commit:     0970480bdaa803f0540b597b5f386cc77461dccb
Author:     James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Wed Apr 11 18:56:35 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:03 2018 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0970480b

Move use of httpd_t from mojomojo.te to apache.te

The type httpd_t is actually declared in apache.te.

Created apache.if:apache_rw_stream_sockets() which allows
reading and writing unix domain stream sockets labeled httpd_t.

Modified mojomojo.te to use the new interface instead. This is needed
by the module mojomojo, which had been referring to httpd_t directly.

Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>

 policy/modules/contrib/apache.if   | 19 +++++++++++++++++++
 policy/modules/contrib/mojomojo.te |  2 +-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index 135e2f51..94878d66 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -371,6 +371,25 @@ interface(`apache_dontaudit_rw_stream_sockets',`
        dontaudit $1 httpd_t:unix_stream_socket { read write };
 ')
 
+########################################
+## <summary>
+##     Read and write httpd unix domain
+##      stream sockets.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`apache_rw_stream_sockets',`
+       gen_require(`
+               type httpd_t;
+       ')
+
+       allow $1 httpd_t:unix_stream_socket rw_stream_socket_perms;
+')
+
 ########################################
 ## <summary>
 ##     Do not audit attempts to read and
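Review bot: The summary for apache_rw_stream_sockets (lines 36-37) describes the grant as "read and write", but the rule on line 50 hands out the whole rw_stream_socket_perms set, which is broader than the `{ read write }` that the neighbouring dontaudit interface on line 31 covers; a caller reading only the XML doc would underestimate what this interface grants to $1. I would make the summary name the permission set, e.g. `## Read and write httpd unix domain stream sockets (full rw_stream_socket_perms, not just read/write).`. Separately, the second summary line (line 37) appears indented one column deeper than the first, unlike the surrounding doc blocks; this may be a tab/space mix worth normalising before merge.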

diff --git a/policy/modules/contrib/mojomojo.te 
b/policy/modules/contrib/mojomojo.te
index 8f4d4779..ea853ce1 100644
--- a/policy/modules/contrib/mojomojo.te
+++ b/policy/modules/contrib/mojomojo.te
@@ -12,7 +12,7 @@ apache_content_template(mojomojo)
 # Local policy
 #
 
-allow httpd_mojomojo_script_t httpd_t:unix_stream_socket 
rw_stream_socket_perms;
+apache_rw_stream_sockets(httpd_mojomojo_script_t)
 
 corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
 corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
