From ae63043b99244eade066b5659a91f642ea12f8e4 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Mon, 30 Aug 2010 19:11:45 +0200
Subject: - Add test policy for mod_passenger

---
 mod_passanger.fc | 2 ++
 mod_passanger.if | 1 +
 mod_passanger.te | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 75 insertions(+)
 create mode 100644 mod_passanger.fc
 create mode 100644 mod_passanger.if
 create mode 100644 mod_passanger.te

diff --git a/mod_passanger.fc b/mod_passanger.fc
new file mode 100644
index 0000000..15bc2af
--- /dev/null
+++ b/mod_passanger.fc
@@ -0,0 +1,2 @@
+
+/var/lib/passenger(/.*)? gen_context(system_u:object_r:httpd_passenger_var_lib_t,s0)
diff --git a/mod_passanger.if b/mod_passanger.if
new file mode 100644
index 0000000..3eb6a30
--- /dev/null
+++ b/mod_passanger.if
@@ -0,0 +1 @@
+##
diff --git a/mod_passanger.te b/mod_passanger.te
new file mode 100644
index 0000000..f8b3489
--- /dev/null
+++ b/mod_passanger.te
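Review bot: No path in this file context is labeled httpd_passenger_exec_t, although mod_passanger.te declares that type as the entry point for domtrans_pattern(httpd_t, httpd_passenger_exec_t, httpd_passenger_t); with no labeled executable the transition would never fire and the helper would keep running in httpd_t. Add an entry for the passenger helper binary such as `<PATH-TO-PASSENGER-HELPER> -- gen_context(system_u:object_r:httpd_passenger_exec_t,s0)`, with the real install path substituted. httpd_passenger_rw_content_t likewise has no file context here and no labeling interface in mod_passanger.if, so nothing can currently carry that label and the rw_*_pattern rules in the .te file have no effect. The empty first line ahead of the /var/lib/passenger entry can be dropped.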
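Review bot: The interface file holds only the `##` summary line and declares no interfaces, so no other module can be granted a transition to httpd_passenger_t, read access to httpd_passenger_var_lib_t, or the ability to label files httpd_passenger_rw_content_t; everything is hard-wired to httpd_t in the .te file. If the summary text after `##` was lost in rendering, disregard that part, but a `## <summary>policy for mod_passenger</summary>` header is the minimum a module file should carry. An interface covering the var_lib and rw_content types would be needed before anything besides httpd_t can use this policy.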
@@ -0,0 +1,72 @@
+
+policy_module(mod_passanger,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type httpd_passenger_t;
+type httpd_passenger_exec_t;
+domain_type(httpd_passenger_t)
+domain_entry_file(httpd_passenger_t, httpd_passenger_exec_t)
+role system_r types httpd_passenger_t;
+
+type httpd_passenger_tmp_t;
+files_tmp_file(httpd_passenger_tmp_t)
+
+type httpd_passenger_var_lib_t;
+files_type(httpd_passenger_var_lib_t)
+
+type httpd_passenger_rw_content_t;
+files_type(httpd_passenger_rw_content_t)
+
+permissive httpd_passenger_t;
+
+require{
+	type httpd_t;
+	type httpd_sys_content_t;
+	type httpd_log_t;
+}
+
+domtrans_pattern(httpd_t, httpd_passenger_exec_t, httpd_passenger_t)
+allow httpd_t httpd_passenger_t:unix_stream_socket shutdown;
+
+########################################
+#
+# Apache mod_passanger local policy
+#
+
+allow httpd_passenger_t self:capability { setuid fowner chown fsetid setgid };
+allow httpd_passenger_t self:process signal;
+
+allow httpd_passenger_t self:fifo_file rw_fifo_file_perms;
+allow httpd_passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+# allow passenger to read and append to apache logfiles
+allow httpd_passenger_t httpd_log_t:file { append_file_perms };
+
+read_files_pattern(httpd_passenger_t, httpd_sys_content_t, httpd_sys_content_t)
+
+rw_dirs_pattern(httpd_passenger_t, httpd_passenger_rw_content_t, httpd_passenger_rw_content_t)
+rw_files_pattern(httpd_passenger_t, httpd_passenger_rw_content_t, httpd_passenger_rw_content_t)
+
+manage_fifo_files_pattern(httpd_passenger_t, httpd_passenger_tmp_t, httpd_passenger_tmp_t)
+manage_sock_files_pattern(httpd_passenger_t, httpd_passenger_tmp_t, httpd_passenger_tmp_t)
+manage_dirs_pattern(httpd_passenger_t, httpd_passenger_tmp_t, httpd_passenger_tmp_t)
+manage_files_pattern(httpd_passenger_t, httpd_passenger_tmp_t, httpd_passenger_tmp_t)
+files_tmp_filetrans(httpd_passenger_t, httpd_passenger_tmp_t, { file dir fifo_file sock_file })
+
+manage_dirs_pattern(httpd_passenger_t, httpd_passenger_var_lib_t, httpd_passenger_var_lib_t)
+manage_files_pattern(httpd_passenger_t, httpd_passenger_var_lib_t, httpd_passenger_var_lib_t)
+
+kernel_read_kernel_sysctls(httpd_passenger_t)
+
+corecmd_exec_bin(httpd_passenger_t)
+
+dev_read_urand(httpd_passenger_t)
+
+files_read_etc_files(httpd_passenger_t)
+
+miscfiles_read_localization(httpd_passenger_t)
+
-- 
cgit
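Review bot: The comment above the httpd_log_t rule says passenger may "read and append to apache logfiles", but `append_file_perms` grants no read permission, so comment and rule disagree; append-only is the better least-privilege choice for log files, so make the comment match: `# allow passenger to append to apache logfiles` (the braces around the single macro can go too). `permissive httpd_passenger_t;` means every denial in this domain is audited but never blocked, so none of the allow rules below has been exercised in enforcing mode; that fits the "test policy" in the subject, but the line must be removed before the module is relied on to confine anything. The module name in `policy_module(mod_passanger,1.0)` and the three file names spell "passanger" while every type name and the subject use "passenger"; since semodule stores the module under the policy_module name, fixing the spelling now avoids renaming the installed module later.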