[COMMIT]refpolicy-contrib branch, master, updated. RELEASE_2_20120215-28-g4670530

Reference Policy commits mail list refpolicy-commits at oss.tresys.com
Fri May 4 06:31:52 CDT 2012


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "refpolicy-contrib".

The branch, master has been updated
       via  4670530024cc8d5ada3026b47b0f0c1e330fce95 (commit)
       via  653d08eb18aa46bf30d4e4122f7cc0b41b37e5f8 (commit)
       via  251918db5a34fa3360c099729d9ef016fd46b0f0 (commit)
      from  6c192c747802a866038f470f8f60d5d664507a4f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 4670530024cc8d5ada3026b47b0f0c1e330fce95
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri May 4 08:42:12 2012 -0400

    Module version bump for apache and MTA dontaudits from Sven Vermeulen.

commit 653d08eb18aa46bf30d4e4122f7cc0b41b37e5f8
Author: Sven Vermeulen <sven.vermeulen at siphos.be>
Date:   Sat Apr 21 18:17:13 2012 +0200

    Adding dontaudit on mta
    
    Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>

commit 251918db5a34fa3360c099729d9ef016fd46b0f0
Author: Sven Vermeulen <sven.vermeulen at siphos.be>
Date:   Fri Apr 20 17:45:15 2012 +0200

    Allow httpd_t to change its system resources
    
    When using lighttpd and server.max-fds is set, then the httpd_t domain requires the setrlimit (process) and sys_resource
    (capability) privileges. As per Fedora's (and now also Gentoo's) implementation we support this through a boolean called
    "httpd_setrlimit" which is by default off.
    
    Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>

-----------------------------------------------------------------------

Summary of changes:
 apache.te |   14 +++++++++++++-
 mta.if    |    2 ++
 mta.te    |    2 +-
 3 files changed, 16 insertions(+), 2 deletions(-)

Detailed diffset:
:100644 100644 5b02edb... cf8ee79... M	apache.te
:100644 100644 343cee3... 4e2a5ba... M	mta.if
:100644 100644 51be8ac... 08f017d... M	mta.te

diff --git a/apache.te b/apache.te
index 5b02edb..cf8ee79 100644
--- a/apache.te
+++ b/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.3.0)
+policy_module(apache, 2.3.1)
 
 #
 # NOTES:
@@ -100,6 +100,13 @@ gen_tunable(httpd_enable_homedirs, false)
 
 ## <desc>
 ## <p>
+## Allow httpd daemon to change its resource limits
+## </p>
+## </desc>
+gen_tunable(httpd_setrlimit, false)
+
+## <desc>
+## <p>
 ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
 ## </p>
 ## </desc>
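
Review bot: the description added for `httpd_setrlimit` reads "Allow httpd daemon to change its resource limits", while the neighbouring entry right below it is written as "Allow HTTPD to ..." and ends with a period; match that wording and punctuation. The tunable_policy block for this boolean also grants `self:capability sys_resource`, so the description should mention the capability, otherwise an administrator enabling the boolean sees only "resource limits".
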
@@ -487,6 +494,11 @@ tunable_policy(`httpd_can_sendmail',`
 	mta_send_mail(httpd_t)
 ')
 
+tunable_policy(`httpd_setrlimit',`
+	allow httpd_t self:process setrlimit;
+	allow httpd_t self:capability sys_resource;
+')
+
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
 	allow httpd_sys_script_t httpd_t:fd use;
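
Review bot: `allow httpd_t self:capability sys_resource;` in the new `httpd_setrlimit` block has no comment saying why it is needed, and sys_resource is not limited to rlimit changes. Add a comment above the block recording the case from the commit message (lighttpd with server.max-fds set) so the capability grant can be re-evaluated later, and keep the two rules under the boolean as done here rather than moving them into the unconditional policy.
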
diff --git a/mta.if b/mta.if
index 343cee3..4e2a5ba 100644
--- a/mta.if
+++ b/mta.if
@@ -362,6 +362,8 @@ interface(`mta_send_mail',`
 	allow mta_user_agent $1:fd use;
 	allow mta_user_agent $1:process sigchld;
 	allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
+
+	dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;
 ')
 
 ########################################
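
Review bot: the `dontaudit` added at the end of `mta_send_mail` carries no comment, and because it is written against `$1` it silences `unix_stream_socket` `rw_socket_perms` denials from `mta_user_agent` towards every domain that calls the interface, not only the caller that prompted the change. Add a comment line saying which socket is involved and why the access is harmless (the commit message says only "Adding dontaudit on mta"), so the rule can be revisited if it hides a denial someone needs to see.
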
diff --git a/mta.te b/mta.te
index 51be8ac..08f017d 100644
--- a/mta.te
+++ b/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.4.0)
+policy_module(mta, 2.4.1)
 
 ########################################
 #


hooks/post-receive
--
refpolicy-contrib

