commit: 39cc094a67628edbc6539c8d0b9734de80a6c4a0 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> AuthorDate: Sun Mar 30 14:09:11 2014 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Tue Apr 8 15:55:05 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=39cc094a
Support read/append/manage functions for various httpd content We make the web content types as defined by the apache module more generic in use so that other domains, who need to interact with these types, can do so without getting too many privileges assigned (like with apache_manage_all_content). Within the apache module, the apache_content_template() allows creation of additional derived types for "apache web content". But this is actually being used to label generic web content, and it creates additional types based on the prefix. When we want to support additional web servers (or parsers used by web servers, such as php-fpm) that do not run within the apache-provided domains, they have a hard time accessing the data. There is currently one interface available (apache_manage_all_content) but that is a lot of privileges for a parser that possibly just needs to read content. In this patch, we create additional attributes (httpd_ra_content for read/append data, and httpd_rw_content for read/write content) and define interfaces to manage the types that have these attributes assigned. This is the result of the discussion of June 2012, which was version 3 of the patchset (I never came to finish up the commit), see also http://oss.tresys.com/pipermail/refpolicy/2012-June/005175.html Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> --- policy/modules/contrib/apache.if | 120 ++++++++++++++++++++++++++++++++++++++- policy/modules/contrib/apache.te | 3 + 2 files changed, 121 insertions(+), 2 deletions(-) diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if index 655cbe1..1a07241 100644 --- a/policy/modules/contrib/apache.if +++ b/policy/modules/contrib/apache.if @@ -15,6 +15,7 @@ template(`apache_content_template',` gen_require(` attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type; attribute httpd_script_domains, httpd_htaccess_type; + attribute httpd_rw_content, httpd_ra_content; type httpd_t, httpd_suexec_t; ') @@ -48,11 +49,11 @@ template(`apache_content_template',` corecmd_shell_entry_type(httpd_$1_script_t) domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) - type httpd_$1_rw_content_t, httpdcontent; # customizable + type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t }; files_type(httpd_$1_rw_content_t) - type httpd_$1_ra_content_t, httpdcontent; # customizable + type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; files_type(httpd_$1_ra_content_t) @@ -402,6 +403,121 @@ interface(`apache_dontaudit_rw_tcp_sockets',` ######################################## ## <summary> +## Read all appendable content +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_read_all_ra_content',` + gen_require(` + attribute httpd_ra_content; + ') + + read_files_pattern($1, httpd_ra_content, httpd_ra_content) + read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content) +') + +######################################## +## <summary> +## Append to all appendable web content +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_append_all_ra_content',` + gen_require(` + attribute httpd_ra_content; + ') + + append_files_pattern($1, httpd_ra_content, httpd_ra_content) +') + +######################################## +## <summary> +## Read all read/write content +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_read_all_rw_content',` + gen_require(` + attribute httpd_rw_content; + ') + + read_files_pattern($1, httpd_rw_content, httpd_rw_content) + read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content) +') + +######################################## +## <summary> +## Manage all read/write content +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_manage_all_rw_content',` + gen_require(` + attribute httpd_rw_content; + ') + + manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content) + manage_files_pattern($1, httpd_rw_content, httpd_rw_content) + manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content) +') +######################################## +## <summary> +## Read all web content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_read_all_content',` + gen_require(` + attribute httpdcontent, httpd_script_exec_type; + ') + + read_files_pattern($1, httpdcontent, httpdcontent) + read_lnk_files_pattern($1, httpdcontent, httpdcontent) + + read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) + read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) +') + +####################################### +## <summary> +## Search all apache content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_search_all_content',` + gen_require(` + attribute httpdcontent; + ') + + allow $1 httpdcontent:dir search_dir_perms; +') + +######################################## +## <summary> ## Create, read, write, and delete ## all httpd content. ## </summary> diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te index de61615..ba6b285 100644 --- a/policy/modules/contrib/apache.te +++ b/policy/modules/contrib/apache.te @@ -257,6 +257,9 @@ attribute httpd_htaccess_type; # domains that can exec all scripts attribute httpd_exec_scripts; +attribute httpd_ra_content; +attribute httpd_rw_content; + attribute httpd_script_exec_type; # all script domains
