ -1,11 +1,11 @@
|
|
/etc/cron\.daily/lightsquid -- gen_context(system_u:object_r:lightsquid_exec_t,s0)
|
|
|
|
-/usr/lib/cgi-bin/lightsquid/.*\.cfg -- gen_context(system_u:object_r:httpd_lightsquid_content_t,s0)
|
|
-/usr/lib/cgi-bin/lightsquid/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0)
|
|
+/usr/lib/cgi-bin/lightsquid/.*\.cfg -- gen_context(system_u:object_r:lightsquid_content_t,s0)
|
|
+/usr/lib/cgi-bin/lightsquid/.*\.cgi -- gen_context(system_u:object_r:lightsquid_script_exec_t,s0)
|
|
|
|
-/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0)
|
|
+/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:lightsquid_script_exec_t,s0)
|
|
|
|
/var/lightsquid(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0)
|
|
|
|
-/var/www/html/lightsquid(/.*)? gen_context(system_u:object_r:httpd_lightsquid_content_t,s0)
|
|
-/var/www/html/lightsquid/report(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0)
|
|
+/var/www/html/lightsquid(/.*)? gen_context(system_u:object_r:lightsquid_content_t,s0)
|
|
+/var/www/html/lightsquid/report(/.*)? gen_context(system_u:object_r:lightsquid_report_content_t,s0)
|
|
diff --git a/lightsquid.te b/lightsquid.te
|
|
index 75854ed..6c7855e 100644
|
|
--- a/lightsquid.te
|
|
+++ b/lightsquid.te
|
|
@@ -13,18 +13,18 @@ type lightsquid_exec_t;
|
|
application_domain(lightsquid_t, lightsquid_exec_t)
|
|
role lightsquid_roles types lightsquid_t;
|
|
|
|
-type lightsquid_rw_content_t;
|
|
-files_type(lightsquid_rw_content_t)
|
|
+type lightsquid_report_content_t;
|
|
+files_type(lightsquid_report_content_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
-manage_dirs_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
|
|
-manage_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
|
|
-manage_lnk_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
|
|
-files_var_filetrans(lightsquid_t, lightsquid_rw_content_t, dir)
|
|
+manage_dirs_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
|
|
+manage_files_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
|
|
+manage_lnk_files_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
|
|
+files_var_filetrans(lightsquid_t, lightsquid_report_content_t, dir)
|
|
|
|
corecmd_exec_bin(lightsquid_t)
|
|
corecmd_exec_shell(lightsquid_t)
|
|
@@ -36,10 +36,11 @@ squid_read_log(lightsquid_t)
|
|
|
|
optional_policy(`
|
|
apache_content_template(lightsquid)
|
|
+ apache_content_alias_template(lightsquid, lightsquid)
|
|
|
|
- list_dirs_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
|
|
- read_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
|
|
- read_lnk_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
|
|
+ list_dirs_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
|
|
+ read_files_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
|
|
+ read_lnk_files_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
diff --git a/man2html.fc b/man2html.fc
|
|
index 82f6255..3686732 100644
|
|
--- a/man2html.fc
|
|
+++ b/man2html.fc
|
|
@@ -1,5 +1,5 @@
|
|
-/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
|
|
-/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
|
|
-/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
|
|
+/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:man2html_script_exec_t,s0)
|
|
+/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:man2html_script_exec_t,s0)
|
|
+/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:man2html_script_exec_t,s0)
|
|
|
|
-/var/cache/man2html(/.*)? gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0)
|
|
+/var/cache/man2html(/.*)? gen_context(system_u:object_r:man2html_rw_content_t,s0)
|
|
diff --git a/man2html.if b/man2html.if
|
|
index fe43dea..53eaf61 100644
|
|
--- a/man2html.if
|
|
+++ b/man2html.if
|
|
@@ -2,7 +2,7 @@
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Transition to httpd_man2html_script.
|
|
+## Transition to man2html_script.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -10,18 +10,18 @@
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`httpd_man2html_script_domtrans',`
|
|
+interface(`man2html_script_domtrans',`
|
|
gen_require(`
|
|
- type httpd_man2html_script_t, httpd_man2html_script_exec_t;
|
|
+ type man2html_script_t, man2html_script_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
- domtrans_pattern($1, httpd_man2html_script_exec_t, httpd_man2html_script_t)
|
|
+ domtrans_pattern($1, man2html_script_exec_t, man2html_script_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Search httpd_man2html_script cache directories.
|
|
+## Search man2html_script content directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -29,18 +29,19 @@ interface(`httpd_man2html_script_domtrans',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`httpd_man2html_script_search_cache',`
|
|
+interface(`man2html_search_content',`
|
|
gen_require(`
|
|
- type httpd_man2html_script_cache_t;
|
|
+ type man2html_content_t;
|
|
+ type man2html_rw_content_t;
|
|
')
|
|
|
|
- allow $1 httpd_man2html_script_cache_t:dir search_dir_perms;
|
|
+ allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms;
|
|
files_search_var($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read httpd_man2html_script cache files.
|
|
+## Read man2html cache files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -48,19 +49,22 @@ interface(`httpd_man2html_script_search_cache',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`httpd_man2html_script_read_cache_files',`
|
|
+interface(`man2html_read_content_files',`
|
|
gen_require(`
|
|
- type httpd_man2html_script_cache_t;
|
|
+ type man2html_content_t;
|
|
+ type man2html_rw_content_t;
|
|
')
|
|
|
|
files_search_var($1)
|
|
- read_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
|
|
+ allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms;
|
|
+ read_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
|
|
+ read_files_pattern($1, man2html_content_t, man2html_content_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
-## httpd_man2html_script cache files.
|
|
+## man2html content files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -68,18 +72,21 @@ interface(`httpd_man2html_script_read_cache_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`httpd_man2html_script_manage_cache_files',`
|
|
+interface(`man2html_manage_content_files',`
|
|
gen_require(`
|
|
- type httpd_man2html_script_cache_t;
|
|
+ type man2html_content_t;
|
|
+ type man2html_rw_content_t;
|
|
')
|
|
|
|
files_search_var($1)
|
|
- manage_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
|
|
+ manage_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
|
|
+ manage_files_pattern($1, man2html_content_t, man2html_content_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Manage httpd_man2html_script cache dirs.
