authorMiroslav Grepl <mgrepl@redhat.com>2010-09-02 16:47:14 +0200
committerMiroslav Grepl <mgrepl@redhat.com>2010-09-02 16:47:14 +0200
commit8232f3574bdd332a5aeb046ed03642b3817591c7 (patch)
treebc3a4c6b25733d700a1ba28d62b0bb235486404a
parentfc7ee0269afbb421f0b8ed33731ca42203cece46 (diff)
- More fixes for mod_passenger policy (add boolean httpd_use_passenger)
-rw-r--r--mod_passanger.fc2
-rw-r--r--mod_passanger.te51
2 files changed, 43 insertions, 10 deletions
diff --git a/mod_passanger.fc b/mod_passanger.fc
index 15bc2af..f925d50 100644
--- a/mod_passanger.fc
+++ b/mod_passanger.fc
@@ -1,2 +1,4 @@
+/usr/lib(64)?/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:httpd_passenger_exec_t,s0)
+
/var/lib/passenger(/.*)? gen_context(system_u:object_r:httpd_passenger_var_lib_t,s0)
diff --git a/mod_passanger.te b/mod_passanger.te
index f8b3489..ca0d9fe 100644
--- a/mod_passanger.te
+++ b/mod_passanger.te
@@ -6,6 +6,13 @@ policy_module(mod_passanger,1.0)
# Declarations
#
+## <desc>
+## <p>
+## Allow httpd to use mod_passenger
+## </p>
+## </desc>
+gen_tunable(httpd_use_passenger, false)
+
type httpd_passenger_t;
type httpd_passenger_exec_t;
domain_type(httpd_passenger_t)
@@ -21,28 +28,56 @@ files_type(httpd_passenger_var_lib_t)
type httpd_passenger_rw_content_t;
files_type(httpd_passenger_rw_content_t)
-permissive httpd_passenger_t;
+#permissive httpd_passenger_t;
+
+#### apache section ####
require{
type httpd_t;
type httpd_sys_content_t;
type httpd_log_t;
+ type httpd_tmp_t;
}
-domtrans_pattern(httpd_t, httpd_passenger_exec_t, httpd_passenger_t)
-allow httpd_t httpd_passenger_t:unix_stream_socket shutdown;
+
+manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+manage_fifo_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_t, httpd_tmp_t, { sock_file fifo_file })
+
+optional_policy(`
+ tunable_policy(`httpd_use_passenger',`
+
+ # needed by /tmp/passenger/
+ allow httpd_t self:capability { fowner fsetid };
+
+ allow httpd_t httpd_passenger_t:process signal;
+
+ domtrans_pattern(httpd_t, httpd_passenger_exec_t, httpd_passenger_t)
+ allow httpd_t httpd_passenger_t:unix_stream_socket { read write shutdown };
+
+ manage_dirs_pattern(httpd_passenger_t, httpd_tmp_t, httpd_tmp_t)
+ manage_files_pattern(httpd_passenger_t, httpd_tmp_t, httpd_tmp_t)
+ manage_fifo_files_pattern(httpd_passenger_t, httpd_tmp_t, httpd_tmp_t)
+ manage_sock_files_pattern(httpd_passenger_t, httpd_tmp_t, httpd_tmp_t)
+
+ read_files_pattern(httpd_t, httpd_passenger_var_lib_t, httpd_passenger_var_lib_t)
+ ')
+')
########################################
#
# Apache mod_passanger local policy
#
-allow httpd_passenger_t self:capability { setuid fowner chown fsetid setgid };
+# /tmp/passenger/
+allow httpd_passenger_t self:capability dac_override;
allow httpd_passenger_t self:process signal;
allow httpd_passenger_t self:fifo_file rw_fifo_file_perms;
allow httpd_passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow httpd_passenger_t httpd_t:unix_stream_socket { read write };
+
# allow passenger to read and append to apache logfiles
allow httpd_passenger_t httpd_log_t:file { append_file_perms };
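Review bot: The `optional_policy(` wrapper under `#### apache section ####` cannot make anything optional, because the `require{ ... }` block naming httpd_t, httpd_sys_content_t, httpd_log_t and httpd_tmp_t sits outside it at module scope, so the module still fails to load whenever the apache types are absent; either move those declarations into a `gen_require(`...`)` inside the optional_policy block or drop the wrapper. Inside the tunable, `allow httpd_t self:capability { fowner fsetid };` is not scoped to /tmp/passenger despite the comment above it — a capability is process-wide, so it relaxes ownership checks for every object httpd_t can already reach, and the comment should say why Passenger needs this in the apache domain rather than in httpd_passenger_t. Similarly `allow httpd_passenger_t self:capability dac_override;` with `# /tmp/passenger/` is the broadest DAC bypass; if the need is only to traverse or read a directory, `dac_read_search` is the smaller grant, and a dac_* requirement on a tmp path usually points at ownership or labeling that should be fixed instead. The manage_sock_files/manage_fifo_files/files_tmp_filetrans rules for httpd_t on httpd_tmp_t just above the optional block are unconditional while the rest of the apache-side rules are gated by httpd_use_passenger, so confirm that asymmetry is intended. The following hunk removes all users of httpd_passenger_tmp_t; if its `type` declaration and files_tmp_file() call remain in the declarations section (not shown here), they are now dead and should go too.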
@@ -51,12 +86,6 @@ read_files_pattern(httpd_passenger_t, httpd_sys_content_t, httpd_sys_content_t)
rw_dirs_pattern(httpd_passenger_t, httpd_passenger_rw_content_t, httpd_passenger_rw_content_t)
rw_files_pattern(httpd_passenger_t, httpd_passenger_rw_content_t, httpd_passenger_rw_content_t)
-manage_fifo_files_pattern(httpd_passenger_t, httpd_passenger_tmp_t, httpd_passenger_tmp_t)
-manage_sock_files_pattern(httpd_passenger_t, httpd_passenger_tmp_t, httpd_passenger_tmp_t)
-manage_dirs_pattern(httpd_passenger_t, httpd_passenger_tmp_t, httpd_passenger_tmp_t)
-manage_files_pattern(httpd_passenger_t, httpd_passenger_tmp_t, httpd_passenger_tmp_t)
-files_tmp_filetrans(httpd_passenger_t, httpd_passenger_tmp_t, { file dir fifo_file sock_file })
-
manage_dirs_pattern(httpd_passenger_t, httpd_passenger_var_lib_t, httpd_passenger_var_lib_t)
manage_files_pattern(httpd_passenger_t, httpd_passenger_var_lib_t, httpd_passenger_var_lib_t)
@@ -68,5 +97,7 @@ dev_read_urand(httpd_passenger_t)
files_read_etc_files(httpd_passenger_t)
+#auth_use_nsswitch(httpd_passenger_t)
+
miscfiles_read_localization(httpd_passenger_t)