packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!154 allow httpd to create files in /etc/httpd

Browse Source 
From: @HuaxinLuGitee 
Reviewed-by: @zhujianwei001 
Signed-off-by: @zhujianwei001
This commit is contained in:
openeuler-ci-bot 2022-06-25 09:27:14 +00:00 committed by Gitee
commit 4a316b5b63
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 35 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
allow-httpd-to-put-files-in-httpd-config-dir.patch Normal file
View File

@ -0,0 +1,29 @@
From cf6c809927dfc258f44e55116556625b4ecc7b5d Mon Sep 17 00:00:00 2001
From: luhuaxin <luhuaxin1@huawei.com>
Date: Fri, 24 Jun 2022 15:03:25 +0800
Subject: [PATCH] allow httpd to put files in httpd config dir
Signed-off-by: luhuaxin <luhuaxin1@huawei.com>
---
policy/modules/contrib/apache.te | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 0e4d4bf..b264818 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -516,9 +516,8 @@ files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
allow httpd_t httpd_cache_t:file map;
# Allow the httpd_t to read the web servers config files
-allow httpd_t httpd_config_t:dir list_dir_perms;
-read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
-read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+# and put files in /etc/httpd
+apache_manage_config(httpd_t)
allow httpd_t httpd_config_t:file map;
can_exec(httpd_t, httpd_exec_t)
--
1.8.3.1

7
selinux-policy.spec
View File

@ -12,7 +12,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.14.2 Version: 3.14.2
Release: 76 Release: 77
License: GPLv2+ License: GPLv2+
URL: https://github.com/fedora-selinux/selinux-policy/ URL: https://github.com/fedora-selinux/selinux-policy/
@ -113,6 +113,8 @@ Patch6038: backport-iptables.fc-Add-missing-legacy-restore-and-legacy-sa.patch
Patch6039: backport-Add-file-context-for-.config-Yubico.patch Patch6039: backport-Add-file-context-for-.config-Yubico.patch
Patch6040: backport-Change-transitions-for-.config-Yubico.patch Patch6040: backport-Change-transitions-for-.config-Yubico.patch
Patch9000: allow-httpd-to-put-files-in-httpd-config-dir.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
@ -777,6 +779,9 @@ exit 0
%endif %endif
%changelog %changelog
* Sat Jun 25 2022 luhuaxin <luhuaxin1@huawei.com> - 3.14.2-77
- allow httpd create files in /etc/httpd
* Sat Dec 25 2021 gaoyusong <gaoyusong1@huawei.com> - 3.14.2-76 * Sat Dec 25 2021 gaoyusong <gaoyusong1@huawei.com> - 3.14.2-76
- Fix CVE-2020-24612 - Fix CVE-2020-24612