2017-04-20 01:00:15

by guido

Subject: [refpolicy] [PATCH 3/33] apache: curb on userdom permissions

This patch curbs userdomain file read and/or write permissions
for the apache http daemon module.

It aims to ensure user data confidentiality.

A boolean has been introduced to revert the previous read/write
behavior.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/apache.te | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)

--- refpolicy-2.20170204-orig/policy/modules/contrib/apache.te 2017-02-04 19:30:39.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/apache.te 2017-04-20 00:42:04.560442582 +0200
@@ -224,6 +224,10 @@ gen_tunable(httpd_unified, false)
## <p>
## Determine whether httpd can use
## cifs file systems.
+## When the user home directories
+## use the cifs file system, this
+## implies httpd_enable_home_dirs
+## and httpd_read_user_content.
## </p>
## </desc>
gen_tunable(httpd_use_cifs, false)
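Review bot: The added description names `httpd_enable_home_dirs`, but the tunable_policy context lines in later hunks of this same file spell the boolean `httpd_enable_homedirs`, so an administrator looking up the documented name would not find it. The same wording is repeated in the httpd_use_fusefs and httpd_use_nfs descriptions; all three should read `## implies httpd_enable_homedirs`. The rules behind httpd_use_cifs are not visible here, so "implies" should be checked against them. If enabling a network-filesystem boolean really does grant reads of user home content, the description should say so plainly as a confidentiality trade-off.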
@@ -232,6 +236,10 @@ gen_tunable(httpd_use_cifs, false)
## <p>
## Determine whether httpd can
## use fuse file systems.
+## When the user home directories
+## use the fuse file system, this
+## implies httpd_enable_home_dirs
+## and httpd_read_user_content.
## </p>
## </desc>
gen_tunable(httpd_use_fusefs, false)
@@ -247,6 +255,10 @@ gen_tunable(httpd_use_gpg, false)
## <p>
## Determine whether httpd can use
## nfs file systems.
+## When the user home directories
+## use the nfs file system, this
+## implies httpd_enable_home_dirs
+## and httpd_read_user_content.
## </p>
## </desc>
gen_tunable(httpd_use_nfs, false)
@@ -692,6 +704,8 @@ optional_policy(`

tunable_policy(`httpd_read_user_content',`
userdom_read_user_home_content_files(httpd_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(httpd_t)
')

tunable_policy(`httpd_setrlimit',`
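Review bot: The new else branch `userdom_dontaudit_read_user_home_content_files(httpd_t)` removes no permission, since the read is already denied when httpd_read_user_content is off; it only silences the AVC denial. Those denials are the audit trail a defender would use to spot a compromised or misconfigured web server touching home directories, so consider leaving them audited. If they stay suppressed, add a comment above the branch such as `# denials suppressed as expected noise; rebuild with semodule -DB to see them`. The same applies to the httpd_suexec_t, httpd_sys_script_t and httpd_user_script_t hunks. The description also mentions a newly introduced boolean, but no gen_tunable is added in the visible hunks.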
@@ -1096,6 +1110,8 @@ optional_policy(`

tunable_policy(`httpd_read_user_content',`
userdom_read_user_home_content_files(httpd_suexec_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(httpd_suexec_t)
')

tunable_policy(`httpd_enable_homedirs',`
@@ -1264,6 +1280,8 @@ tunable_policy(`httpd_execmem',`

tunable_policy(`httpd_read_user_content',`
userdom_read_user_home_content_files(httpd_sys_script_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(httpd_sys_script_t)
')

tunable_policy(`httpd_use_cifs',`
@@ -1367,6 +1385,8 @@ tunable_policy(`httpd_enable_homedirs &&

tunable_policy(`httpd_read_user_content',`
userdom_read_user_home_content_files(httpd_user_script_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(httpd_user_script_t)
')

optional_policy(`