From: František Dvořák
Date: Wed, 31 Dec 2014 13:41:08 +0000 (+0100)
Subject: SELinux new allow rules for Fedora 22/rawhide.
X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=c867835717fe397869a18fcf121642cc5f2b634f;p=rOCCI-packaging-fedora.git

SELinux new allow rules for Fedora 22/rawhide.
---
diff --git a/rocci_server.te b/rocci_server.te
index 3236818..875249a 100644
--- a/rocci_server.te
+++ b/rocci_server.te
@@ -1,4 +1,4 @@
-module rocci_server 1.0;
+module rocci_server 1.0.1;
 
 require {
  type anon_inodefs_t;
@@ -9,18 +9,22 @@ require {
  type locale_t;
  type memcache_port_t;
  type passenger_t;
+ type passenger_log_t;
+ type passenger_var_lib_t;
  type passenger_tmp_t;
  type passenger_var_run_t;
+ type pki_ocsp_port_t;
  type sysfs_t;
  type var_log_t;
  type man_t;
 
+ class capability { fowner fsetid sys_resource sys_ptrace };
  class capability2 block_suspend;
- class dir { open read search };
- class file { execute execute_no_trans getattr open read write };
+ class dir { add_name open read search write };
+ class file { create execute execute_no_trans getattr open read write };
  class lnk_file read;
  class sock_file write;
- class tcp_socket { name_connect listen };
+ class tcp_socket { name_bind name_connect listen };
  class unix_stream_socket { getattr read write };
  class process { getsession signull };
 }
@@ -28,6 +32,26 @@ require { #============= httpd_t ============== allow httpd_t passenger_tmp_t:sock_file write; +# Fedora >= 22 +allow httpd_t pki_ocsp_port_t:tcp_socket name_bind; +allow httpd_t passenger_log_t:dir add_name; +allow httpd_t passenger_log_t:dir write; +allow httpd_t passenger_log_t:file create; +allow httpd_t passenger_log_t:file open; +# This avc can be allowed using the boolean 'httpd_run_stickshift' (if anybody +# knows what that boolean does :-)) +allow httpd_t passenger_var_lib_t:dir read; +# This avc can be allowed using one of the these booleans: +# httpd_run_stickshift, httpd_setrlimit +allow httpd_t self:capability { fowner sys_resource }; +# This avc can be allowed using the boolean 'httpd_run_stickshift' +allow httpd_t self:capability fsetid; +# This avc can be allowed using one of the these booleans: +# httpd_can_network_relay, httpd_can_network_memcache, httpd_can_network_connect +allow httpd_t memcache_port_t:tcp_socket name_connect; +allow httpd_t self:capability sys_ptrace; + + #============= passenger_t ============== allow passenger_t anon_inodefs_t:file { write read }; allow passenger_t home_root_t:dir search;
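Review bot: `allow httpd_t self:capability sys_ptrace;` at the end of the new httpd_t block is the broadest grant in this hunk and the only new rule without a comment recording which operation produced the AVC, whereas every other addition names the boolean that would otherwise cover it. CAP_SYS_PTRACE lets the web-server domain inspect or attach to other processes, which is why Fedora ships a `deny_ptrace` boolean for it, so before making it a permanent allow it is worth confirming whether the denial comes from a non-essential action (such rules are often triggered by a /proc read) that a `dontaudit httpd_t self:capability sys_ptrace;` would silence without widening the domain. The same question applies to `allow httpd_t pki_ocsp_port_t:tcp_socket name_bind;`: binding a port labeled for OCSP responders looks more like a coincidental port choice than a requirement, and a comment naming the source of the denial would let a later maintainer re-evaluate or drop it. Finally, `# Fedora >= 22` reads as a condition, but the module applies these rules wherever it is loaded; `# Observed on Fedora >= 22 (from AVC denials); these rules are unconditional` would state the intent more accurately.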