From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 20 Jun 2012 19:12:23 +0200
Subject: [refpolicy] [PATCH 1/1] Support read/append/manage functions for various httpd content
In-Reply-To: <20120620161531.GE7987@siphos.be>
References: <20120620161531.GE7987@siphos.be>
Message-ID: <1340212343.9690.28.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Comments inline.

On Wed, 2012-06-20 at 18:15 +0200, Sven Vermeulen wrote:
> Within the apache module, the apache_content_template() allows creation of
> additional derived types for "apache web content". But it is actually being
> used to label generic web content, and it creates additional types based on
> the prefix.
>
> When we want to support additional web servers (or parsers used by web
> servers) that do not run within the apache-provided domains, they have a
> hard time accessing the data. There is currently one interface available,
> called "apache_manage_all_content" but that's a lot of privileges for a
> parser that needs to read content.
>
> In this patch, we create additional attributes (like httpd_ra_content and
> httpd_rw_content) and define interfaces to manage the types that have these
> attributes assigned.
>
> Signed-off-by: Sven Vermeulen
> ---
> apache.if | 110 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
> 1 files changed, 108 insertions(+), 2 deletions(-)
>
> diff --git a/apache.if b/apache.if
> index 6480167..53b982e 100644
> --- a/apache.if
> +++ b/apache.if
> @@ -16,6 +16,8 @@ template(`apache_content_template',` > attribute httpdcontent; > attribute httpd_exec_scripts; > attribute httpd_script_exec_type; > + attribute httpd_rw_content; > + attribute httpd_ra_content; > type httpd_t, httpd_suexec_t, httpd_log_t; > ') > # allow write access to public file transfer
> @@ -41,11 +43,11 @@ template(`apache_content_template',` > corecmd_shell_entry_type(httpd_$1_script_t) > domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) > > - type httpd_$1_rw_content_t, httpdcontent; # customizable > + type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable > typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t }; > files_type(httpd_$1_rw_content_t) > > - type httpd_$1_ra_content_t, httpdcontent; # customizable > + type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable > typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; > files_type(httpd_$1_ra_content_t) 
> > @@ -448,6 +450,110 @@ interface(`apache_dontaudit_rw_tcp_sockets',` > > ######################################## > ## > +## Read all appendable content. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`apache_read_all_ra_content',` > + gen_require(` > + attribute httpd_ra_content; > + ') > + > + read_files_pattern($1, httpd_ra_content, httpd_ra_content) > + read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content) > +') > + > +######################################## > +## > +## Append to all appendable web content. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`apache_append_all_ra_content',` > + gen_require(` > + attribute httpd_ra_content; > + ') > + > + allow $1 httpd_ra_content:dir { list_dir_perms add_entry_dir_perms }; > + append_files_pattern($1, httpd_ra_content, httpd_ra_content) > +')

Caller does not need to be able to list and add entry dirs to httpd_ra_content dirs to be able to append to httpd_ra_content files. Example:

########################################
##
## Append to all appendable web content files.
##
##
##
## Domain allowed access.
##
##
#
interface(`apache_append_all_ra_content_files',`
	gen_require(`
		attribute httpd_ra_content;
	')

	apache_search_sys_content($1)
	append_files_pattern($1, httpd_ra_content, httpd_ra_content)
')

> +######################################## > ## > +## Read all read/write content. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`apache_read_all_rw_content',` > + gen_require(` > + attribute httpd_rw_content; > + ') > + > + read_files_pattern($1, httpd_rw_content, httpd_rw_content) > + read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content) > +') > + > +######################################## > +## > +## Manage all read/write content. > +## > +## > +## > +## Domain allowed access.
> +## > +## > +## > +# > +interface(`apache_manage_all_rw_content',` > + gen_require(` > + attribute httpd_rw_content; > + ') > + > + manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content) > + manage_files_pattern($1, httpd_rw_content, httpd_rw_content) > + manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content) > +') > + > +######################################## > +## > +## Read all web content. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`apache_read_all_content',` > + gen_require(` > + attribute httpdcontent, httpd_script_exec_type; > + ') > + > + read_files_pattern($1, httpdcontent, httpdcontent) > + read_lnk_files_pattern($1, httpdcontent, httpdcontent) > + > + read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) > + read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) > +') > + > +######################################## > +## > ## Create, read, write, and delete all web content. > ## > ##
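Review bot: the first hunk (@@ -16,6 +16,8 @@) adds `attribute httpd_rw_content;` and `attribute httpd_ra_content;` to the template's gen_require block, but a gen_require only asserts that the attributes already exist; the diffstat shows only apache.if changed, so nothing in this patch actually declares them. The module will not build until matching `attribute httpd_rw_content;` and `attribute httpd_ra_content;` declarations are added to apache.te, and that should be part of the same patch so the series stays bisectable.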
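Review bot: in the third hunk (@@ -448,6 +450,110 @@) the read interfaces apache_read_all_ra_content, apache_read_all_rw_content and apache_read_all_content, and the manage interface apache_manage_all_rw_content, only grant directory search on the attribute's own types (for example `read_files_pattern($1, httpd_ra_content, httpd_ra_content)`), so a caller that has to traverse the surrounding web content tree to reach those files still cannot get there. The fix proposed inline for the append interface, calling `apache_search_sys_content($1)` before the pattern macro, applies equally to every interface in this hunk; alternatively the interface summaries should state that callers must obtain search on the parent content directories separately. A small consistency nit in the same hunk: the summaries alternate between "appendable content", "read/write content" and "web content"; settling on one phrasing makes the generated documentation easier to scan.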