diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index 6542902..6067b85 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -106,8 +106,8 @@ sysnet_etc_filetrans_config(vpnc_t)
 sysnet_manage_config(vpnc_t)
 
 userdom_use_all_users_fds(vpnc_t)
-userdom_dontaudit_search_user_home_content(vpnc_t)
 userdom_read_home_certs(vpnc_t)
+userdom_search_admin_dir(vpnc_t)
 
 optional_policy(`
 dbus_system_bus_client(vpnc_t)
diff --git a/policy/modules/apps/mediawiki.fc b/policy/modules/apps/mediawiki.fc
new file mode 100644
index 0000000..bf872ef
--- /dev/null
+++ b/policy/modules/apps/mediawiki.fc
@@ -0,0 +1,10 @@
+
+/usr/lib(64)?/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+/usr/lib(64)?/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+/usr/lib(64)?/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+
+/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
+
+/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
+
+/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
diff --git a/policy/modules/apps/mediawiki.if b/policy/modules/apps/mediawiki.if
new file mode 100644
index 0000000..1c1d012
--- /dev/null
+++ b/policy/modules/apps/mediawiki.if
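Review bot: Removing `userdom_dontaudit_search_user_home_content(vpnc_t)` while keeping `userdom_read_home_certs(vpnc_t)` presumably relies on the certs interface already granting search on user home directories; if it does not, the search denials the dontaudit used to silence will reappear in the audit log, so that should be confirmed before the dontaudit goes. The added `userdom_search_admin_dir(vpnc_t)` only grants directory search on the admin home directory, which is a small widening of a root daemon's reach but does not by itself allow reading anything there, so if the motivation is certificates or configs kept under the admin home a read rule is still missing. Neither line carries a comment; a one-liner naming the denied access it addresses would help, e.g. `# search admin home dir: <fill in the denied path from the audit record>`.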
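Review bot: `/var/www/wiki(/.*)?` labels the entire wiki document root `httpd_mediawiki_rw_content_t`, so everything under it except files matching `\.php` is writable by the script domain (and, if the apache content template follows its usual pattern, by httpd_t as well), and any file a script creates there inherits the writable type. MediaWiki only needs write access to its upload and cache directories, so restricting the rw label to those and leaving the rest as `httpd_mediawiki_content_t` would stop a compromised script from dropping new files alongside the served content. Separately, `texvc_tes` on the third line looks truncated — the Math extension's helper is, as far as I know, named `texvc_test` — so that entry would match nothing; confirm against the installed files.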
@@ -0,0 +1,40 @@
+## Mediawiki policy
+
+#######################################
+##
+## Allow the specified domain to read
+## mediawiki tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mediawiki_read_tmp_files',`
+ gen_require(`
+ type httpd_mediawiki_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+ read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+')
+
+#######################################
+##
+## Delete mediawiki tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mediawiki_delete_tmp_files',`
+ gen_require(`
+ type httpd_mediawiki_tmp_t;
+ ')
+
+ delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+')
diff --git a/policy/modules/apps/mediawiki.te b/policy/modules/apps/mediawiki.te
new file mode 100644
index 0000000..b7f569d
--- /dev/null
+++ b/policy/modules/apps/mediawiki.te
@@ -0,0 +1,35 @@
+
+policy_module(mediawiki, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(mediawiki)
+
+type httpd_mediawiki_tmp_t;
+files_tmp_file(httpd_mediawiki_tmp_t)
+
+permissive httpd_mediawiki_script_t;
+
+########################################
+#
+# mediawiki local policy
+#
+
+manage_dirs_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+manage_files_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+manage_lnk_files_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+files_tmp_filetrans(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, { file dir lnk_file })
+
+files_search_var_lib(httpd_mediawiki_script_t)
+
+userdom_read_user_tmp_files(httpd_mediawiki_script_t)
+
+miscfiles_read_tetex_data(httpd_mediawiki_script_t)
+
+optional_policy(`
+ apache_dontaudit_rw_tmp_files(httpd_mediawiki_script_t)
+')
+
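Review bot: `mediawiki_delete_tmp_files` omits `files_search_tmp($1)` and has no `delete_lnk_files_pattern`, so a caller using only this interface cannot traverse the tmp directory to reach the files, and the symlinks the script domain is allowed to create in `httpd_mediawiki_tmp_t` (the `lnk_file` rules in mediawiki.te) would be left behind; add `files_search_tmp($1)` and `delete_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)` next to the existing `delete_files_pattern` line, mirroring the read interface above it. The doc blocks show up here as bare `##` lines, presumably because the `<summary>`/`<param>` XML was stripped on display; whichever way, the summaries should say what these tmp files are, since the type name alone does not.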
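Review bot: `permissive httpd_mediawiki_script_t;` disables enforcement for the new domain, so every rule below it is advisory and denials are logged but not blocked; that is acceptable while the domain is being characterised, but it must not ship in a release and the line should be marked as temporary, e.g. `# TODO: remove once the script domain's accesses are known`. `apache_dontaudit_rw_tmp_files` is wrapped in `optional_policy` although the module already depends on apache unconditionally through `apache_content_template(mediawiki)`, so the wrapper is inconsistent and can be dropped. `userdom_read_user_tmp_files(httpd_mediawiki_script_t)` lets a web-facing script domain read every user's tmp files; if it is only there to quiet a denial seen during testing, a comment naming that case would help justify it, and a dontaudit may be the more appropriate choice.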
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 46af2a4..217bd0d 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -273,6 +273,7 @@ ifdef(`distro_gentoo',`
 /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texmf/texconfig/tcfmgr -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 1a47bdc..410ff39 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -719,6 +719,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+ mediawiki_read_tmp_files(httpd_t)
+ mediawiki_delete_tmp_files(httpd_t)
+')
+
+optional_policy(`
 # Allow httpd to work with mysql
 mysql_read_config(httpd_t)
 mysql_stream_connect(httpd_t)
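Review bot: The new `tcfmgr` entry is not tied to anything visible in this commit: nothing in mediawiki.te grants `httpd_mediawiki_script_t` execution of `bin_t`, so if the label exists for texvc's sake the consumer still needs `corecmd_exec_bin` or the equivalent from the apache content template (those rules are outside this diff, so this is inferred). Labeling a file under `/usr/share` as `bin_t` also makes it executable by every domain permitted to run system binaries, which the commit message should state.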
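Review bot: The new block grants `httpd_t` itself read and delete on `httpd_mediawiki_tmp_t`, even though the script domain already manages those files; unlike the following `# Allow httpd to work with mysql` block it carries no comment, so add one stating why httpd rather than the script domain must touch these files, e.g. `# Allow httpd to read and clean up mediawiki tmp files`. Note that `mediawiki_delete_tmp_files` as added in mediawiki.if does not grant search on the tmp directory, so the delete permission here only works because `mediawiki_read_tmp_files` on the line above happens to supply it.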