From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 31 Dec 2011 13:29:45 +0100
Subject: [refpolicy] [PATCH/RFC 1/1] Supporting read/append/manage functions
for the various httpd_*_(ra_|rw_|)content
Message-ID: <20111231122945.GA11176@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Within the apache module, the apache_content_template() allows creation of
additional derived types for "apache web content". But it is actually being
used to label generic web content, and it creates additional types based on
the prefix.
The most used and well known one is the "sys" derived type (through
apache_content_template(sys) within apache.te), which creates the types
httpd_sys_content_t (attribute httpdcontent)
httpd_sys_ra_content_t (attribute httpdcontent)
httpd_sys_rw_content_t (attribute httpdcontent)
When we want to support additional web servers (or parsers used by web
servers) that do not run within the apache-provided domains, they have a
hard time accessing the data. There is currently one interface available,
called "apache_manage_all_content" but that's a lot of privileges for a
parser that needs to read content.
In the below patch, I suggest to "tag" the created additional types with the
following attributes:
httpd_ra_content for the appendable content
httpd_rw_content for the read/write content
In other words, the previously mentioned types become:
httpd_sys_content_t (attribute httpdcontent)
httpd_sys_ra_content (attribute httpdcontent, attribute httpd_ra_content)
httpd_sys_rw_content (attribute httpdcontent, attribute httpd_rw_content)
Then the following interfaces are also supported so that other domains can
benefit from using these types:
apache_read_all_ra_content (reads httpd_ra_content)
apache_append_all_ra_content (appends to httpd_ra_content)
apache_read_all_rw_content (reads httpd_rw_content)
apache_manage_all_rw_content (manage httpd_rw_content)
apache_read_all_content (reads httpdcontent)
With these interfaces, we can then have additional web server domains to
access the files. Generally, this would mean (I use phpfpm_t as an example
here):
apache_append_all_ra_content(phpfpm_t)
apache_manage_all_rw_content(phpfpm_t)
apache_read_all_content(phpfpm_t)
So, what's your take on this?
--- refpolicy/policy/modules/services/apache.te 2011-07-26 14:10:40.000000000 +0200
+++ refpolicy/policy/modules/services/apache.te 2011-12-31 13:07:31.499729456 +0100
@@ -143,6 +143,8 @@
gen_tunable(httpd_use_nfs, false)
attribute httpdcontent;
+attribute httpd_ra_content;
+attribute httpd_rw_content;
attribute httpd_user_content_type;
# domains that can exec all users scripts
--- refpolicy/policy/modules/services/apache.if 2011-03-28 17:05:13.000000000 +0200
+++ refpolicy/policy/modules/services/apache.if 2011-12-31 13:18:04.040730813 +0100
@@ -41,11 +41,11 @@
corecmd_shell_entry_type(httpd_$1_script_t)
domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
- type httpd_$1_rw_content_t, httpdcontent; # customizable
+ type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable
typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
files_type(httpd_$1_rw_content_t)
- type httpd_$1_ra_content_t, httpdcontent; # customizable
+ type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable
typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
files_type(httpd_$1_ra_content_t)
@@ -447,6 +447,112 @@
')
########################################
+##
+## Read all appendable content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_read_all_ra_content',`
+ gen_require(`
+ attribute httpd_ra_content;
+ ')
+
+ read_files_pattern($1, httpd_ra_content, httpd_ra_content)
+ read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
+')
+
+########################################
+##
+## Append to all appendable web content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_append_all_ra_content',`
+ gen_require(`
+ attribute httpd_ra_content;
+ ')
+
+ allow $1 httpd_ra_content:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern($1, httpd_ra_content, httpd_ra_content)
+ append_files_pattern($1, httpd_ra_content, httpd_ra_content)
+ read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
+')
+
+########################################
+##
+## Read all read/write content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_read_all_rw_content',`
+ gen_require(`
+ attribute httpd_rw_content;
+ ')
+
+ read_files_pattern($1, httpd_rw_content, httpd_rw_content)
+ read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
+')
+
+########################################
+##
+## Manage all read/write content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_manage_all_rw_content',`
+ gen_require(`
+ attribute httpd_rw_content;
+ ')
+
+ manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
+ manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
+ manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
+')
+
+########################################
+##
+## Read all web content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_read_all_content',`
+ gen_require(`
+ attribute httpdcontent, httpd_script_exec_type;
+ ')
+
+ read_files_pattern($1, httpdcontent, httpdcontent)
+ read_lnk_files_pattern($1, httpdcontent, httpdcontent)
+
+ read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+ read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+')
+
+########################################
##
## Create, read, write, and delete all web content.
##
apache_read_all_content (reads httpdcontent)