From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Thu, 5 Jan 2012 20:40:40 +0100
Subject: [refpolicy] [PATCH/RFC 1/1] Supporting read/append/manage functions for the various httpd_*_(ra_|rw_|)content
In-Reply-To: <4F044282.4000304@tresys.com>
References: <20111231122945.GA11176@siphos.be> <4F044282.4000304@tresys.com>
Message-ID: <20120105194040.GA29153@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Wed, Jan 04, 2012 at 07:13:54AM -0500, Christopher J. PeBenito wrote:
> > +interface(`apache_manage_all_rw_content',`
> > + gen_require(`
> > + attribute httpd_rw_content;
> > + ')
> > +
> > + manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
> > + manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
> > + manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
> > +')
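Review bot: the body manages only dirs, files and lnk_files on httpd_rw_content, while the per-instance rules for httpd_$1_script_t cited further down in this reply also use manage_fifo_files_pattern and manage_sock_files_pattern on httpd_$1_rw_content_t, so a caller of this interface gets less on the same content than the script domain itself does; if that narrowing is deliberate, say so in the interface summary, otherwise add the two patterns here. The summary should also make clear that this is attribute-wide access: one caller gets create, write and unlink on every type carrying httpd_rw_content at once, not just on its own instance's rw content.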
>
> Also seems to have excessive perms.
How's that? It is not different from what we grant to the
httpd_$1_script_t domain (towards its httpd_$1_rw_content_t type):
manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
The httpd_*_rw_content_t types are generally used to host the content that a
webserver should be able to read, write and manage (including creating new
ones or deleting existing ones). Given that, I'd imagine that
manage_*_pattern for at least dirs and files is needed. I don't have an
immediate need myself to manage symbolic links from a web application, but I
can imagine that it is equally wanted?
> > +########################################
> > +##
> > +## Read all web content.
> > +##
> > +##
> > +##
> > +## Domain allowed access.
> > +##
> > +##
> > +##
> > +#
> > +interface(`apache_read_all_content',`
> > + gen_require(`
> > + attribute httpdcontent, httpd_script_exec_type;
> > + ')
> > +
> > + read_files_pattern($1, httpdcontent, httpdcontent)
> > + read_lnk_files_pattern($1, httpdcontent, httpdcontent)
> > +
> > + read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
> > + read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
> > +')
> > +
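Review bot: read_files_pattern and read_lnk_files_pattern only give $1 search_dir_perms on the directory types, so a caller of apache_read_all_content cannot list httpdcontent or httpd_script_exec_type directories; if enumeration is intended (the manage_ interface this was derived from gets it through manage_dirs_pattern), add `list_dirs_pattern($1, httpdcontent, httpdcontent)` and the matching line for httpd_script_exec_type. The summary "Read all web content." also does not mention that the body reads httpd_script_exec_type; either state that in the summary or move those two lines into a separate apache_read_all_scripts interface.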
>
> Doesn't seem appropriate to include the script type here.
Actually I based this one on the already existing apache_manage_all_content:
interface(`apache_manage_all_content',`
	gen_require(`
		attribute httpdcontent, httpd_script_exec_type;
	')

	manage_dirs_pattern($1, httpdcontent, httpdcontent)
	manage_files_pattern($1, httpdcontent, httpdcontent)
	manage_lnk_files_pattern($1, httpdcontent, httpdcontent)

	manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
	manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
	manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
')
I changed manage_ to read_ and dropped the one on directories, as the
necessary privileges are already part of the other pattern definitions
(well, at least search privileges; I'm not sure if we need to list directories
here as well).
If we keep the script type out here, I think we might need to introduce an
apache_read_all_scripts then (just like there already is an
apache_read_user_scripts) since the other web servers (like phpfpm) might
need to read in the scripts in order to properly parse and execute them.
Wkr,
Sven Vermeulen
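Two questions in the reply above (whether apache_manage_all_rw_content grants what httpd_$1_script_t already gets on its rw content, and whether read_files_pattern leaves a caller able to list directories) are easiest to settle by expanding the pattern macros into the raw allow rules they produce. The script below is an added example for this thread, not refpolicy code or anything posted by the participants. The pattern bodies and permission sets are transcribed from refpolicy's policy/support/misc_patterns.spt and policy/support/obj_perm_sets.spt as I remember them and are an assumption to check against your own tree (the sets have grown over releases); webapp_t is a made-up caller domain standing in for $1.

```python
from collections import defaultdict

# Permission sets, transcribed from refpolicy's policy/support/obj_perm_sets.spt
# (assumption: they have grown over releases, compare with your tree).
PERM_SETS = {
    "search_dir_perms": {"getattr", "search", "open"},
    "list_dir_perms": {"getattr", "search", "open", "read", "lock", "ioctl"},
    "rw_dir_perms": {"open", "read", "getattr", "lock", "search", "ioctl",
                     "add_name", "remove_name", "write"},
    "manage_dir_perms": {"create", "open", "getattr", "setattr", "read", "write",
                         "link", "unlink", "rename", "search", "add_name",
                         "remove_name", "reparent", "rmdir", "lock", "ioctl"},
    "read_file_perms": {"getattr", "open", "read", "lock", "ioctl"},
    "manage_file_perms": {"create", "open", "getattr", "setattr", "read", "write",
                          "append", "rename", "link", "unlink", "ioctl", "lock"},
    "read_lnk_file_perms": {"getattr", "read"},
    "manage_lnk_file_perms": {"create", "read", "getattr", "setattr", "link",
                              "unlink", "rename"},
}
PERM_SETS["manage_fifo_file_perms"] = PERM_SETS["manage_file_perms"]
PERM_SETS["manage_sock_file_perms"] = PERM_SETS["manage_file_perms"]

# pattern -> (perm set on $2:dir, (object class of $3, perm set on $3:class)),
# transcribed from policy/support/misc_patterns.spt (assumption, see lead-in).
PATTERNS = {
    "read_files_pattern": ("search_dir_perms", ("file", "read_file_perms")),
    "read_lnk_files_pattern": ("search_dir_perms", ("lnk_file", "read_lnk_file_perms")),
    "list_dirs_pattern": ("search_dir_perms", ("dir", "list_dir_perms")),
    "manage_dirs_pattern": ("search_dir_perms", ("dir", "manage_dir_perms")),
    "manage_files_pattern": ("rw_dir_perms", ("file", "manage_file_perms")),
    "manage_lnk_files_pattern": ("rw_dir_perms", ("lnk_file", "manage_lnk_file_perms")),
    "manage_fifo_files_pattern": ("rw_dir_perms", ("fifo_file", "manage_fifo_file_perms")),
    "manage_sock_files_pattern": ("rw_dir_perms", ("sock_file", "manage_sock_file_perms")),
}


def expand(calls):
    """Expand (pattern, $1, $2, $3) calls into raw rules: {(domain, type, class): perms}."""
    allow = defaultdict(set)
    for pattern, dom, dirtype, target in calls:
        dir_set, (cls, target_set) = PATTERNS[pattern]
        allow[(dom, dirtype, "dir")] |= PERM_SETS[dir_set]
        allow[(dom, target, cls)] |= PERM_SETS[target_set]
    return dict(allow)


def perms(allow, dom, type_, cls):
    """Permissions `dom` holds on `type_`:`cls` in an expanded rule set."""
    return allow.get((dom, type_, cls), set())


def missing(have, want):
    """Rules in `want` that `have` does not grant: {(type, class): perms}."""
    gaps = {}
    for (dom, type_, cls), p in want.items():
        gap = p - have.get((dom, type_, cls), set())
        if gap:
            gaps[(type_, cls)] = gap
    return gaps


# webapp_t is a made-up caller domain standing in for $1.
CALLER = "webapp_t"

# Body of the proposed apache_read_all_content, as quoted in the thread.
READ_ALL_CALLS = [
    ("read_files_pattern", CALLER, "httpdcontent", "httpdcontent"),
    ("read_lnk_files_pattern", CALLER, "httpdcontent", "httpdcontent"),
    ("read_files_pattern", CALLER, "httpd_script_exec_type", "httpd_script_exec_type"),
    ("read_lnk_files_pattern", CALLER, "httpd_script_exec_type", "httpd_script_exec_type"),
]

# Proposed apache_manage_all_rw_content body versus the httpd_$1_script_t rules on
# httpd_$1_rw_content_t quoted in the reply (files_tmp_filetrans left out: it is a
# type transition, not a pattern), both expanded for the same caller and type.
RW_TYPE = "httpd_rw_content"
MANAGE_ALL_RW_CALLS = [(p, CALLER, RW_TYPE, RW_TYPE) for p in (
    "manage_dirs_pattern", "manage_files_pattern", "manage_lnk_files_pattern")]
SCRIPT_RW_CALLS = MANAGE_ALL_RW_CALLS + [(p, CALLER, RW_TYPE, RW_TYPE) for p in (
    "manage_fifo_files_pattern", "manage_sock_files_pattern")]


def read_all_can_list_dirs(extra_calls=()):
    """Can a caller of apache_read_all_content enumerate httpdcontent directories?"""
    rules = expand(READ_ALL_CALLS + list(extra_calls))
    return "read" in perms(rules, CALLER, "httpdcontent", "dir")


def rw_content_gap():
    """What the script domain may do to its rw content that the new interface omits."""
    return missing(expand(MANAGE_ALL_RW_CALLS), expand(SCRIPT_RW_CALLS))


if __name__ == "__main__":
    print("read_all_content can list dirs:", read_all_can_list_dirs())
    print("... with list_dirs_pattern added:", read_all_can_list_dirs(
        [("list_dirs_pattern", CALLER, "httpdcontent", "httpdcontent")]))
    for (t, c), p in sorted(rw_content_gap().items()):
        print(f"manage_all_rw_content lacks {t}:{c} {{ {' '.join(sorted(p))} }}")
```

Run as-is it reports that the read interface leaves dir:read off httpdcontent until a list_dirs_pattern line is added, and that the only rules the script domain has on its rw content which apache_manage_all_rw_content does not reproduce are the fifo_file and sock_file manage rules. Against a built policy the same comparison can be made with sesearch on the real types, which is the check to run before relying on the transcribed sets.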