From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 13 Oct 2008 11:10:06 -0400
Subject: [refpolicy] services_cvs.patch
In-Reply-To: <48EFBB83.7060601@redhat.com>
References: <48DA9C28.8000109@redhat.com> <1223575785.2165.138.camel@gorn.columbia.tresys.com> <48EFBB83.7060601@redhat.com>
Message-ID: <1223910606.21012.12.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2008-10-10 at 16:30 -0400, Daniel J Walsh wrote:
> Add httpd cgi policy and kerberos_keytab support

Merged.

> --- nsaserefpolicy/policy/modules/services/cvs.fc 2008-08-07 11:15:11.000000000 -0400 > +++ serefpolicy-3.5.12/policy/modules/services/cvs.fc 2008-10-10 16:08:15.000000000 -0400 > @@ -5,3 +5,6 @@ > > /var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) > > +#CVSWeb file context > +/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) > +/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) > --- nsaserefpolicy/policy/modules/services/cvs.if 2008-09-24 09:07:28.000000000 -0400 > +++ serefpolicy-3.5.12/policy/modules/services/cvs.if 2008-10-10 16:08:15.000000000 -0400 > @@ -69,4 +69,13 @@ > domain_system_change_exemption($1) > role_transition $2 cvs_initrc_exec_t system_r; > allow $2 system_r; > + > + files_list_tmp($1) > + admin_pattern($1, cvs_tmp_t) > + > + admin_pattern($1, cvs_data_t) > + > + files_list_pids($1) > + admin_pattern($1, cvs_var_run_t) > ') > + > --- nsaserefpolicy/policy/modules/services/cvs.te 2008-09-24 09:07:28.000000000 -0400 > +++ serefpolicy-3.5.12/policy/modules/services/cvs.te 2008-10-10 16:08:15.000000000 -0400 
> @@ -99,7 +99,17 @@ > ') > > optional_policy(` > - kerberos_read_keytab(cvs_t) > + kerberos_keytab_template(cvs, cvs_t) > kerberos_read_config(cvs_t) > kerberos_dontaudit_write_config(cvs_t) > ') > + > +######################################## > +# CVSWeb policy > + > +apache_content_template(cvs) > + > +read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) > +manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) > +manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) > +files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
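Review bot: the cvs.fc hunk adds contexts only for the two cvsweb.cgi locations, but the cvs.te hunk switches cvs_t from kerberos_read_keytab to kerberos_keytab_template(cvs, cvs_t); assuming that template declares a per-domain keytab type the way refpolicy's other keytab templates do, the .fc also needs an entry for the cvs keytab file, otherwise the file keeps the generic kerberos keytab label and the new type is never applied. Also, the `--` qualifier on both cvsweb.cgi entries is correct since those paths are regular files, but the comment line `#CVSWeb file context` should follow the module's spacing convention (`# CVSWeb file context`).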
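Review bot: in the cvs_admin hunk of cvs.if, admin_pattern($1, cvs_data_t) has no preceding files_list_* call, while the cvs_tmp_t and cvs_var_run_t blocks are correctly paired with files_list_tmp($1) and files_list_pids($1); since cvs.fc places the data under /var/cvs, add files_list_var($1) before it (unless the unchanged lines above the hunk already grant that). The hunk also appends a lone `+` after the closing `')`, which leaves a trailing blank line at end of file and should be dropped.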
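Review bot: in the cvs.te hunk, read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) grants only search on cvs_data_t directories and read on files, which is not enough for a repository browser that has to enumerate directory contents; add list_dirs_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) and consider read_lnk_files_pattern alongside it. Separately, the manage_dirs_pattern/manage_files_pattern calls plus files_tmp_filetrans into cvs_tmp_t make the CGI share one tmp type with cvs_t, so either domain can alter the other's temporary files; a dedicated tmp type for the script (a hypothetical httpd_cvs_script_tmp_t, not something this patch declares) would keep the two domains' temp data apart.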