From be6893bb6042b2fbca83224d7fb871b697df5ea0 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Oct 30 2012 21:56:36 +0000
Subject: Add httpd_verify_dns boolean
---
diff --git a/permissivedomains.pp b/permissivedomains.pp
index 47fed92..71adce4 100644
Binary files a/permissivedomains.pp and b/permissivedomains.pp differ
diff --git a/permissivedomains.te b/permissivedomains.te
index 904ffa3..099990f 100644
--- a/permissivedomains.te
+++ b/permissivedomains.te
@@ -10,14 +10,6 @@ optional_policy(`
optional_policy(`
gen_require(`
- type dkim_t;
- ')
-
- permissive dkim_t;
-')
-
-optional_policy(`
- gen_require(`
type rngd_t;
')
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index f495c39..30b1348 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -3005,7 +3005,7 @@ index 6480167..e77ad76 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 0833afb..08c3720 100644
+index 0833afb..c1e855c 100644
--- a/apache.te
+++ b/apache.te
@@ -18,6 +18,8 @@ policy_module(apache, 2.4.0)
@@ -3132,7 +3132,7 @@ index 0833afb..08c3720 100644
## Allow httpd to read home directories
##
##
-@@ -100,6 +173,20 @@ gen_tunable(httpd_enable_homedirs, false)
+@@ -100,6 +173,27 @@ gen_tunable(httpd_enable_homedirs, false)
##
##
@@ -3150,10 +3150,17 @@ index 0833afb..08c3720 100644
+
+##
+##
++## Allow Apache to query NS records
++##
++##
++gen_tunable(httpd_verify_dns, false)
++
++##
++##
## Allow httpd daemon to change its resource limits
##
##
-@@ -114,6 +201,13 @@ gen_tunable(httpd_ssi_exec, false)
+@@ -114,6 +208,13 @@ gen_tunable(httpd_ssi_exec, false)
##
##
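Review bot: The description added for the new boolean, `## Allow Apache to query NS records`, does not say what the boolean actually grants; the matching `tunable_policy(`httpd_verify_dns'` block added later in this same patch grants `corenet_udp_bind_all_ephemeral_ports(httpd_t)`, which from its name permits httpd_t to bind UDP sockets on any ephemeral port rather than anything DNS-specific. An administrator reading `semanage boolean -l` should be able to see that enabling it widens UDP bind permissions, so I would reword it to something like `## Allow Apache to verify DNS (bind UDP sockets on ephemeral ports for resolver queries)`. The default of `false` on the `gen_tunable` line is the right choice and should stay. The enclosing tunable description block continues in the nested patch outside this hunk.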
@@ -3167,7 +3174,7 @@ index 0833afb..08c3720 100644
## Unify HTTPD to communicate with the terminal.
## Needed for entering the passphrase for certificates at
## the terminal.
-@@ -130,12 +224,26 @@ gen_tunable(httpd_unified, false)
+@@ -130,12 +231,26 @@ gen_tunable(httpd_unified, false)
##
##
@@ -3194,7 +3201,7 @@ index 0833afb..08c3720 100644
##
## Allow httpd to run gpg
##
-@@ -149,12 +257,28 @@ gen_tunable(httpd_use_gpg, false)
+@@ -149,12 +264,28 @@ gen_tunable(httpd_use_gpg, false)
##
gen_tunable(httpd_use_nfs, false)
@@ -3223,7 +3230,7 @@ index 0833afb..08c3720 100644
attribute httpd_script_exec_type;
attribute httpd_user_script_exec_type;
-@@ -173,7 +297,7 @@ files_type(httpd_cache_t)
+@@ -173,7 +304,7 @@ files_type(httpd_cache_t)
# httpd_config_t is the type given to the configuration files
type httpd_config_t;
@@ -3232,7 +3239,7 @@ index 0833afb..08c3720 100644
type httpd_helper_t;
type httpd_helper_exec_t;
-@@ -184,6 +308,9 @@ role system_r types httpd_helper_t;
+@@ -184,6 +315,9 @@ role system_r types httpd_helper_t;
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
@@ -3242,7 +3249,7 @@ index 0833afb..08c3720 100644
type httpd_lock_t;
files_lock_file(httpd_lock_t)
-@@ -223,7 +350,21 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -223,7 +357,21 @@ files_tmp_file(httpd_suexec_tmp_t)
# setup the system domain for system CGI scripts
apache_content_template(sys)
@@ -3265,7 +3272,7 @@ index 0833afb..08c3720 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -233,6 +374,11 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -233,6 +381,11 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
@@ -3277,7 +3284,7 @@ index 0833afb..08c3720 100644
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
-@@ -240,6 +386,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -240,6 +393,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -3285,7 +3292,7 @@ index 0833afb..08c3720 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -261,14 +408,23 @@ files_type(httpd_var_lib_t)
+@@ -261,14 +415,23 @@ files_type(httpd_var_lib_t)
type httpd_var_run_t;
files_pid_file(httpd_var_run_t)
@@ -3309,7 +3316,7 @@ index 0833afb..08c3720 100644
########################################
#
# Apache server local policy
-@@ -288,11 +444,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -288,11 +451,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;
@@ -3323,7 +3330,7 @@ index 0833afb..08c3720 100644
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -336,8 +494,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -336,8 +501,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -3335,7 +3342,7 @@ index 0833afb..08c3720 100644
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -346,8 +506,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -346,8 +513,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@@ -3346,7 +3353,7 @@ index 0833afb..08c3720 100644
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -362,8 +523,10 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -362,8 +530,10 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -3358,7 +3365,7 @@ index 0833afb..08c3720 100644
corenet_all_recvfrom_netlabel(httpd_t)
corenet_tcp_sendrecv_generic_if(httpd_t)
corenet_udp_sendrecv_generic_if(httpd_t)
-@@ -372,11 +535,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -372,11 +542,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -3379,7 +3386,7 @@ index 0833afb..08c3720 100644
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
-@@ -385,9 +556,14 @@ dev_rw_crypto(httpd_t)
+@@ -385,9 +563,14 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -3394,7 +3401,7 @@ index 0833afb..08c3720 100644
# execute perl
corecmd_exec_bin(httpd_t)
corecmd_exec_shell(httpd_t)
-@@ -396,61 +572,112 @@ domain_use_interactive_fds(httpd_t)
+@@ -396,61 +579,112 @@ domain_use_interactive_fds(httpd_t)
files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
@@ -3515,7 +3522,7 @@ index 0833afb..08c3720 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -461,27 +688,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -461,27 +695,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -3579,7 +3586,7 @@ index 0833afb..08c3720 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -491,7 +752,22 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -491,7 +759,22 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -3602,7 +3609,7 @@ index 0833afb..08c3720 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -511,9 +787,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -511,9 +794,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
@@ -3623,7 +3630,7 @@ index 0833afb..08c3720 100644
')
optional_policy(`
-@@ -525,6 +811,9 @@ optional_policy(`
+@@ -525,6 +818,9 @@ optional_policy(`
')
optional_policy(`
@@ -3633,7 +3640,7 @@ index 0833afb..08c3720 100644
cobbler_search_lib(httpd_t)
')
-@@ -540,6 +829,24 @@ optional_policy(`
+@@ -540,6 +836,24 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -3658,7 +3665,7 @@ index 0833afb..08c3720 100644
optional_policy(`
dbus_system_bus_client(httpd_t)
-@@ -549,13 +856,24 @@ optional_policy(`
+@@ -549,13 +863,24 @@ optional_policy(`
')
optional_policy(`
@@ -3684,7 +3691,7 @@ index 0833afb..08c3720 100644
')
optional_policy(`
-@@ -573,7 +891,21 @@ optional_policy(`
+@@ -573,7 +898,21 @@ optional_policy(`
')
optional_policy(`
@@ -3706,7 +3713,7 @@ index 0833afb..08c3720 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -584,6 +916,7 @@ optional_policy(`
+@@ -584,6 +923,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -3714,7 +3721,7 @@ index 0833afb..08c3720 100644
')
optional_policy(`
-@@ -594,6 +927,36 @@ optional_policy(`
+@@ -594,6 +934,36 @@ optional_policy(`
')
optional_policy(`
@@ -3751,7 +3758,7 @@ index 0833afb..08c3720 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -608,6 +971,11 @@ optional_policy(`
+@@ -608,6 +978,11 @@ optional_policy(`
')
optional_policy(`
@@ -3763,7 +3770,7 @@ index 0833afb..08c3720 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -620,6 +988,12 @@ optional_policy(`
+@@ -620,6 +995,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -3776,13 +3783,17 @@ index 0833afb..08c3720 100644
########################################
#
# Apache helper local policy
-@@ -633,7 +1007,38 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -633,7 +1014,42 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
-userdom_use_user_terminals(httpd_helper_t)
+userdom_use_inherited_user_terminals(httpd_helper_t)
+
++tunable_policy(`httpd_verify_dns',`
++ corenet_udp_bind_all_ephemeral_ports(httpd_t)
++')
++
+tunable_policy(`httpd_run_stickshift', `
+ allow httpd_t self:capability { fowner fsetid sys_resource };
+ dontaudit httpd_t self:capability sys_ptrace;
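Review bot: The new `tunable_policy(`httpd_verify_dns'` block grants a rule to httpd_t but is inserted directly after the httpd_helper_t rules (`logging_send_syslog_msg(httpd_helper_t)` and `userdom_use_inherited_user_terminals(httpd_helper_t)`), under what the surrounding context shows as the "Apache helper local policy" section; the pre-existing `httpd_run_stickshift` block beside it has the same placement, but this commit need not copy it. Moving the new block up next to the other httpd_t `tunable_policy` blocks in the server section (the hunks touching `httpd_can_sendmail` and `httpd_setrlimit` earlier in this patch) would keep each domain's rules in its own section and make later audits of what `httpd_verify_dns` turns on easier. Since this is a patch to a nested patch, the section placement is inferred from the context lines and should be confirmed against the generated apache.te. A one-line comment above the block, `# DNS verification needs a UDP source port for resolver queries`, would also record why an ephemeral-port bind rather than a DNS-specific interface is used here.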
@@ -3816,7 +3827,7 @@ index 0833afb..08c3720 100644
########################################
#
-@@ -671,28 +1076,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -671,28 +1087,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -3860,7 +3871,7 @@ index 0833afb..08c3720 100644
')
########################################
-@@ -702,6 +1109,7 @@ optional_policy(`
+@@ -702,6 +1120,7 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -3868,7 +3879,7 @@ index 0833afb..08c3720 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -716,19 +1124,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -716,19 +1135,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -3897,7 +3908,7 @@ index 0833afb..08c3720 100644
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -738,15 +1154,14 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -738,15 +1165,14 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -3915,7 +3926,7 @@ index 0833afb..08c3720 100644
corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
corenet_udp_sendrecv_generic_if(httpd_suexec_t)
corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-@@ -757,13 +1172,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -757,13 +1183,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -3948,7 +3959,7 @@ index 0833afb..08c3720 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -786,6 +1219,25 @@ optional_policy(`
+@@ -786,6 +1230,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -3974,7 +3985,7 @@ index 0833afb..08c3720 100644
########################################
#
# Apache system script local policy
-@@ -806,12 +1258,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -806,12 +1269,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -3992,7 +4003,7 @@ index 0833afb..08c3720 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -820,18 +1277,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -820,18 +1288,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -4051,7 +4062,7 @@ index 0833afb..08c3720 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -839,14 +1328,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -839,14 +1339,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -4092,7 +4103,7 @@ index 0833afb..08c3720 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -859,10 +1373,20 @@ optional_policy(`
+@@ -859,10 +1384,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -4113,7 +4124,7 @@ index 0833afb..08c3720 100644
')
########################################
-@@ -878,11 +1402,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+@@ -878,11 +1413,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
@@ -4125,7 +4136,7 @@ index 0833afb..08c3720 100644
########################################
#
-@@ -908,11 +1430,138 @@ optional_policy(`
+@@ -908,11 +1441,138 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;