diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index a11c412..87445c7 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -201,14 +201,10 @@ template(`apache_content_template',`
  corenet_non_ipsec_sendrecv(httpd_$1_script_t)
  corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
  corenet_udp_sendrecv_all_if(httpd_$1_script_t)
- corenet_raw_sendrecv_all_if(httpd_$1_script_t)
  corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
  corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
- corenet_raw_sendrecv_all_nodes(httpd_$1_script_t)
  corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
  corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
- corenet_tcp_bind_all_nodes(httpd_$1_script_t)
- corenet_udp_bind_all_nodes(httpd_$1_script_t)
  corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
  corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
@@ -219,30 +215,19 @@ template(`apache_content_template',`
  allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
  allow httpd_$1_script_t self:udp_socket create_socket_perms;
+ corenet_non_ipsec_sendrecv(httpd_$1_script_t)
  corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
  corenet_udp_sendrecv_all_if(httpd_$1_script_t)
- corenet_raw_sendrecv_all_if(httpd_$1_script_t)
  corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
  corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
- corenet_raw_sendrecv_all_nodes(httpd_$1_script_t)
  corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
  corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
- corenet_non_ipsec_sendrecv(httpd_$1_script_t)
- corenet_tcp_bind_all_nodes(httpd_$1_script_t)
- corenet_udp_bind_all_nodes(httpd_$1_script_t)
  corenet_tcp_connect_all_ports(httpd_$1_script_t)
  sysnet_read_config(httpd_$1_script_t)
  ')
  optional_policy(`
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
- mount_send_nfs_client_request(httpd_$1_script_t)
- ')
- ')
-
-
- optional_policy(`
  mta_send_mail(httpd_$1_script_t)
  ')
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index f012917..5e7e5c1 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.3.8)
+policy_module(apache,1.3.9)
 #
 # NOTES:
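Review bot: The deleted `tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` block was the only place this template granted `mount_send_nfs_client_request(httpd_$1_script_t)`, and nothing on the new side of the hunk takes its place, so a CGI script that relied on it loses the permission with no boolean left to restore it. If the interface is being dropped as obsolete or is now covered by the retained corenet calls, that reasoning is not recorded anywhere in the diff and belongs in the commit message. The same deletion is made for httpd_suexec_t in the -653 hunk of apache.te. The enclosing tunable_policy block of this template starts outside the hunk.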
@@ -141,17 +141,11 @@ allow httpd_t self:shm create_shm_perms;
 allow httpd_t self:sem create_sem_perms;
 allow httpd_t self:msgq create_msgq_perms;
 allow httpd_t self:msg { send receive };
-allow httpd_t self:unix_dgram_socket create_socket_perms;
-allow httpd_t self:unix_stream_socket create_stream_socket_perms;
-allow httpd_t self:unix_dgram_socket sendto;
-allow httpd_t self:unix_stream_socket connectto;
+allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-allow httpd_t self:tcp_socket { acceptfrom connectto recvfrom };
-
-allow httpd_t self:tcp_socket create_stream_socket_perms;
-allow httpd_t self:udp_socket { connect };
-allow httpd_t self:tcp_socket connected_socket_perms;
-allow httpd_t self:udp_socket connected_socket_perms;
+allow httpd_t self:tcp_socket { create_stream_socket_perms acceptfrom connectto recvfrom };
+allow httpd_t self:udp_socket create_socket_perms;
 # Allow httpd_t to put files in /var/cache/httpd etc
 allow httpd_t httpd_cache_t:dir create_dir_perms;
@@ -218,15 +212,13 @@ kernel_tcp_recvfrom(httpd_t)
 # for modules that want to access /proc/meminfo
 kernel_read_system_state(httpd_t)
+corenet_non_ipsec_sendrecv(httpd_t)
 corenet_tcp_sendrecv_all_if(httpd_t)
 corenet_udp_sendrecv_all_if(httpd_t)
-corenet_raw_sendrecv_all_if(httpd_t)
 corenet_tcp_sendrecv_all_nodes(httpd_t)
 corenet_udp_sendrecv_all_nodes(httpd_t)
-corenet_raw_sendrecv_all_nodes(httpd_t)
 corenet_tcp_sendrecv_all_ports(httpd_t)
 corenet_udp_sendrecv_all_ports(httpd_t)
-corenet_non_ipsec_sendrecv(httpd_t)
 corenet_tcp_bind_all_nodes(httpd_t)
 corenet_udp_bind_all_nodes(httpd_t)
 corenet_tcp_bind_http_port(httpd_t)
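Review bot: The two merged socket rules `allow httpd_t self:tcp_socket { create_stream_socket_perms acceptfrom connectto recvfrom };` and `allow httpd_t self:udp_socket create_socket_perms;` are permission-neutral with respect to the six removed lines only if `create_stream_socket_perms` is a superset of `connected_socket_perms` and `create_socket_perms` is a superset of `connected_socket_perms` plus `connect`; that holds for the refpolicy permission-set macros as I understand them, but the hunk itself cannot show it, so a sentence in the commit message stating the consolidation grants nothing new and drops nothing would save the next reader the derivation. The peer permissions `acceptfrom connectto recvfrom` are carried into the merged tcp_socket rule, so that part is clearly preserved.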
@@ -302,23 +294,7 @@ tunable_policy(`allow_httpd_anon_write',`
 ')
 tunable_policy(`httpd_can_network_connect',`
- allow httpd_t self:tcp_socket create_socket_perms;
- allow httpd_t self:udp_socket create_socket_perms;
-
- corenet_tcp_sendrecv_all_if(httpd_t)
- corenet_udp_sendrecv_all_if(httpd_t)
- corenet_raw_sendrecv_all_if(httpd_t)
- corenet_tcp_sendrecv_all_nodes(httpd_t)
- corenet_udp_sendrecv_all_nodes(httpd_t)
- corenet_raw_sendrecv_all_nodes(httpd_t)
- corenet_tcp_sendrecv_all_ports(httpd_t)
- corenet_udp_sendrecv_all_ports(httpd_t)
- corenet_non_ipsec_sendrecv(httpd_t)
- corenet_tcp_bind_all_nodes(httpd_t)
- corenet_udp_bind_all_nodes(httpd_t)
  corenet_tcp_connect_all_ports(httpd_t)
-
- sysnet_read_config(httpd_t)
 ')
 tunable_policy(`httpd_can_network_connect_db',`
@@ -597,17 +573,13 @@ tunable_policy(`httpd_can_network_connect',`
  allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
  allow httpd_suexec_t self:udp_socket create_socket_perms;
+ corenet_non_ipsec_sendrecv(httpd_suexec_t)
  corenet_tcp_sendrecv_all_if(httpd_suexec_t)
  corenet_udp_sendrecv_all_if(httpd_suexec_t)
- corenet_raw_sendrecv_all_if(httpd_suexec_t)
  corenet_tcp_sendrecv_all_nodes(httpd_suexec_t)
  corenet_udp_sendrecv_all_nodes(httpd_suexec_t)
- corenet_raw_sendrecv_all_nodes(httpd_suexec_t)
  corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
  corenet_udp_sendrecv_all_ports(httpd_suexec_t)
- corenet_non_ipsec_sendrecv(httpd_suexec_t)
- corenet_tcp_bind_all_nodes(httpd_suexec_t)
- corenet_udp_bind_all_nodes(httpd_suexec_t)
  corenet_tcp_connect_all_ports(httpd_suexec_t)
  sysnet_read_config(httpd_suexec_t)
@@ -653,12 +625,6 @@ optional_policy(`
 ')
 optional_policy(`
- tunable_policy(`httpd_can_network_connect',`
- mount_send_nfs_client_request(httpd_suexec_t)
- ')
-')
-
-optional_policy(`
  mta_stub(httpd_suexec_t)
  # apache should set close-on-exec
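Review bot: `sysnet_read_config(httpd_t)` is removed from the `httpd_can_network_connect` tunable along with the socket and corenet rules, but unlike those, which the -141 and -218 hunks now grant to httpd_t unconditionally, nothing visible in this diff grants httpd_t `sysnet_read_config` outside the tunable. If it is not already present unconditionally elsewhere in apache.te, enabling the boolean will no longer give httpd_t access to the network configuration files that interface covers, which is a regression for name resolution on outbound connects; if it is present, a pointer to that in the commit message would settle it. The `httpd_can_network_connect_db` block at the end of the hunk continues outside it.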