From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 11 Feb 2013 20:02:33 +0100
Subject: [refpolicy] [PATCH/RFC] Reintroduce httpd_user_content_type and
httpd_user_script_exec_type attributes
Message-ID: <20130211190233.GA11417@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Hi all,
The httpd_user_content_type and httpd_user_script_exec_type attributes were
erroneously removed a while ago, but while trying to reintroduce them I did
notice that they were removed because there was no way for users to actually
use them (or I'm completely misreading the policy code).
Below is a first attempt at the patch, which also introduces two interfaces,
apache_user_content_type() and apache_user_script_exec_type(), which assign
the given types the attributes again.
However, when trying to find out if/when the Apache domain (httpd_t) should
be able to execute the httpd_user_script_exec_type-labeled files (and read
httpd_user_content_type-labeled files) I'm getting a bit lost and hopefully
you can give me some guidance...
Should I allow execute rights on httpd_user_script_exec_type if
httpd_enable_cgi (boolean) and httpd_enable_homedirs (boolean) are set? And
httpd_enable_homedirs (boolean) for reading httpd_user_content_type?
Wkr,
Sven Vermeulen
diff --git a/apache.if b/apache.if
index 83e899c..aacf98e 100644
--- a/apache.if
+++ b/apache.if
@@ -124,6 +124,42 @@ template(`apache_content_template',`
########################################
##
+## Mark the selected type as an apache user content type
+##
+##
+##
+## Type to mark as apache user content
+##
+##
+#
+interface(`apache_user_content_type',`
+ gen_require(`
+ attribute httpd_user_content_type;
+ ')
+
+ typeattribute $1 httpd_user_content_type;
+')
+
+########################################
+##
+## Mark the selected type as an apache user script exec type
+##
+##
+##
+## Type to mark as apache user script exec type
+##
+##
+#
+interface(`apache_user_script_exec_type',`
+ gen_require(`
+ attribute httpd_user_script_exec_type;
+ ')
+
+ typeattribute $1 httpd_user_script_exec_type;
+')
+
+########################################
+##
## Role access for apache.
##
##
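Review bot: Both new interfaces only do `typeattribute $1 ...` and nothing else, so the summaries should say what the caller is expected to have done already (declared the type, and for user content made it home-directory content, e.g. via userdom_user_home_content()) and that marking a type this way grants httpd_t nothing until conditional rules for the attributes exist in apache.te; the two-line body is fine, but an unstated contract on a public interface is how misuse starts. Also, the doc blocks above each interface show bare `##` lines where the summary and param markup normally sits; if that is not just how the mail was rendered, add the summary/param tags so the interface documentation is generated.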
@@ -1070,8 +1106,17 @@ interface(`apache_search_sys_scripts',`
##
#
interface(`apache_manage_all_user_content',`
- refpolicywarn(`$0($*) has been deprecated, use apache_manage_all_content() instead.')
- apache_manage_all_content($1)
+ gen_require(`
+ attribute httpd_user_content_type, httpd_user_script_exec_type;
+ ')
+
+ manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
+ manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+ manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+
+ manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+ manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+ manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
')
########################################
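Review bot: Reviving apache_manage_all_user_content() silently narrows what every existing caller gets: until now it expanded to apache_manage_all_content() (all of httpdcontent), after this hunk it covers only httpd_user_content_type and httpd_user_script_exec_type, so callers still relying on the wider grant need to be checked, and the doc block above the interface must drop the deprecation wording if it still carries it. Worth stating in that summary as well that the interface hands out manage rights on httpd_user_script_exec_type, i.e. the caller can create and modify scripts the web server may later execute; that is intended for user domains but should be explicit.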
diff --git a/apache.te b/apache.te
index 1a82e29..9b95119 100644
--- a/apache.te
+++ b/apache.te
@@ -252,12 +252,14 @@ gen_tunable(httpd_use_gpg, false)
gen_tunable(httpd_use_nfs, false)
attribute httpdcontent;
+attribute httpd_user_content_type;
attribute httpd_htaccess_type;
# domains that can exec all scripts
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
+attribute httpd_user_script_exec_type;
# all script domains
attribute httpd_script_domains;
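Review bot: The two new attributes are declared without the one-line comment the neighbouring declarations carry (`# domains that can exec all scripts`); add something like `# per-user content types served from home directories` above httpd_user_content_type and the equivalent above httpd_user_script_exec_type. It is also not visible here whether a type carrying httpd_user_content_type is meant to always be httpdcontent too (and httpd_user_script_exec_type a subset of httpd_script_exec_type); since the interfaces only add the user attribute, that relationship has to be documented or enforced somewhere.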
@@ -322,6 +324,8 @@ type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
+apache_user_content_type(httpd_user_content_t)
+apache_user_script_exec_type(httpd_user_script_exec_t)
ubac_constrained(httpd_user_script_t)
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
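Review bot: apache.te calling its own apache_user_content_type() and apache_user_script_exec_type() interfaces goes against the usual refpolicy rule that a module does not call its own interfaces; in the module itself a direct `typeattribute httpd_user_content_t httpd_user_content_type;` and `typeattribute httpd_user_script_exec_t httpd_user_script_exec_type;` is the expected form and leaves the interfaces for third-party modules. Beyond that, nothing in the patch gives httpd_t read access to httpd_user_content_type or execute access to httpd_user_script_exec_type, which is exactly the open question in the cover letter: the tunable_policy blocks keyed on httpd_enable_homedirs (read) and httpd_enable_homedirs together with httpd_enable_cgi (execute) still need to be added here before the attributes do anything.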
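One way the conditional wiring asked about in the cover letter could look, written as an added example for apache.te. This is not part of Sven's patch or of refpolicy; it assumes the two attributes introduced by the patch and the existing httpd_enable_homedirs and httpd_enable_cgi tunables, and uses only the standard refpolicy pattern macros (read_files_pattern, read_lnk_files_pattern, list_dirs_pattern, can_exec).

```selinux
########################################
#
# Added example (not from the patch): let httpd_t use the new attributes,
# gated on the existing tunables. Assumes httpd_user_content_type and
# httpd_user_script_exec_type are declared as in the patch above.
#

# Static user content: read-only, and only when home-directory serving
# is switched on. No write or relabel rights for the daemon.
tunable_policy(`httpd_enable_homedirs',`
	list_dirs_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
	read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
	read_lnk_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
')

# User CGI: requires both tunables, so flipping httpd_enable_cgi alone does
# not expose home-directory scripts. can_exec() runs the script inside
# httpd_t itself; a domain transition into a per-user script domain cannot be
# written against the attribute because type_transition needs a concrete
# default type, so that stays with the concrete types.
tunable_policy(`httpd_enable_homedirs && httpd_enable_cgi',`
	list_dirs_pattern(httpd_t, httpd_user_script_exec_type, httpd_user_script_exec_type)
	read_lnk_files_pattern(httpd_t, httpd_user_script_exec_type, httpd_user_script_exec_type)
	can_exec(httpd_t, httpd_user_script_exec_type)
')
```

Splitting the rules this way keeps the default (both tunables off) at zero access for httpd_t, and the `&&` form makes the dependency on home-directory serving visible in the policy rather than relying on the admin to set both. After loading the module, `sesearch -A -s httpd_t -t httpd_user_content_t -c file -p read` should show the read rule annotated with the boolean expression it depends on; if it shows up unconditionally, the rules landed outside the tunable_policy block.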