Within the apache module, the apache_content_template() allows creation of
additional derived types for "apache web content". But it is actually being
used to label generic web content, and it creates additional types based on
the prefix.
The most used and well known one is the "sys" derived type (through
apache_content_template(sys) within apache.te), which creates the types
httpd_sys_content_t (attribute httpdcontent)
httpd_sys_ra_content_t (attribute httpdcontent)
httpd_sys_rw_content_t (attribute httpdcontent)
When we want to support additional web servers (or parsers used by web
servers) that do not run within the apache-provided domains, they have a
hard time accessing the data. There is currently one interface available,
called "apache_manage_all_content" but that's a lot of privileges for a
parser that needs to read content.
In the below patch, I suggest to "tag" the created additional types with the
following attributes:
httpd_ra_content for the appendable content
httpd_rw_content for the read/write content
In other words, the previously mentioned types become:
httpd_sys_content_t (attribute httpdcontent)
httpd_sys_ra_content (attribute httpdcontent, attribute httpd_ra_content)
httpd_sys_rw_content (attribute httpdcontent, attribute httpd_rw_content)
Then the following interfaces are also supported so that other domains can
benefit from using these types:
apache_read_all_ra_content (reads httpd_ra_content)
apache_append_all_ra_content (appends to httpd_ra_content)
apache_read_all_rw_content (reads httpd_rw_content)
apache_manage_all_rw_content (manage httpd_rw_content)
apache_read_all_content (reads httpdcontent)
With these interfaces, we can then have additional web server domains to
access the files. Generally, this would mean (I use phpfpm_t as an example
here):
apache_append_all_ra_content(phpfpm_t)
apache_manage_all_rw_content(phpfpm_t)
apache_read_all_content(phpfpm_t)
So, what's your take on this?
--- refpolicy/policy/modules/services/apache.te 2011-07-26 14:10:40.000000000 +0200
+++ refpolicy/policy/modules/services/apache.te 2011-12-31 13:07:31.499729456 +0100
@@ -143,6 +143,8 @@
gen_tunable(httpd_use_nfs, false)
attribute httpdcontent;
+attribute httpd_ra_content;
+attribute httpd_rw_content;
attribute httpd_user_content_type;
# domains that can exec all users scripts
--- refpolicy/policy/modules/services/apache.if 2011-03-28 17:05:13.000000000 +0200
+++ refpolicy/policy/modules/services/apache.if 2011-12-31 13:18:04.040730813 +0100
@@ -41,11 +41,11 @@
corecmd_shell_entry_type(httpd_$1_script_t)
domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
- type httpd_$1_rw_content_t, httpdcontent; # customizable
+ type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable
typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
files_type(httpd_$1_rw_content_t)
- type httpd_$1_ra_content_t, httpdcontent; # customizable
+ type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable
typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
files_type(httpd_$1_ra_content_t)
@@ -447,6 +447,112 @@
')
########################################
+## <summary>
+## Read all appendable content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_all_ra_content',`
+ gen_require(`
+ attribute httpd_ra_content;
+ ')
+
+ read_files_pattern($1, httpd_ra_content, httpd_ra_content)
+ read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
+')
+
+########################################
+## <summary>
+## Append to all appendable web content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_append_all_ra_content',`
+ gen_require(`
+ attribute httpd_ra_content;
+ ')
+
+ allow $1 httpd_ra_content:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern($1, httpd_ra_content, httpd_ra_content)
+ append_files_pattern($1, httpd_ra_content, httpd_ra_content)
+ read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
+')
+
+########################################
+## <summary>
+## Read all read/write content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_all_rw_content',`
+ gen_require(`
+ attribute httpd_rw_content;
+ ')
+
+ read_files_pattern($1, httpd_rw_content, httpd_rw_content)
+ read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
+')
+
+########################################
+## <summary>
+## Manage all read/write content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_manage_all_rw_content',`
+ gen_require(`
+ attribute httpd_rw_content;
+ ')
+
+ manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
+ manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
+ manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
+')
+
+########################################
+## <summary>
+## Read all web content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_all_content',`
+ gen_require(`
+ attribute httpdcontent, httpd_script_exec_type;
+ ')
+
+ read_files_pattern($1, httpdcontent, httpdcontent)
+ read_lnk_files_pattern($1, httpdcontent, httpdcontent)
+
+ read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+ read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+')
+
+########################################
## <summary>
## Create, read, write, and delete all web content.
## </summary>
apache_read_all_content (reads httpdcontent)
On 12/31/11 07:29, Sven Vermeulen wrote:
> Within the apache module, the apache_content_template() allows creation of
> additional derived types for "apache web content". But it is actually being
> used to label generic web content, and it creates additional types based on
> the prefix.
>
> The most used and well known one is the "sys" derived type (through
> apache_content_template(sys) within apache.te), which creates the types
> httpd_sys_content_t (attribute httpdcontent)
> httpd_sys_ra_content_t (attribute httpdcontent)
> httpd_sys_rw_content_t (attribute httpdcontent)
>
> When we want to support additional web servers (or parsers used by web
> servers) that do not run within the apache-provided domains, they have a
> hard time accessing the data. There is currently one interface available,
> called "apache_manage_all_content" but that's a lot of privileges for a
> parser that needs to read content.
