From 83caba3eb915f9f4d27b93a7a7f4d7cf1d46cfd9 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 1 Apr 2010 08:17:50 -0400
Subject: [PATCH] First part of apache patch from Dan Walsh: file context changes, including renaming script ro/ra/rw files.
---
 policy/modules/services/apache.fc | 43 +++++++++++-
 policy/modules/services/apache.if | 106 ++++++++++++++----------------
 policy/modules/services/apache.te | 23 +++----
 policy/modules/services/git.fc | 2 +-
 policy/modules/services/ntop.fc | 1 -
 policy/modules/services/ntop.te | 2 +-
 6 files changed, 105 insertions(+), 72 deletions(-)
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index afcb9bdd9..ff18506bc 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -2,29 +2,40 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
 /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/etc/httpd -d gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/httpd/conf.* gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
 /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
 /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+
 /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
 /usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
 /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
 /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
 /usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib(64)?/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
 /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
 /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
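Review bot: The new `/etc/drupal(/.*)?`, `/etc/mock/koji(/.*)?` and `/etc/zabbix/web(/.*)?` entries label whole configuration trees `httpd_sys_rw_content_t`, a type the template in apache.if lets httpd_sys_script_t manage outright and httpd_t manage under `httpd_builtin_scripting`, so the web server and its scripts can rewrite the applications' own configuration. Unless each application genuinely writes across its entire /etc tree, the write-capable label should be narrowed to the specific files or subdirectories that need it, with the rest left as `httpd_sys_content_t`, and a comment should record why a whole tree is writable where that cannot be avoided. The `/etc/httpd/conf/keytab` entry, by contrast, is a sound least-privilege step since it gives the keytab its own type instead of the broad `httpd_config_t` that the new `/etc/httpd(/.*)?` line now applies to everything else under that directory.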
@@ -32,14 +43,30 @@ ifdef(`distro_suse', `
 /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
 ')
+/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
@@ -47,6 +74,7 @@ ifdef(`distro_suse', `
 /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -57,6 +85,9 @@ ifdef(`distro_suse', `
 /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+
 ifdef(`distro_debian', `
 /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
 ')
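Review bot: The wildcard `/var/cache/mod_.*` added in the first hunk already matches `/var/cache/mod_gnutls(/.*)?`, `/var/cache/mod_proxy(/.*)?` and `/var/cache/mod_ssl(/.*)?`, and `/var/cache/php-.*` likewise covers the `php-eaccelerator` and `php-mmcache` entries, all with the same `httpd_cache_t` label; keep either the wildcard or the specific entries, not both. `/usr/share/mythweb/mythweb\.pl` is the only single-file entry in that hunk without a `--` file-type specifier and should read `/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)`, matching the `wp-config\.php` line. Labeling `wp-config\.php` as `httpd_sys_script_exec_t` rather than as read-only content is presumably deliberate, but a short comment on that line saying why would spare the next reader the question.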
@@ -64,11 +95,17 @@ ifdef(`distro_debian', `
 /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
 /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
 /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
+/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
 /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 2dc0a81da..997b2b0c1 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -24,6 +24,7 @@ template(`apache_content_template',`
 #This type is for webpages
 type httpd_$1_content_t, httpdcontent; # customizable
+ typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
 files_type(httpd_$1_content_t)
 # This type is used for .htaccess files
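Review bot: The `/var/spool/viewvc(/.*)?` line writes `httpd_sys_rw_content_t, s0` with a space before `s0`, unlike every other entry in the file; m4 most likely strips it, but it should be normalized to `/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)`. The new `/var/www(/.*)?/logs(/.*)?` pattern also relabels any directory named `logs` at any depth below /var/www, including one inside a document root, as `httpd_log_t`, a log type that is no longer web content and that httpd_t presumably writes to. If only per-vhost log directories are intended, `/var/www/[^/]*/logs(/.*)?` is the narrower pattern and matches the style of the `cgi-bin` entry added right after it.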
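Review bot: The added `typealias httpd_$1_content_t alias httpd_$1_script_ro_t;` folds the former read-only script type into the content type, but the comment above it still reads `#This type is for webpages` and says nothing about the alias. Suggest `# Web pages and other read-only content; httpd_$1_script_ro_t survives only as an alias of this type` so that readers of older file contexts can see where the ro label went. The rest of the template lies outside this hunk.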
@@ -40,22 +41,19 @@ template(`apache_content_template',`
 corecmd_shell_entry_type(httpd_$1_script_t)
 domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
- # The following three are the only areas that
- # scripts can read, read/write, or append to
- type httpd_$1_script_ro_t, httpdcontent; # customizable
- files_type(httpd_$1_script_ro_t)
+ type httpd_$1_rw_content_t, httpdcontent; # customizable
+ typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
+ files_type(httpd_$1_rw_content_t)
- type httpd_$1_script_rw_t, httpdcontent; # customizable
- files_type(httpd_$1_script_rw_t)
-
- type httpd_$1_script_ra_t, httpdcontent; # customizable
- files_type(httpd_$1_script_ra_t)
+ type httpd_$1_ra_content_t, httpdcontent; # customizable
+ typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
+ files_type(httpd_$1_ra_content_t)
 allow httpd_t httpd_$1_htaccess_t:file read_file_perms;
 domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;
+ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
 allow httpd_$1_script_t self:fifo_file rw_file_perms;
 allow httpd_$1_script_t self:unix_stream_socket connectto;
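Review bot: The rewritten `allow httpd_suexec_t { ... }:dir search_dir_perms;` line lists `httpd_$1_content_t` twice, a mechanical leftover of replacing `httpd_$1_script_ro_t` with the type it is now aliased to; it should read `allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;`. The hunk also removes the only comment that explained the read / read-write / append split without replacing it; a line before the `httpd_$1_rw_content_t` declaration such as `# Scripts may modify rw_content, append to ra_content, and only read httpd_$1_content_t` would keep that intent documented next to the types. The template body continues outside the hunk.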
@@ -73,21 +71,21 @@ template(`apache_content_template',`
 can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
 allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms;
- allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
- read_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
- append_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
- read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
+ allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
- allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms;
- read_files_pattern(httpd_$1_script_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
- read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
+ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
+ read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
- manage_dirs_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- manage_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_script_rw_t, { dir file lnk_file sock_file fifo_file })
+ manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
 kernel_dontaudit_search_sysctl(httpd_$1_script_t)
 kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
@@ -124,19 +122,19 @@ template(`apache_content_template',`
 # Allow the web server to run scripts and serve pages
 tunable_policy(`httpd_builtin_scripting',`
- manage_dirs_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- manage_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- manage_lnk_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- rw_sock_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
+ manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- allow httpd_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
- read_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
- append_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
- read_lnk_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
+ allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
- allow httpd_t httpd_$1_script_ro_t:dir list_dir_perms;
- read_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
- read_lnk_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
+ allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+ read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
 allow httpd_t httpd_$1_content_t:dir list_dir_perms;
 read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
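Review bot: The added `allow httpd_t httpd_$1_content_t:dir list_dir_perms;` and `read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)` lines are identical to the two unchanged context lines immediately after them, and the added `read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)` most likely duplicates the next line outside the hunk; since the ro type they replaced is now an alias of `httpd_$1_content_t`, these three lines should be deleted rather than renamed. The same check applies to the renamed ro block for `httpd_$1_script_t` in the earlier hunk of this template, whose neighbouring rules are outside that hunk. Duplicate allow rules merge harmlessly in the compiled policy, but they mislead anyone reading the template about what the tunable actually adds.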
@@ -258,8 +256,7 @@ interface(`apache_role',`
 attribute httpdcontent;
 type httpd_user_content_t, httpd_user_htaccess_t;
 type httpd_user_script_t, httpd_user_script_exec_t;
- type httpd_user_script_ra_t, httpd_user_script_ro_t;
- type httpd_user_script_rw_t;
+ type httpd_user_ra_content_t, httpd_user_rw_content_t;
 ')
 role $1 types httpd_user_script_t;
@@ -268,26 +265,19 @@ interface(`apache_role',`
 allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
- manage_dirs_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
- manage_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
- manage_lnk_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
- relabel_dirs_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
- relabel_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
- relabel_lnk_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
+ manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
- manage_dirs_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
- manage_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
- manage_lnk_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
- relabel_dirs_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
- relabel_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
- relabel_lnk_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
-
- manage_dirs_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
- manage_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
- manage_lnk_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
- relabel_dirs_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
- relabel_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
- relabel_lnk_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
+ manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
 manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
 manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
@@ -1092,11 +1082,17 @@ interface(`apache_admin',`
 type httpd_modules_t, httpd_lock_t;
 type httpd_var_run_t, httpd_php_tmp_t;
 type httpd_suexec_tmp_t, httpd_tmp_t;
+ type httpd_initrc_exec_t;
 ')
 allow $1 httpd_t:process { getattr ptrace signal_perms };
 ps_process_pattern($1, httpd_t)
+ init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 httpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
 apache_manage_all_content($1)
 miscfiles_manage_public_files($1)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 014ee4454..91d8e0868 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -140,6 +140,9 @@ domain_type(httpd_helper_t)
 domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
 role system_r types httpd_helper_t;
+type httpd_initrc_exec_t;
+init_script_file(httpd_initrc_exec_t)
+
 type httpd_lock_t;
 files_lock_file(httpd_lock_t)
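Review bot: The six manage and relabel rules for `httpd_user_script_ro_t` are removed in the `apache_role` hunk and nothing is added for `httpd_user_content_t`, the type it is now an alias of; the role keeps its former rights only if `$2` already has manage and relabel rules on `httpd_user_content_t` elsewhere in `apache_role`, which is outside this hunk and should be confirmed. If it does not, users lose the ability to create and relabel content that used to carry the ro label, and a block from `manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)` through `relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)`, parallel to the ra and rw blocks kept here, is needed.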
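Review bot: The added `role_transition $2 httpd_initrc_exec_t system_r;` and `allow $2 system_r;` in `apache_admin` are the only uses of `$2` visible in the hunk, so the interface's doc header above (outside the hunk) must declare the role parameter, e.g. `## <param name="role"> <summary> Role allowed access. </summary> </param>`; if `apache_admin` previously took only the domain, existing single-argument callers would now expand `$2` to nothing and fail to compile. `domain_system_change_exemption($1)` together with `allow $2 system_r` appears to follow the pattern other admin interfaces in this policy use, but it widens the administrator role beyond httpd itself, and the interface summary should say so rather than leave the reader to infer it from the body.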
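Review bot: apache.te gains the `httpd_initrc_exec_t` declaration here and renames several types in its later hunks, yet none of the three apache.te hunks in this patch touches the module's `policy_module` version line, while ntop.te is bumped to 1.8.1 for a smaller change. Refpolicy convention is to bump a module's version with any change to it, so the apache module version should be incremented in the same patch; the same presumably applies to git.fc if the project bumps on fc-only changes. The `init_script_file(httpd_initrc_exec_t)` declaration itself is consistent with the new `/etc/rc\.d/init\.d/httpd` and `lighttpd` entries in apache.fc.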
@@ -191,24 +194,23 @@ ubac_constrained(httpd_user_script_t)
 userdom_user_home_content(httpd_user_content_t)
 userdom_user_home_content(httpd_user_htaccess_t)
 userdom_user_home_content(httpd_user_script_exec_t)
-userdom_user_home_content(httpd_user_script_ra_t)
-userdom_user_home_content(httpd_user_script_ro_t)
-userdom_user_home_content(httpd_user_script_rw_t)
+userdom_user_home_content(httpd_user_ra_content_t)
+userdom_user_home_content(httpd_user_rw_content_t)
 typeattribute httpd_user_script_t httpd_script_domains;
 typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
+typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
+typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
 typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
 typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
 typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
 typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
 typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
 typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
-typealias httpd_user_script_ro_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
-typealias httpd_user_script_ro_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-typealias httpd_user_script_rw_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
-typealias httpd_user_script_rw_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
-typealias httpd_user_script_ra_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
-typealias httpd_user_script_ra_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
+typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
+typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
+typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
+typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
 # for apache2 memory mapped files
 type httpd_var_lib_t;
@@ -463,8 +465,7 @@ optional_policy(`
 ')
 optional_policy(`
- kerberos_use(httpd_t)
- kerberos_read_kdc_config(httpd_t)
+ kerberos_keytab_template(httpd, httpd_t)
 ')
 optional_policy(`
diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
index 28215650d..54f0737ca 100644
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
@@ -1,3 +1,3 @@
-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
+/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
 /var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
 /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/services/ntop.fc b/policy/modules/services/ntop.fc
index 0d836ae63..183843241 100644
--- a/policy/modules/services/ntop.fc
+++ b/policy/modules/services/ntop.fc
@@ -1,7 +1,6 @@
 /etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0)
 /usr/bin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0)
-/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:ntop_http_content_t,s0)
 /var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0)
 /var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0)
diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
index 6588a4dc7..45d23d5b5 100644
--- a/policy/modules/services/ntop.te
+++ b/policy/modules/services/ntop.te
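Review bot: In the second apache.te hunk, `kerberos_keytab_template(httpd, httpd_t)` replaces both `kerberos_use(httpd_t)` and `kerberos_read_kdc_config(httpd_t)`, and whether the template grants everything those two calls did is not visible in this patch; confirm against kerberos.if and keep `kerberos_use(httpd_t)` beside the template call if it does not, or httpd may lose access it had before. Giving the keytab its own `httpd_keytab_t`, labeled by the new `/etc/httpd/conf/keytab` entry in apache.fc, is the right least-privilege direction, since it keeps the server's Kerberos credential out of the broad `httpd_config_t` that `/etc/httpd(/.*)?` now applies to the rest of the directory. The enclosing `optional_policy` block begins and ends inside the hunk.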
@@ -1,5 +1,5 @@
-policy_module(ntop, 1.8.0)
+policy_module(ntop, 1.8.1)
 ########################################
 #