| 1 |
commit: 8eeb1e0ecc08f34090e3614cbbafa37cfe523833 |
| 2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
| 3 |
AuthorDate: Wed Oct 31 09:47:09 2012 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Wed Oct 31 18:04:37 2012 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8eeb1e0e |
| 7 |
|
| 8 |
Changes to the webadm policy modules |
| 9 |
|
| 10 |
Module clean up |
| 11 |
There should not be generic web lock files |
| 12 |
|
| 13 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
| 14 |
|
| 15 |
--- |
| 16 |
policy/modules/contrib/webadm.if | 2 +- |
| 17 |
policy/modules/contrib/webadm.te | 22 ++++++++++++---------- |
| 18 |
2 files changed, 13 insertions(+), 11 deletions(-) |
| 19 |
|
| 20 |
diff --git a/policy/modules/contrib/webadm.if b/policy/modules/contrib/webadm.if |
| 21 |
index cc34f8b..e1a7350 100644 |
| 22 |
--- a/policy/modules/contrib/webadm.if |
| 23 |
+++ b/policy/modules/contrib/webadm.if |
| 24 |
@@ -1,4 +1,4 @@ |
| 25 |
-## <summary>Web administrator role</summary> |
| 26 |
+## <summary>Web administrator role.</summary> |
| 27 |
|
| 28 |
######################################## |
| 29 |
## <summary> |
| 30 |
|
| 31 |
diff --git a/policy/modules/contrib/webadm.te b/policy/modules/contrib/webadm.te |
| 32 |
index 0ecc786..708254f 100644 |
| 33 |
--- a/policy/modules/contrib/webadm.te |
| 34 |
+++ b/policy/modules/contrib/webadm.te |
| 35 |
@@ -1,4 +1,4 @@ |
| 36 |
-policy_module(webadm, 1.1.0) |
| 37 |
+policy_module(webadm, 1.1.1) |
| 38 |
|
| 39 |
######################################## |
| 40 |
# |
| 41 |
@@ -6,16 +6,18 @@ policy_module(webadm, 1.1.0) |
| 42 |
# |
| 43 |
|
| 44 |
## <desc> |
| 45 |
-## <p> |
| 46 |
-## Allow webadm to manage files in users home directories |
| 47 |
-## </p> |
| 48 |
+## <p> |
| 49 |
+## Determine whether webadm can |
| 50 |
+## manage generic user files. |
| 51 |
+## </p> |
| 52 |
## </desc> |
| 53 |
gen_tunable(webadm_manage_user_files, false) |
| 54 |
|
| 55 |
## <desc> |
| 56 |
-## <p> |
| 57 |
-## Allow webadm to read files in users home directories |
| 58 |
-## </p> |
| 59 |
+## <p> |
| 60 |
+## Determine whether webadm can |
| 61 |
+## read generic user files. |
| 62 |
+## </p> |
| 63 |
## </desc> |
| 64 |
gen_tunable(webadm_read_user_files, false) |
| 65 |
|
| 66 |
@@ -25,18 +27,18 @@ userdom_base_user_template(webadm) |
| 67 |
|
| 68 |
######################################## |
| 69 |
# |
| 70 |
-# webadmin local policy |
| 71 |
+# Local policy |
| 72 |
# |
| 73 |
|
| 74 |
-allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; |
| 75 |
+allow webadm_t self:capability { dac_override dac_read_search kill sys_nice }; |
| 76 |
|
| 77 |
files_dontaudit_search_all_dirs(webadm_t) |
| 78 |
-files_manage_generic_locks(webadm_t) |
| 79 |
files_list_var(webadm_t) |
| 80 |
|
| 81 |
selinux_get_enforce_mode(webadm_t) |
| 82 |
seutil_domtrans_setfiles(webadm_t) |
| 83 |
|
| 84 |
+logging_send_audit_msgs(webadm_t) |
| 85 |
logging_send_syslog_msg(webadm_t) |
| 86 |
|
| 87 |
userdom_dontaudit_search_user_home_dirs(webadm_t) |
Archives