|
|
+## Create, read, write, and delete
|
|
+## man2html content dirs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -87,20 +94,21 @@ interface(`httpd_man2html_script_manage_cache_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`httpd_man2html_script_manage_cache_dirs',`
|
|
+interface(`man2html_manage_content_dirs',`
|
|
gen_require(`
|
|
- type httpd_man2html_script_cache_t;
|
|
+ type man2html_content_t;
|
|
+ type man2html_rw_content_t;
|
|
')
|
|
|
|
files_search_var($1)
|
|
- manage_dirs_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
|
|
+ manage_dirs_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
|
|
+ manage_dirs_pattern($1, man2html_content_t, man2html_content_t)
|
|
')
|
|
|
|
-
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to administrate
|
|
-## an httpd_man2html_script environment
|
|
+## an man2html environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -108,17 +116,19 @@ interface(`httpd_man2html_script_manage_cache_dirs',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`httpd_man2html_script_admin',`
|
|
+interface(`man2html_admin',`
|
|
gen_require(`
|
|
- type httpd_man2html_script_t;
|
|
- type httpd_man2html_script_cache_t;
|
|
+ type man2html_script_t;
|
|
+ type man2html_rw_content_t;
|
|
+ type man2html_content_t;
|
|
')
|
|
|
|
- allow $1 httpd_man2html_script_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, httpd_man2html_script_t)
|
|
+ allow $1 man2html_script_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, man2html_script_t)
|
|
|
|
files_search_var($1)
|
|
- admin_pattern($1, httpd_man2html_script_cache_t)
|
|
+ admin_pattern($1, man2html_content_t)
|
|
+ admin_pattern($1, man2html_rw_content_t)
|
|
|
|
optional_policy(`
|
|
systemd_passwd_agent_exec($1)
|
|
diff --git a/man2html.te b/man2html.te
|
|
index 9e634bd..24b56e9 100644
|
|
--- a/man2html.te
|
|
+++ b/man2html.te
|
|
@@ -6,23 +6,17 @@ policy_module(man2html, 1.0.0)
|
|
#
|
|
|
|
|
|
-type httpd_man2html_script_cache_t;
|
|
-files_type(httpd_man2html_script_cache_t)
|
|
-
|
|
########################################
|
|
#
|
|
-# httpd_man2html_script local policy
|
|
+# man2html_script local policy
|
|
#
|
|
|
|
optional_policy(`
|
|
-
|
|
apache_content_template(man2html)
|
|
+ apache_content_alias_template(man2html, man2html)
|
|
|
|
- allow httpd_man2html_script_t self:process { fork };
|
|
-
|
|
- manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
|
|
- manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
|
|
- manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
|
|
- files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, { dir file })
|
|
+ allow man2html_script_t self:process fork;
|
|
|
|
+ typealias man2html_rw_content_t alias man2html_script_cache_t;
|
|
+ files_var_filetrans(man2html_script_t, man2html_rw_content_t, { dir file })
|
|
')
|
|
diff --git a/mediawiki.fc b/mediawiki.fc
|
|
index 99f7c41..93ec6db 100644
|
|
--- a/mediawiki.fc
|
|
+++ b/mediawiki.fc
|
|
@@ -1,8 +1,8 @@
|
|
-/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
|
|
-/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
|
|
-/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
|
|
+/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
|
|
+/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
|
|
+/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
|
|
|
|
-/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
|
|
+/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:mediawiki_content_t,s0)
|
|
|
|
-/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
|
|
-/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
|
|
+/var/www/wiki(/.*)? gen_context(system_u:object_r:mediawiki_rw_content_t,s0)
|
|
+/var/www/wiki/.*\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0)
|
|
diff --git a/mediawiki.if b/mediawiki.if
|
|
index 1c1d012..9b183e6 100644
|
|
--- a/mediawiki.if
|
|
+++ b/mediawiki.if
|
|
@@ -13,12 +13,12 @@
|
|
#
|
|
interface(`mediawiki_read_tmp_files',`
|
|
gen_require(`
|
|
- type httpd_mediawiki_tmp_t;
|
|
+ type mediawiki_tmp_t;
|
|
')
|
|
|
|
files_search_tmp($1)
|
|
- read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
|
|
- read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
|
|
+ read_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
|
|
+ read_lnk_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
|
|
')
|
|
|
|
#######################################
|
|
@@ -33,8 +33,8 @@ interface(`mediawiki_read_tmp_files',`
|
|
#
|
|
interface(`mediawiki_delete_tmp_files',`
|
|
gen_require(`
|
|
- type httpd_mediawiki_tmp_t;
|
|
+ type mediawiki_tmp_t;
|
|
')
|
|
|
|
- delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
|
|
+ delete_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
|
|
')
|
|
diff --git a/mediawiki.te b/mediawiki.te
|
|
index 212712c..fcbc191 100644
|
|
--- a/mediawiki.te
|
|
+++ b/mediawiki.te
|
|
@@ -5,16 +5,26 @@ policy_module(mediawiki, 1.0.0)
|
|
# Declarations
|
|
#
|
|
|
|
-optional_policy(`
|
|
-
|
|
- apache_content_template(mediawiki)
|
|
+type mediawiki_tmp_t;
|
|
+files_tmp_file(mediawiki_tmp_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
- files_search_var_lib(httpd_mediawiki_script_t)
|
|
+optional_policy(`
|
|
+
|
|
+ apache_content_template(mediawiki)
|
|
+ apache_content_alias_template(mediawiki, mediawiki)
|
|
+
|
|
+ manage_dirs_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
|
|
+ manage_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
|
|
