From: pebenito@ieee.org (Chris PeBenito) Date: Thu, 20 Apr 2017 20:08:56 -0400 Subject: [refpolicy] [PATCH v3 1/1] rpc_* interfaces should be wrapped by optional_policy() In-Reply-To: <20170420150737.4317-1-sven.vermeulen@siphos.be> References: <20170420150737.4317-1-sven.vermeulen@siphos.be> Message-ID: <5f1fa4a1-b0c4-f03c-62b1-ff2465cbef25@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/20/2017 11:07 AM, Sven Vermeulen via refpolicy wrote: > The rpc module is not a core module. As such, calls towards rpc_* > interfaces should be wrapped with optional_policy(). > > Changes since v2: > - Wrapped other calls towards rpc_* within apache.te > > Changes since v1: > - Fixed wrong quotation mark > > Signed-off-by: Sven Vermeulen > --- > apache.te | 30 ++++++++++++++++++------------ > 1 file changed, 18 insertions(+), 12 deletions(-) > > diff --git a/apache.te b/apache.te > index d5c74fd..dcc58af 100644 > --- a/apache.te > +++ b/apache.te > @@ -745,10 +745,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` > fs_exec_fusefs_files(httpd_t) > ') > > -tunable_policy(`httpd_use_nfs',` > - fs_list_auto_mountpoints(httpd_t) > - rpc_manage_nfs_rw_content(httpd_t) > - rpc_read_nfs_content(httpd_t) > +optional_policy(` > + tunable_policy(`httpd_use_nfs',` > + fs_list_auto_mountpoints(httpd_t) > + rpc_manage_nfs_rw_content(httpd_t) > + rpc_read_nfs_content(httpd_t) > + ') > ') > > tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` 
> @@ -1070,10 +1072,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` > fs_exec_fusefs_files(httpd_suexec_t) > ') > > -tunable_policy(`httpd_use_nfs',` > - fs_list_auto_mountpoints(httpd_suexec_t) > - rpc_manage_nfs_rw_content(httpd_t) > - rpc_read_nfs_content(httpd_t) > +optional_policy(` > + tunable_policy(`httpd_use_nfs',` > + fs_list_auto_mountpoints(httpd_suexec_t) > + rpc_manage_nfs_rw_content(httpd_t) > + rpc_read_nfs_content(httpd_t) > + ') > ') > > tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` > @@ -1307,10 +1311,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` > fs_exec_fusefs_files(httpd_sys_script_t) > ') > > -tunable_policy(`httpd_use_nfs',` > - fs_list_auto_mountpoints(httpd_sys_script_t) > - rpc_manage_nfs_rw_content(httpd_t) > - rpc_read_nfs_content(httpd_t) > +optional_policy(` > + tunable_policy(`httpd_use_nfs',` > + fs_list_auto_mountpoints(httpd_sys_script_t) > + rpc_manage_nfs_rw_content(httpd_t) > + rpc_read_nfs_content(httpd_t) > + ') > ') > > tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` Merged, though I moved blocks to proper locations. -- Chris PeBenito
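Review bot: In the first hunk (@@ -745, the httpd_t block), fs_list_auto_mountpoints(httpd_t) is not an rpc_* interface but now sits inside the optional_policy() block, so a policy built without the rpc module no longer grants it when httpd_use_nfs is on. If that permission should not depend on rpc, keep it in its own tunable_policy(`httpd_use_nfs', ...) outside the optional block and wrap only the two rpc_* calls. If the coupling is intended, mention it in the commit message, which currently speaks only of rpc_* calls.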
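Review bot: In the second hunk (@@ -1070, the httpd_suexec_t block), the two rpc_* calls are carried over with httpd_t as their argument while fs_list_auto_mountpoints on the line above takes httpd_suexec_t. Please confirm which domain is meant: as written, this block gives httpd_suexec_t no NFS content access and repeats for httpd_t the manage and read rules already present in the first hunk. If the calls were meant for the suexec domain, change the argument to httpd_suexec_t, preferably in a separate patch since this one is only about optional_policy() wrapping.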
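Review bot: In the third hunk (@@ -1307, the httpd_sys_script_t block), rpc_manage_nfs_rw_content(httpd_t) and rpc_read_nfs_content(httpd_t) again name httpd_t rather than the httpd_sys_script_t used by fs_list_auto_mountpoints. Manage access to NFS read/write content should be scoped to exactly the domain that needs it, so either switch the argument to httpd_sys_script_t or drop the two calls from this block as duplicates of the ones in the first hunk.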