From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sun, 30 Mar 2014 16:09:11 +0200 Subject: [refpolicy] [PATCH 2/3] Support read/append/manage functions for various httpd content In-Reply-To: <1396188552-16007-1-git-send-email-sven.vermeulen@siphos.be> References: <1396188552-16007-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1396188552-16007-3-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com We make the web content types as defined by the apache module more generic in use so that other domains, who need to interact with these types, can do so without getting too many privileges assigned (like with apache_manage_all_content). Within the apache module, the apache_content_template() allows creation of additional derived types for "apache web content". But this is actually being used to label generic web content, and it creates additional types based on the prefix. When we want to support additional web servers (or parsers used by web servers, such as php-fpm) that do not run within the apache-provided domains, they have a hard time accessing the data. There is currently one interface available (apache_manage_all_content) but that is a lot of privileges for a parser that possibly just needs to read content. In this patch, we create additional attributes (httpd_ra_content for read/append data, and httpd_rw_content for read/write content) and define interfaces to manage the types that have these attributes assigned. This is the result of the discussion of June 2012, which was version 3 of the patchset (I never came to finish up the commit), see also http://oss.tresys.com/pipermail/refpolicy/2012-June/005175.html Signed-off-by: Sven Vermeulen --- apache.if | 120 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- apache.te | 3 ++ 2 files changed, 121 insertions(+), 2 deletions(-) diff --git a/apache.if b/apache.if index f6eb485..717c6f7 100644 --- a/apache.if +++ b/apache.if @@ -15,6 +15,7 @@ template(`apache_content_template',` gen_require(` attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type; attribute httpd_script_domains, httpd_htaccess_type; + attribute httpd_rw_content, httpd_ra_content; type httpd_t, httpd_suexec_t; ') @@ -48,11 +49,11 @@ template(`apache_content_template',` corecmd_shell_entry_type(httpd_$1_script_t) domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) - type httpd_$1_rw_content_t, httpdcontent; # customizable + type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t }; files_type(httpd_$1_rw_content_t) - type httpd_$1_ra_content_t, httpdcontent; # customizable + type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; files_type(httpd_$1_ra_content_t) @@ -391,6 +392,121 @@ interface(`apache_dontaudit_rw_tcp_sockets',` ######################################## ## +## Read all appendable content +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_read_all_ra_content',` + gen_require(` + attribute httpd_ra_content; + ') + + read_files_pattern($1, httpd_ra_content, httpd_ra_content) + read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content) +') + +######################################## +## +## Append to all appendable web content +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_append_all_ra_content',` + gen_require(` + attribute httpd_ra_content; + ') + + append_files_pattern($1, httpd_ra_content, httpd_ra_content) +') + +######################################## +## +## Read all read/write content +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_read_all_rw_content',` + gen_require(` + attribute httpd_rw_content; + ') + + read_files_pattern($1, httpd_rw_content, httpd_rw_content) + read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content) +') + +######################################## +## +## Manage all read/write content +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_manage_all_rw_content',` + gen_require(` + attribute httpd_rw_content; + ') + + manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content) + manage_files_pattern($1, httpd_rw_content, httpd_rw_content) + manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content) +') +######################################## +## +## Read all web content. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_read_all_content',` + gen_require(` + attribute httpdcontent, httpd_script_exec_type; + ') + + read_files_pattern($1, httpdcontent, httpdcontent) + read_lnk_files_pattern($1, httpdcontent, httpdcontent) + + read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) + read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) +') + +####################################### +## +## Search all apache content. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_search_all_content',` + gen_require(` + attribute httpdcontent; + ') + + allow $1 httpdcontent:dir search_dir_perms; +') + +######################################## +## ## Create, read, write, and delete ## all httpd content. ## diff --git a/apache.te b/apache.te index a9322c3..3645d88 100644 --- a/apache.te +++ b/apache.te @@ -257,6 +257,9 @@ attribute httpd_htaccess_type; # domains that can exec all scripts attribute httpd_exec_scripts; +attribute httpd_ra_content; +attribute httpd_rw_content; + attribute httpd_script_exec_type; # all script domains -- 1.8.3.2