+ manage_sock_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
|
|
+ manage_lnk_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
|
|
+ files_tmp_filetrans(mediawiki_script_t, mediawiki_tmp_t, { file dir lnk_file })
|
|
+
|
|
+ files_search_var_lib(mediawiki_script_t)
|
|
|
|
- miscfiles_read_tetex_data(httpd_mediawiki_script_t)
|
|
+ miscfiles_read_tetex_data(mediawiki_script_t)
|
|
')
|
|
diff --git a/mojomojo.fc b/mojomojo.fc
|
|
index 7b827ca..5ee8a0f 100644
|
|
--- a/mojomojo.fc
|
|
+++ b/mojomojo.fc
|
|
@@ -1,5 +1,5 @@
|
|
-/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0)
|
|
+/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:mojomojo_script_exec_t,s0)
|
|
|
|
-/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_mojomojo_content_t,s0)
|
|
+/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:mojomojo_content_t,s0)
|
|
|
|
-/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0)
|
|
+/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:mojomojo_rw_content_t,s0)
|
|
diff --git a/mojomojo.te b/mojomojo.te
|
|
index 9556487..25d1d33 100644
|
|
--- a/mojomojo.te
|
|
+++ b/mojomojo.te
|
|
@@ -5,8 +5,8 @@ policy_module(mojomojo, 1.1.0)
|
|
# Declarations
|
|
#
|
|
|
|
-type httpd_mojomojo_tmp_t;
|
|
-files_tmp_file(httpd_mojomojo_tmp_t)
|
|
+type mojomojo_tmp_t alias httpd_mojomojo_tmp_t;
|
|
+files_tmp_file(mojomojo_tmp_t)
|
|
|
|
########################################
|
|
#
|
|
@@ -15,31 +15,30 @@ files_tmp_file(httpd_mojomojo_tmp_t)
|
|
|
|
optional_policy(`
|
|
apache_content_template(mojomojo)
|
|
+ apache_content_alias_template(mojomojo, mojomojo)
|
|
|
|
- allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
|
|
+ manage_dirs_pattern(mojomojo_script_t, mojomojo_tmp_t, mojomojo_tmp_t)
|
|
+ manage_files_pattern(mojomojo_script_t, mojomojo_tmp_t, mojomojo_tmp_t)
|
|
+ files_tmp_filetrans(mojomojo_script_t, mojomojo_tmp_t, { file dir })
|
|
|
|
- manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
|
|
- manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
|
|
- files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir })
|
|
+ corenet_tcp_connect_postgresql_port(mojomojo_script_t)
|
|
+ corenet_tcp_connect_mysqld_port(mojomojo_script_t)
|
|
+ corenet_tcp_connect_smtp_port(mojomojo_script_t)
|
|
+ corenet_sendrecv_postgresql_client_packets(mojomojo_script_t)
|
|
+ corenet_sendrecv_mysqld_client_packets(mojomojo_script_t)
|
|
+ corenet_sendrecv_smtp_client_packets(mojomojo_script_t)
|
|
|
|
- corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
|
|
- corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
|
|
- corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
|
|
- corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
|
|
- corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
|
|
- corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
|
|
+ files_search_var_lib(mojomojo_script_t)
|
|
|
|
- files_search_var_lib(httpd_mojomojo_script_t)
|
|
+ sysnet_dns_name_resolve(mojomojo_script_t)
|
|
|
|
- sysnet_dns_name_resolve(httpd_mojomojo_script_t)
|
|
-
|
|
- mta_send_mail(httpd_mojomojo_script_t)
|
|
+ mta_send_mail(mojomojo_script_t)
|
|
|
|
optional_policy(`
|
|
- mysql_stream_connect(httpd_mojomojo_script_t)
|
|
+ mysql_stream_connect(mojomojo_script_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- postgresql_stream_connect(httpd_mojomojo_script_t)
|
|
+ postgresql_stream_connect(mojomojo_script_t)
|
|
')
|
|
')
|
|
diff --git a/munin.fc b/munin.fc
|
|
index 4968324..af28bb5 100644
|
|
--- a/munin.fc
|
|
+++ b/munin.fc
|
|
@@ -73,7 +73,7 @@
|
|
/var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0)
|
|
/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
|
|
/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
|
|
-/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
|
|
-/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
|
|
-/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
|
|
-/var/www/cgi-bin/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
|
|
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:munin_content_t,s0)
|
|
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:munin_script_exec_t,s0)
|
|
+/var/www/html/cgi/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0)
|
|
+/var/www/cgi-bin/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0)
|
|
diff --git a/munin.if b/munin.if
|
|
index 4c1b6a8..900d083 100644
|
|
--- a/munin.if
|
|
+++ b/munin.if
|
|
@@ -209,7 +209,7 @@ interface(`munin_admin',`
|
|
attribute munin_plugin_domain, munin_plugin_tmp_content;
|
|
type munin_t, munin_etc_t, munin_tmp_t;
|
|
type munin_log_t, munin_var_lib_t, munin_var_run_t;
|
|
- type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
|
|
+ type munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
|
|
')
|
|
|
|
allow $1 munin_t:process signal_perms;
|
|
@@ -239,5 +239,5 @@ interface(`munin_admin',`
|
|
files_list_pids($1)
|
|
admin_pattern($1, munin_var_run_t)
|
|
|
|
- admin_pattern($1, httpd_munin_content_t)
|
|
+ admin_pattern($1, munin_content_t)
|
|
')
|
|
diff --git a/munin.te b/munin.te
|
|
index cead88c..16b96d0 100644
|
|
--- a/munin.te
|
|
+++ b/munin.te
|
|
@@ -44,8 +44,8 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
|
|
munin_plugin_template(system)
|
|
munin_plugin_template(unconfined)
|
|
|
|
-type httpd_munin_script_tmp_t;
|
|
-files_tmp_file(httpd_munin_script_tmp_t)
|
|
+type munin_script_tmp_t alias httpd_munin_script_tmp_t;
|
|
+files_tmp_file(munin_script_tmp_t)
