From b11ba46f3809127ed4af1fc300aa6d8f795434d4 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Sep 17 2010 12:32:47 +0000
Subject: Use entry_file as entry_point to domain transition. Squash with e9f4178aa052c15ac7919a06e0c226b846ef7c7b Duplicate TE rule.
---
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 2244b11..a06a8dd 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -50,8 +50,6 @@ template(`apache_content_template',`
 read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
- domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-
 allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
 allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
@@ -132,6 +130,8 @@ template(`apache_content_template',`
 tunable_policy(`httpd_enable_cgi',`
 allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
+ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+
 # privileged users run the script:
 domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index a6f4e2a..509a71a 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -946,10 +946,6 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',`
 manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
 ')
-tunable_policy(`httpd_enable_cgi',`
-tunable_policy_placeholder_never_emitted