From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 26 Jun 2012 09:22:53 -0400
Subject: [refpolicy] [PATCH v3 1/3] Support read/append/manage functions for various httpd content
In-Reply-To: <20120624110826.GB995@siphos.be>
References: <20120624110736.GA995@siphos.be> <20120624110826.GB995@siphos.be>
Message-ID: <4FE9B7AD.6010707@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/24/12 07:08, Sven Vermeulen wrote:
> Within the apache module, the apache_content_template() allows creation of
> additional derived types for "apache web content". But it is actually being
> used to label generic web content, and it creates additional types based on
> the prefix.
>
> When we want to support additional web servers (or parsers used by web
> servers) that do not run within the apache-provided domains, they have a
> hard time accessing the data. There is currently one interface available,
> called "apache_manage_all_content" but that's a lot of privileges for a
> parser that needs to read content.
>
> In this patch, we create additional attributes (like httpd_ra_content and
> httpd_rw_content) and define interfaces to manage the types that have these
> attributes assigned.
>
> Signed-off-by: Sven Vermeulen
> ---
> apache.if | 128 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
> 1 files changed, 126 insertions(+), 2 deletions(-)
>
> diff --git a/apache.if b/apache.if
> index 6480167..a1d1905 100644
> --- a/apache.if
> +++ b/apache.if
> @@ -16,6 +16,8 @@ template(`apache_content_template',` > attribute httpdcontent; > attribute httpd_exec_scripts; > attribute httpd_script_exec_type; > + attribute httpd_rw_content; > + attribute httpd_ra_content; > type httpd_t, httpd_suexec_t, httpd_log_t; > ') > # allow write access to public file transfer 
> @@ -41,11 +43,11 @@ template(`apache_content_template',` > corecmd_shell_entry_type(httpd_$1_script_t) > domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) > > - type httpd_$1_rw_content_t, httpdcontent; # customizable > + type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable > typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t }; > files_type(httpd_$1_rw_content_t) > > - type httpd_$1_ra_content_t, httpdcontent; # customizable > + type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable > typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; > files_type(httpd_$1_ra_content_t) > > @@ -448,6 +450,128 @@ interface(`apache_dontaudit_rw_tcp_sockets',` > > ######################################## > ## > +## Read all appendable content. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`apache_read_all_ra_content',` > + gen_require(` > + attribute httpd_ra_content; > + ') > + > + read_files_pattern($1, httpd_ra_content, httpd_ra_content) > + read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content) > +') > + > +######################################## > +## > +## Append to all appendable web content files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`apache_append_all_ra_content_files',`

Inconsistent interface naming. I'm ok w/o the _files.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
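Review bot: The first hunk (the gen_require block of apache_content_template at @@ -16,6 +16,8 @@) now requires `attribute httpd_rw_content;` and `attribute httpd_ra_content;`, but the diffstat shows only apache.if changing (`1 files changed`), and nothing in this patch declares those attributes. A gen_require on an undeclared attribute fails when the template is expanded, so either the `attribute httpd_rw_content;` / `attribute httpd_ra_content;` declarations in apache.te should be part of this patch, or the series must be ordered so the patch that declares them is applied before this one.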
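Review bot: In the third hunk (@@ -448,6 +450,128 @@), the summary of apache_read_all_ra_content says "Read all appendable content" but the body only grants `read_files_pattern($1, httpd_ra_content, httpd_ra_content)` and `read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)`; a domain that walks a tree of such content also needs to list the directories carrying the attribute. Either add `list_dirs_pattern($1, httpd_ra_content, httpd_ra_content)` or narrow the summary to files and symlinks, and state in both summaries that "appendable content" means types carrying the httpd_ra_content attribute, so policy authors can tell which types the interface covers.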