Within this patch set, we make the web content types as defined by the apache
module more generic in use so that other domains, who need to interact with
these types, can do so without getting too many privileges assigned (like with
apache_manage_all_content).
Since v1, the following changes have been incorporated:
- Adding apache_search_all_content within the apache_append_all_ra_content_files
interface
- Adding phpfpm_t domain as an example user for these interfaces
With thanks to Dominick Grift for his feedback.
Wkr,
Sven Vermeulen
Within the apache module, the apache_content_template() allows creation of
additional derived types for "apache web content". But it is actually being
used to label generic web content, and it creates additional types based on
the prefix.
When we want to support additional web servers (or parsers used by web
servers) that do not run within the apache-provided domains, they have a
hard time accessing the data. There is currently one interface available,
called "apache_manage_all_content" but that's a lot of privileges for a
parser that needs to read content.
In this patch, we create additional attributes (like httpd_ra_content and
httpd_rw_content) and define interfaces to manage the types that have these
attributes assigned.
Signed-off-by: Sven Vermeulen <[email protected]>
---
apache.if | 128 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 files changed, 126 insertions(+), 2 deletions(-)
diff --git a/apache.if b/apache.if
index 6480167..a1d1905 100644
--- a/apache.if
+++ b/apache.if
@@ -16,6 +16,8 @@ template(`apache_content_template',`
attribute httpdcontent;
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
+ attribute httpd_rw_content;
+ attribute httpd_ra_content;
type httpd_t, httpd_suexec_t, httpd_log_t;
')
# allow write access to public file transfer
@@ -41,11 +43,11 @@ template(`apache_content_template',`
corecmd_shell_entry_type(httpd_$1_script_t)
domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
- type httpd_$1_rw_content_t, httpdcontent; # customizable
+ type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable
typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
files_type(httpd_$1_rw_content_t)
- type httpd_$1_ra_content_t, httpdcontent; # customizable
+ type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable
typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
files_type(httpd_$1_ra_content_t)
@@ -448,6 +450,128 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
########################################
## <summary>
+## Read all appendable content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_all_ra_content',`
+ gen_require(`
+ attribute httpd_ra_content;
+ ')
+
+ read_files_pattern($1, httpd_ra_content, httpd_ra_content)
+ read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
+')
+
+########################################
+## <summary>
+## Append to all appendable web content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_append_all_ra_content_files',`
+ gen_require(`
+ attribute httpd_ra_content;
+ ')
+
+ apache_search_all_content($1)
+ append_files_pattern($1, httpd_ra_content, httpd_ra_content)
+')
+
+########################################
+## <summary>
+## Read all read/write content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_all_rw_content',`
+ gen_require(`
+ attribute httpd_rw_content;
+ ')
+
+ read_files_pattern($1, httpd_rw_content, httpd_rw_content)
+ read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
+')
+
+########################################
+## <summary>
+## Manage all read/write content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_manage_all_rw_content',`
+ gen_require(`
+ attribute httpd_rw_content;
+ ')
+
+ manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
+ manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
+ manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
+')
+
+########################################
+## <summary>
+## Read all web content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_all_content',`
+ gen_require(`
+ attribute httpdcontent, httpd_script_exec_type;
+ ')
+
+ read_files_pattern($1, httpdcontent, httpdcontent)
+ read_lnk_files_pattern($1, httpdcontent, httpdcontent)
+
+ read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+ read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+')
+
+########################################
+## <summary>
+## Search all apache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_search_all_content',`
+ gen_require(`
+ attribute httpdcontent;
+ ')
+
+ allow $1 httpdcontent:dir search_dir_perms;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete all web content.
## </summary>
## <param name="domain">
--
1.7.3.4
The PHP FactCGI Process Manager is a standalone daemon capable of handling web
content and is specifically targeting high-traffic, dynamic sites.
Since it too is a web server, it needs access to the various http content types
as declared through the apache module.
