From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 16633138010 for ; Mon, 8 Oct 2012 18:18:40 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 7D81CE0444; Mon, 8 Oct 2012 18:17:47 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id B12C8E0477 for ; Mon, 8 Oct 2012 18:17:46 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id B117633C4EE for ; Mon, 8 Oct 2012 18:17:45 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 5B5EFE543E for ; Mon, 8 Oct 2012 18:17:44 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1349719823.1dbaf4779b15dde82d7635b37f6c57d31ede631f.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/apache.if policy/modules/contrib/apache.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 1dbaf4779b15dde82d7635b37f6c57d31ede631f X-VCS-Branch: master Date: Mon, 8 Oct 2012 18:17:44 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: b50c4c4e-6ae8-43d5-86d3-e70af541407d X-Archives-Hash: 5aa9692f972f5672369da0b0d7dcc9aa commit: 1dbaf4779b15dde82d7635b37f6c57d31ede631f Author: Dominick Grift gmail com> AuthorDate: Mon Oct 8 08:15:42 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Mon Oct 8 18:10:23 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1dbaf477 Changes to the apache policy module Make apache_role a bit more compact Make callers of the apache_role create the various httpd content with a type transition Signed-off-by: Dominick Grift gmail.com>
---
 policy/modules/contrib/apache.if | 50 +++++++++++++++++--------------------
 policy/modules/contrib/apache.te | 2 +-
 2 files changed, 24 insertions(+), 28 deletions(-)
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index 166bce6..82e0d63 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -234,33 +234,29 @@ interface(`apache_role',`
 allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
- manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
- manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
- manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
- relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
- relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
- relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
-
- manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
- manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
- manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
- relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
- relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
- relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
-
- manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
- manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
- manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
- relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
- relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
- relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-
- manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
- manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
- manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
- relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
- relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
- relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms };
+ allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+
+ allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms };
+ allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+
+ allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms };
+ allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+
+ allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms };
+ allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+
+ userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html")
+ userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web")
+ userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www")
+
+ filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess")
+ filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
+ filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs")
 tunable_policy(`httpd_enable_cgi',`
 domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 18c433c..cdd3610 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.5.3)
+policy_module(apache, 2.5.4)
 #
 # NOTES:
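Review bot: The six new name-based transitions (`userdom_user_home_dir_filetrans` for `public_html`/`web`/`www` and `filetrans_pattern` for `.htaccess`/`cgi-bin`/`logs`) change the labels every caller of apache_role gets on directories it creates, but neither the hunk nor the interface's doc header records that; apache_role starts above line 234, so its `<desc>` block is outside this hunk. In particular a home directory the user names `web` or `www` for unrelated purposes now lands in httpd_user_content_t, and a `cgi-bin` created under such content becomes httpd_user_script_exec_t, the type the `httpd_enable_cgi` block at the end of the hunk lets the domain transition through, so an administrator reading the interface should be told which names trigger this. I would add, before the `userdom_user_home_dir_filetrans` lines, `# Name-based transitions: public_html/web/www in the home dir become user web content; .htaccess, cgi-bin and logs underneath get the htaccess, script-exec and read-append content types.` and a sentence to the same effect in the interface's `<desc>` block. The compaction of the manage/relabel patterns into direct `allow` rules looks equivalent since source and target types were identical in every call; the only visible difference is the loss of the per-group blank line rhythm, which the new rules keep.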