apache, roles: use user exec domain attribute

Signed-off-by: Kenton Groombridge <me@concord.sh>

policy/modules/roles/guest.te

@@ -17,7 +17,7 @@ kernel_read_system_state(guest_t)
 #
 
 optional_policy(`
-	apache_role(guest_r, guest_t)
+	apache_role(guest, guest_t, guest_application_exec_domain, guest_r)
 ')
 
 optional_policy(`

policy/modules/roles/staff.te

@@ -16,7 +16,7 @@ userdom_unpriv_user_template(staff)
 corenet_ib_access_unlabeled_pkeys(staff_t)
 
 optional_policy(`
-	apache_role(staff_r, staff_t)
+	apache_role(staff, staff_t, staff_application_exec_domain, staff_r)
 ')
 
 optional_policy(`

policy/modules/roles/sysadm.te

@@ -140,7 +140,7 @@ optional_policy(`
 	apache_run_helper(sysadm_t, sysadm_r)
 	#apache_run_all_scripts(sysadm_t, sysadm_r)
 	#apache_domtrans_sys_script(sysadm_t)
-	apache_role(sysadm_r, sysadm_t)
+	apache_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
 ')
 
 optional_policy(`

policy/modules/roles/unprivuser.te

@@ -13,7 +13,7 @@ policy_module(unprivuser, 2.12.1)
 userdom_unpriv_user_template(user)
 
 optional_policy(`
-	apache_role(user_r, user_t)
+	apache_role(user, user_t, user_application_exec_domain, user_r)
 ')
 
 optional_policy(`

policy/modules/roles/xguest.te

@@ -86,7 +86,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	apache_role(xguest_r, xguest_t)
+	apache_role(xguest, xguest_t, xguest_application_exec_domain, xguest_r)
 ')
 
 optional_policy(`

policy/modules/services/apache.if

@@ -106,18 +106,29 @@ template(`apache_content_template',`
 ## <summary>
 ##	Role access for apache.
 ## </summary>
+## <param name="role_prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+## <param name="user_exec_domain">
+##	<summary>
+##	User exec domain for execute and transition access.
+##	</summary>
+## </param>
 ## <param name="role">
 ##	<summary>
 ##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="domain">
-##	<summary>
-##	User domain for the role.
-##	</summary>
-## </param>
 #
-interface(`apache_role',`
+template(`apache_role',`
 	gen_require(`
 		attribute httpdcontent;
 		type httpd_user_content_t, httpd_user_htaccess_t;
@@ -125,7 +136,7 @@ interface(`apache_role',`
 		type httpd_user_ra_content_t, httpd_user_rw_content_t;
 	')
 
-	role $1 types httpd_user_script_t;
+	role $4 types httpd_user_script_t;
 
 	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
 
@@ -154,11 +165,15 @@ interface(`apache_role',`
 	filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs")
 
 	tunable_policy(`httpd_enable_cgi',`
-		domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
+		domtrans_pattern($3, httpd_user_script_exec_t, httpd_user_script_t)
 	')
 
 	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-		domtrans_pattern($2, httpdcontent, httpd_user_script_t)
+		domtrans_pattern($3, httpdcontent, httpd_user_script_t)
+	')
+
+	optional_policy(`
+		systemd_user_app_status($1, httpd_user_script_t)
 	')
 ')
 

policy/modules/system/unconfined.te

@@ -72,7 +72,7 @@ ifdef(`init_systemd',`
 
 optional_policy(`
 	apache_run_helper(unconfined_t, unconfined_r)
-	apache_role(unconfined_r, unconfined_t)
+	apache_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r)
 ')
 
 optional_policy(`