diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 74d94fb..c40c2ab 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -523,6 +523,11 @@ tunable_policy(`httpd_can_network_connect',` corenet_tcp_connect_all_ports(httpd_t) ') +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mssql_port(httpd_t) + corenet_sendrecv_mssql_client_packets(httpd_t) +') + tunable_policy(`httpd_can_network_memcache',` corenet_tcp_connect_memcache_port(httpd_t) ') @@ -742,7 +747,6 @@ optional_policy(` tunable_policy(`httpd_can_network_connect_db',` postgresql_tcp_connect(httpd_t) - postgresql_tcp_connect(httpd_sys_script_t) ') ') @@ -827,28 +831,27 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` - corenet_tcp_connect_mysqld_port(httpd_t) - corenet_sendrecv_mysqld_client_packets(httpd_t) - corenet_tcp_connect_mysqld_port(httpd_sys_script_t) - corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) - corenet_tcp_connect_mysqld_port(httpd_suexec_t) - corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) - - corenet_tcp_connect_mssql_port(httpd_t) - corenet_sendrecv_mssql_client_packets(httpd_t) - corenet_tcp_connect_mssql_port(httpd_sys_script_t) - corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) - corenet_tcp_connect_mssql_port(httpd_suexec_t) - corenet_sendrecv_mssql_client_packets(httpd_suexec_t) + corenet_tcp_connect_mssql_port(httpd_php_t) + corenet_sendrecv_mssql_client_packets(httpd_php_t) ') optional_policy(` mysql_stream_connect(httpd_php_t) + mysql_rw_db_sockets(httpd_php_t) mysql_read_config(httpd_php_t) + + tunable_policy(`httpd_can_network_connect_db',` + mysql_tcp_connect(httpd_php_t) + ') ') optional_policy(` postgresql_stream_connect(httpd_php_t) + postgresql_unpriv_client(httpd_php_t) + + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_php_t) + ') ') ######################################## @@ -914,6 +917,11 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mssql_port(httpd_suexec_t) + corenet_sendrecv_mssql_client_packets(httpd_suexec_t) +') + read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t) read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t) read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t) @@ -959,6 +967,19 @@ optional_policy(` mysql_stream_connect(httpd_suexec_t) mysql_rw_db_sockets(httpd_suexec_t) mysql_read_config(httpd_suexec_t) + + tunable_policy(`httpd_can_network_connect_db',` + mysql_tcp_connect(httpd_suexec_t) + ') +') + +optional_policy(` + postgresql_stream_connect(httpd_suexec_t) + postgresql_unpriv_client(httpd_suexec_t) + + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_suexec_t) + ') ') ######################################## @@ -1009,6 +1030,11 @@ fs_cifs_entry_type(httpd_sys_script_t) fs_read_iso9660_files(httpd_sys_script_t) fs_nfs_entry_type(httpd_sys_script_t) +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mssql_port(httpd_sys_script_t) + corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) +') + tunable_policy(`httpd_use_nfs',` fs_manage_nfs_dirs(httpd_sys_script_t) fs_manage_nfs_files(httpd_sys_script_t) @@ -1075,10 +1101,19 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) mysql_read_config(httpd_sys_script_t) + + tunable_policy(`httpd_can_network_connect_db',` + mysql_tcp_connect(httpd_sys_script_t) + ') ') optional_policy(` postgresql_stream_connect(httpd_sys_script_t) + postgresql_unpriv_client(httpd_sys_script_t) + + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_sys_script_t) + ') ') ########################################