From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 8 Dec 2012 21:56:57 +0100
Subject: [refpolicy] [PATCH 06/11] Apache should not depend on gpg
In-Reply-To: <1355000222-7297-1-git-send-email-sven.vermeulen@siphos.be>
References: <1355000222-7297-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1355000222-7297-7-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Currently, a few calls to gpg functions are without optional_policy statements. This makes the gpg module a hard requirement for apache, something which shouldn't be the case.
Signed-off-by: Sven Vermeulen
---
 apache.te | 18 +++++++++++-------
 1 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/apache.te b/apache.te
index 940256e..8fec985 100644
--- a/apache.te
+++ b/apache.te
@@ -357,7 +357,6 @@ role system_r types httpd_passwd_t;
 type httpd_gpg_t;
 domain_type(httpd_gpg_t)
-gpg_entry_type(httpd_gpg_t)
 role system_r types httpd_gpg_t;
 optional_policy(`
@@ -581,10 +580,6 @@ tunable_policy(`httpd_enable_cgi',`
 allow httpd_t httpd_script_exec_type:dir list_dir_perms;
 ')
-tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
- gpg_spec_domtrans(httpd_t, httpd_gpg_t)
-')
-
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
 fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
 ')
@@ -672,6 +667,12 @@ tunable_policy(`httpd_graceful_shutdown',`
 ')
 optional_policy(`
+ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+ gpg_spec_domtrans(httpd_t, httpd_gpg_t)
+ ')
+')
+
+optional_policy(`
 tunable_policy(`httpd_mod_auth_ntlm_winbind',`
 samba_domtrans_winbind_helper(httpd_t)
 ')
@@ -1393,8 +1394,6 @@ files_read_usr_files(httpd_gpg_t)
 miscfiles_read_localization(httpd_gpg_t)
-gpg_exec(httpd_gpg_t)
-
 tunable_policy(`httpd_gpg_anon_write',`
 miscfiles_manage_public_files(httpd_gpg_t)
 ')
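Review bot: In the `@@ -672,6 +667,12 @@` hunk the `httpd_use_gpg` condition now sits inside `optional_policy`, and nothing on the new lines says that the boolean stops having any effect when the gpg module is absent. Assuming the boolean itself stays declared outside this hunk, an administrator could still enable it and would not get the transition into `httpd_gpg_t` that its name suggests. I would add a comment above the block, for example `# httpd_use_gpg only takes effect when the gpg module is present`, and repeat that in the boolean's description.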
@@ -1402,3 +1401,8 @@ tunable_policy(`httpd_gpg_anon_write',`
 optional_policy(`
 apache_manage_sys_rw_content(httpd_gpg_t)
 ')
+
+optional_policy(`
+ gpg_entry_type(httpd_gpg_t)
+ gpg_exec(httpd_gpg_t)
+')
--
1.7.8.6
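Review bot: The new `optional_policy` block at the end makes only the entrypoint and exec rights conditional, while the `type httpd_gpg_t;` / `domain_type(httpd_gpg_t)` declaration, `role system_r types httpd_gpg_t;` and the `httpd_gpg_anon_write` tunable seen in the context lines of the other hunks stay unconditional. Without the gpg module the policy would then carry a domain that has no entrypoint and no transition into it, yet still holds its file permissions. That looks harmless but is easy to misread in an audit. A short comment on the block would record the intent, e.g. `# gpg is optional; without it httpd_gpg_t has no entrypoint and is unreachable`. The rest of the httpd_gpg_t section lies outside the hunk, so this is inferred from the visible context lines only.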