>
> In the below patch, I suggest to "tag" the created additional types with the
> following attributes:
> httpd_ra_content for the appendable content
> httpd_rw_content for the read/write content
>
> In other words, the previously mentioned types become:
> httpd_sys_content_t (attribute httpdcontent)
> httpd_sys_ra_content (attribute httpdcontent, attribute httpd_ra_content)
> httpd_sys_rw_content (attribute httpdcontent, attribute httpd_rw_content)
>
> Then the following interfaces are also supported so that other domains can
> benefit from using these types:
> apache_read_all_ra_content (reads httpd_ra_content)
> apache_append_all_ra_content (appends to httpd_ra_content)
> apache_read_all_rw_content (reads httpd_rw_content)
> apache_manage_all_rw_content (manage httpd_rw_content)
> apache_read_all_content (reads httpdcontent)
>
> With these interfaces, we can then have additional web server domains to
> access the files. Generally, this would mean (I use phpfpm_t as an example
> here):
> apache_append_all_ra_content(phpfpm_t)
> apache_manage_all_rw_content(phpfpm_t)
> apache_read_all_content(phpfpm_t)
>
> So, what's your take on this?
Generally I'm ok with this, but there are issues in the patch.
> --- refpolicy/policy/modules/services/apache.te 2011-07-26 14:10:40.000000000 +0200
> +++ refpolicy/policy/modules/services/apache.te 2011-12-31 13:07:31.499729456 +0100
> @@ -143,6 +143,8 @@
> gen_tunable(httpd_use_nfs, false)
>
> attribute httpdcontent;
> +attribute httpd_ra_content;
> +attribute httpd_rw_content;
> attribute httpd_user_content_type;
>
> # domains that can exec all users scripts
> --- refpolicy/policy/modules/services/apache.if 2011-03-28 17:05:13.000000000 +0200
> +++ refpolicy/policy/modules/services/apache.if 2011-12-31 13:18:04.040730813 +0100
> @@ -41,11 +41,11 @@
> corecmd_shell_entry_type(httpd_$1_script_t)
> domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
>
> - type httpd_$1_rw_content_t, httpdcontent; # customizable
> + type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable
> typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
> files_type(httpd_$1_rw_content_t)
>
> - type httpd_$1_ra_content_t, httpdcontent; # customizable
> + type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable
> typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
> files_type(httpd_$1_ra_content_t)
>
> @@ -447,6 +447,112 @@
> ')
>
> ########################################
> +## <summary>
> +## Read all appendable content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`apache_read_all_ra_content',`
> + gen_require(`
> + attribute httpd_ra_content;
> + ')
> +
> + read_files_pattern($1, httpd_ra_content, httpd_ra_content)
> + read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
> +')
> +
> +########################################
> +## <summary>
> +## Append to all appendable web content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`apache_append_all_ra_content',`
> + gen_require(`
> + attribute httpd_ra_content;
> + ')
> +
> + allow $1 httpd_ra_content:dir { list_dir_perms add_entry_dir_perms };
> + read_files_pattern($1, httpd_ra_content, httpd_ra_content)
> + append_files_pattern($1, httpd_ra_content, httpd_ra_content)
> + read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
> +')
There should be no read files perms here.
> +########################################
> +## <summary>
> +## Read all read/write content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`apache_read_all_rw_content',`
> + gen_require(`
> + attribute httpd_rw_content;
> + ')
> +
> + read_files_pattern($1, httpd_rw_content, httpd_rw_content)
> + read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
> +')
> +
> +########################################
> +## <summary>
> +## Manage all read/write content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`apache_manage_all_rw_content',`
> + gen_require(`
> + attribute httpd_rw_content;
> + ')
> +
> + manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
> + manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
> + manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
> +')
Also seems to have excessive perms.
> +########################################
> +## <summary>
> +## Read all web content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`apache_read_all_content',`
> + gen_require(`
> + attribute httpdcontent, httpd_script_exec_type;
> + ')
> +
> + read_files_pattern($1, httpdcontent, httpdcontent)
> + read_lnk_files_pattern($1, httpdcontent, httpdcontent)
> +
> + read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
> + read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
> +')
> +
Doesn't seem appropriate to include the script type here.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Wed, Jan 04, 2012 at 07:13:54AM -0500, Christopher J. PeBenito wrote:
> > +interface(`apache_manage_all_rw_content',`
> > + gen_require(`
> > + attribute httpd_rw_content;
> > + ')
> > +
> > + manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
> > + manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
> > + manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
> > +')
>
> Also seems to have excessive perms.
How's that? It is not different from what we grant to the
httpd_$1_script_t domain (towards its httpd_$1_rw_content_t type):
manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
The httpd_*_rw_content_t types are generally used to host the content that a
webserver should be able to read, write and manage (including creating new
ones or deleting existing ones). Given that, I'd imagine that
manage_*_pattern for at least dirs and files is needed. I don't have
immediate need myself to manage symbolic links from a web application, but I
can imagine that is equally wanted?
> > +########################################
> > +## <summary>
> > +## Read all web content.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +## <rolecap/>
> > +#
> > +interface(`apache_read_all_content',`
> > + gen_require(`
> > + attribute httpdcontent, httpd_script_exec_type;
> > + ')
> > +
> > + read_files_pattern($1, httpdcontent, httpdcontent)
> > + read_lnk_files_pattern($1, httpdcontent, httpdcontent)
> > +
> > + read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
> > + read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
> > +')
> > +
>
> Doesn't seem appropriate to include the script type here.
Actually I based this one on the already existing apache_manage_all_content:
interface(`apache_manage_all_content',`
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
')
manage_dirs_pattern($1, httpdcontent, httpdcontent)
manage_files_pattern($1, httpdcontent, httpdcontent)
manage_lnk_files_pattern($1, httpdcontent, httpdcontent)
manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
')
I changed the manage_ with read_ and dropped the one on directories as the
necessary privileges are part of the other pattern definitions already
(well, at least search privileges, not sure if we need to list directories
here as well).
If we keep the script type out here, I think we might need to introduce an
apache_read_all_scripts then (just like there already is an
apache_read_user_scripts) since the other web servers (like phpfpm) might
need to read in the scripts in order to properly parse and execute them.
Wkr,
Sven Vermeulen