commit: 99a1aee5df78c8da42caa7bf1df6bc8110898f81
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Apr 21 00:19:13 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:16:47 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=99a1aee5
apache: Move blocks. No rule changes.
policy/modules/contrib/apache.te | 58 +++++++++++++++++++---------------------
1 file changed, 28 insertions(+), 30 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index ce6479e8..9593175b 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -745,14 +745,6 @@ tunable_policy(`httpd_use_fusefs &&
httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_t)
')
-optional_policy(`
- tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
- ')
-')
-
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
fs_exec_nfs_files(httpd_t)
')
@@ -877,6 +869,12 @@ optional_policy(`
optional_policy(`
rpc_search_nfs_state_data(httpd_t)
+
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
optional_policy(`
@@ -1016,6 +1014,10 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_search_user_home_dirs(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_list_auto_mountpoints(httpd_suexec_t)
fs_read_cifs_files(httpd_suexec_t)
@@ -1040,6 +1042,10 @@ tunable_policy(`httpd_execmem',`
allow httpd_suexec_t self:process { execmem execstack };
')
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_suexec_t)
+')
+
tunable_policy(`httpd_tmp_exec',`
can_exec(httpd_suexec_t, httpd_suexec_tmp_t)
')
@@ -1072,14 +1078,6 @@ tunable_policy(`httpd_use_fusefs &&
httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_suexec_t)
')
-optional_policy(`
- tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
- ')
-')
-
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -1106,12 +1104,12 @@ optional_policy(`
')
')
-tunable_policy(`httpd_read_user_content',`
- userdom_read_user_home_content_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_suexec_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
########################################
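Review bot: In the relocated `httpd_use_nfs` block for the suexec domain, `fs_list_auto_mountpoints` names `httpd_suexec_t` but both rpc interfaces still name `httpd_t`, which looks like a copy-paste carried over unchanged by the move. The `httpd_sys_script_t` block added in the final hunk has the same pattern. As written, enabling the boolean gives these two domains no NFS content access from this block and only repeats the grant already made in the `httpd_t` section. If a per-domain grant is intended, the lines would read `rpc_read_nfs_content(httpd_suexec_t)` and the sys_script equivalent, with `rpc_manage_nfs_rw_content` added only where write access is actually required. That is a rule change and belongs in a follow-up commit; otherwise drop the duplicate calls or mark them with a comment such as `# NFS content access is intentionally granted to httpd_t only`.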
@@ -1311,14 +1309,6 @@ tunable_policy(`httpd_use_fusefs &&
httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_sys_script_t)
')
-optional_policy(`
- tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
- ')
-')
-
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
fs_exec_nfs_files(httpd_sys_script_t)
')
@@ -1331,6 +1321,14 @@ optional_policy(`
postgresql_unpriv_client(httpd_sys_script_t)
')
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
+')
+
########################################
#
# Rotatelogs local policy