From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 06 Nov 2008 11:31:49 -0500
Subject: [refpolicy] services_cvs.patch
In-Reply-To: <1225986183.12285.33.camel@gorn.columbia.tresys.com>
References: <48F5056C.4090008@redhat.com>
	<1225986183.12285.33.camel@gorn.columbia.tresys.com>
Message-ID: <49131BF5.6040303@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Christopher J. PeBenito wrote:
> On Tue, 2008-10-14 at 16:47 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_cvs.patch
>>
>> Needs
>>
>> +       files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
> 
> Conflicting type transition with httpd_cvs_script_rw_t.
> 
Alright I guess the problem here is in my version of the apache interface

My apache_content_template eliminates a lot of the rules that were
specific to httpd_sys_script_t and moves them into the te file.  This
allows me to more easily write a confined cgi script that is much
tighter then the Reference policy

########################################
## <summary>
##	Create a set of derived types for apache
##	web content.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving type names.
##	</summary>
## </param>
#
template(`apache_content_template',`
	gen_require(`
		attribute httpd_exec_scripts;
		attribute httpd_script_exec_type;
		type httpd_t, httpd_suexec_t, httpd_log_t;
	')
	#This type is for webpages
	type httpd_$1_content_t;
	files_type(httpd_$1_content_t)

	# This type is used for .htaccess files
	type httpd_$1_htaccess_t;
	files_type(httpd_$1_htaccess_t)

	# Type that CGI scripts run as
	type httpd_$1_script_t;
	domain_type(httpd_$1_script_t)
	role system_r types httpd_$1_script_t;

	# This type is used for executable scripts files
	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
	corecmd_shell_entry_type(httpd_$1_script_t)
	domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)

	# The following three are the only areas that
	# scripts can read, read/write, or append to
	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;

	type httpd_$1_content_rw_t;
	files_type(httpd_$1_content_rw_t)
	typealias httpd_$1_content_rw_t alias httpd_$1_script_rw_t;

	type httpd_$1_content_ra_t;
	files_type(httpd_$1_content_ra_t)
	typealias httpd_$1_content_ra_t alias httpd_$1_script_ra_t;

	read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)

	domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)

	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_rw_t
httpd_$1_script_exec_t }:dir search_dir_perms;
	allow httpd_t { httpd_$1_content_t httpd_$1_content_rw_t
httpd_$1_script_exec_t }:dir search_dir_perms;

	allow httpd_$1_script_t self:fifo_file rw_file_perms;
	allow httpd_$1_script_t self:unix_stream_socket connectto;

	allow httpd_$1_script_t httpd_t:fifo_file write;
	# apache should set close-on-exec
	dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };

	# Allow the script process to search the cgi directory, and users directory
	allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
	read_files_pattern(httpd_$1_script_t, httpd_$1_content_t,
httpd_$1_content_t)
	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t,
httpd_$1_content_t)

	append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
	logging_search_logs(httpd_$1_script_t)

	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
	allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;

	allow httpd_$1_script_t httpd_$1_content_ra_t:dir { list_dir_perms
add_entry_dir_perms };
	read_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t,
httpd_$1_content_ra_t)
	append_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t,
httpd_$1_content_ra_t)
	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t,
httpd_$1_content_ra_t)

	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_content_rw_t,
httpd_$1_content_rw_t)
	manage_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t,
httpd_$1_content_rw_t)
	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t,
httpd_$1_content_rw_t)
	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t,
httpd_$1_content_rw_t)
	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t,
httpd_$1_content_rw_t)

	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)

	dev_read_rand(httpd_$1_script_t)
	dev_read_urand(httpd_$1_script_t)

	corecmd_exec_all_executables(httpd_$1_script_t)
	application_exec_all(httpd_$1_script_t)

	files_exec_etc_files(httpd_$1_script_t)
	files_read_etc_files(httpd_$1_script_t)
	files_search_home(httpd_$1_script_t)

	libs_use_ld_so(httpd_$1_script_t)
	libs_use_shared_libs(httpd_$1_script_t)
	libs_exec_ld_so(httpd_$1_script_t)
	libs_exec_lib_files(httpd_$1_script_t)

	miscfiles_read_fonts(httpd_$1_script_t)
	miscfiles_read_public_files(httpd_$1_script_t)

	seutil_dontaudit_search_config(httpd_$1_script_t)

	# Allow the web server to run scripts and serve pages
	tunable_policy(`httpd_builtin_scripting',`
		manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
		manage_files_pattern(httpd_t, httpd_$1_content_rw_t,
httpd_$1_content_rw_t)
		manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t,
httpd_$1_content_rw_t)
		rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t,
httpd_$1_content_rw_t)

		allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms
add_entry_dir_perms };
		read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
		append_files_pattern(httpd_t, httpd_$1_content_ra_t,
httpd_$1_content_ra_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t,
httpd_$1_content_ra_t)

		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)

		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
	')

	tunable_policy(`httpd_enable_cgi',`
		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;

		# privileged users run the script:
		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t,
httpd_$1_script_t)

		allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;

		# apache runs the script:
		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)

		allow httpd_t httpd_$1_script_exec_t:file read_file_perms;

		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
		allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;

		allow httpd_$1_script_t self:process { setsched signal_perms };
		allow httpd_$1_script_t self:unix_stream_socket
create_stream_socket_perms;

		allow httpd_$1_script_t httpd_t:fd use;
		allow httpd_$1_script_t httpd_t:process sigchld;

		kernel_read_system_state(httpd_$1_script_t)

		dev_read_urand(httpd_$1_script_t)

		fs_getattr_xattr_fs(httpd_$1_script_t)

		files_read_etc_runtime_files(httpd_$1_script_t)
		files_read_usr_files(httpd_$1_script_t)

		libs_read_lib_files(httpd_$1_script_t)

		miscfiles_read_localization(httpd_$1_script_t)
	')

	optional_policy(`
		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
			nis_use_ypbind_uncond(httpd_$1_script_t)
		')
	')

	optional_policy(`
		postgresql_unpriv_client(httpd_$1_script_t)
	')

	optional_policy(`
		nscd_socket_use(httpd_$1_script_t)
	')
')
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkTG/UACgkQrlYvE4MpobM1iwCgoZhxtseCjvTUNHKS8wfEx2C1
9PcAoM5r5CfRr/rhogRsGjhOlLRI9y22
=xesH
-----END PGP SIGNATURE-----