Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Sun, 30 Apr 2017 14:20:19
Message-Id: 1493561864.3962c65a06ae9026ea3746c8603f39a828a5a9aa.perfinion@gentoo
1 commit: 3962c65a06ae9026ea3746c8603f39a828a5a9aa
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Thu Apr 20 15:07:37 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sun Apr 30 14:17:44 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3962c65a
7
8 rpc_* interfaces should be wrapped by optional_policy()
9
10 The rpc module is not a core module. As such, calls towards rpc_*
11 interfaces should be wrapped with optional_policy().
12
13 Changes since v2:
14 - Wrapped other calls towards rpc_* within apache.te
15
16 Changes since v1:
17 - Fixed wrong quotation mark
18
19 Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
20
21 policy/modules/contrib/apache.te | 30 ++++++++++++++++++------------
22 1 file changed, 18 insertions(+), 12 deletions(-)
23
24 diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
25 index b418338c..ce6479e8 100644
26 --- a/policy/modules/contrib/apache.te
27 +++ b/policy/modules/contrib/apache.te
28 @@ -745,10 +745,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
29 fs_exec_fusefs_files(httpd_t)
30 ')
31
32 -tunable_policy(`httpd_use_nfs',`
33 - fs_list_auto_mountpoints(httpd_t)
34 - rpc_manage_nfs_rw_content(httpd_t)
35 - rpc_read_nfs_content(httpd_t)
36 +optional_policy(`
37 + tunable_policy(`httpd_use_nfs',`
38 + fs_list_auto_mountpoints(httpd_t)
39 + rpc_manage_nfs_rw_content(httpd_t)
40 + rpc_read_nfs_content(httpd_t)
41 + ')
42 ')
43
44 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
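Review bot: fs_list_auto_mountpoints(httpd_t) is an fs_* call, not an rpc_* one, yet it now sits inside the new optional_policy() block. An optional block is dropped as a whole when a module it depends on is missing, so a policy built without rpc would no longer grant the mountpoint listing under httpd_use_nfs either. If that is not intended, keep fs_list_auto_mountpoints(httpd_t) in its own tunable_policy() for httpd_use_nfs outside the optional block and wrap only rpc_manage_nfs_rw_content and rpc_read_nfs_content. The body of the trailing httpd_use_nfs && httpd_builtin_scripting block is not visible here and stays unwrapped, so it is worth confirming that it makes no rpc_* call.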
45 @@ -1070,10 +1072,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
46 fs_exec_fusefs_files(httpd_suexec_t)
47 ')
48
49 -tunable_policy(`httpd_use_nfs',`
50 - fs_list_auto_mountpoints(httpd_suexec_t)
51 - rpc_manage_nfs_rw_content(httpd_t)
52 - rpc_read_nfs_content(httpd_t)
53 +optional_policy(`
54 + tunable_policy(`httpd_use_nfs',`
55 + fs_list_auto_mountpoints(httpd_suexec_t)
56 + rpc_manage_nfs_rw_content(httpd_t)
57 + rpc_read_nfs_content(httpd_t)
58 + ')
59 ')
60
61 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
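Review bot: the two rpc_* calls in the re-wrapped block still pass httpd_t, while the rest of the block, fs_list_auto_mountpoints(httpd_suexec_t) and the fs_exec_fusefs_files(httpd_suexec_t) context above it, targets httpd_suexec_t. The mismatch is carried over unchanged from the removed lines, but as written this block only repeats the httpd_t grants from the first hunk and gives httpd_suexec_t no NFS content access. If httpd_suexec_t was meant, correct the argument here or in a follow-up; otherwise a short comment explaining why httpd_t is right in this block would help.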
62 @@ -1307,10 +1311,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
63 fs_exec_fusefs_files(httpd_sys_script_t)
64 ')
65
66 -tunable_policy(`httpd_use_nfs',`
67 - fs_list_auto_mountpoints(httpd_sys_script_t)
68 - rpc_manage_nfs_rw_content(httpd_t)
69 - rpc_read_nfs_content(httpd_t)
70 +optional_policy(`
71 + tunable_policy(`httpd_use_nfs',`
72 + fs_list_auto_mountpoints(httpd_sys_script_t)
73 + rpc_manage_nfs_rw_content(httpd_t)
74 + rpc_read_nfs_content(httpd_t)
75 + ')
76 ')
77
78 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
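Review bot: rpc_manage_nfs_rw_content(httpd_t) and rpc_read_nfs_content(httpd_t) in this block do not match the domain used by the surrounding lines, fs_list_auto_mountpoints(httpd_sys_script_t) and fs_exec_fusefs_files(httpd_sys_script_t). The removed lines had the same arguments, so the patch preserves existing behaviour, but the result is a third identical pair of httpd_t grants and no NFS content access for httpd_sys_script_t. Please confirm which domain is intended and either change the argument or note in the commit message that the httpd_t arguments are left as they were on purpose.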