From c25ab3c8ea72e12af9375b24d18fe76997a33a64 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Oct 15 2012 23:08:50 +0000
Subject: Add missing gen_tunable(httpd_run_stickshift, false)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 9c62993..07b5233 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -26362,15 +26362,22 @@ index 6480167..eeb2953 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..a0b6de0 100644 +index 3136c6a..a77ef51 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te -@@ -18,130 +18,239 @@ policy_module(apache, 2.2.1) +@@ -18,130 +18,246 @@ policy_module(apache, 2.2.1) # Declarations # +selinux_genbool(httpd_bool_t) + ++## ++##

++## Allow Apache to run in stickshift mode, not transition to passenger ++##

++##
++gen_tunable(httpd_run_stickshift, false) ++ ## -##

-## Allow Apache to modify public files @@ -26502,17 +26509,17 @@ index 3136c6a..a0b6de0 100644 +## +gen_tunable(httpd_can_connect_zabbix, false) + -+## + ## +-##
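Review bot: The `##` description added for `httpd_run_stickshift` says what the boolean is for ("run in stickshift mode, not transition to passenger") but not what that does to confinement, which is what an administrator weighing the `false` default needs to know. Presumably suppressing the transition keeps the Passenger processes in httpd_t with Apache's full permission set rather than in their own domain, so the line should say so, for example `## Allow Apache to run in stickshift mode, not transition to passenger (the passenger processes then stay in httpd_t instead of their own domain)`. The declaration is only half of the boolean: the tunable_policy blocks that test httpd_run_stickshift are not in this hunk, and since the commit message calls the declaration "missing" they presumably already exist elsewhere in policy-F16.patch, so the name here is worth checking against them character for character, because a mismatch would leave those blocks keyed to an undeclared boolean. The enclosing apache.te Declarations block continues outside the hunk.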

+-## Allow Apache to communicate with avahi service via dbus +-##

+##

+## Allow http daemon to check spam +##

+##
+gen_tunable(httpd_can_check_spam, false) + - ## --##

--## Allow Apache to communicate with avahi service via dbus --##

++## +##

+## Allow Apache to communicate with avahi service via dbus +##

@@ -26661,7 +26668,7 @@ index 3136c6a..a0b6de0 100644 attribute httpdcontent; attribute httpd_user_content_type; -@@ -166,7 +275,7 @@ files_type(httpd_cache_t) +@@ -166,7 +282,7 @@ files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; @@ -26670,7 +26677,7 @@ index 3136c6a..a0b6de0 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -177,6 +286,9 @@ role system_r types httpd_helper_t; +@@ -177,6 +293,9 @@ role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) @@ -26680,7 +26687,7 @@ index 3136c6a..a0b6de0 100644 type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -216,7 +328,17 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -216,7 +335,17 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -26699,7 +26706,7 @@ index 3136c6a..a0b6de0 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +348,10 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -226,6 +355,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -26710,7 +26717,7 @@ index 3136c6a..a0b6de0 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +359,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -233,6 +366,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; 
@@ -26718,7 +26725,7 @@ index 3136c6a..a0b6de0 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,14 +381,23 @@ files_type(httpd_var_lib_t) +@@ -254,14 +388,23 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -26742,7 +26749,7 @@ index 3136c6a..a0b6de0 100644 ######################################## # # Apache server local policy -@@ -281,11 +417,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -281,11 +424,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -26756,7 +26763,7 @@ index 3136c6a..a0b6de0 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +467,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +474,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -26767,7 +26774,7 @@ index 3136c6a..a0b6de0 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -339,8 +478,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +@@ -339,8 +485,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 
@@ -26778,7 +26785,7 @@ index 3136c6a..a0b6de0 100644 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -355,6 +495,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +502,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -26788,7 +26795,7 @@ index 3136c6a..a0b6de0 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +508,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +515,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -26809,7 +26816,7 @@ index 3136c6a..a0b6de0 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +529,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +536,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -26825,7 +26832,7 @@ index 3136c6a..a0b6de0 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +542,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +549,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -26833,7 +26840,7 @@ index 3136c6a..a0b6de0 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,48 +554,101 @@ files_read_etc_files(httpd_t) +@@ -402,48 +561,101 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) 
@@ -26937,7 +26944,7 @@ index 3136c6a..a0b6de0 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -454,27 +659,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -454,27 +666,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -27001,7 +27008,7 @@ index 3136c6a..a0b6de0 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +723,22 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +730,22 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -27024,7 +27031,7 @@ index 3136c6a..a0b6de0 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +753,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +760,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -27045,7 +27052,7 @@ index 3136c6a..a0b6de0 100644 ') optional_policy(` -@@ -513,7 +777,13 @@ optional_policy(` +@@ -513,7 +784,13 @@ optional_policy(` ') optional_policy(` @@ -27060,7 +27067,7 @@ index 3136c6a..a0b6de0 100644 ') optional_policy(` -@@ -528,7 +798,19 @@ optional_policy(` +@@ -528,7 +805,19 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -27081,7 +27088,7 @@ index 3136c6a..a0b6de0 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +819,13 @@ optional_policy(` +@@ -537,8 +826,13 @@ optional_policy(` ') optional_policy(` @@ -27096,7 +27103,7 @@ index 3136c6a..a0b6de0 100644 ') ') -@@ -556,7 +843,21 @@ optional_policy(` +@@ -556,7 +850,21 @@ optional_policy(` ') optional_policy(` 
@@ -27118,7 +27125,7 @@ index 3136c6a..a0b6de0 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +868,7 @@ optional_policy(` +@@ -567,6 +875,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -27126,7 +27133,7 @@ index 3136c6a..a0b6de0 100644 ') optional_policy(` -@@ -577,6 +879,47 @@ optional_policy(` +@@ -577,6 +886,47 @@ optional_policy(` ') optional_policy(` @@ -27174,7 +27181,7 @@ index 3136c6a..a0b6de0 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +934,11 @@ optional_policy(` +@@ -591,6 +941,11 @@ optional_policy(` ') optional_policy(` @@ -27186,7 +27193,7 @@ index 3136c6a..a0b6de0 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +951,12 @@ optional_policy(` +@@ -603,6 +958,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -27199,7 +27206,7 @@ index 3136c6a..a0b6de0 100644 ######################################## # # Apache helper local policy -@@ -616,7 +970,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +977,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -27212,7 +27219,7 @@ index 3136c6a..a0b6de0 100644 ######################################## # -@@ -654,28 +1012,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +1019,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -27256,7 +27263,7 @@ index 3136c6a..a0b6de0 100644 ') ######################################## -@@ -685,6 +1045,8 @@ optional_policy(` +@@ -685,6 +1052,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; 
@@ -27265,7 +27272,7 @@ index 3136c6a..a0b6de0 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +1061,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +1068,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -27291,7 +27298,7 @@ index 3136c6a..a0b6de0 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1107,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1114,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -27324,7 +27331,7 @@ index 3136c6a..a0b6de0 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1154,25 @@ optional_policy(` +@@ -769,6 +1161,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -27350,7 +27357,7 @@ index 3136c6a..a0b6de0 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1193,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1200,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -27368,7 +27375,7 @@ index 3136c6a..a0b6de0 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1212,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1219,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') 
@@ -27425,7 +27432,7 @@ index 3136c6a..a0b6de0 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1263,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1270,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -27466,7 +27473,7 @@ index 3136c6a..a0b6de0 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1308,20 @@ optional_policy(` +@@ -842,10 +1315,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -27487,7 +27494,7 @@ index 3136c6a..a0b6de0 100644 ') ######################################## -@@ -891,11 +1367,49 @@ optional_policy(` +@@ -891,11 +1374,49 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint;