Red Hat Bugzilla – Attachment 1483452 Details for
Bug 1164245
Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85
[patch]
Munin patch for rhel 7.5 apache policy
policy-contrib-apache.patch (text/plain), 23.79 KB, created by
Tuomo Soini
on 2018-09-15 07:47:46 UTC
Description:
Munin patch for rhel 7.5 apache policy
Filename:
MIME Type:
Creator:
Tuomo Soini
Created:
2018-09-15 07:47:46 UTC
Size:
23.79 KB
patch
obsolete
># uwsgi reads sysctl_net_t - this could be dontaudit but kernel doesn't have dontaudit interface
>type=AVC audit(1412665567.526:6776): avc: denied { read } for pid=28214 comm="uwsgi" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
>
># httpd_can_network_connect_db didn't cover this
>type=AVC audit(1429043191.788:39106): avc: denied { name_connect } for pid=5705 comm="uwsgi" dest=27017 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mongod_port_t:s0 tclass=tcp_socket
>
># uwsgi doesn't require this so we dontaudit this
>type=AVC msg=audit(1432646009.890:55): avc: denied { block_suspend } for pid=842 comm="uwsgi" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
>
># roundcubemail need to connect to sieve_port_t for sieve filtering
>type=AVC msg=audit(1433250636.689:61367): avc: denied { name_connect } for pid=20124 comm="php-fpm" dest=4190 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sieve_port_t:s0 tclass=tcp_socket
>
># httpd_can_network_relay didn't cover varnishd
>type=AVC msg=audit(1461088092.555:384): avc: denied { name_connect } for pid=1308 comm="nginx" dest=6081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:varnishd_port_t:s0 tclass=tcp_socket
>
># redis unix domain socket access
>type=AVC msg=audit(1461238769.297:27137): avc: denied { write } for pid=22870 comm="php-fpm" name="redis.sock" dev="tmpfs" ino=1846708 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file
>
># use of amqp
>type=AVC msg=audit(1461747474.399:3832): avc: denied { name_connect } for pid=1641 comm="php-fpm" dest=5672 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
>
># httpd can be required to read cups config for printing
>type=AVC msg=audit(1461873191.697:10069): avc: denied { read } for pid=26728 comm="php-fpm" name="ppd"
dev="dm-0" ino=1054271 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=dir
>type=AVC msg=audit(1461913441.866:16234): avc: denied { read } for pid=10909 comm="lpr" name="lpoptions" dev="dm-0" ino=537756622 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
>type=AVC msg=audit(1461913441.866:16234): avc: denied { open } for pid=10909 comm="lpr" path="/etc/cups/lpoptions" dev="dm-0" ino=537756622 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
>type=AVC msg=audit(1461913646.006:16313): avc: denied { getattr } for pid=11638 comm="lpr" path="/run/cups/cups.sock" dev="tmpfs" ino=447088 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file
>type=AVC msg=audit(1461913646.010:16314): avc: denied { write } for pid=11638 comm="lpr" name="cups.sock" dev="tmpfs" ino=447088 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file
>type=AVC msg=audit(1461913646.010:16314): avc: denied { connectto } for pid=11638 comm="lpr" path="/run/cups/cups.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
># sftp, need new boolean can_connect_ssh
>type=AVC msg=audit(1471950041.448:13574360): avc: denied { name_connect } for pid=27482 comm="php-fpm" dest=22222 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
>
># httpd_t need to be able to talk with munin via unix socket
>type=AVC msg=audit(1484815597.927:24854): avc: denied { write } for pid=1757 comm="nginx" name="munin-cgi-html.sock" dev="tmpfs" ino=14413 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:munin_var_run_t:s0 tclass=sock_file
>
># httpd_t (uwsgi) needs ptrace so enabled that for httpd_run_stickshift
>type=AVC msg=audit(1496818290.087:305756): avc: denied { ptrace }
for pid=2025 comm="uwsgi" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
>
># wordpress needs rw access to plugins and themes subdirs
>
># httpd_t needs access to dovecot configs for dovecot password hashing via doveadm
>type=AVC msg=audit(1521494802.916:1889): avc: denied { getattr } for pid=9728 comm="doveadm" path="/etc/dovecot/dovecot.conf" dev="sda3" ino=100667300 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
>type=AVC msg=audit(1521494802.916:1890): avc: denied { read } for pid=9728 comm="doveadm" name="dovecot.conf" dev="sda3" ino=100667300 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
>
>diff -up serefpolicy-contrib-3.13.1/apache.fc.apache serefpolicy-contrib-3.13.1/apache.fc
>--- serefpolicy-contrib-3.13.1/apache.fc.apache 2018-04-10 11:23:10.032468454 +0300
>+++ serefpolicy-contrib-3.13.1/apache.fc 2018-04-10 11:23:10.798347407 +0300
>@@ -6,6 +6,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
> /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> /etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
>+/etc/adiscon-loganalyzer(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /etc/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>@@ -25,6 +26,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
> /etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
>
> /etc/thttpd\.conf -- gen_context(system_u:object_r:httpd_config_t,s0)
>+/etc/uwsgi.ini -- gen_context(system_u:object_r:httpd_config_t,s0)
>+/etc/uwsgi.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
> /etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>@@ -35,8 +38,9 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
> /usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
> /usr/lib/systemd/system/thttpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
> /usr/lib/systemd/system/jetty.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
>-/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
>+/usr/lib/systemd/system/(php[0-9]+-)?php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
> /usr/lib/systemd/system/nginx.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
>+/usr/lib/systemd/system/uwsgi.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
>
> /usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
>
>@@ -47,6 +51,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
>
> /usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
> /usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
>+/usr/bin/spawn-fcgi -- gen_context(system_u:object_r:httpd_exec_t,s0)
>
> /usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
> /usr/share/joomla(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
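Review bot: `/etc/uwsgi.ini` in the @@ -25 hunk leaves the dot unescaped, so as a file-context regex it also matches any single character in that position (a constructed example: `/etc/uwsgiXini`); the neighbouring `/etc/thttpd\.conf` entry escapes it. The line should read `/etc/uwsgi\.ini -- gen_context(system_u:object_r:httpd_config_t,s0)`.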
>@@ -60,6 +65,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
> /usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
> /usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
> /usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
>+/usr/lib/uwsgi(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
>
> /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
> /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
>@@ -73,6 +79,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
> /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
> /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
> /usr/sbin/thttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
>+/usr/sbin/uwsgi -- gen_context(system_u:object_r:httpd_exec_t,s0)
>
> ifdef(`distro_suse', `
> /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
>@@ -91,6 +98,8 @@ ifdef(`distro_suse', `
> /usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> /usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> /usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>+/usr/share/wordpress/wp-content/plugins(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>+/usr/share/wordpress/wp-content/themes(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
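Review bot: The new `plugins(/.*)?` and `themes(/.*)?` entries in the @@ -91 hunk label packaged WordPress code under /usr/share as `httpd_sys_rw_content_t`, whereas the surrounding rules only make data directories (`uploads`, `upgrade`) writable and keep PHP code at `httpd_sys_script_exec_t`. Code that the web server domain may rewrite is no longer protected by the policy against a compromised process in that domain, which is exactly what the read-only labelling provides. If in-place plugin/theme installation from the admin UI is the reason, say so next to the entries, e.g. `# rw: WordPress installs/updates plugins and themes in place; code here becomes writable by httpd_t`. It is also worth checking with matchpathcon which rule wins for `.php` files under these directories, since `/usr/share/wordpress/.*\.php` three lines up still claims them — I have not verified the precedence.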
>@@ -105,10 +114,11 @@ ifdef(`distro_suse', `
> /var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> /var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> /var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
>+/var/cache/nginx(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> /var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
> /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> /var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
>-/var/cache/rt(3|4)(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
>+/var/cache/rt(3|4)?(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
>
> /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
>@@ -120,6 +130,7 @@ ifdef(`distro_suse', `
> /var/lib/graphite-web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>+/var/lib/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> /var/lib/ipsilon(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
>@@ -138,7 +149,8 @@ ifdef(`distro_suse', `
> /var/lib/nextcloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/lib/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
>-/var/lib/rt(3|4)/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
>+/var/lib/postfixadmin(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>+/var/lib/rt(3|4)?/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> /var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> /var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
>@@ -160,6 +172,7 @@ ifdef(`distro_suse', `
> /var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/thttpd\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
>+/var/log/uwsgi(/.*)? -- gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/php_errors\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> ifdef(`distro_debian', `
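Review bot: `/var/log/uwsgi(/.*)? -- gen_context(...)` in the @@ -160 hunk combines a directory pattern with the `--` regular-file restriction, so the `/var/log/uwsgi` directory itself (and any subdirectory) is not labelled `httpd_log_t` and keeps the generic log-directory label, which will most likely deny uwsgi creating its log files there. The neighbouring directory entries such as `/var/log/roundcubemail(/.*)?` carry no file-type field; the line should be `/var/log/uwsgi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)`.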
>@@ -177,6 +190,8 @@ ifdef(`distro_debian', `
> /var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
> /var/run/thttpd\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
> /var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
>+/var/run/spawn-fcgi(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
>+/var/run/uwsgi(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
> /var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
>
> /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>diff -up serefpolicy-contrib-3.13.1/apache.if.apache serefpolicy-contrib-3.13.1/apache.if
>--- serefpolicy-contrib-3.13.1/apache.if.apache 2018-04-10 11:23:10.034468138 +0300
>+++ serefpolicy-contrib-3.13.1/apache.if 2018-04-10 11:23:10.799347249 +0300
>@@ -1664,6 +1664,23 @@ interface(`apache_admin',`
>
> ########################################
> ## <summary>
>+## dontaudit searching httpd_var_run_t directory
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain to not audit.
>+## </summary>
>+## </param>
>+#
>+interface(`apache_dontaudit_var_run_dir_search',`
>+ gen_require(`
>+ type httpd_var_run_t;
>+ ')
>+ dontaudit $1 httpd_var_run_t:dir search;
>+')
>+
>+########################################
>+## <summary>
> ## dontaudit read and write an leaked file descriptors
> ## </summary>
> ## <param name="domain">
>diff -up serefpolicy-contrib-3.13.1/apache.te.apache serefpolicy-contrib-3.13.1/apache.te
>--- serefpolicy-contrib-3.13.1/apache.te.apache 2018-04-10 11:23:10.036467822 +0300
>+++ serefpolicy-contrib-3.13.1/apache.te 2018-04-10 11:26:19.417536193 +0300
>@@ -74,6 +74,13 @@ gen_tunable(httpd_can_network_connect, f
>
> ## <desc>
> ## <p>
>+## Allow httpd to connect to amqp server
>+## </p>
>+## </desc>
>+gen_tunable(httpd_can_network_amqp, false)
>+
>+## <desc>
>+## <p>
> ## Allow HTTPD scripts and modules to connect to cobbler over the network.
> ## </p>
> ## </desc>
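Review bot: The new `apache_dontaudit_var_run_dir_search` interface in the apache.if @@ -1664 hunk has no caller anywhere in this patch; if it is consumed by the munin half of the series, the attachment description should say so, otherwise it is dead policy. Its summary would read more like the neighbouring ones as `## Do not audit attempts to search the httpd runtime directory.`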
>@@ -109,6 +116,13 @@ gen_tunable(httpd_can_network_memcache,
>
> ## <desc>
> ## <p>
>+## Allow httpd to connect to redis server
>+## </p>
>+## </desc>
>+gen_tunable(httpd_can_network_redis, false)
>+
>+## <desc>
>+## <p>
> ## Allow httpd to act as a relay
> ## </p>
> ## </desc>
>@@ -187,6 +201,21 @@ gen_tunable(httpd_can_connect_ftp, false
> gen_tunable(httpd_can_connect_ldap, false)
>
> ## <desc>
>+## <p>
>+## Allow httpd to connect to printer ports
>+## </p>
>+## </desc>
>+gen_tunable(httpd_can_connect_printer, false)
>+
>+## <desc>
>+## <p>
>+## Allow httpd to act as a SSH/SFTP client
>+## connecting to the ssh ports
>+## </p>
>+## </desc>
>+gen_tunable(httpd_can_connect_ssh, false)
>+
>+## <desc>
> ## <p>
> ## Allow httpd to read home directories
> ## </p>
>@@ -202,12 +231,25 @@ gen_tunable(httpd_read_user_content, fal
>
> ## <desc>
> ## <p>
>+## Allow httpd to read dovecot config
>+## </p>
>+## </desc>
>+gen_tunable(httpd_read_dovecot_config, false)
>+
>+## <desc>
>+## <p>
>+## Allow httpd to use local printer
>+## </p>
>+## </desc>
>+gen_tunable(httpd_enable_local_printer, false)
>+
>+## <desc>
>+## <p>
> ## Allow Apache to run in stickshift mode, not transition to passenger
> ## </p>
> ## </desc>
> gen_tunable(httpd_run_stickshift, false)
>
>-
> ## <desc>
> ## <p>
> ## Allow Apache to run preupgrade
>@@ -475,7 +517,8 @@ role system_r types httpd_passwd_t;
> #
>
> allow httpd_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot };
>-dontaudit httpd_t self:capability { net_admin sys_tty_config };
>+dontaudit httpd_t self:capability2 { block_suspend };
>+dontaudit httpd_t self:capability { net_admin };
> allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
> allow httpd_t self:fd use;
> allow httpd_t self:sock_file read_sock_file_perms;
>@@ -575,6 +618,8 @@ kernel_read_kernel_sysctls(httpd_t)
> kernel_read_system_state(httpd_t)
> kernel_read_network_state(httpd_t)
> kernel_search_network_sysctl(httpd_t)
>+# uwsgi reads sysctl_net_t
>+kernel_read_net_sysctls(httpd_t)
>
> corenet_all_recvfrom_netlabel(httpd_t)
> corenet_tcp_sendrecv_generic_if(httpd_t)
>@@ -696,6 +741,10 @@ tunable_policy(`httpd_can_network_connec
> corenet_tcp_connect_all_ports(httpd_t)
> ')
>
>+tunable_policy(`httpd_can_network_amqp',`
>+ corenet_tcp_connect_amqp_port(httpd_t)
>+')
>+
> tunable_policy(`httpd_can_network_connect_db',`
> corenet_tcp_connect_gds_db_port(httpd_t)
> corenet_tcp_connect_mssql_port(httpd_t)
>@@ -703,12 +752,17 @@ tunable_policy(`httpd_can_network_connec
> corenet_sendrecv_mssql_client_packets(httpd_t)
> corenet_tcp_connect_oracle_port(httpd_t)
> corenet_sendrecv_oracle_client_packets(httpd_t)
>+ corenet_tcp_connect_mongod_port(httpd_t)
> ')
>
> tunable_policy(`httpd_can_network_memcache',`
> corenet_tcp_connect_memcache_port(httpd_t)
> ')
>
>+tunable_policy(`httpd_can_network_redis',`
>+ corenet_tcp_connect_redis_port(httpd_t)
>+')
>+
> tunable_policy(`httpd_can_network_relay',`
> # allow httpd to work as a relay
> corenet_tcp_connect_gopher_port(httpd_t)
>@@ -717,11 +771,13 @@ tunable_policy(`httpd_can_network_relay'
> corenet_tcp_connect_http_cache_port(httpd_t)
> corenet_tcp_connect_squid_port(httpd_t)
> corenet_tcp_connect_memcache_port(httpd_t)
>+ corenet_tcp_connect_varnishd_port(httpd_t)
> corenet_sendrecv_gopher_client_packets(httpd_t)
> corenet_sendrecv_ftp_client_packets(httpd_t)
> corenet_sendrecv_http_client_packets(httpd_t)
> corenet_sendrecv_http_cache_client_packets(httpd_t)
> corenet_sendrecv_squid_client_packets(httpd_t)
>+ corenet_sendrecv_varnishd_client_packets(httpd_t)
> corenet_tcp_connect_all_ephemeral_ports(httpd_t)
> ')
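Review bot: `kernel_read_net_sysctls(httpd_t)` in the @@ -575 hunk is an unconditional allow for every httpd_t process, yet the preamble says the access "could be dontaudit" and only uwsgi triggers it. Granting a read the service does not need widens the baseline for Apache, nginx and php-fpm alike; a narrower fix is to add the missing dontaudit interface to kernel.if in the same series, or at least to gate the allow behind a tunable and say why, e.g. `# uwsgi reads sysctl_net_t; not required for operation, allowed only to silence the AVC`.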
>
>@@ -765,6 +821,19 @@ tunable_policy(`httpd_enable_cgi && http
> manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
> ')
>
>+tunable_policy(`httpd_enable_local_printer',`
>+ cups_read_rw_config(httpd_t)
>+ cups_stream_connect(httpd_t)
>+')
>+
>+tunable_policy(`httpd_can_connect_printer',`
>+ corenet_tcp_connect_printer_port(httpd_t)
>+')
>+
>+tunable_policy(`httpd_can_connect_ssh',`
>+ corenet_tcp_connect_ssh_port(httpd_t)
>+')
>+
> tunable_policy(`httpd_can_connect_ftp',`
> corenet_tcp_connect_ftp_port(httpd_t)
> corenet_tcp_connect_all_ephemeral_ports(httpd_t)
>@@ -826,6 +895,8 @@ tunable_policy(`httpd_can_sendmail',`
> corenet_sendrecv_smtp_client_packets(httpd_t)
> corenet_tcp_connect_pop_port(httpd_t)
> corenet_sendrecv_pop_client_packets(httpd_t)
>+ corenet_tcp_connect_sieve_port(httpd_t)
>+ corenet_sendrecv_sieve_client_packets(httpd_t)
> ')
>
> optional_policy(`
>@@ -1039,6 +1110,7 @@ optional_policy(`
>
> optional_policy(`
> munin_read_config(httpd_t)
>+ munin_stream_connect(httpd_t)
> ')
>
> optional_policy(`
>@@ -1047,16 +1119,20 @@ optional_policy(`
> mysql_stream_connect(httpd_t)
> mysql_rw_db_sockets(httpd_t)
>
>- optional_policy(`
>- postgresql_stream_connect(httpd_t)
>- ')
>-
> tunable_policy(`httpd_can_network_connect_db',`
> mysql_tcp_connect(httpd_t)
> ')
> ')
>
> optional_policy(`
>+ postgresql_stream_connect(httpd_t)
>+')
>+
>+optional_policy(`
>+ redis_stream_connect(httpd_t)
>+')
>+
>+optional_policy(`
> nagios_read_config(httpd_t)
> nagios_read_lib(httpd_t)
> nagios_read_log(httpd_t)
>@@ -1184,7 +1260,7 @@ tunable_policy(`httpd_verify_dns',`
> tunable_policy(`httpd_run_stickshift', `
> allow httpd_t self:capability { fowner fsetid sys_resource };
> dontaudit httpd_t self:capability sys_ptrace;
>- allow httpd_t self:process setexec;
>+ allow httpd_t self:process { ptrace setexec };
>
> files_dontaudit_getattr_all_files(httpd_t)
> domain_getpgid_all_domains(httpd_t)
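Review bot: The `httpd_can_connect_ssh` block in the @@ -765 hunk grants `corenet_tcp_connect_ssh_port`, i.e. the `ssh_port_t` type, but the denial it answers (preamble: dest=22222, `unreserved_port_t`) is not covered by that type, so the boolean alone will not resolve the logged case. The tunable text should state that it only covers ports labelled `ssh_port_t`, so a non-default sshd port has to be labelled with `semanage port` before the boolean has any effect, e.g. `## Allow httpd to connect to ports labelled ssh_port_t (a non-default sshd port must be labelled first).` The same applies to the matching blocks for httpd_php_t, httpd_suexec_t and httpd_sys_script_t in the later hunks.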
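Review bot: `allow httpd_t self:process { ptrace setexec }` in the @@ -1184 hunk piggy-backs a uwsgi requirement (see the preamble) onto the unrelated `httpd_run_stickshift` tunable, so every stickshift deployment silently gains self-ptrace, a permission the baseline rule `allow httpd_t self:process ~{ ptrace ... }` deliberately excludes. A dedicated tunable (the patch already adds several) with a one-line rationale, e.g. `# uwsgi needs self ptrace (AVC in patch preamble)`, keeps the two use cases separable; I cannot tell from here whether stickshift itself needs ptrace.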
>@@ -1263,12 +1339,34 @@ libs_exec_lib_files(httpd_php_t)
>
> userdom_use_unpriv_users_fds(httpd_php_t)
>
>+tunable_policy(`httpd_can_connect_printer',`
>+ corenet_tcp_connect_printer_port(httpd_php_t)
>+')
>+
>+tunable_policy(`httpd_can_connect_ssh',`
>+ corenet_tcp_connect_ssh_port(httpd_php_t)
>+')
>+
>+tunable_policy(`httpd_can_network_amqp',`
>+ corenet_tcp_connect_amqp_port(httpd_php_t)
>+')
>+
> tunable_policy(`httpd_can_network_connect_db',`
> corenet_tcp_connect_gds_db_port(httpd_php_t)
> corenet_tcp_connect_mssql_port(httpd_php_t)
> corenet_sendrecv_mssql_client_packets(httpd_php_t)
> corenet_tcp_connect_oracle_port(httpd_php_t)
> corenet_sendrecv_oracle_client_packets(httpd_php_t)
>+ corenet_tcp_connect_mongod_port(httpd_php_t)
>+')
>+
>+tunable_policy(`httpd_can_network_redis',`
>+ corenet_tcp_connect_redis_port(httpd_php_t)
>+')
>+
>+tunable_policy(`httpd_enable_local_printer',`
>+ cups_read_rw_config(httpd_php_t)
>+ cups_stream_connect(httpd_php_t)
> ')
>
> optional_policy(`
>@@ -1290,6 +1388,10 @@ optional_policy(`
> ')
> ')
>
>+optional_policy(`
>+ redis_stream_connect(httpd_php_t)
>+')
>+
> ########################################
> #
> # Apache suexec local policy
>@@ -1359,12 +1461,29 @@ tunable_policy(`httpd_can_network_connec
> corenet_sendrecv_all_client_packets(httpd_suexec_t)
> ')
>
>+tunable_policy(`httpd_can_network_amqp',`
>+ corenet_tcp_connect_amqp_port(httpd_suexec_t)
>+')
>+
> tunable_policy(`httpd_can_network_connect_db',`
> corenet_tcp_connect_gds_db_port(httpd_suexec_t)
> corenet_tcp_connect_mssql_port(httpd_suexec_t)
> corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
> corenet_tcp_connect_oracle_port(httpd_suexec_t)
> corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
>+ corenet_tcp_connect_mongod_port(httpd_suexec_t)
>+')
>+
>+tunable_policy(`httpd_can_connect_printer',`
>+ corenet_tcp_connect_printer_port(httpd_suexec_t)
>+')
>+
>+tunable_policy(`httpd_can_connect_ssh',`
>+ corenet_tcp_connect_ssh_port(httpd_suexec_t)
>+')
>+
>+tunable_policy(`httpd_can_network_redis',`
>+ corenet_tcp_connect_redis_port(httpd_suexec_t)
> ')
>
> domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
>@@ -1395,6 +1514,11 @@ tunable_policy(`httpd_enable_homedirs &&
> fs_exec_cifs_files(httpd_suexec_t)
> ')
>
>+tunable_policy(`httpd_enable_local_printer',`
>+ cups_read_rw_config(httpd_suexec_t)
>+ cups_stream_connect(httpd_suexec_t)
>+')
>+
> optional_policy(`
> apache_rw_stream_sockets(httpd_suexec_t)
> ')
>@@ -1429,6 +1553,10 @@ optional_policy(`
> ')
> ')
>
>+optional_policy(`
>+ redis_stream_connect(httpd_suexec_t)
>+')
>+
> ########################################
> #
> # Apache system script local policy
>@@ -1477,14 +1605,31 @@ optional_policy(`
> ')
> ')
>
>+tunable_policy(`httpd_can_network_amqp',`
>+ corenet_tcp_connect_amqp_port(httpd_sys_script_t)
>+')
>+
> tunable_policy(`httpd_can_network_connect_db',`
> corenet_tcp_connect_gds_db_port(httpd_sys_script_t)
> corenet_tcp_connect_mssql_port(httpd_sys_script_t)
> corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
> corenet_tcp_connect_oracle_port(httpd_sys_script_t)
> corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
>+ corenet_tcp_connect_mongod_port(httpd_sys_script_t)
> ')
>
>+tunable_policy(`httpd_can_network_redis',`
>+ corenet_tcp_connect_redis_port(httpd_sys_script_t)
>+')
>+
>+tunable_policy(`httpd_can_connect_printer',`
>+ corenet_tcp_connect_printer_port(httpd_sys_script_t)
>+')
>+
>+tunable_policy(`httpd_can_connect_ssh',`
>+ corenet_tcp_connect_ssh_port(httpd_sys_script_t)
>+')
>+
> fs_cifs_entry_type(httpd_sys_script_t)
> fs_read_iso9660_files(httpd_sys_script_t)
> fs_nfs_entry_type(httpd_sys_script_t)
>@@ -1532,10 +1677,19 @@ tunable_policy(`httpd_enable_homedirs &&
> fs_read_nfs_symlinks(httpd_sys_script_t)
> ')
>
>+tunable_policy(`httpd_enable_local_printer',`
>+ cups_read_rw_config(httpd_sys_script_t)
>+ cups_stream_connect(httpd_sys_script_t)
>+')
>+
> tunable_policy(`httpd_read_user_content',`
> userdom_read_user_home_content_files(httpd_sys_script_t)
> ')
>
>+tunable_policy(`httpd_read_dovecot_config',`
>+ dovecot_read_config(httpd_sys_script_t)
>+')
>+
> tunable_policy(`httpd_use_cifs',`
> fs_manage_cifs_dirs(httpd_sys_script_t)
> fs_manage_cifs_files(httpd_sys_script_t)
>@@ -1586,6 +1740,10 @@ optional_policy(`
> ')
>
> optional_policy(`
>+ redis_stream_connect(httpd_sys_script_t)
>+')
>+
>+optional_policy(`
> snmp_read_snmp_var_lib_files(httpd_sys_script_t)
> ')
>
>@@ -1655,6 +1813,13 @@ tunable_policy(`httpd_read_user_content'
> userdom_read_user_home_content_files(httpd_user_script_t)
> ')
>
>+tunable_policy(`httpd_read_dovecot_config',`
>+ dovecot_read_config(httpd_t)
>+ dovecot_read_config(httpd_suexec_t)
>+ dovecot_read_config(httpd_user_script_t)
>+')
>+
>+
> ########################################
> #
> # httpd_passwd local policy
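Review bot: The `httpd_read_dovecot_config` block in the @@ -1655 hunk grants `dovecot_read_config` to httpd_t and httpd_suexec_t from inside the httpd_user_script_t section, while the rest of the file (and the httpd_sys_script_t grant in the previous hunk) keeps each domain's rules in its own section; the `dovecot_read_config(httpd_t)` and `dovecot_read_config(httpd_suexec_t)` lines belong with their domains. The block also ends with two added blank lines before the `####` banner where the file uses one. httpd_php_t is the only script-running domain left without this tunable — presumably intentional, but worth a word in the description.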