|
|
|
|
################################
|
|
#
|
|
@@ -435,22 +435,23 @@ optional_policy(`
|
|
#
|
|
|
|
apache_content_template(munin)
|
|
+apache_content_alias_template(munin, munin)
|
|
|
|
-manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
|
|
-manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
|
|
+manage_dirs_pattern(munin_t, munin_content_t, munin_content_t)
|
|
+manage_files_pattern(munin_t, munin_content_t, munin_content_t)
|
|
|
|
-manage_dirs_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t, httpd_munin_script_tmp_t)
|
|
-manage_files_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t,httpd_munin_script_tmp_t)
|
|
+manage_dirs_pattern(munin_script_t, munin_script_tmp_t, munin_script_tmp_t)
|
|
+manage_files_pattern(munin_script_t, munin_script_tmp_t,munin_script_tmp_t)
|
|
|
|
-read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t)
|
|
-read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)
|
|
+read_files_pattern(munin_script_t, munin_var_lib_t, munin_var_lib_t)
|
|
+read_files_pattern(munin_script_t, munin_etc_t, munin_etc_t)
|
|
|
|
-read_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t)
|
|
-append_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t)
|
|
+read_files_pattern(munin_script_t, munin_log_t, munin_log_t)
|
|
+append_files_pattern(munin_script_t, munin_log_t, munin_log_t)
|
|
|
|
-files_search_var_lib(httpd_munin_script_t)
|
|
+files_search_var_lib(munin_script_t)
|
|
|
|
-auth_read_passwd(httpd_munin_script_t)
|
|
+auth_read_passwd(munin_script_t)
|
|
|
|
optional_policy(`
|
|
apache_search_sys_content(munin_t)
|
|
diff --git a/mythtv.fc b/mythtv.fc
|
|
index 3a1c423..d62cf88 100644
|
|
--- a/mythtv.fc
|
|
+++ b/mythtv.fc
|
|
@@ -1,9 +1,9 @@
|
|
-/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0)
|
|
+/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:mythtv_script_exec_t,s0)
|
|
|
|
/var/lib/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_lib_t,s0)
|
|
|
|
/var/log/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_log_t,s0)
|
|
|
|
-/usr/share/mythtv(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0)
|
|
-/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0)
|
|
-/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0)
|
|
+/usr/share/mythtv(/.*)? gen_context(system_u:object_r:mythtv_content_t,s0)
|
|
+/usr/share/mythweb(/.*)? gen_context(system_u:object_r:mythtv_content_t,s0)
|
|
+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:mythtv_script_exec_t,s0)
|
|
diff --git a/mythtv.if b/mythtv.if
|
|
index 171f666..e2403dd 100644
|
|
--- a/mythtv.if
|
|
+++ b/mythtv.if
|
|
@@ -1,9 +1,9 @@
|
|
|
|
-## <summary>policy for httpd_mythtv_script</summary>
|
|
+## <summary>policy for mythtv_script</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute TEMPLATE in the httpd_mythtv_script domin.
|
|
+## Execute TEMPLATE in the mythtv_script domin.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -11,13 +11,13 @@
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`httpd_mythtv_script_domtrans',`
|
|
+interface(`mythtv_script_domtrans',`
|
|
gen_require(`
|
|
- type httpd_mythtv_script_t, httpd_mythtv_script_exec_t;
|
|
+ type mythtv_script_t, mythtv_script_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
- domtrans_pattern($1, httpd_mythtv_script_exec_t, httpd_mythtv_script_t)
|
|
+ domtrans_pattern($1, mythtv_script_exec_t, mythtv_script_t)
|
|
')
|
|
|
|
#######################################
|
|
@@ -133,15 +133,15 @@ interface(`mythtv_manage_log',`
|
|
#
|
|
interface(`mythtv_admin',`
|
|
gen_require(`
|
|
- type httpd_mythtv_script_t, mythtv_var_lib_t;
|
|
+ type mythtv_script_t, mythtv_var_lib_t;
|
|
type mythtv_var_log_t;
|
|
')
|
|
|
|
- allow $1 httpd_mythtv_script_t:process signal_perms;
|
|
- ps_process_pattern($1, httpd_mythtv_script_t)
|
|
+ allow $1 mythtv_script_t:process signal_perms;
|
|
+ ps_process_pattern($1, mythtv_script_t)
|
|
|
|
tunable_policy(`deny_ptrace',`',`
|
|
- allow $1 httpd_mythtv_script_t:process ptrace;
|
|
+ allow $1 mythtv_script_t:process ptrace;
|
|
')
|
|
|
|
logging_list_logs($1)
|
|
diff --git a/mythtv.te b/mythtv.te
|
|
index 90129ac..7a4910c 100644
|
|
--- a/mythtv.te
|
|
+++ b/mythtv.te
|
|
@@ -6,6 +6,7 @@ policy_module(mythtv, 1.0.0)
|
|
#
|
|
|
|
apache_content_template(mythtv)
|
|
+apache_content_alias_template(mythtv, mythtv)
|
|
|
|
type mythtv_var_lib_t;
|
|
files_type(mythtv_var_lib_t)
|
|
@@ -15,27 +16,27 @@ logging_log_file(mythtv_var_log_t)
|
|
|
|
########################################
|
|
#
|
|
-# httpd_mythtv_script local policy
|
|
+# mythtv_script local policy
|
|
#
|
|
|
|
-manage_files_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
|
|
-manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
|
|
-files_var_lib_filetrans(httpd_mythtv_script_t, mythtv_var_lib_t, { dir file })
|
|
+manage_files_pattern(mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
|
|
+manage_dirs_pattern(mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
|
|
+files_var_lib_filetrans(mythtv_script_t, mythtv_var_lib_t, { dir file })
|
|
|
|
-manage_files_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
|
|
-manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
|
|
-logging_log_filetrans(httpd_mythtv_script_t, mythtv_var_log_t, file )
|
|
+manage_files_pattern(mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
|
|
+manage_dirs_pattern(mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
|
|