Signed-off-by: Sven Vermeulen <[email protected]>
---
phpfpm.fc | 5 +++
phpfpm.if | 30 +++++++++++++++++++++
phpfpm.te | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 121 insertions(+), 0 deletions(-)
create mode 100644 phpfpm.fc
create mode 100644 phpfpm.if
create mode 100644 phpfpm.te
diff --git a/phpfpm.fc b/phpfpm.fc
new file mode 100644
index 0000000..536a5c7
--- /dev/null
+++ b/phpfpm.fc
@@ -0,0 +1,5 @@
+/usr/lib(64)?/php.*/bin/php-fpm gen_context(system_u:object_r:phpfpm_exec_t,s0)
+
+/var/log/php-fpm.log gen_context(system_u:object_r:phpfpm_log_t,s0)
+/var/run/php-fpm.pid gen_context(system_u:object_r:phpfpm_var_run_t,s0)
+
diff --git a/phpfpm.if b/phpfpm.if
new file mode 100644
index 0000000..2038ed5
--- /dev/null
+++ b/phpfpm.if
@@ -0,0 +1,30 @@
+# <summary>PHP FastCGI Process Manager</summary>
+
+#################################################
+## <summary>
+## Administrate a phpfpm environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`phpfpm_admin',`
+ gen_require(`
+ type phpfpm_t;
+ type phpfpm_log_t, phpfpm_tmp_t, phpfpm_var_run_t;
+ ')
+
+ allow $1 phpfpm_t:process { ptrace signal_perms };
+ ps_process_pattern($1, phpfpm_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, phpfpm_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, phpfpm_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, phpfpm_var_run_t)
+')
diff --git a/phpfpm.te b/phpfpm.te
new file mode 100644
index 0000000..2bd30d7
--- /dev/null
+++ b/phpfpm.te
@@ -0,0 +1,86 @@
+policy_module(phpfpm, 1.0)
+
+#######################################
+#
+# Declarations
+#
+
+type phpfpm_t;
+type phpfpm_exec_t;
+init_daemon_domain(phpfpm_t, phpfpm_exec_t)
+
+type phpfpm_tmp_t;
+files_tmp_file(phpfpm_tmp_t)
+
+type phpfpm_var_run_t;
+files_pid_file(phpfpm_var_run_t)
+
+type phpfpm_log_t;
+logging_log_file(phpfpm_log_t)
+
+#######################################
+#
+# Local policy
+#
+
+
+allow phpfpm_t self:process signal;
+allow phpfpm_t self:capability { setuid setgid kill };
+allow phpfpm_t self:tcp_socket rw_stream_socket_perms;
+allow phpfpm_t self:udp_socket connected_socket_perms;
+allow phpfpm_t self:unix_stream_socket accept;
+
+manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
+logging_log_filetrans(phpfpm_t, phpfpm_log_t, file)
+
+manage_files_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t)
+manage_dirs_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t)
+files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, {file dir})
+
+manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
+files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, file)
+
+kernel_read_kernel_sysctls(phpfpm_t)
+
+corecmd_read_bin_symlinks(phpfpm_t)
+corecmd_search_bin(phpfpm_t)
+
+corenet_tcp_bind_all_unreserved_ports(phpfpm_t)
+corenet_tcp_bind_generic_node(phpfpm_t)
+corenet_tcp_bind_generic_port(phpfpm_t)
+# Comment was 'allow ldap connections' -> sysnet_use_ldap ?
+# Also, if it was optional because the application optionally does it, perhaps
+# introduce a tunable for this? phpfpm_allow_ldap?
+corenet_tcp_connect_ldap_port(phpfpm_t)
+
+dev_read_rand(phpfpm_t)
+dev_read_urand(phpfpm_t)
+
+files_read_etc_files(phpfpm_t)
+files_read_usr_files(phpfpm_t)
+files_search_var_lib(phpfpm_t)
+
+miscfiles_read_localization(phpfpm_t)
+
+sysnet_dns_name_resolve(phpfpm_t)
+sysnet_read_config(phpfpm_t)
+
+userdom_search_user_home_dirs(phpfpm_t)
+
+apache_append_all_ra_content(phpfpm_t)
+apache_manage_all_rw_content(phpfpm_t)
+apache_read_sys_content(phpfpm_t)
+apache_dontaudit_search_modules(phpfpm_t)
+
+optional_policy(`
+ mysql_tcp_connect(phpfpm_t)
+')
+
+optional_policy(`
+ postgresql_tcp_connect(phpfpm_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(phpfpm_t)
+')
+
--
1.7.3.4
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/roles/sysadm.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index bd5a2ea..0c30596 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -260,6 +260,10 @@ optional_policy(`
')
optional_policy(`
+ phpfpm_admin(sysadm_t)
+')
+
+optional_policy(`
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
--
1.7.3.4
Meh, didn't use double-comment in the interface' <summary>..</summary>
block. Will report soonish.