From: Daniel J Walsh <dwalsh@redhat.com>
To: Jim Carter <jwcart2@epoch.ncsc.mil>
Cc: SELinux <SELinux@tycho.nsa.gov>
Subject: Re: Latest diff.
Date: Tue, 22 Mar 2005 15:20:55 -0500
Message-ID: <42407E27.7020901@redhat.com>
In-Reply-To: <424062D4.8090708@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 57 bytes --]
Diff to previous diff for unconfined apache policy.
Dan
[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 1349 bytes --]
-+++ policy-1.23.4/domains/program/unused/apache.te 2005-03-22 12:19:28.267021536 -0500
++++ policy-1.23.4/domains/program/unused/apache.te 2005-03-22 13:41:52.893324080 -0500
@@ -42,6 +42,9 @@
# Allow http daemon to communicate with the TTY
bool httpd_tty_comm false;
@@ -200,18 +205,28 @@
can_ypbind(httpd_t)
###################
-@@ -352,3 +360,8 @@
+@@ -352,3 +360,18 @@
allow httpd_sys_script_t var_lib_t:dir search;
dontaudit httpd_t selinux_config_t:dir search;
r_dir_file(httpd_t, cert_t)
+
++#
++# unconfined domain for apache scripts. Only to be used as a last resort
++#
+type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable;
-+type httpd_unconfined_t, domain;
-+unconfined_domain(httpd_unconfined_t)
-+domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_t)
++type httpd_unconfined_script_t, domain, nscd_client_domain;
++role system_r types httpd_unconfined_script_t;
++unconfined_domain(httpd_unconfined_script_t)
++if (httpd_enable_cgi) {
++domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
++domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
++allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
++allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
++}
++
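
Review bot: In the `if (httpd_enable_cgi)` block, both `domain_auto_trans` rules into `httpd_unconfined_script_t` are gated only by the general CGI boolean, so a site that enables CGI for confined scripts also enables the transition from `httpd_t` and `httpd_suexec_t` into an `unconfined_domain`. Because `httpd_unconfined_script_exec_t` is declared `customizable`, the label is meant to be applied locally, which leaves file labelling as the only thing standing between the web server and an unconfined process. Consider putting the two transitions behind a separate boolean that defaults to false, and extending the "Only to be used as a last resort" comment to state which file label triggers the transition and that scripts carrying it are not confined by the apache policy.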