+logging_log_filetrans(mythtv_script_t, mythtv_var_log_t, file )
|
|
|
|
-domain_use_interactive_fds(httpd_mythtv_script_t)
|
|
+domain_use_interactive_fds(mythtv_script_t)
|
|
|
|
-files_read_etc_files(httpd_mythtv_script_t)
|
|
+files_read_etc_files(mythtv_script_t)
|
|
|
|
-fs_read_nfs_files(httpd_mythtv_script_t)
|
|
+fs_read_nfs_files(mythtv_script_t)
|
|
|
|
-miscfiles_read_localization(httpd_mythtv_script_t)
|
|
+miscfiles_read_localization(mythtv_script_t)
|
|
|
|
optional_policy(`
|
|
- mysql_read_config(httpd_mythtv_script_t)
|
|
- mysql_stream_connect(httpd_mythtv_script_t)
|
|
- mysql_tcp_connect(httpd_mythtv_script_t)
|
|
+ mysql_read_config(mythtv_script_t)
|
|
+ mysql_stream_connect(mythtv_script_t)
|
|
+ mysql_tcp_connect(mythtv_script_t)
|
|
')
|
|
diff --git a/nagios.fc b/nagios.fc
|
|
index a00cc2d..24a2dec 100644
|
|
--- a/nagios.fc
|
|
+++ b/nagios.fc
|
|
@@ -6,8 +6,8 @@
|
|
/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
|
|
/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
|
|
|
|
-/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
|
|
-/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
|
|
+/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
|
|
+/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
|
|
|
|
/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
|
|
/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
|
|
@@ -19,8 +19,8 @@
|
|
ifdef(`distro_debian',`
|
|
/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
|
|
')
|
|
-/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
|
|
-/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
|
|
+/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
|
|
+/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
|
|
|
|
# admin plugins
|
|
/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
|
|
diff --git a/nagios.te b/nagios.te
|
|
index f565a0e..1726e88 100644
|
|
--- a/nagios.te
|
|
+++ b/nagios.te
|
|
@@ -186,33 +186,34 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
apache_content_template(nagios)
|
|
- typealias httpd_nagios_script_t alias nagios_cgi_t;
|
|
- typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;
|
|
+ apache_content_alias_template(nagios, nagios)
|
|
+ typealias nagios_script_t alias nagios_cgi_t;
|
|
+ typealias nagios_script_exec_t alias nagios_cgi_exec_t;
|
|
|
|
- allow httpd_nagios_script_t self:process signal_perms;
|
|
+ allow nagios_script_t self:process signal_perms;
|
|
|
|
- read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
|
|
- read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
|
|
+ read_files_pattern(nagios_script_t, nagios_t, nagios_t)
|
|
+ read_lnk_files_pattern(nagios_script_t, nagios_t, nagios_t)
|
|
|
|
- allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
|
|
- allow httpd_nagios_script_t nagios_etc_t:file read_file_perms;
|
|
- allow httpd_nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms;
|
|
+ allow nagios_script_t nagios_etc_t:dir list_dir_perms;
|
|
+ allow nagios_script_t nagios_etc_t:file read_file_perms;
|
|
+ allow nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms;
|
|
|
|
- files_search_spool(httpd_nagios_script_t)
|
|
- rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
|
|
+ files_search_spool(nagios_script_t)
|
|
+ rw_fifo_files_pattern(nagios_script_t, nagios_spool_t, nagios_spool_t)
|
|
|
|
- allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
|
|
- read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
|
|
- read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
|
|
+ allow nagios_script_t nagios_log_t:dir list_dir_perms;
|
|
+ read_files_pattern(nagios_script_t, nagios_etc_t, nagios_log_t)
|
|
+ read_lnk_files_pattern(nagios_script_t, nagios_etc_t, nagios_log_t)
|
|
|
|
- kernel_read_system_state(httpd_nagios_script_t)
|
|
+ kernel_read_system_state(nagios_script_t)
|
|
|
|
- domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
|
|
+ domain_dontaudit_read_all_domains_state(nagios_script_t)
|
|
|
|
- files_read_etc_runtime_files(httpd_nagios_script_t)
|
|
- files_read_kernel_symbol_table(httpd_nagios_script_t)
|
|
+ files_read_etc_runtime_files(nagios_script_t)
|
|
+ files_read_kernel_symbol_table(nagios_script_t)
|
|
|
|
- logging_send_syslog_msg(httpd_nagios_script_t)
|
|
+ logging_send_syslog_msg(nagios_script_t)
|
|
')
|
|
|
|
########################################
|
|
diff --git a/nut.fc b/nut.fc
|
|
index 41ff159..fac7d7b 100644
|
|
--- a/nut.fc
|
|
+++ b/nut.fc
|
|
@@ -11,6 +11,6 @@
|
|
|
|
/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
|
|
|
|
-/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
|
|
-/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
|
|
-/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
|
|
+/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
|
|
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
|
|
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
|
|
diff --git a/nut.te b/nut.te
|
|
index 1701352..249224e 100644
|
|
--- a/nut.te
|
|
+++ b/nut.te
|
|
@@ -166,17 +166,18 @@ logging_send_syslog_msg(nut_upsdrvctl_t)
|
|
|
|
optional_policy(`
|
|
apache_content_template(nutups_cgi)
|
|
+ apache_content_alias_template(nutups_cgi,nutups_cgi)
|
|
|
|
- read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
|
|
+ read_files_pattern(nutups_cgi_script_t, nut_conf_t, nut_conf_t)
|
|
|
|
- corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
|
|
- corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
|
|
- corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
|
|
- corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
|
|
- corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
|
|
- corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
|
|
- corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
|
|
- corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
|
|
+ corenet_all_recvfrom_netlabel(nutups_cgi_script_t)
|
|
+ corenet_tcp_sendrecv_generic_if(nutups_cgi_script_t)
|
|
+ corenet_tcp_sendrecv_generic_node(nutups_cgi_script_t)
|
|
+ corenet_tcp_sendrecv_all_ports(nutups_cgi_script_t)
|
|
+ corenet_tcp_connect_ups_port(nutups_cgi_script_t)
|
|
+ corenet_udp_sendrecv_generic_if(nutups_cgi_script_t)
|
|
+ corenet_udp_sendrecv_generic_node(nutups_cgi_script_t)
|
|
+ corenet_udp_sendrecv_all_ports(nutups_cgi_script_t)
|
|
|
|
- sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
|
|
+ sysnet_dns_name_resolve(nutups_cgi_script_t)
|
|
')
|
|
diff --git a/openshift.fc b/openshift.fc
|
|
index f2d6119..71ba1bd 100644
|
|
--- a/openshift.fc
|
|
+++ b/openshift.fc
|
|
@@ -18,7 +18,7 @@
|
|
/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
|
|
|
|
/usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
|
|
-/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:httpd_openshift_script_exec_t,s0)
|
|
+/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:openshift_script_exec_t,s0)
|
|
/usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
|
|
/usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
|
|
|
|
diff --git a/openshift.te b/openshift.te
|
|
index cd25e8e..7965e82 100644
|
|
--- a/openshift.te
|
|
+++ b/openshift.te
|
|
@@ -294,13 +294,14 @@ optional_policy(`
|
|
# openshift cgi script policy
|
|
#
|
|
apache_content_template(openshift)
|
|
- domtrans_pattern(httpd_openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)
|
|
+ apache_content_alias_template(openshift, openshift)
|
|
+ domtrans_pattern(openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)
|
|
|
|
optional_policy(`
|
|
- dbus_system_bus_client(httpd_openshift_script_t)
|
|
+ dbus_system_bus_client(openshift_script_t)
|
|
|
|
optional_policy(`
|
|
- oddjob_dbus_chat(httpd_openshift_script_t)
|
|
+ oddjob_dbus_chat(openshift_script_t)
|
|
oddjob_dontaudit_rw_fifo_file(openshift_domain)
|
|
')
|
|
')
|
|
diff --git a/pki.if b/pki.if
|
|
index b975b85..798efb6 100644
|
|
--- a/pki.if
|
|
+++ b/pki.if
|
|
@@ -134,13 +134,6 @@ template(`pki_apache_template',`
|
|
|
|
# need to resolve addresses?
|
|
auth_use_nsswitch($1_t)
|
|
-
|
|
- #pki_apache_domain_signal(httpd_t)
|
|
- #pki_apache_domain_signal(httpd_t)
|
|
- #pki_manage_apache_run(httpd_t)
|
|
- #pki_manage_apache_config_files(httpd_t)
|
|
- #pki_manage_apache_log_files(httpd_t)
|
|
- #pki_manage_apache_lib(httpd_t)
|
|
')
|
|
|
|
#######################################
|
|
diff --git a/pki.te b/pki.te
|
|
index 17f5d18..d656f71 100644
|
|
--- a/pki.te
|
|
+++ b/pki.te
|
|
@@ -43,7 +43,6 @@ typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_
|
|
typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
|
|
typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
|
|
typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
|
|
-# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };
|
|
|
|
|
|
# pki policy types
|
|
@@ -126,10 +125,6 @@ miscfiles_read_hwdata(pki_tomcat_t)
|
|
userdom_manage_user_tmp_dirs(pki_tomcat_t)
|
|
userdom_manage_user_tmp_files(pki_tomcat_t)
|
|
|
|
-# forward proxy
|
|
-# need to define ports to fix this
|
|
-#corenet_tcp_connect_pki_tomcat_port(httpd_t)
|
|
-
|
|
# for crl publishing
|
|
allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
|
|
|
|
@@ -166,9 +161,6 @@ corenet_tcp_connect_pki_tks_port(pki_tps_t)
|
|
|
|
files_exec_usr_files(pki_tps_t)
|
|
|
|
-# why do I need to add this?
|
|
-#allow httpd_t httpd_config_t:file execute;
|
|
-
|
|
######################################
|
|
#
|
|
# ra local policy
|
|
@@ -268,13 +260,8 @@ optional_policy(`
|
|
apache_list_modules(pki_apache_domain)
|
|
apache_read_config(pki_apache_domain)
|
|
apache_exec(pki_apache_domain)
|
|
- apache_exec_suexec(pki_apache_domain)
|
|
+ apache_exec_suexec(pki_apache_domain)
|
|
apache_entrypoint(pki_apache_domain)
|
|
-
|
|
- # should be started using a script which will execute httpd
|
|
- # start up httpd in pki_apache_domain mode
|
|
- #can_exec(pki_apache_domain, httpd_config_t)
|
|
- #can_exec(pki_apache_domain, httpd_suexec_exec_t)
|
|
')
|
|
|
|
# allow rpm -q in init scripts
|
|
diff --git a/prelude.fc b/prelude.fc
|
|
index 8dbc763..b580f85 100644
|
|
--- a/prelude.fc
|
|
+++ b/prelude.fc
|
|
@@ -12,7 +12,7 @@
|
|
|
|
/usr/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
|
|
|
|
-/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0)
|
|
+/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:prewikka_script_exec_t,s0)
|
|
|
|
/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0)
|
|
|
|
diff --git a/prelude.te b/prelude.te
|
|
index 509fd0a..e1f4f70 100644
|
|
--- a/prelude.te
|
|
+++ b/prelude.te
|
|
@@ -265,27 +265,28 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
apache_content_template(prewikka)
|
|
+ apache_content_alias_template(prewikka, prewikka)
|
|
|
|
- can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
|
|
+ can_exec(prewikka_script_t, prewikka_script_exec_t)
|
|
|
|
- files_search_tmp(httpd_prewikka_script_t)
|
|
+ files_search_tmp(prewikka_script_t)
|
|
|
|
- kernel_read_sysctl(httpd_prewikka_script_t)
