2017-09-18 15:01:58

by Christian Göttsche

Subject: [refpolicy] [PATCH] apache: update

- add filecontexts
- add reload interface (e.g. for logrotate)
- remove old aliases
- use new userdom_use_inherited_user_terminals

v2:
- full dontaudits in tunables
- nextcloud filecontexts
- drop alias removals
---
apache.fc | 11 +++++++++++
apache.if | 19 +++++++++++++++++++
apache.te | 18 ++++++++++++------
3 files changed, 42 insertions(+), 6 deletions(-)

diff --git a/apache.fc b/apache.fc
index 16fb1a6..67bf2a2 100644
--- a/apache.fc
+++ b/apache.fc
@@ -63,6 +63,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:obje
/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/systemd/system/apache[^/]*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
/usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
/usr/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)

@@ -144,6 +145,8 @@ ifdef(`distro_suse',`
/var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)

+/var/lock/apache2(/.*)? gen_context(system_u:object_r:httpd_lock_t,s0)
+
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -177,6 +180,8 @@ ifdef(`distro_suse',`

/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www(/.*)?/roundcubemail/logs(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www(/.*)?/roundcubemail/temp(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
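Review bot: The two new roundcubemail entries label a `logs` directory httpd_sys_rw_content_t, whereas the generic `/var/www(/.*)?/logs(/.*)?` entry two lines above uses httpd_sys_ra_content_t so the web server can only append to its own logs. As the later entry with the same literal prefix the new line overrides the generic label (as I read fc precedence), which would let httpd_t truncate or remove roundcube's log files; if roundcube only appends, `/var/www(/.*)?/roundcubemail/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)` keeps the append-only property. Whether roundcube actually rewrites its log files is not visible here, so this needs confirming against its log handling before changing.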
@@ -188,7 +193,13 @@ ifdef(`distro_suse',`
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www(/.*)?/nextcloud/config(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www(/.*)?/nextcloud/data(.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www(/.*)?/nextcloud/apps(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www(/.*)?/nextcloud/\.htaccess -- gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/sessions(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/uploads(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
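Review bot: The nextcloud `data` entry uses `(.*)?` where every neighbouring entry uses `(/.*)?`, so it also matches siblings such as `/var/www/nextcloud/database` or `/var/www/nextcloud/data-old`; unless that is intentional the line should read `/var/www(/.*)?/nextcloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)`. Separately, `nextcloud/config` and `nextcloud/.htaccess` become writable by the web server, presumably because nextcloud maintains its own config; since that also widens what a compromised httpd_t can alter, a one-line comment above the block stating why these are rw rather than plain content would help the next maintainer.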
diff --git a/apache.if b/apache.if
index 91191ec..135e2f5 100644
--- a/apache.if
+++ b/apache.if
@@ -390,6 +390,25 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
dontaudit $1 httpd_t:tcp_socket { read write };
')

+########################################
+## <summary>
+## Reload the httpd service (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_reload',`
+ gen_require(`
+ type httpd_unit_t;
+ class service { reload status };
+ ')
+
+ allow $1 httpd_unit_t:service { reload status };
+')
+
########################################
## <summary>
## Read all appendable content
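Review bot: The summary of the new `apache_reload` interface says only "Reload the httpd service", but the allow rule also grants `status` on httpd_unit_t, so callers receive more than the name and documentation state; change the summary to `## Reload and query the status of the httpd service (systemd).` so the extra permission is visible to anyone auditing which domains may poke the unit. The interface is otherwise consistent with the surrounding ones in this file.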
diff --git a/apache.te b/apache.te
index 1c10521..0fe5438 100644
--- a/apache.te
+++ b/apache.te
@@ -407,7 +407,10 @@ allow httpd_t httpd_lock_t:file manage_file_perms;
files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })

manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
-manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
logging_log_filetrans(httpd_t, httpd_log_t, file)
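Review bot: The change from `manage_files_pattern` to append/create/read/setattr on httpd_log_t drops write, unlink and rename on log files, and the next hunk (removal of `userdom_use_unpriv_users_fds(httpd_t)`) drops the inherited unprivileged-user descriptors; neither change is mentioned in the commit message, whose bullets cover only file contexts, the reload interface, the tunable dontaudits and the terminal interface. Both are defensible hardening (a web server that can only append to its logs cannot rewrite them), but each can surface new denials on existing deployments, so each deserves a line in the description. For the fd removal it is worth stating whether a dontaudit counterpart is intended; refpolicy has `userdom_dontaudit_use_unpriv_user_fds`, though that should be checked against the tree this targets.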

@@ -530,8 +533,6 @@ miscfiles_read_tetex_data(httpd_t)

seutil_dontaudit_search_config(httpd_t)

-userdom_use_unpriv_users_fds(httpd_t)
-
ifdef(`TODO',`
tunable_policy(`allow_httpd_mod_auth_pam',`
auth_domtrans_chk_passwd(httpd_t)
@@ -656,6 +657,8 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_sc

tunable_policy(`httpd_execmem',`
allow httpd_t self:process { execmem execstack };
+',`
+ dontaudit httpd_t self:process { execmem execstack };
')

tunable_policy(`httpd_can_sendmail',`
@@ -707,6 +710,9 @@ tunable_policy(`httpd_read_user_content',`
tunable_policy(`httpd_setrlimit',`
allow httpd_t self:process setrlimit;
allow httpd_t self:capability sys_resource;
+',`
+ dontaudit httpd_t self:process setrlimit;
+ dontaudit httpd_t self:capability sys_resource;
')

tunable_policy(`httpd_ssi_exec',`
@@ -718,7 +724,7 @@ tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
')

tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_t)
',`
userdom_dontaudit_use_user_terminals(httpd_t)
')
@@ -919,7 +925,7 @@ logging_search_logs(httpd_helper_t)
logging_send_syslog_msg(httpd_helper_t)

tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
',`
userdom_dontaudit_use_user_terminals(httpd_helper_t)
')
@@ -1051,7 +1057,7 @@ tunable_policy(`httpd_tmp_exec',`
')

tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_suexec_t)
+ userdom_use_inherited_user_terminals(httpd_suexec_t)
',`
userdom_dontaudit_use_user_terminals(httpd_suexec_t)
')
--
2.14.1


2017-09-19 22:22:29

by Chris PeBenito

Subject: [refpolicy] [PATCH] apache: update

On 09/18/2017 11:01 AM, Christian Göttsche via refpolicy wrote:
> - add filecontexts
> - add reload interface (e.g. for logrotate)
> - remove old aliases
> - use new userdom_use_inherited_user_terminals
>
> v2:
> - full dontaudits in tunables
> - nextcloud filecontexts
> - drop alias removals
> ---
> apache.fc | 11 +++++++++++
> apache.if | 19 +++++++++++++++++++
> apache.te | 18 ++++++++++++------
> 3 files changed, 42 insertions(+), 6 deletions(-)
>
> diff --git a/apache.fc b/apache.fc
> index 16fb1a6..67bf2a2 100644
> --- a/apache.fc
> +++ b/apache.fc
> @@ -63,6 +63,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:obje
> /usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> /usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
> /usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
> +/usr/lib/systemd/system/apache[^/]*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
> /usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
> /usr/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
>
> @@ -144,6 +145,8 @@ ifdef(`distro_suse',`
> /var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> /var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>
> +/var/lock/apache2(/.*)? gen_context(system_u:object_r:httpd_lock_t,s0)
> +
> /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> @@ -177,6 +180,8 @@ ifdef(`distro_suse',`
>
> /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> /var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
> +/var/www(/.*)?/roundcubemail/logs(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www(/.*)?/roundcubemail/temp(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> /var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> @@ -188,7 +193,13 @@ ifdef(`distro_suse',`
> /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> /var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
> /var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www(/.*)?/nextcloud/config(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www(/.*)?/nextcloud/data(.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www(/.*)?/nextcloud/apps(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www(/.*)?/nextcloud/\.htaccess -- gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/var/www/sessions(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> /var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> /var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/var/www/uploads(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> diff --git a/apache.if b/apache.if
> index 91191ec..135e2f5 100644
> --- a/apache.if
> +++ b/apache.if
> @@ -390,6 +390,25 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
> dontaudit $1 httpd_t:tcp_socket { read write };
> ')
>
> +########################################
> +## <summary>
> +## Reload the httpd service (systemd).
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`apache_reload',`
> + gen_require(`
> + type httpd_unit_t;
> + class service { reload status };
> + ')
> +
> + allow $1 httpd_unit_t:service { reload status };
> +')
> +
> ########################################
> ## <summary>
> ## Read all appendable content
> diff --git a/apache.te b/apache.te
> index 1c10521..0fe5438 100644
> --- a/apache.te
> +++ b/apache.te
> @@ -407,7 +407,10 @@ allow httpd_t httpd_lock_t:file manage_file_perms;
> files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
>
> manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
> -manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> logging_log_filetrans(httpd_t, httpd_log_t, file)
>
> @@ -530,8 +533,6 @@ miscfiles_read_tetex_data(httpd_t)
>
> seutil_dontaudit_search_config(httpd_t)
>
> -userdom_use_unpriv_users_fds(httpd_t)
> -
> ifdef(`TODO',`
> tunable_policy(`allow_httpd_mod_auth_pam',`
> auth_domtrans_chk_passwd(httpd_t)
> @@ -656,6 +657,8 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_sc
>
> tunable_policy(`httpd_execmem',`
> allow httpd_t self:process { execmem execstack };
> +',`
> + dontaudit httpd_t self:process { execmem execstack };
> ')
>
> tunable_policy(`httpd_can_sendmail',`
> @@ -707,6 +710,9 @@ tunable_policy(`httpd_read_user_content',`
> tunable_policy(`httpd_setrlimit',`
> allow httpd_t self:process setrlimit;
> allow httpd_t self:capability sys_resource;
> +',`
> + dontaudit httpd_t self:process setrlimit;
> + dontaudit httpd_t self:capability sys_resource;
> ')
>
> tunable_policy(`httpd_ssi_exec',`
> @@ -718,7 +724,7 @@ tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
> ')
>
> tunable_policy(`httpd_tty_comm',`
> - userdom_use_user_terminals(httpd_t)
> + userdom_use_inherited_user_terminals(httpd_t)
> ',`
> userdom_dontaudit_use_user_terminals(httpd_t)
> ')
> @@ -919,7 +925,7 @@ logging_search_logs(httpd_helper_t)
> logging_send_syslog_msg(httpd_helper_t)
>
> tunable_policy(`httpd_tty_comm',`
> - userdom_use_user_terminals(httpd_helper_t)
> + userdom_use_inherited_user_terminals(httpd_helper_t)
> ',`
> userdom_dontaudit_use_user_terminals(httpd_helper_t)
> ')
> @@ -1051,7 +1057,7 @@ tunable_policy(`httpd_tmp_exec',`
> ')
>
> tunable_policy(`httpd_tty_comm',`
> - userdom_use_user_terminals(httpd_suexec_t)
> + userdom_use_inherited_user_terminals(httpd_suexec_t)
> ',`
> userdom_dontaudit_use_user_terminals(httpd_suexec_t)
> ')

Merged.

--
Chris PeBenito