[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

[Jason Zaman]

commit:     1dfdf221ae0952dfcba50f8380b75150f07c2d8a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Apr 20 15:07:37 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:16:47 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1dfdf221

rpc_* interfaces should be wrapped by optional_policy()

The rpc module is not a core module. As such, calls towards rpc_*
interfaces should be wrapped with optional_policy().

Changes since v2:
- Wrapped other calls towards rpc_* within apache.te

Changes since v1:
- Fixed wrong quotation mark

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

 policy/modules/contrib/apache.te | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index b418338c..ce6479e8 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -745,10 +745,12 @@ tunable_policy(`httpd_use_fusefs && 
httpd_builtin_scripting',`
        fs_exec_fusefs_files(httpd_t)
 ')
 
-tunable_policy(`httpd_use_nfs',`
-       fs_list_auto_mountpoints(httpd_t)
-       rpc_manage_nfs_rw_content(httpd_t)
-       rpc_read_nfs_content(httpd_t)
+optional_policy(`
+       tunable_policy(`httpd_use_nfs',`
+               fs_list_auto_mountpoints(httpd_t)
+               rpc_manage_nfs_rw_content(httpd_t)
+               rpc_read_nfs_content(httpd_t)
+       ')
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1070,10 +1072,12 @@ tunable_policy(`httpd_use_fusefs && 
httpd_builtin_scripting',`
        fs_exec_fusefs_files(httpd_suexec_t)
 ')
 
-tunable_policy(`httpd_use_nfs',`
-       fs_list_auto_mountpoints(httpd_suexec_t)
-       rpc_manage_nfs_rw_content(httpd_t)
-       rpc_read_nfs_content(httpd_t)
+optional_policy(`
+       tunable_policy(`httpd_use_nfs',`
+               fs_list_auto_mountpoints(httpd_suexec_t)
+               rpc_manage_nfs_rw_content(httpd_t)
+               rpc_read_nfs_content(httpd_t)
+       ')
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1307,10 +1311,12 @@ tunable_policy(`httpd_use_fusefs && 
httpd_builtin_scripting',`
        fs_exec_fusefs_files(httpd_sys_script_t)
 ')
 
-tunable_policy(`httpd_use_nfs',`
-       fs_list_auto_mountpoints(httpd_sys_script_t)
-       rpc_manage_nfs_rw_content(httpd_t)
-       rpc_read_nfs_content(httpd_t)
+optional_policy(`
+       tunable_policy(`httpd_use_nfs',`
+               fs_list_auto_mountpoints(httpd_sys_script_t)
+               rpc_manage_nfs_rw_content(httpd_t)
+               rpc_read_nfs_content(httpd_t)
+       ')
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`