From: jwcart2@tycho.nsa.gov (James Carter)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 05/13] Move use of httpd_t from mojomojo.te to apache.te
Date: Wed, 11 Apr 2018 14:56:35 -0400 [thread overview]
Message-ID: <20180411185639.23547-6-jwcart2@tycho.nsa.gov> (raw)
In-Reply-To: <20180411185639.23547-1-jwcart2@tycho.nsa.gov>
The type httpd_t is actually declared in apache.te.
Created apache.if:apache_rw_stream_sockets() which allows
reading and writing unix domain stream sockets labeled httpd_t.
Modified mojomojo.te to use the new interface instead of
This is needed by the module mojomojo which had been referring to
httpd_t directly.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
apache.if | 19 +++++++++++++++++++
mojomojo.te | 2 +-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/apache.if b/apache.if
index 135e2f5..94878d6 100644
--- a/apache.if
+++ b/apache.if
@@ -373,6 +373,25 @@ interface(`apache_dontaudit_rw_stream_sockets',`
########################################
## <summary>
+## Read and write httpd unix domain
+## stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_rw_stream_sockets',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read and
## write httpd TCP sockets.
## </summary>
diff --git a/mojomojo.te b/mojomojo.te
index 8f4d477..ea853ce 100644
--- a/mojomojo.te
+++ b/mojomojo.te
@@ -12,7 +12,7 @@ apache_content_template(mojomojo)
# Local policy
#
-allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+apache_rw_stream_sockets(httpd_mojomojo_script_t)
corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
--
2.13.6
next prev parent reply other threads:[~2018-04-11 18:56 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-11 18:56 [refpolicy] [PATCH 00/13] Fix issues identified by spt_lint.lua to contrib James Carter
2018-04-11 18:56 ` [refpolicy] [PATCH 01/13] Remove unnecessary semicolons James Carter
2018-04-11 18:56 ` [refpolicy] [PATCH 02/13] Mark unused parameter as unused James Carter
2018-04-11 18:56 ` [refpolicy] [PATCH 03/13] Add unused parameter and mark " James Carter
2018-04-11 18:56 ` [refpolicy] [PATCH 04/13] Remove use of undeclared attribute from portage.te James Carter
2018-04-11 18:56 ` James Carter [this message]
2018-04-11 18:56 ` [refpolicy] [PATCH 06/13] Move use of sendmail_exec_t from sendmail.te to mta.te James Carter
2018-04-11 18:56 ` [refpolicy] [PATCH 07/13] Fix typos in identifier names James Carter
2018-04-11 18:56 ` [refpolicy] [PATCH 08/13] Remove undeclared identifiers from shorewall interfaces James Carter
2018-04-11 18:56 ` [refpolicy] [PATCH 09/13] Fix interfaces that use an undeclared identifier James Carter
2018-04-12 22:47 ` [refpolicy] [PATCH 00/13] Fix issues identified by spt_lint.lua to contrib Chris PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180411185639.23547-6-jwcart2@tycho.nsa.gov \
--to=jwcart2@tycho.nsa.gov \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).