From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Thu, 20 Apr 2017 16:59:27 +0200
Subject: [refpolicy] [PATCH 1/1] rpc_* interfaces should be wrapped by
	optional_policy()
Message-ID: <20170420145927.3285-1-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The rpc module is not a core module. As such, calls towards rpc_*
interfaces should be wrapped with optional_policy().

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 apache.te | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/apache.te b/apache.te
index d5c74fd..bae14a8 100644
--- a/apache.te
+++ b/apache.te
@@ -745,10 +745,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
 	fs_exec_fusefs_files(httpd_t)
 ')
 
-tunable_policy(`httpd_use_nfs',`
-	fs_list_auto_mountpoints(httpd_t)
-	rpc_manage_nfs_rw_content(httpd_t)
-	rpc_read_nfs_content(httpd_t)
+optional_policy('
+	tunable_policy(`httpd_use_nfs',`
+		fs_list_auto_mountpoints(httpd_t)
+		rpc_manage_nfs_rw_content(httpd_t)
+		rpc_read_nfs_content(httpd_t)
+	')
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
-- 
2.10.2