From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id CD4AA1392EF for ; Sat, 21 Jun 2014 18:36:44 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 98033E07F1; Sat, 21 Jun 2014 18:36:43 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 2CA70E07F1 for ; Sat, 21 Jun 2014 18:36:43 +0000 (UTC) Received: from spoonbill.gentoo.org (spoonbill.gentoo.org [81.93.255.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 4A9E033FDBE for ; Sat, 21 Jun 2014 18:36:42 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by spoonbill.gentoo.org (Postfix) with ESMTP id 08E6218D35 for ; Sat, 21 Jun 2014 18:36:41 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1403375744.0a38de932f0c01b5d7850f72437215fa50dc97d7.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/apache.fc policy/modules/contrib/apache.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 0a38de932f0c01b5d7850f72437215fa50dc97d7 X-VCS-Branch: master Date: Sat, 21 Jun 2014 18:36:41 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 185f0eb7-f6fb-40a8-8ea4-ad5c545ad475 X-Archives-Hash: e94888b25d39cdfc3fbbaae4c4f586ba commit: 0a38de932f0c01b5d7850f72437215fa50dc97d7 Author: Sven Vermeulen siphos be> AuthorDate: Sat Jun 21 18:35:44 2014 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Sat Jun 21 18:35:44 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0a38de93 Fix bug #513362 - Support hiawatha within httpd_t domain --- policy/modules/contrib/apache.fc | 15 +++++++++++++++ policy/modules/contrib/apache.te | 17 +++++++++++++++-- 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc index ff4abce..ab4a625 100644 --- a/policy/modules/contrib/apache.fc +++ b/policy/modules/contrib/apache.fc 
@@ -166,4 +166,19 @@ ifdef(`distro_suse',` ifdef(`distro_gentoo',` /usr/share/build-1/libtool -- gen_context(system_u:object_r:bin_t,s0) + +# Support for Hiawatha bug 513362 +/etc/hiawatha(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) + +/etc/rc\.d/init\.d/hiawatha -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) + +/usr/bin/ssi-cgi -- gen_context(system_u:object_r:httpd_exec_t,s0) + +/usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0) + +/var/lib/hiawatha(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + +/var/log/hiawatha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ') diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te index 4faa22c..c4264c4 100644 --- a/policy/modules/contrib/apache.te +++ b/policy/modules/contrib/apache.te @@ -1427,6 +1427,19 @@ optional_policy(` ') ifdef(`distro_gentoo',` - init_daemon_run_dir(httpd_var_run_t, "apache_ssl_mutex") - init_daemon_run_dir(httpd_var_run_t, "apache2") +## +##

+## Enable specific permissions for the Hiawatha web server +##

+##
+gen_tunable(hiawatha_httpd, false) + +init_daemon_run_dir(httpd_var_run_t, "apache_ssl_mutex") +init_daemon_run_dir(httpd_var_run_t, "apache2") + +tunable_policy(`hiawatha_httpd',` + # bug 513362 + allow httpd_t self:capability fowner; +') + ')
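Review bot: in the apache.fc hunk, the only explanation for the new entries is the comment "# Support for Hiawatha bug 513362", yet the block labels three helper binaries (/usr/bin/ssi-cgi, /usr/sbin/cgi-wrapper, /usr/sbin/wigwam) with httpd_exec_t in addition to /usr/sbin/hiawatha itself. Since httpd_exec_t is the entrypoint type for httpd_t, please confirm each helper is actually meant to execute in httpd_t rather than merely be executable from it, and extend the comment to say what each helper is, so the next person touching the Gentoo block does not have to open the bug to find out why a CGI wrapper and a checker binary share the daemon's exec type.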
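Review bot: in the apache.te hunk, `allow httpd_t self:capability fowner;` is justified only by the inline "# bug 513362" and a tunable description that says "Enable specific permissions for the Hiawatha web server". CAP_FOWNER is a broad capability (it waives the owner check for operations such as chmod and utime on any file the domain can already reach), so the description and the comment should name the concrete operation Hiawatha performs that triggers it; that lets a reviewer judge whether the capability, rather than a narrower file rule, is the right fix. Two smaller points: refpolicy keeps gen_tunable() declarations in the declarations section at the top of the .te file rather than inside the distro_gentoo block near the end, so consider moving it; and the two init_daemon_run_dir() lines are deleted and re-added unchanged below the new declaration, which is a pure reorder and fine as is. The tunable defaults to false, so the capability stays off unless an administrator enables it, which is the right default.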