|
|
- kernel_search_network_sysctl(httpd_prewikka_script_t)
|
|
+ kernel_read_sysctl(prewikka_script_t)
|
|
+ kernel_search_network_sysctl(prewikka_script_t)
|
|
|
|
- auth_use_nsswitch(httpd_prewikka_script_t)
|
|
+ auth_use_nsswitch(prewikka_script_t)
|
|
|
|
- logging_send_syslog_msg(httpd_prewikka_script_t)
|
|
+ logging_send_syslog_msg(prewikka_script_t)
|
|
|
|
- apache_search_sys_content(httpd_prewikka_script_t)
|
|
+ apache_search_sys_content(prewikka_script_t)
|
|
|
|
optional_policy(`
|
|
- mysql_stream_connect(httpd_prewikka_script_t)
|
|
- mysql_tcp_connect(httpd_prewikka_script_t)
|
|
+ mysql_stream_connect(prewikka_script_t)
|
|
+ mysql_tcp_connect(prewikka_script_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- postgresql_stream_connect(httpd_prewikka_script_t)
|
|
- postgresql_tcp_connect(httpd_prewikka_script_t)
|
|
+ postgresql_stream_connect(prewikka_script_t)
|
|
+ postgresql_tcp_connect(prewikka_script_t)
|
|
')
|
|
')
|
|
diff --git a/smokeping.fc b/smokeping.fc
|
|
index 3359819..a231ecb 100644
|
|
--- a/smokeping.fc
|
|
+++ b/smokeping.fc
|
|
@@ -2,7 +2,7 @@
|
|
|
|
/usr/sbin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0)
|
|
|
|
-/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0)
|
|
+/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:smokeping_cgi_script_exec_t,s0)
|
|
|
|
/var/lib/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_lib_t,s0)
|
|
|
|
diff --git a/smokeping.te b/smokeping.te
|
|
index ebf575f..26b6da1 100644
|
|
--- a/smokeping.te
|
|
+++ b/smokeping.te
|
|
@@ -58,19 +58,20 @@ netutils_domtrans_ping(smokeping_t)
|
|
|
|
optional_policy(`
|
|
apache_content_template(smokeping_cgi)
|
|
+ apache_content_alias_template(smokeping_cgi, smokeping_cgi)
|
|
|
|
- manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
|
|
- manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
|
|
+ manage_dirs_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
|
|
+ manage_files_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
|
|
|
|
- getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
|
|
+ getattr_files_pattern(smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
|
|
|
|
- files_read_etc_files(httpd_smokeping_cgi_script_t)
|
|
- files_search_tmp(httpd_smokeping_cgi_script_t)
|
|
- files_search_var_lib(httpd_smokeping_cgi_script_t)
|
|
+ files_read_etc_files(smokeping_cgi_script_t)
|
|
+ files_search_tmp(smokeping_cgi_script_t)
|
|
+ files_search_var_lib(smokeping_cgi_script_t)
|
|
|
|
- auth_read_passwd(httpd_smokeping_cgi_script_t)
|
|
+ auth_read_passwd(smokeping_cgi_script_t)
|
|
|
|
- sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
|
|
+ sysnet_dns_name_resolve(smokeping_cgi_script_t)
|
|
|
|
- netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
|
|
+ netutils_domtrans_ping(smokeping_cgi_script_t)
|
|
')
|
|
diff --git a/squid.fc b/squid.fc
|
|
index ebbec17..5b066d3 100644
|
|
--- a/squid.fc
|
|
+++ b/squid.fc
|
|
@@ -2,14 +2,14 @@
|
|
/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
|
|
/etc/lightsquid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
|
|
|
|
-/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
|
|
+/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:squid_script_exec_t,s0)
|
|
|
|
/usr/sbin/lightparser.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0)
|
|
|
|
/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
|
|
|
|
/usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
|
|
-/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
|
|
+/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:squid_script_exec_t,s0)
|
|
|
|
/var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
|
|
|
|
diff --git a/squid.te b/squid.te
|
|
index 7cb8bec..4ade5f1 100644
|
|
--- a/squid.te
|
|
+++ b/squid.te
|
|
@@ -201,24 +201,25 @@ tunable_policy(`squid_use_tproxy',`
|
|
|
|
optional_policy(`
|
|
apache_content_template(squid)
|
|
+ apache_content_alias_template(squid, squid)
|
|
|
|
- allow httpd_squid_script_t self:tcp_socket create_socket_perms;
|
|
+ allow squid_script_t self:tcp_socket create_socket_perms;
|
|
|
|
- corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
|
|
- corenet_all_recvfrom_netlabel(httpd_squid_script_t)
|
|
- corenet_tcp_sendrecv_generic_if(httpd_squid_script_t)
|
|
- corenet_tcp_sendrecv_generic_node(httpd_squid_script_t)
|
|
+ corenet_all_recvfrom_unlabeled(squid_script_t)
|
|
+ corenet_all_recvfrom_netlabel(squid_script_t)
|
|
+ corenet_tcp_sendrecv_generic_if(squid_script_t)
|
|
+ corenet_tcp_sendrecv_generic_node(squid_script_t)
|
|
|
|
- corenet_sendrecv_http_cache_client_packets(httpd_squid_script_t)
|
|
- corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
|
|
- corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t)
|
|
+ corenet_sendrecv_http_cache_client_packets(squid_script_t)
|
|
+ corenet_tcp_connect_http_cache_port(squid_script_t)
|
|
+ corenet_tcp_sendrecv_http_cache_port(squid_script_t)
|
|
|
|
- corenet_tcp_connect_squid_port(httpd_squid_script_t)
|
|
+ corenet_tcp_connect_squid_port(squid_script_t)
|
|
|
|
- sysnet_dns_name_resolve(httpd_squid_script_t)
|
|
+ sysnet_dns_name_resolve(squid_script_t)
|
|
|
|
optional_policy(`
|
|
- squid_read_config(httpd_squid_script_t)
|
|
+ squid_read_config(squid_script_t)
|
|
')
|
|
')
|
|
|
|
diff --git a/w3c.fc b/w3c.fc
|
|
index 463c799..227feaf 100644
|
|
--- a/w3c.fc
|
|
+++ b/w3c.fc
|
|
@@ -1,4 +1,4 @@
|
|
-/usr/lib/cgi-bin/check -- gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
