diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 2b57eda..f43158e 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -940,6 +940,23 @@ interface(`dev_rw_cpu_microcode',`
########################################
##
+## Read and write the the hardware SSL accelerator.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_rw_crypto',`
+ gen_require(`
+ type device_t, crypt_device_t;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 crypt_device_t:chr_file rw_file_perms;
+')
+
+########################################
+##
## Getattr the agp devices.
##
##
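Review bot: The summary of the new dev_rw_crypto interface has a doubled word, `## Read and write the the hardware SSL accelerator.`; it should read `## Read and write the hardware SSL accelerator.`. Note also that the interface grants `device_t:dir r_dir_perms` in addition to the `crypt_device_t:chr_file rw_file_perms` rule, so it is slightly wider than the bare chr_file allow it replaces for httpd_t in apache.te; that appears to match how the other dev_* interfaces in this file are shaped, but any caller that did not already have /dev directory read access picks it up here.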
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 4f41c3e..155c9a3 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -302,9 +302,6 @@ template(`apache_per_userdomain_template', `
interface(`apache_domtrans',`
gen_require(`
type httpd_t, httpd_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
')
corecmd_search_sbin($1)
@@ -386,20 +383,51 @@ interface(`apache_read_config',`
########################################
##
-## Allow the specified domain to list
-## the contents of the apache modules
-## directory.
+## Execute the Apache helper program with
+## a domain transition.
##
##
## Domain allowed access.
##
#
-interface(`apache_list_modules',`
+interface(`apache_domtrans_helper',`
gen_require(`
- type httpd_modules_t;
+ type httpd_helper_t, httpd_helper_exec_t;
')
- allow $1 httpd_modules_t:dir r_dir_perms;
+ corecmd_search_sbin($1)
+ domain_auto_trans($1,httpd_helper_exec_t,httpd_helper_t)
+
+ allow $1 httpd_helper_t:fd use;
+ allow httpd_helper_t $1:fd use;
+ allow httpd_helper_t $1:fifo_file rw_file_perms;
+ allow httpd_helper_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute the Apache helper program with
+## a domain transition, and allow the
+## specified role the dmidecode domain.
+##
+##
+## Domain allowed access.
+##
+##
+## The role to be allowed the dmidecode domain.
+##
+##
+## The type of the terminal allow the dmidecode domain to use.
+##
+#
+interface(`apache_run_helper',`
+ gen_require(`
+ type httpd_helper_t;
+ ')
+
+ apache_domtrans_helper($1)
+ role $2 types httpd_helper_t;
+ allow httpd_helper_t $3:chr_file rw_term_perms;
')
########################################
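Review bot: The documentation for apache_run_helper still describes the dmidecode domain in three places (`## specified role the dmidecode domain.`, `## The role to be allowed the dmidecode domain.`, `## The type of the terminal allow the dmidecode domain to use.`), which looks copied from another module and will mislead anyone reading the generated interface docs. They should name the Apache helper domain instead, e.g. `## specified role the Apache helper domain.`, `## The role to be allowed the Apache helper domain.` and `## The type of the terminal allow the Apache helper domain to use.`. The rest of the interface (role assignment plus `rw_term_perms` on the terminal type) matches what its summary promises.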
@@ -418,3 +446,48 @@ interface(`apache_dontaudit_append_log',`
dontaudit $1 httpd_log_t:file append;
')
+
+########################################
+##
+## Allow the specified domain to list
+## the contents of the apache modules
+## directory.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`apache_list_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ allow $1 httpd_modules_t:dir r_dir_perms;
+')
+
+########################################
+##
+## Execute all web scripts in the system
+## script domain.
+##
+##
+## Domain allowed access.
+##
+#
+# cjp: this interface specifically added to allow
+# sysadm_t to run scripts
+interface(`apache_domtrans_sys_script',`
+ gen_require(`
+ attribute httpdcontent;
+ type httpd_sys_script_t;
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ domain_auto_trans($1, httpdcontent, httpd_sys_script_t)
+
+ allow $1 httpd_sys_script_t:fd use;
+ allow httpd_sys_script_t $1:fd use;
+ allow httpd_sys_script_t $1:fifo_file rw_file_perms;
+ allow httpd_sys_script_t $1:process sigchld;
+ ')
+')
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index e96d8c9..0e4c007 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -77,6 +77,9 @@ domain_entry_file(httpd_suexec_t,httpd_suexec_exec_t)
type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)
+# setup the system domain for system CGI scripts
+apache_content_template(sys)
+
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
@@ -110,6 +113,11 @@ ifdef(`distro_redhat',`
typealias httpd_log_t alias httpd_runtime_t;
')
+ifdef(`targeted_policy',`
+ typealias httpd_sys_content_t alias httpd_user_content_t;
+ typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
+')
+
########################################
#
# Apache server local policy
@@ -154,6 +162,9 @@ files_create_lock(httpd_t,httpd_lock_t)
allow httpd_t httpd_log_t:dir { setattr rw_dir_perms };
allow httpd_t httpd_log_t:file { create ra_file_perms };
allow httpd_t httpd_log_t:lnk_file read;
+# cjp: need to refine create interfaces to
+# cut this back to add_name only
+logging_create_log(httpd_t,httpd_log_t)
allow httpd_t httpd_modules_t:file rx_file_perms;
allow httpd_t httpd_modules_t:dir r_dir_perms;
@@ -208,6 +219,7 @@ corenet_tcp_bind_http_cache_port(httpd_t)
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
dev_read_urand(httpd_t)
+dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -371,40 +383,23 @@ optional_policy(`rhgb.te',`
rhgb_domain(httpd_t)
')
-allow httpd_t var_log_t:dir ra_dir_perms;
-type_transition httpd_t var_log_t:file httpd_log_t;
-
can_tcp_connect(web_client_domain, httpd_t)
-allow httpd_t crypt_device_t:chr_file rw_file_perms;
-
allow httpd_t home_root_t:dir getattr;
-
dontaudit httpd_t sysadm_home_dir_t:dir getattr;
+allow httpd_sys_script_t var_spool_t:dir getattr;
optional_policy(`mysql.te',`
allow httpd_t mysqld_db_t:dir search;
allow httpd_t mysqld_db_t:sock_file rw_file_perms;
')
-ifdef(`snmpd.te', `
- dontaudit httpd_t snmpd_var_lib_t:dir search;
- dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
-', `
- dontaudit httpd_t usr_t:dir write;
-')
-
-allow httpd_sys_script_t var_spool_t:dir getattr;
-
optional_policy(`mysql.te',`
allow httpd_sys_script_t mysqld_db_t:dir search;
allow httpd_sys_script_t mysqld_db_t:sock_file rw_file_perms;
')
-ifdef(`targeted_policy', `
- typealias httpd_sys_content_t alias httpd_user_content_t;
- typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
-
+ifdef(`targeted_policy',`
if (httpd_enable_homedirs) {
allow httpd_t user_home_dir_t:dir { getattr search };
}
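Review bot: The removed snmpd block drops `dontaudit httpd_t snmpd_var_lib_t:dir search;`, the matching file dontaudit and the fallback `dontaudit httpd_t usr_t:dir write;` with no replacement anywhere in this hunk, so those accesses will now show up as audited denials on systems where they occur. If the intent is to stop suppressing them that is reasonable, but it deserves a line in the commit message; if not, the snmpd rules belong in an optional_policy block that goes through an snmpd-provided interface rather than naming snmpd types directly from this module.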
@@ -416,15 +411,6 @@ ifdef(`targeted_policy', `
}
')
-# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
-typealias httpd_sys_content_t alias httpd_sysadm_content_t;
-
-tunable_policy(`httpd_enable_cgi && httpd_unified',`
- ifdef(`targeted_policy', `', `
- domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
- ')
-')
-
optional_policy(`mta.te',`
# apache should set close-on-exec
dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
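Review bot: The sysadm_t transition into httpd_sys_script_t removed here is not re-established anywhere in this diff: its replacement, apache_domtrans_sys_script, only appears in the userdomain.te hunk as the commented-out line `#apache_domtrans_sys_script(sysadm_t)`, so non-targeted builds lose the sysadm_t CGI transition after this commit. If that is intended the commit message should say so; otherwise the userdomain.te call should be enabled, bearing in mind that the new interface does not carry the targeted_policy exclusion the old tunable_policy block had. Separately, `typealias httpd_sys_content_t alias httpd_sysadm_content_t;` is removed together with the comment explaining it was kept for file contexts, and no .fc change is part of this diff, so any file_contexts entry still naming httpd_sysadm_content_t would presumably fail to resolve — worth confirming before merging.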
@@ -452,10 +438,6 @@ allow httpd_helper_t httpd_log_t:file append;
libs_use_ld_so(httpd_helper_t)
libs_use_shared_libs(httpd_helper_t)
-# a "run" interface needs to be
-# added, and have sysadm_t use it
-# in a optional_policy block. for httpd_helper_t
-
########################################
#
# Apache PHP script local policy
@@ -612,9 +594,6 @@ optional_policy(`nis.te',`
# Apache system script local policy
#
-# setup the system domain for system CGI scripts
-apache_content_template(sys)
-
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
dontaudit httpd_sys_script_t httpd_config_t:dir search;
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 2e42d4f..cc80db1 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -120,6 +120,12 @@ ifdef(`targeted_policy',`
domain_ptrace_all_domains(sysadm_t)
')
+ optional_policy(`apache.te',`
+ apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
+ # cjp: why is this not run
+ #apache_domtrans_sys_script(sysadm_t)
+ ')
+
optional_policy(`apm.te',`
# cjp: why is this not apm_run_client
apm_domtrans_client(sysadm_t)