From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 4 Jan 2012 07:13:54 -0500
Subject: [refpolicy] [PATCH/RFC 1/1] Supporting read/append/manage functions for the various httpd_*_(ra_|rw_|)content
In-Reply-To: <20111231122945.GA11176@siphos.be>
References: <20111231122945.GA11176@siphos.be>
Message-ID: <4F044282.4000304@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 12/31/11 07:29, Sven Vermeulen wrote:
> Within the apache module, the apache_content_template() allows creation of
> additional derived types for "apache web content". But it is actually being
> used to label generic web content, and it creates additional types based on
> the prefix.
>
> The most used and well known one is the "sys" derived type (through
> apache_content_template(sys) within apache.te), which creates the types
> httpd_sys_content_t (attribute httpdcontent)
> httpd_sys_ra_content_t (attribute httpdcontent)
> httpd_sys_rw_content_t (attribute httpdcontent)
>
> When we want to support additional web servers (or parsers used by web
> servers) that do not run within the apache-provided domains, they have a
> hard time accessing the data. There is currently one interface available,
> called "apache_manage_all_content" but that's a lot of privileges for a
> parser that needs to read content.
>
> In the patch below, I suggest "tagging" the created additional types with the
> following attributes:
> httpd_ra_content for the appendable content
> httpd_rw_content for the read/write content
>
> In other words, the previously mentioned types become:
> httpd_sys_content_t (attribute httpdcontent)
> httpd_sys_ra_content (attribute httpdcontent, attribute httpd_ra_content)
> httpd_sys_rw_content (attribute httpdcontent, attribute httpd_rw_content)
>
> Then the following interfaces are also supported so that other domains can
> benefit from using these types:
> apache_read_all_ra_content (reads httpd_ra_content)
> apache_append_all_ra_content (appends to httpd_ra_content)
> apache_read_all_rw_content (reads httpd_rw_content)
> apache_manage_all_rw_content (manage httpd_rw_content)
> apache_read_all_content (reads httpdcontent)
>
> With these interfaces, we can then allow additional web server domains to
> access the files. Generally, this would mean (I use phpfpm_t as an example
> here):
> apache_append_all_ra_content(phpfpm_t)
> apache_manage_all_rw_content(phpfpm_t)
> apache_read_all_content(phpfpm_t)
>
> So, what's your take on this?
Generally I'm ok with this, but there are issues in the patch.
> --- refpolicy/policy/modules/services/apache.te 2011-07-26 14:10:40.000000000 +0200
> +++ refpolicy/policy/modules/services/apache.te 2011-12-31 13:07:31.499729456 +0100
> @@ -143,6 +143,8 @@
> gen_tunable(httpd_use_nfs, false)
>
> attribute httpdcontent;
> +attribute httpd_ra_content;
> +attribute httpd_rw_content;
> attribute httpd_user_content_type;
>
> # domains that can exec all users scripts
> --- refpolicy/policy/modules/services/apache.if 2011-03-28 17:05:13.000000000 +0200
> +++ refpolicy/policy/modules/services/apache.if 2011-12-31 13:18:04.040730813 +0100
> @@ -41,11 +41,11 @@
> corecmd_shell_entry_type(httpd_$1_script_t)
> domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
>
> - type httpd_$1_rw_content_t, httpdcontent; # customizable
> + type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable
> typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
> files_type(httpd_$1_rw_content_t)
>
> - type httpd_$1_ra_content_t, httpdcontent; # customizable
> + type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable
> typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
> files_type(httpd_$1_ra_content_t)
>
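Review bot: the rw and ra types keep httpdcontent next to the new attribute ("type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content;"), so everything already granted on httpdcontent still covers them, and a domain given apache_read_all_content reads ra and rw content as well; for a caller that uses both (the phpfpm_t example does), the read-only interfaces over the new attributes add nothing. Either state in the interface summaries that httpd_ra_content and httpd_rw_content are subsets of httpdcontent, or, if the three classes are meant to be reachable separately, give the read-only httpd_$1_content_t its own attribute in the same template hunk.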
> @@ -447,6 +447,112 @@
> ')
>
> ########################################
> +##
> +## Read all appendable content.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`apache_read_all_ra_content',`
> + gen_require(`
> + attribute httpd_ra_content;
> + ')
> +
> + read_files_pattern($1, httpd_ra_content, httpd_ra_content)
> + read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
> +')
> +
> +########################################
> +##
> +## Append to all appendable web content.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`apache_append_all_ra_content',`
> + gen_require(`
> + attribute httpd_ra_content;
> + ')
> +
> + allow $1 httpd_ra_content:dir { list_dir_perms add_entry_dir_perms };
> + read_files_pattern($1, httpd_ra_content, httpd_ra_content)
> + append_files_pattern($1, httpd_ra_content, httpd_ra_content)
> + read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
> +')
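Review bot: apache_append_all_ra_content grants more than append. add_entry_dir_perms in "allow $1 httpd_ra_content:dir { list_dir_perms add_entry_dir_perms };" lets the caller add names to the directory, and "read_files_pattern($1, httpd_ra_content, httpd_ra_content)" grants read on the files. append_files_pattern already carries search access on the directory, so list_dir_perms plus append_files_pattern is all an append-only interface needs; drop the add_entry_dir_perms and the read_files_pattern line and let callers that also need read compose this with apache_read_all_ra_content.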
There should be no read files perms here.
> +########################################
> +##
> +## Read all read/write content.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`apache_read_all_rw_content',`
> + gen_require(`
> + attribute httpd_rw_content;
> + ')
> +
> + read_files_pattern($1, httpd_rw_content, httpd_rw_content)
> + read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
> +')
> +
> +########################################
> +##
> +## Manage all read/write content.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`apache_manage_all_rw_content',`
> + gen_require(`
> + attribute httpd_rw_content;
> + ')
> +
> + manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
> + manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
> + manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
> +')
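Review bot: apache_manage_all_rw_content grants create and delete on directories and symlinks (manage_dirs_pattern, manage_lnk_files_pattern) in addition to files. Unless a caller has to create subdirectories and symlinks under the rw content, manage_files_pattern plus rw_dir_perms on the directory is enough; a symlink created inside served content can point a reader of that content at files outside it, so if symlink creation stays, the interface summary should say which callers need it.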
Also seems to have excessive perms.
> +########################################
> +##
> +## Read all web content.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`apache_read_all_content',`
> + gen_require(`
> + attribute httpdcontent, httpd_script_exec_type;
> + ')
> +
> + read_files_pattern($1, httpdcontent, httpdcontent)
> + read_lnk_files_pattern($1, httpdcontent, httpdcontent)
> +
> + read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
> + read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
> +')
> +
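Review bot: apache_read_all_content reaches beyond web content: the second pair of patterns reads httpd_script_exec_type, the attribute for script executables, and the gen_require pulls that attribute in for it. A consumer of content has no need to read script sources, which often carry configuration and credentials, so keep this interface to httpdcontent and leave script access to the existing script interfaces.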
Doesn't seem appropriate to include the script type here.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
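The review points above (an append interface that also grants read and directory writes, a content interface that reaches a non-content attribute) are the kind of mismatch between an interface's name and its body that can be checked mechanically. The following is an added example, not part of this thread or of refpolicy: a small lint that parses the interface(`name',` ... ') shape used in apache.if, maps the refpolicy *_pattern macros and directory perm sets to an access tier (the tier mapping is this lint's own assumption), and reports where a body grants something other than what the name promises. The sample input is constructed from four of the five interfaces in the quoted patch, with the doc comments left out.

```python
"""Lint refpolicy interface bodies against what their names promise.
Added example, not from the refpolicy patch or the thread; the tier mapping
below is this lint's own assumption about what each pattern macro implies."""
import re

# Access tier implied by each pattern macro (assumed mapping for this lint).
MACRO_TIER = {
    "read_files_pattern": "read",
    "read_lnk_files_pattern": "traverse",  # following symlinks is fine at any tier
    "append_files_pattern": "append",
    "manage_files_pattern": "manage",
    "manage_dirs_pattern": "manage",
    "manage_lnk_files_pattern": "manage",
}
# Directory perm sets that let the caller change directory contents.
DIR_WRITE_SETS = {"add_entry_dir_perms", "del_entry_dir_perms", "rw_dir_perms", "manage_dir_perms"}

INTERFACE_RE = re.compile(r"interface\(`(\w+)',`(.*?)^'\)", re.S | re.M)
MACRO_RE = re.compile(r"^\s*(\w+_pattern)\(\$1,\s*(\w+),\s*(\w+)\)", re.M)
ALLOW_DIR_RE = re.compile(r"^\s*allow \$1 (\w+):dir \{([^}]*)\}", re.M)

def parse_interfaces(text):
    """Map interface name -> body for every interface(`name',`...') block."""
    return {m.group(1): m.group(2) for m in INTERFACE_RE.finditer(text)}

def name_tier(name):
    """Tier the name promises (apache_read_*, apache_append_*, apache_manage_*)."""
    for tier in ("manage", "append", "read"):
        if f"_{tier}_" in name:
            return tier
    return None

def lint_interface(name, body):
    """Findings where the body grants something other than the name promises."""
    promised = name_tier(name)
    if promised is None:
        return []
    findings = []
    macros = MACRO_RE.findall(body)
    for macro, *_ in macros:
        tier = MACRO_TIER.get(macro)
        if tier is None:
            findings.append(f"{macro} is not a macro this lint knows")
        elif tier not in ("traverse", promised):
            findings.append(f"{macro} grants {tier} access in an interface named for {promised}")
    # An interface named *_content should only touch content types/attributes.
    if name.endswith("_content"):
        for target in sorted({t for m in macros for t in m[1:]}):
            if "content" not in target:
                findings.append(f"targets {target}, which is not a web content type or attribute")
    for target, perms in ALLOW_DIR_RE.findall(body):
        writes = sorted(set(perms.split()) & DIR_WRITE_SETS)
        if writes and promised != "manage":
            findings.append(f"dir rule on {target} grants {' '.join(writes)} in an interface named for {promised}")
    return findings

def lint(text):
    """Return {interface name: [findings]} for every interface in the text."""
    return {name: lint_interface(name, body) for name, body in parse_interfaces(text).items()}

# Sample input constructed from the interfaces in the quoted patch (doc comments omitted).
SAMPLE_IF = """\
interface(`apache_read_all_ra_content',`
    gen_require(`
        attribute httpd_ra_content;
    ')
    read_files_pattern($1, httpd_ra_content, httpd_ra_content)
    read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
')
interface(`apache_append_all_ra_content',`
    gen_require(`
        attribute httpd_ra_content;
    ')
    allow $1 httpd_ra_content:dir { list_dir_perms add_entry_dir_perms };
    read_files_pattern($1, httpd_ra_content, httpd_ra_content)
    append_files_pattern($1, httpd_ra_content, httpd_ra_content)
    read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
')
interface(`apache_manage_all_rw_content',`
    gen_require(`
        attribute httpd_rw_content;
    ')
    manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
    manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
    manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
')
interface(`apache_read_all_content',`
    gen_require(`
        attribute httpdcontent, httpd_script_exec_type;
    ')
    read_files_pattern($1, httpdcontent, httpdcontent)
    read_lnk_files_pattern($1, httpdcontent, httpdcontent)
    read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
    read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
')
"""

if __name__ == "__main__":
    for name, findings in lint(SAMPLE_IF).items():
        print(name, "->", findings or "ok")
```

Run against the sample, the two read-only interfaces and the manage interface come back clean, the append interface is reported for its read_files_pattern line and for add_entry_dir_perms on the directory, and apache_read_all_content is reported for targeting httpd_script_exec_type. The lint only judges a body against its name; whether a manage interface should hand out directory and symlink creation is still a reviewer's call.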