|
|
+/usr/lib/cgi-bin/check -- gen_context(system_u:object_r:w3c_validator_script_exec_t,s0)
|
|
|
|
-/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
|
|
-/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
|
|
+/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:w3c_validator_content_t,s0)
|
|
+/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:w3c_validator_script_exec_t,s0)
|
|
diff --git a/w3c.te b/w3c.te
|
|
index b14d6a9..ac1944e 100644
|
|
--- a/w3c.te
|
|
+++ b/w3c.te
|
|
@@ -6,29 +6,30 @@ policy_module(w3c, 1.1.0)
|
|
#
|
|
|
|
apache_content_template(w3c_validator)
|
|
+apache_content_alias_template(w3c_validator, w3c_validator)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
-corenet_all_recvfrom_unlabeled(httpd_w3c_validator_script_t)
|
|
-corenet_all_recvfrom_netlabel(httpd_w3c_validator_script_t)
|
|
-corenet_tcp_sendrecv_generic_if(httpd_w3c_validator_script_t)
|
|
-corenet_tcp_sendrecv_generic_node(httpd_w3c_validator_script_t)
|
|
+corenet_all_recvfrom_unlabeled(w3c_validator_script_t)
|
|
+corenet_all_recvfrom_netlabel(w3c_validator_script_t)
|
|
+corenet_tcp_sendrecv_generic_if(w3c_validator_script_t)
|
|
+corenet_tcp_sendrecv_generic_node(w3c_validator_script_t)
|
|
|
|
-corenet_sendrecv_ftp_client_packets(httpd_w3c_validator_script_t)
|
|
-corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
|
|
-corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
|
|
+corenet_sendrecv_ftp_client_packets(w3c_validator_script_t)
|
|
+corenet_tcp_connect_ftp_port(w3c_validator_script_t)
|
|
+corenet_tcp_sendrecv_ftp_port(w3c_validator_script_t)
|
|
|
|
-corenet_sendrecv_http_client_packets(httpd_w3c_validator_script_t)
|
|
-corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
|
|
-corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
|
|
+corenet_sendrecv_http_client_packets(w3c_validator_script_t)
|
|
+corenet_tcp_connect_http_port(w3c_validator_script_t)
|
|
+corenet_tcp_sendrecv_http_port(w3c_validator_script_t)
|
|
|
|
-corenet_sendrecv_http_cache_client_packets(httpd_w3c_validator_script_t)
|
|
-corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
|
|
-corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
|
|
+corenet_sendrecv_http_cache_client_packets(w3c_validator_script_t)
|
|
+corenet_tcp_connect_http_cache_port(w3c_validator_script_t)
|
|
+corenet_tcp_sendrecv_http_cache_port(w3c_validator_script_t)
|
|
|
|
-miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
|
|
+miscfiles_read_generic_certs(w3c_validator_script_t)
|
|
|
|
-sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
|
|
+sysnet_dns_name_resolve(w3c_validator_script_t)
|
|
diff --git a/webalizer.fc b/webalizer.fc
|
|
index 64baf67..76c753b 100644
|
|
--- a/webalizer.fc
|
|
+++ b/webalizer.fc
|
|
@@ -6,4 +6,4 @@
|
|
|
|
/var/lib/webalizer(/.*)? gen_context(system_u:object_r:webalizer_var_lib_t,s0)
|
|
|
|
-/var/www/usage(/.*)? gen_context(system_u:object_r:httpd_webalizer_content_t,s0)
|
|
+/var/www/usage(/.*)? gen_context(system_u:object_r:webalizer_rw_content_t,s0)
|
|
diff --git a/webalizer.te b/webalizer.te
|
|
index e0b1983..32cbf8c 100644
|
|
--- a/webalizer.te
|
|
+++ b/webalizer.te
|
|
@@ -83,9 +83,8 @@ userdom_dontaudit_search_user_home_content(webalizer_t)
|
|
optional_policy(`
|
|
apache_read_log(webalizer_t)
|
|
apache_content_template(webalizer)
|
|
+ apache_content_alias_template(webalizer, webalizer)
|
|
apache_manage_sys_content(webalizer_t)
|
|
- manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
|
|
- manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
diff --git a/zoneminder.fc b/zoneminder.fc
|
|
index 8c61505..ceaa219 100644
|
|
--- a/zoneminder.fc
|
|
+++ b/zoneminder.fc
|
|
@@ -4,7 +4,7 @@
|
|
|
|
/usr/lib/systemd/system/zoneminder.* -- gen_context(system_u:object_r:zoneminder_unit_file_t,s0)
|
|
|
|
-/usr/libexec/zoneminder/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_zoneminder_script_exec_t,s0)
|
|
+/usr/libexec/zoneminder/cgi-bin(/.*)? gen_context(system_u:object_r:zoneminder_script_exec_t,s0)
|
|
|
|
/var/lib/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0)
|
|
|
|
diff --git a/zoneminder.te b/zoneminder.te
|
|
index add28f7..b66e76d 100644
|
|
--- a/zoneminder.te
|
|
+++ b/zoneminder.te
|
|
@@ -164,24 +164,24 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
apache_content_template(zoneminder)
|
|
+ apache_content_alias_template(zoneminder, zoneminder)
|
|
|
|
# need more testing
|
|
- #allow httpd_zoneminder_script_t self:shm create_shm_perms;
|
|
+ #allow zoneminder_script_t self:shm create_shm_perms;
|
|
|
|
- manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
|
|
+ manage_sock_files_pattern(zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
|
|
|
|
- rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
|
|
+ rw_files_pattern(zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
|
|
|
|
- zoneminder_stream_connect(httpd_zoneminder_script_t)
|
|
+ zoneminder_stream_connect(zoneminder_script_t)
|
|
|
|
- can_exec(zoneminder_t, httpd_zoneminder_script_exec_t)
|
|
+ can_exec(zoneminder_t, zoneminder_script_exec_t)
|
|
|
|
- files_search_var_lib(httpd_zoneminder_script_t)
|
|
+ files_search_var_lib(zoneminder_script_t)
|
|
|
|
- logging_send_syslog_msg(httpd_zoneminder_script_t)
|
|
+ logging_send_syslog_msg(zoneminder_script_t)
|
|
|
|
optional_policy(`
|
|
- mysql_stream_connect(httpd_zoneminder_script_t)
|
|
+ mysql_stream_connect(zoneminder_script_t)
|
|
')
|
|
-
|
|
')
|