From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Thu, 20 Apr 2017 17:07:37 +0200 Subject: [refpolicy] [PATCH v3 1/1] rpc_* interfaces should be wrapped by optional_policy() Message-ID: <20170420150737.4317-1-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The rpc module is not a core module. As such, calls towards rpc_* interfaces should be wrapped with optional_policy(). Changes since v2: - Wrapped other calls towards rpc_* within apache.te Changes since v1: - Fixed wrong quotation mark Signed-off-by: Sven Vermeulen
---
 apache.te | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/apache.te b/apache.te
index d5c74fd..dcc58af 100644
--- a/apache.te
+++ b/apache.te
@@ -745,10 +745,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
 fs_exec_fusefs_files(httpd_t)
 ')
 
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1070,10 +1072,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
 fs_exec_fusefs_files(httpd_suexec_t)
 ')
 
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
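Review bot: In the first hunk (httpd_t, @@ -745), `fs_list_auto_mountpoints(httpd_t)` ends up inside the new `optional_policy` block along with the rpc_* calls, so the rule now also disappears when the rpc module is not present. Going by its fs_ prefix this interface belongs to the filesystem module rather than to rpc, so presumably it does not need the wrapper. Leaving that one call in its own httpd_use_nfs tunable block outside the optional block, and wrapping only `rpc_manage_nfs_rw_content` and `rpc_read_nfs_content`, would keep the earlier behaviour. The hunks at @@ -1070 and @@ -1307 place the call the same way for httpd_suexec_t and httpd_sys_script_t.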
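Review bot: In the hunk at @@ -1070 the re-indented `rpc_manage_nfs_rw_content(httpd_t)` and `rpc_read_nfs_content(httpd_t)` still name httpd_t, while the `fs_list_auto_mountpoints(httpd_suexec_t)` line beside them names the suexec domain. The removed lines had the same argument, so the patch carries it forward; it looks like a copy-paste leftover that grants httpd_t the NFS content access a second time and leaves httpd_suexec_t without it. If that is not intended, the two lines would read `rpc_manage_nfs_rw_content(httpd_suexec_t)` and `rpc_read_nfs_content(httpd_suexec_t)`. The hunk at @@ -1307 shows the same pattern for httpd_sys_script_t. When choosing the argument, it is worth checking whether the script domains need the manage interface or only the read one, since manage presumably also grants write access to the NFS content.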
@@ -1307,10 +1311,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
 fs_exec_fusefs_files(httpd_sys_script_t)
 ')
 
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
 ')
 
 tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
-- 2.10.2