From: dominick.grift@gmail.com (grift) Date: Sun, 09 Dec 2012 14:59:07 +0100 Subject: [refpolicy] [PATCH 06/11] Apache should not depend on gpg In-Reply-To: <1355000222-7297-7-git-send-email-sven.vermeulen@siphos.be> References: <1355000222-7297-1-git-send-email-sven.vermeulen@siphos.be> <1355000222-7297-7-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1355061547.1797.70.camel@localhost> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Sat, 2012-12-08 at 21:56 +0100, Sven Vermeulen wrote: > Currently, a few calls to gpg functions are without optional_policy statements. > This makes the gpg module a hard requirement for apache, something which > shouldn't be the case. This was merged, thanks > Signed-off-by: Sven Vermeulen > --- > apache.te | 18 +++++++++++------- > 1 files changed, 11 insertions(+), 7 deletions(-) > > diff --git a/apache.te b/apache.te > index 940256e..8fec985 100644 > --- a/apache.te > +++ b/apache.te > @@ -357,7 +357,6 @@ role system_r types httpd_passwd_t; > > type httpd_gpg_t; > domain_type(httpd_gpg_t) > -gpg_entry_type(httpd_gpg_t) > role system_r types httpd_gpg_t; > > optional_policy(` > @@ -581,10 +580,6 @@ tunable_policy(`httpd_enable_cgi',` > allow httpd_t httpd_script_exec_type:dir list_dir_perms; > ') > > -tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` > - gpg_spec_domtrans(httpd_t, httpd_gpg_t) > -') > - > tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` > fs_nfs_domtrans(httpd_t, httpd_sys_script_t) > ') > @@ -672,6 +667,12 @@ tunable_policy(`httpd_graceful_shutdown',` > ') > > optional_policy(` > + tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` > + gpg_spec_domtrans(httpd_t, httpd_gpg_t) > + ') > +') > + > +optional_policy(` > tunable_policy(`httpd_mod_auth_ntlm_winbind',` > samba_domtrans_winbind_helper(httpd_t) > ') 
> @@ -1393,8 +1394,6 @@ files_read_usr_files(httpd_gpg_t) > > miscfiles_read_localization(httpd_gpg_t) > > -gpg_exec(httpd_gpg_t) > - > tunable_policy(`httpd_gpg_anon_write',` > miscfiles_manage_public_files(httpd_gpg_t) > ') > @@ -1402,3 +1401,8 @@ tunable_policy(`httpd_gpg_anon_write',` > optional_policy(` > apache_manage_sys_rw_content(httpd_gpg_t) > ') > + > +optional_policy(` > + gpg_entry_type(httpd_gpg_t) > + gpg_exec(httpd_gpg_t) > +')
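
Review bot: In the hunk at `@@ -357,7 +357,6 @@`, the declarations section now has `type httpd_gpg_t;` and `domain_type(httpd_gpg_t)` with no entry type beside them, which is where a reader looks for one. A one-line comment there, saying that `gpg_entry_type(httpd_gpg_t)` lives in the optional_policy block at the end of the file, would keep the domain from looking like it was left without an entrypoint by mistake.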
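
Review bot: In the hunk at `@@ -672,6 +667,12 @@`, the `gpg_spec_domtrans(httpd_t, httpd_gpg_t)` transition is only useful when `gpg_entry_type(httpd_gpg_t)` is also in effect, yet the two now sit in separate optional_policy blocks at opposite ends of the file. They resolve together today because both blocks call only gpg interfaces. If a later change adds an interface from another module to either block, one half can drop out without the other. Suggest a comment on this block that points at the entry-type block, and keeping both blocks gpg-only.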
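
Review bot: In the hunk at `@@ -1402,3 +1401,8 @@`, only `gpg_entry_type` and `gpg_exec` become optional, while the context lines of the preceding hunk show `files_read_usr_files(httpd_gpg_t)`, `miscfiles_read_localization(httpd_gpg_t)` and the `httpd_gpg_anon_write` tunable staying unconditional. On a system built without the gpg module, `httpd_gpg_t` is then a domain with no entrypoint that still carries allow rules, including `miscfiles_manage_public_files` when the tunable is on. Nothing can enter the domain, so this is dead policy rather than an exposure, but it is worth either moving the remaining `httpd_gpg_t` rules into this optional block or noting in the commit message why they stay outside.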