commit:     0a38de932f0c01b5d7850f72437215fa50dc97d7
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jun 21 18:35:44 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jun 21 18:35:44 2014 +0000
URL:        
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0a38de93

Fix bug #513362 - Support hiawatha within httpd_t domain

---
 policy/modules/contrib/apache.fc | 15 +++++++++++++++
 policy/modules/contrib/apache.te | 17 +++++++++++++++--
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index ff4abce..ab4a625 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -166,4 +166,19 @@ ifdef(`distro_suse',`
 
 ifdef(`distro_gentoo',`
 /usr/share/build-1/libtool     --      gen_context(system_u:object_r:bin_t,s0)
+
+# Support for Hiawatha bug 513362
+/etc/hiawatha(/.*)?    gen_context(system_u:object_r:httpd_config_t,s0)
+
+/etc/rc\.d/init\.d/hiawatha    --      
gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+
+/usr/bin/ssi-cgi       --      gen_context(system_u:object_r:httpd_exec_t,s0)
+
+/usr/sbin/cgi-wrapper  --      gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/hiawatha     --      gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/wigwam       --      gen_context(system_u:object_r:httpd_exec_t,s0)
+
+/var/lib/hiawatha(/.*)?        
gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
+/var/log/hiawatha(/.*)?        gen_context(system_u:object_r:httpd_log_t,s0)
 ')
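Review bot: The helper binaries `/usr/bin/ssi-cgi`, `/usr/sbin/cgi-wrapper` and `/usr/sbin/wigwam` receive the daemon entrypoint type `httpd_exec_t`, the same as `/usr/sbin/hiawatha`, so each of them becomes an entry point into httpd_t with the daemon's full privilege set for any domain permitted to transition into it. If, as the names suggest, `ssi-cgi` and `cgi-wrapper` are helpers executed by the running server rather than alternative daemon binaries, it is worth confirming that httpd_t is actually allowed to execute `httpd_exec_t` files (this hunk does not touch that) and whether one of the existing script exec types would fit them better than the domain entry type. A comment per helper line naming its role, e.g. `# <daemon binary | helper executed by httpd_t>`, would make the labeling decision reviewable without reading the Hiawatha sources.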

diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 4faa22c..c4264c4 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1427,6 +1427,19 @@ optional_policy(`
 ')
 
 ifdef(`distro_gentoo',`
-       init_daemon_run_dir(httpd_var_run_t, "apache_ssl_mutex")
-       init_daemon_run_dir(httpd_var_run_t, "apache2")
+## <desc>
+##     <p>
+##     Enable specific permissions for the Hiawatha web server
+##     </p>
+## </desc>
+gen_tunable(hiawatha_httpd, false)
+
+init_daemon_run_dir(httpd_var_run_t, "apache_ssl_mutex")
+init_daemon_run_dir(httpd_var_run_t, "apache2")
+
+tunable_policy(`hiawatha_httpd',`
+       # bug 513362
+       allow httpd_t self:capability fowner;
+')
+
 ')
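Review bot: The `allow httpd_t self:capability fowner;` grant is justified only by `# bug 513362`, which does not record which operation Hiawatha performs on files it does not own; a why-comment such as `# hiawatha needs fowner for <operation, e.g. chmod/utime> on <files> - see bug 513362` lets a later reviewer judge whether the capability is still required. fowner is a process capability, so once the tunable is on it in effect relaxes the owner check for every setattr-style access httpd_t is already granted, not only on Hiawatha's own files, which is why the justification matters. Refpolicy keeps `gen_tunable` declarations in the module's declarations section rather than in the policy section inside an `ifdef(`distro_gentoo',` block, so the declaration and its `<desc>` block should move up to join the other tunables. The re-added `init_daemon_run_dir` lines also lost the leading tab the removed lines carried, so they no longer match the indentation of the rest of the ifdef body.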
