From be6893bb6042b2fbca83224d7fb871b697df5ea0 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Oct 30 2012 21:56:36 +0000 Subject: Add httpd_verify_dns boolean --- diff --git a/permissivedomains.pp b/permissivedomains.pp index 47fed92..71adce4 100644 Binary files a/permissivedomains.pp and b/permissivedomains.pp differ diff --git a/permissivedomains.te b/permissivedomains.te index 904ffa3..099990f 100644 --- a/permissivedomains.te +++ b/permissivedomains.te @@ -10,14 +10,6 @@ optional_policy(` optional_policy(` gen_require(` - type dkim_t; - ') - - permissive dkim_t; -') - -optional_policy(` - gen_require(` type rngd_t; ') diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index f495c39..30b1348 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -3005,7 +3005,7 @@ index 6480167..e77ad76 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 0833afb..08c3720 100644 +index 0833afb..c1e855c 100644 --- a/apache.te +++ b/apache.te @@ -18,6 +18,8 @@ policy_module(apache, 2.4.0) @@ -3132,7 +3132,7 @@ index 0833afb..08c3720 100644 ## Allow httpd to read home directories ##

## -@@ -100,6 +173,20 @@ gen_tunable(httpd_enable_homedirs, false) +@@ -100,6 +173,27 @@ gen_tunable(httpd_enable_homedirs, false) ## ##

@@ -3150,10 +3150,17 @@ index 0833afb..08c3720 100644 + +## +##

++## Allow Apache to query NS records ++##

++##
++gen_tunable(httpd_verify_dns, false) ++ ++## ++##

## Allow httpd daemon to change its resource limits ##

##
-@@ -114,6 +201,13 @@ gen_tunable(httpd_ssi_exec, false) +@@ -114,6 +208,13 @@ gen_tunable(httpd_ssi_exec, false) ## ##
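Review bot: The description for the new tunable, `## Allow Apache to query NS records`, understates what the boolean actually grants: elsewhere in this patch the same boolean enables `corenet_udp_bind_all_ephemeral_ports(httpd_t)`, i.e. httpd_t may bind a UDP socket to any port in the ephemeral range, which is a wider network permission than a DNS lookup. Administrators decide whether to flip a boolean from this text (it is what `semanage boolean -l` prints), so it should state the real scope, for example `## Allow Apache to bind to any ephemeral UDP port, as needed to verify client DNS (e.g. NS record queries)`. Ordinary resolver lookups presumably already work for httpd_t without this boolean, since they do not require an explicit bind; if that is confirmed, the description should also say the boolean is only needed for modules that bind their own resolver socket. The `gen_tunable` block is complete within this hunk.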

@@ -3167,7 +3174,7 @@ index 0833afb..08c3720 100644 ## Unify HTTPD to communicate with the terminal. ## Needed for entering the passphrase for certificates at ## the terminal. -@@ -130,12 +224,26 @@ gen_tunable(httpd_unified, false) +@@ -130,12 +231,26 @@ gen_tunable(httpd_unified, false) ## ##

@@ -3194,7 +3201,7 @@ index 0833afb..08c3720 100644 ##

## Allow httpd to run gpg ##

-@@ -149,12 +257,28 @@ gen_tunable(httpd_use_gpg, false) +@@ -149,12 +264,28 @@ gen_tunable(httpd_use_gpg, false) ##
gen_tunable(httpd_use_nfs, false) @@ -3223,7 +3230,7 @@ index 0833afb..08c3720 100644 attribute httpd_script_exec_type; attribute httpd_user_script_exec_type; -@@ -173,7 +297,7 @@ files_type(httpd_cache_t) +@@ -173,7 +304,7 @@ files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; @@ -3232,7 +3239,7 @@ index 0833afb..08c3720 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -184,6 +308,9 @@ role system_r types httpd_helper_t; +@@ -184,6 +315,9 @@ role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) @@ -3242,7 +3249,7 @@ index 0833afb..08c3720 100644 type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -223,7 +350,21 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -223,7 +357,21 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -3265,7 +3272,7 @@ index 0833afb..08c3720 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -233,6 +374,11 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -233,6 +381,11 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -3277,7 +3284,7 @@ index 0833afb..08c3720 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -240,6 +386,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -240,6 +393,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; 
@@ -3285,7 +3292,7 @@ index 0833afb..08c3720 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -261,14 +408,23 @@ files_type(httpd_var_lib_t) +@@ -261,14 +415,23 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -3309,7 +3316,7 @@ index 0833afb..08c3720 100644 ######################################## # # Apache server local policy -@@ -288,11 +444,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -288,11 +451,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -3323,7 +3330,7 @@ index 0833afb..08c3720 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -336,8 +494,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -336,8 +501,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -3335,7 +3342,7 @@ index 0833afb..08c3720 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -346,8 +506,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +@@ -346,8 +513,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 
@@ -3346,7 +3353,7 @@ index 0833afb..08c3720 100644 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -362,8 +523,10 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -362,8 +530,10 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -3358,7 +3365,7 @@ index 0833afb..08c3720 100644 corenet_all_recvfrom_netlabel(httpd_t) corenet_tcp_sendrecv_generic_if(httpd_t) corenet_udp_sendrecv_generic_if(httpd_t) -@@ -372,11 +535,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -372,11 +542,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -3379,7 +3386,7 @@ index 0833afb..08c3720 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -385,9 +556,14 @@ dev_rw_crypto(httpd_t) +@@ -385,9 +563,14 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -3394,7 +3401,7 @@ index 0833afb..08c3720 100644 # execute perl corecmd_exec_bin(httpd_t) corecmd_exec_shell(httpd_t) -@@ -396,61 +572,112 @@ domain_use_interactive_fds(httpd_t) +@@ -396,61 +579,112 @@ domain_use_interactive_fds(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) @@ -3515,7 +3522,7 @@ index 0833afb..08c3720 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -461,27 +688,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -461,27 +695,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') 
@@ -3579,7 +3586,7 @@ index 0833afb..08c3720 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -491,7 +752,22 @@ tunable_policy(`httpd_can_sendmail',` +@@ -491,7 +759,22 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -3602,7 +3609,7 @@ index 0833afb..08c3720 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -511,9 +787,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -511,9 +794,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -3623,7 +3630,7 @@ index 0833afb..08c3720 100644 ') optional_policy(` -@@ -525,6 +811,9 @@ optional_policy(` +@@ -525,6 +818,9 @@ optional_policy(` ') optional_policy(` @@ -3633,7 +3640,7 @@ index 0833afb..08c3720 100644 cobbler_search_lib(httpd_t) ') -@@ -540,6 +829,24 @@ optional_policy(` +@@ -540,6 +836,24 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -3658,7 +3665,7 @@ index 0833afb..08c3720 100644 optional_policy(` dbus_system_bus_client(httpd_t) -@@ -549,13 +856,24 @@ optional_policy(` +@@ -549,13 +863,24 @@ optional_policy(` ') optional_policy(` @@ -3684,7 +3691,7 @@ index 0833afb..08c3720 100644 ') optional_policy(` -@@ -573,7 +891,21 @@ optional_policy(` +@@ -573,7 +898,21 @@ optional_policy(` ') optional_policy(` @@ -3706,7 +3713,7 @@ index 0833afb..08c3720 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -584,6 +916,7 @@ optional_policy(` +@@ -584,6 +923,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -3714,7 +3721,7 @@ index 0833afb..08c3720 100644 ') optional_policy(` -@@ -594,6 +927,36 @@ optional_policy(` +@@ -594,6 +934,36 @@ optional_policy(` ') optional_policy(` 
@@ -3751,7 +3758,7 @@ index 0833afb..08c3720 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -608,6 +971,11 @@ optional_policy(` +@@ -608,6 +978,11 @@ optional_policy(` ') optional_policy(` @@ -3763,7 +3770,7 @@ index 0833afb..08c3720 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -620,6 +988,12 @@ optional_policy(` +@@ -620,6 +995,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -3776,13 +3783,17 @@ index 0833afb..08c3720 100644 ######################################## # # Apache helper local policy -@@ -633,7 +1007,38 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -633,7 +1014,42 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) -userdom_use_user_terminals(httpd_helper_t) +userdom_use_inherited_user_terminals(httpd_helper_t) + ++tunable_policy(`httpd_verify_dns',` ++ corenet_udp_bind_all_ephemeral_ports(httpd_t) ++') ++ +tunable_policy(`httpd_run_stickshift', ` + allow httpd_t self:capability { fowner fsetid sys_resource }; + dontaudit httpd_t self:capability sys_ptrace; @@ -3816,7 +3827,7 @@ index 0833afb..08c3720 100644 ######################################## # -@@ -671,28 +1076,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -671,28 +1087,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -3860,7 +3871,7 @@ index 0833afb..08c3720 100644 ') ######################################## -@@ -702,6 +1109,7 @@ optional_policy(` +@@ -702,6 +1120,7 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; 
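Review bot: The new `tunable_policy(`httpd_verify_dns',` block is inserted in the "Apache helper local policy" section, directly after `userdom_use_inherited_user_terminals(httpd_helper_t)`, yet the rule it contains targets `httpd_t`, not `httpd_helper_t`. Anyone auditing httpd_t's network permissions will look for it beside the other httpd_t tunables (the `httpd_can_sendmail`, `httpd_setrlimit` and `httpd_tty_comm` blocks earlier in apache.te), so the three lines should be moved there rather than left under the helper heading; the neighbouring `httpd_run_stickshift` block has the same placement problem but is pre-existing. Since the rule grants bind on the whole ephemeral UDP range instead of a single port type, a one-line why-comment would help future reviewers, e.g. `# DNS verification opens its own resolver socket on an ephemeral UDP port` above the `corenet_udp_bind_all_ephemeral_ports(httpd_t)` line. The enclosing apache.te sections continue outside this hunk.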
@@ -3868,7 +3879,7 @@ index 0833afb..08c3720 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -716,19 +1124,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -716,19 +1135,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -3897,7 +3908,7 @@ index 0833afb..08c3720 100644 files_read_usr_files(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -738,15 +1154,14 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -738,15 +1165,14 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -3915,7 +3926,7 @@ index 0833afb..08c3720 100644 corenet_tcp_sendrecv_generic_if(httpd_suexec_t) corenet_udp_sendrecv_generic_if(httpd_suexec_t) corenet_tcp_sendrecv_generic_node(httpd_suexec_t) -@@ -757,13 +1172,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -757,13 +1183,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -3948,7 +3959,7 @@ index 0833afb..08c3720 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -786,6 +1219,25 @@ optional_policy(` +@@ -786,6 +1230,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -3974,7 +3985,7 @@ index 0833afb..08c3720 100644 ######################################## # # Apache system script local policy -@@ -806,12 +1258,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -806,12 +1269,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) 
@@ -3992,7 +4003,7 @@ index 0833afb..08c3720 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -820,18 +1277,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -820,18 +1288,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -4051,7 +4062,7 @@ index 0833afb..08c3720 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -839,14 +1328,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -839,14 +1339,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -4092,7 +4103,7 @@ index 0833afb..08c3720 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -859,10 +1373,20 @@ optional_policy(` +@@ -859,10 +1384,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -4113,7 +4124,7 @@ index 0833afb..08c3720 100644 ') ######################################## -@@ -878,11 +1402,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) +@@ -878,11 +1413,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) kernel_dontaudit_list_proc(httpd_rotatelogs_t) kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) @@ -4125,7 +4136,7 @@ index 0833afb..08c3720 100644 ######################################## # -@@ -908,11 +1430,138 @@ optional_policy(` +@@ -908,11 +1441,138 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint;