Diffstat (limited to 'mod_passanger.te')
-rw-r--r-- | mod_passanger.te | 51 |
1 files changed, 41 insertions, 10 deletions
diff --git a/mod_passanger.te b/mod_passanger.te
index f8b3489..ca0d9fe 100644
--- a/mod_passanger.te
+++ b/mod_passanger.te
@@ -6,6 +6,13 @@ policy_module(mod_passanger,1.0)
 # Declarations
 #
+## <desc>
+## <p>
+## Allow httpd to use mod_passenger
+## </p>
+## </desc>
+gen_tunable(httpd_use_passenger, false)
+
 type httpd_passenger_t;
 type httpd_passenger_exec_t;
 domain_type(httpd_passenger_t)
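Review bot: The `<desc>` text for `httpd_use_passenger` says only "Allow httpd to use mod_passenger", but turning the boolean on (in the next hunk) also hands httpd_t the `fowner` and `fsetid` capabilities and a domain transition into httpd_passenger_t, and an administrator reading `semanage boolean -l` should see that. Something like `## Allow httpd to transition to the mod_passenger domain (httpd_passenger_t); also grants httpd_t fowner and fsetid for /tmp/passenger/` states what is actually being widened. The module name is also spelled `mod_passanger` in `policy_module` while the tunable and types use `passenger`; worth settling on one spelling before the name is depended on.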
@@ -21,28 +28,56 @@ files_type(httpd_passenger_var_lib_t)
 type httpd_passenger_rw_content_t;
 files_type(httpd_passenger_rw_content_t)
-permissive httpd_passenger_t;
+#permissive httpd_passenger_t;
+
+#### apache section ####
 require{
 type httpd_t;
 type httpd_sys_content_t;
 type httpd_log_t;
+ type httpd_tmp_t;
 }
-domtrans_pattern(httpd_t, httpd_passenger_exec_t, httpd_passenger_t)
-allow httpd_t httpd_passenger_t:unix_stream_socket shutdown;
+
+manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+manage_fifo_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_t, httpd_tmp_t, { sock_file fifo_file })
+
+optional_policy(`
+ tunable_policy(`httpd_use_passenger',`
+
+ # needed by /tmp/passenger/
+ allow httpd_t self:capability { fowner fsetid };
+
+ allow httpd_t httpd_passenger_t:process signal;
+
+ domtrans_pattern(httpd_t, httpd_passenger_exec_t, httpd_passenger_t)
+ allow httpd_t httpd_passenger_t:unix_stream_socket { read write shutdown };
+
+ manage_dirs_pattern(httpd_passenger_t, httpd_tmp_t, httpd_tmp_t)
+ manage_files_pattern(httpd_passenger_t, httpd_tmp_t, httpd_tmp_t)
+ manage_fifo_files_pattern(httpd_passenger_t, httpd_tmp_t, httpd_tmp_t)
+ manage_sock_files_pattern(httpd_passenger_t, httpd_tmp_t, httpd_tmp_t)
+
+ read_files_pattern(httpd_t, httpd_passenger_var_lib_t, httpd_passenger_var_lib_t)
+ ')
+')
 ########################################
 #
 # Apache mod_passanger local policy
 #
-allow httpd_passenger_t self:capability { setuid fowner chown fsetid setgid };
+# /tmp/passenger/
+allow httpd_passenger_t self:capability dac_override;
 allow httpd_passenger_t self:process signal;
 allow httpd_passenger_t self:fifo_file rw_fifo_file_perms;
 allow httpd_passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow httpd_passenger_t httpd_t:unix_stream_socket { read write };
+
 # allow passenger to read and append to apache logfiles
 allow httpd_passenger_t httpd_log_t:file { append_file_perms };
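Review bot: `allow httpd_passenger_t self:capability dac_override;` is justified only by the comment `# /tmp/passenger/`, yet dac_override lets the passenger domain bypass DAC read/write/execute checks on every file its type rules otherwise reach, not just that directory; if the need is only to enter or read a root-owned directory, `dac_read_search` is the narrower capability, and if passenger creates the directory itself then proper labeling (the dedicated tmp type this commit removes, plus a `files_tmp_filetrans`) should remove the need for any capability. The same goes for `allow httpd_t self:capability { fowner fsetid };` inside the tunable, which widens the core httpd_t domain from an add-on module: the comment should name the operation (chmod/chown of which path) behind the denial so it can be re-checked later, and dropping `setuid setgid chown` from httpd_passenger_t may be intentional but will need confirming against whatever user switching passenger is configured to do. The `optional_policy(` wrapper around `tunable_policy` has no `require` block of its own and the `require{ type httpd_t; ... }` it depends on sits outside it, so the wrapper adds nothing and can go. Finally `allow httpd_passenger_t httpd_t:unix_stream_socket { read write };` is unconditional while its httpd_t-side counterpart is behind the boolean; harmless, but the two halves of the socket rule belong together.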
@@ -51,12 +86,6 @@ read_files_pattern(httpd_passenger_t, httpd_sys_content_t, httpd_sys_content_t)
 rw_dirs_pattern(httpd_passenger_t, httpd_passenger_rw_content_t, httpd_passenger_rw_content_t)
 rw_files_pattern(httpd_passenger_t, httpd_passenger_rw_content_t, httpd_passenger_rw_content_t)
-manage_fifo_files_pattern(httpd_passenger_t, httpd_passenger_tmp_t, httpd_passenger_tmp_t)
-manage_sock_files_pattern(httpd_passenger_t, httpd_passenger_tmp_t, httpd_passenger_tmp_t)
-manage_dirs_pattern(httpd_passenger_t, httpd_passenger_tmp_t, httpd_passenger_tmp_t)
-manage_files_pattern(httpd_passenger_t, httpd_passenger_tmp_t, httpd_passenger_tmp_t)
-files_tmp_filetrans(httpd_passenger_t, httpd_passenger_tmp_t, { file dir fifo_file sock_file })
-
 manage_dirs_pattern(httpd_passenger_t, httpd_passenger_var_lib_t, httpd_passenger_var_lib_t)
 manage_files_pattern(httpd_passenger_t, httpd_passenger_var_lib_t, httpd_passenger_var_lib_t)
@@ -68,5 +97,7 @@ dev_read_urand(httpd_passenger_t)
 files_read_etc_files(httpd_passenger_t)
+#auth_use_nsswitch(httpd_passenger_t)
+
 miscfiles_read_localization(httpd_passenger_t) |
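Review bot: `#auth_use_nsswitch(httpd_passenger_t)` is commented-out policy with no explanation, so a later reader cannot tell whether passenger was observed needing user/group lookups and this is a deliberate refusal, or whether it is an unfinished experiment. Either drop the line or replace it with a comment recording the decision, e.g. `# nsswitch access deliberately not granted; passenger runs as a fixed user here`, if that is the case. If passenger does resolve user or group names (not visible from this hunk), enable the interface rather than leaving it dormant, since the resulting denials will otherwise surface during triage with no hint that they were anticipated.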