2017-04-20 15:07:37

by sven.vermeulen

Subject: [refpolicy] [PATCH v3 1/1] rpc_* interfaces should be wrapped by optional_policy()

The rpc module is not a core module. As such, calls towards rpc_*
interfaces should be wrapped with optional_policy().

Changes since v2:
- Wrapped other calls towards rpc_* within apache.te

Changes since v1:
- Fixed wrong quotation mark

Signed-off-by: Sven Vermeulen <[email protected]>
---
apache.te | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/apache.te b/apache.te
index d5c74fd..dcc58af 100644
--- a/apache.te
+++ b/apache.te
@@ -745,10 +745,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_t)
')

-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')

tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
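Review bot: fs_list_auto_mountpoints(httpd_t) now sits inside the optional_policy() block, so on a policy built without the rpc module the whole block is dropped and httpd_t loses that fs_ rule as well when httpd_use_nfs is enabled. The fs_* interfaces come from the filesystem module, which is part of the base policy, so only the two rpc_* calls need the wrapper. Suggest leaving fs_list_auto_mountpoints(httpd_t) in a plain tunable_policy(`httpd_use_nfs', ...) and placing only rpc_manage_nfs_rw_content(httpd_t) and rpc_read_nfs_content(httpd_t) inside optional_policy().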
@@ -1070,10 +1072,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_suexec_t)
')

-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')

tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
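Review bot: the two rpc_* calls in this block pass httpd_t, while the fs_list_auto_mountpoints() call beside them is for httpd_suexec_t. As written, the block grants httpd_t the same NFS content access that the hunk at -745 already grants, and gives httpd_suexec_t none. If the suexec domain is meant to reach NFS content, the argument should be httpd_suexec_t; if it is not, the rpc_* lines can be dropped from this block, which also removes the need for optional_policy() here. The patch carries the mismatch over unchanged, so it is worth settling in this revision or noting in the commit message as out of scope.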
@@ -1307,10 +1311,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_sys_script_t)
')

-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')

tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
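Review bot: in this httpd_sys_script_t block, rpc_manage_nfs_rw_content() and rpc_read_nfs_content() are called with httpd_t, not with the domain that fs_list_auto_mountpoints(httpd_sys_script_t) names. The result is a third copy of the httpd_t grant and no NFS content access for the script domain. Before changing the argument, decide how much the script domain should get: rpc_manage_nfs_rw_content() is a manage-level grant, so if scripts only need to read exported content, rpc_read_nfs_content(httpd_sys_script_t) alone is the narrower choice. If no access is intended, drop the rpc_* lines and keep the tunable_policy() outside optional_policy().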
--
2.10.2


2017-04-21 00:08:56

by Chris PeBenito

Subject: [refpolicy] [PATCH v3 1/1] rpc_* interfaces should be wrapped by optional_policy()

On 04/20/2017 11:07 AM, Sven Vermeulen via refpolicy wrote:
> The rpc module is not a core module. As such, calls towards rpc_*
> interfaces should be wrapped with optional_policy().
>
> Changes since v2:
> - Wrapped other calls towards rpc_* within apache.te
>
> Changes since v1:
> - Fixed wrong quotation mark
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> apache.te | 30 ++++++++++++++++++------------
> 1 file changed, 18 insertions(+), 12 deletions(-)
>
> diff --git a/apache.te b/apache.te
> index d5c74fd..dcc58af 100644
> --- a/apache.te
> +++ b/apache.te
> @@ -745,10 +745,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
> fs_exec_fusefs_files(httpd_t)
> ')
>
> -tunable_policy(`httpd_use_nfs',`
> - fs_list_auto_mountpoints(httpd_t)
> - rpc_manage_nfs_rw_content(httpd_t)
> - rpc_read_nfs_content(httpd_t)
> +optional_policy(`
> + tunable_policy(`httpd_use_nfs',`
> + fs_list_auto_mountpoints(httpd_t)
> + rpc_manage_nfs_rw_content(httpd_t)
> + rpc_read_nfs_content(httpd_t)
> + ')
> ')
>
> tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
> @@ -1070,10 +1072,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
> fs_exec_fusefs_files(httpd_suexec_t)
> ')
>
> -tunable_policy(`httpd_use_nfs',`
> - fs_list_auto_mountpoints(httpd_suexec_t)
> - rpc_manage_nfs_rw_content(httpd_t)
> - rpc_read_nfs_content(httpd_t)
> +optional_policy(`
> + tunable_policy(`httpd_use_nfs',`
> + fs_list_auto_mountpoints(httpd_suexec_t)
> + rpc_manage_nfs_rw_content(httpd_t)
> + rpc_read_nfs_content(httpd_t)
> + ')
> ')
>
> tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
> @@ -1307,10 +1311,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
> fs_exec_fusefs_files(httpd_sys_script_t)
> ')
>
> -tunable_policy(`httpd_use_nfs',`
> - fs_list_auto_mountpoints(httpd_sys_script_t)
> - rpc_manage_nfs_rw_content(httpd_t)
> - rpc_read_nfs_content(httpd_t)
> +optional_policy(`
> + tunable_policy(`httpd_use_nfs',`
> + fs_list_auto_mountpoints(httpd_sys_script_t)
> + rpc_manage_nfs_rw_content(httpd_t)
> + rpc_read_nfs_content(httpd_t)
> + ')
> ')
>
> tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`

Merged, though I moved blocks to proper locations.

--
Chris PeBenito