author | Miroslav Grepl <mgrepl@redhat.com> | 2010-09-02 16:47:14 +0200 |
---|---|---|
committer | Miroslav Grepl <mgrepl@redhat.com> | 2010-09-02 16:47:14 +0200 |
commit | 8232f3574bdd332a5aeb046ed03642b3817591c7 (patch) | |
tree | bc3a4c6b25733d700a1ba28d62b0bb235486404a | |
parent | fc7ee0269afbb421f0b8ed33731ca42203cece46 (diff) | |
- More fixes for mod_passenger policy (add boolean httpd_use_passenger)
-rw-r--r-- | mod_passanger.fc | 2 | ||||
-rw-r--r-- | mod_passanger.te | 51 |
2 files changed, 43 insertions, 10 deletions
diff --git a/mod_passanger.fc b/mod_passanger.fc
index 15bc2af..f925d50 100644
--- a/mod_passanger.fc
+++ b/mod_passanger.fc
@@ -1,2 +1,4 @@
+/usr/lib(64)?/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:httpd_passenger_exec_t,s0)
+
 /var/lib/passenger(/.*)? gen_context(system_u:object_r:httpd_passenger_var_lib_t,s0)
diff --git a/mod_passanger.te b/mod_passanger.te
index f8b3489..ca0d9fe 100644
--- a/mod_passanger.te
+++ b/mod_passanger.te
@@ -6,6 +6,13 @@ policy_module(mod_passanger,1.0)
 # Declarations
 #
+## <desc>
+## <p>
+## Allow httpd to use mod_passenger
+## </p>
+## </desc>
+gen_tunable(httpd_use_passenger, false)
+
 type httpd_passenger_t;
 type httpd_passenger_exec_t;
 domain_type(httpd_passenger_t)
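Review bot: The `<desc>` for `httpd_use_passenger` says only `Allow httpd to use mod_passenger`, which tells an administrator neither what the boolean actually controls nor that it is off by default. The next hunk places the httpd_t → httpd_passenger_t domain transition and the shared httpd_tmp_t rules under this tunable, so with the default `false` httpd appears (as far as this diff shows) to have no way to execute the passenger helper at all. I would replace the middle description line with `## Allow httpd to execute the mod_passenger helper in the httpd_passenger_t domain and share /tmp sockets and fifos with it (off by default).`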
@@ -21,28 +28,56 @@ files_type(httpd_passenger_var_lib_t)
 type httpd_passenger_rw_content_t;
 files_type(httpd_passenger_rw_content_t)
-permissive httpd_passenger_t;
+#permissive httpd_passenger_t;
+
+#### apache section ####
 require{
 	type httpd_t;
 	type httpd_sys_content_t;
 	type httpd_log_t;
+	type httpd_tmp_t;
 }
-domtrans_pattern(httpd_t, httpd_passenger_exec_t, httpd_passenger_t)
-allow httpd_t httpd_passenger_t:unix_stream_socket shutdown;
+
+manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+manage_fifo_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_t, httpd_tmp_t, { sock_file fifo_file })
+
+optional_policy(`
+	tunable_policy(`httpd_use_passenger',`
+
+		# needed by /tmp/passenger/
+		allow httpd_t self:capability { fowner fsetid };
+
+		allow httpd_t httpd_passenger_t:process signal;
+
+		domtrans_pattern(httpd_t, httpd_passenger_exec_t, httpd_passenger_t)
+		allow httpd_t httpd_passenger_t:unix_stream_socket { read write shutdown };
+
+		manage_dirs_pattern(httpd_passenger_t, httpd_tmp_t, httpd_tmp_t)
+		manage_files_pattern(httpd_passenger_t, httpd_tmp_t, httpd_tmp_t)
+		manage_fifo_files_pattern(httpd_passenger_t, httpd_tmp_t, httpd_tmp_t)
+		manage_sock_files_pattern(httpd_passenger_t, httpd_tmp_t, httpd_tmp_t)
+
+		read_files_pattern(httpd_t, httpd_passenger_var_lib_t, httpd_passenger_var_lib_t)
+	')
+')
 ########################################
 #
 # Apache mod_passanger local policy
 #
-allow httpd_passenger_t self:capability { setuid fowner chown fsetid setgid };
+# /tmp/passenger/
+allow httpd_passenger_t self:capability dac_override;
 allow httpd_passenger_t self:process signal;
 allow httpd_passenger_t self:fifo_file rw_fifo_file_perms;
 allow httpd_passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow httpd_passenger_t httpd_t:unix_stream_socket { read write };
+
 # allow passenger to read and append to apache logfiles
 allow httpd_passenger_t httpd_log_t:file { append_file_perms };
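Review bot: `allow httpd_passenger_t self:capability dac_override;` replaces the removed `{ setuid fowner chown fsetid setgid }` set with a capability that bypasses file read, write and execute permission checks everywhere, and the only justification is the one-line comment `# /tmp/passenger/`. Since this hunk already gives httpd_passenger_t manage rights on httpd_tmp_t, the DAC denial presumably comes from /tmp/passenger entries owned by another uid; if only traversing or reading them is needed, `dac_read_search` is the narrower capability, and the comment should record the actual denial being worked around (and whether the helper still needs setuid/setgid, which this change silently drops). Separately, the `manage_sock_files_pattern`/`manage_fifo_files_pattern`/`files_tmp_filetrans` rules for httpd_t sit above `tunable_policy(`httpd_use_passenger',`…`)` and therefore apply even when the boolean is false; if they exist only for passenger they belong inside it. `#permissive httpd_passenger_t;` is commented-out policy and should be deleted rather than kept in the file.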
@@ -51,12 +86,6 @@ read_files_pattern(httpd_passenger_t, httpd_sys_content_t, httpd_sys_content_t)
 rw_dirs_pattern(httpd_passenger_t, httpd_passenger_rw_content_t, httpd_passenger_rw_content_t)
 rw_files_pattern(httpd_passenger_t, httpd_passenger_rw_content_t, httpd_passenger_rw_content_t)
-manage_fifo_files_pattern(httpd_passenger_t, httpd_passenger_tmp_t, httpd_passenger_tmp_t)
-manage_sock_files_pattern(httpd_passenger_t, httpd_passenger_tmp_t, httpd_passenger_tmp_t)
-manage_dirs_pattern(httpd_passenger_t, httpd_passenger_tmp_t, httpd_passenger_tmp_t)
-manage_files_pattern(httpd_passenger_t, httpd_passenger_tmp_t, httpd_passenger_tmp_t)
-files_tmp_filetrans(httpd_passenger_t, httpd_passenger_tmp_t, { file dir fifo_file sock_file })
-
 manage_dirs_pattern(httpd_passenger_t, httpd_passenger_var_lib_t, httpd_passenger_var_lib_t)
 manage_files_pattern(httpd_passenger_t, httpd_passenger_var_lib_t, httpd_passenger_var_lib_t)
@@ -68,5 +97,7 @@ dev_read_urand(httpd_passenger_t)
 files_read_etc_files(httpd_passenger_t)
+#auth_use_nsswitch(httpd_passenger_t)
+
 miscfiles_read_localization(httpd_passenger_t)
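Review bot: `+#auth_use_nsswitch(httpd_passenger_t)` adds a commented-out interface call with no explanation, so the next reader cannot tell whether name-service lookups were observed to be denied and deliberately left out, or were never needed. Either drop the line or replace it with a comment recording the decision, e.g. `# auth_use_nsswitch() deliberately not granted: <reason — placeholder>`. In the deletion hunk above, all rules for `httpd_passenger_tmp_t` go away; if its `type` declaration still exists outside these hunks (not visible in this diff), it is now an unused type that should be removed in the same change.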