From 371d11ec046fb4a1193a086476cde907d0088ced Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 26 Jul 2007 19:48:40 +0000
Subject: [PATCH] trunk: add 3rd party interface for apache cgi.
---
 Changelog | 1 +
 policy/modules/services/apache.if | 54 +++++++++++++++++++++++++++++++
 policy/modules/services/apache.te | 2 +-
 3 files changed, 56 insertions(+), 1 deletion(-)
diff --git a/Changelog b/Changelog
index 072d4ae84..677f0c47b 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Add third-party interface for Apache CGI.
 - Add getserv and shmemserv nscd permissions.
 - Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
 - Added modules:
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 932386f72..2c8a6b742 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -985,6 +985,24 @@ interface(`apache_read_sys_content',`
 read_lnk_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t)
 ')
+########################################
+##
+## Search apache system CGI directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_search_sys_scripts',`
+ gen_require(`
+ type httpd_sys_content_t, httpd_sys_script_exec_t;
+ ')
+
+ search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
+')
+
 ########################################
 ##
 ## Search system script state directory.
@@ -1002,3 +1020,39 @@ interface(`apache_search_sys_script_state',`
 allow $1 httpd_sys_script_t:dir search_dir_perms;
 ')
+
+########################################
+##
+## Execute CGI in the specified domain.
+##
+##
+##

+## Execute CGI in the specified domain.
+##

+##

+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+##

+##
+##
+##
+## Domain run the cgi script in.
+##
+##
+##
+##
+## Type of the executable to enter the cgi domain.
+##
+##
+#
+interface(`apache_cgi_domain',`
+ gen_require(`
+ type httpd_t, httpd_sys_script_exec_t;
+ ')
+
+ domtrans_pattern(httpd_t, $2, $1)
+ apache_search_sys_scripts($1)
+
+ allow httpd_t $1:process signal;
+')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index d582fb6cf..a6395e9e6 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.7.0)
+policy_module(apache,1.7.1)
 #
 # NOTES:
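Review bot: In `apache_cgi_domain` (policy/modules/services/apache.if), `domtrans_pattern(httpd_t, $2, $1)` grants httpd_t a transition into whatever domain the caller passes, and the grant is unconditional. If the module's CGI boolean (`httpd_enable_cgi` in reference policy; apache.te is not part of this hunk, so confirm) is meant to govern all CGI execution, either place the transition inside a `tunable_policy` block on that boolean or state the exception in the description, e.g. `## The transition is not conditional on httpd_enable_cgi.`. The `gen_require` also lists `httpd_sys_script_exec_t`, which the visible body never references directly (`apache_search_sys_scripts` carries its own require), so `type httpd_t;` looks sufficient. The parameter text should additionally say that `$1` must already be declared as a domain and `$2` as its entry point type, since the visible body declares neither.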