commit: 3962c65a06ae9026ea3746c8603f39a828a5a9aa |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Thu Apr 20 15:07:37 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Apr 30 14:17:44 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3962c65a |
|
rpc_* interfaces should be wrapped by optional_policy() |
|
The rpc module is not a core module. As such, calls towards rpc_* |
interfaces should be wrapped with optional_policy(). |
|
Changes since v2: |
- Wrapped other calls towards rpc_* within apache.te |
|
Changes since v1: |
- Fixed wrong quotation mark |
|
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
|
policy/modules/contrib/apache.te | 30 ++++++++++++++++++------------ |
1 file changed, 18 insertions(+), 12 deletions(-) |
|
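diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index b418338c..ce6479e8 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -745,10 +745,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
 fs_exec_fusefs_files(httpd_t)
 ')
 
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1070,10 +1072,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
 fs_exec_fusefs_files(httpd_suexec_t)
 ')
 
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1307,10 +1311,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
 fs_exec_fusefs_files(httpd_sys_script_t)
 ')
 
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`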
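Review bot: The `rpc_manage_nfs_rw_content(httpd_t)` and `rpc_read_nfs_content(httpd_t)` lines in the second and third hunks (at -1070 and -1307) still name `httpd_t`, although the `fs_list_auto_mountpoints` call beside them names `httpd_suexec_t` and `httpd_sys_script_t`. This looks like a carried-over copy-paste: with `httpd_use_nfs` enabled those two domains would get no rpc_* access from these blocks, while `httpd_t` receives the same grant three times. If that is not intended, the calls should read `rpc_manage_nfs_rw_content(httpd_suexec_t)` and `rpc_read_nfs_content(httpd_suexec_t)`, with the `httpd_sys_script_t` equivalents in the third hunk. Separately, all three hunks also move `fs_list_auto_mountpoints`, which is not an rpc_* interface, inside `optional_policy()`, so a policy built without the rpc module would lose that grant from the tunable too. Keeping that call in its own `tunable_policy` block outside the optional wrapper would preserve the previous behaviour.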