From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 4 Apr 2014 16:26:49 -0400 Subject: [refpolicy] [PATCH 2/3] Support read/append/manage functions for various httpd content In-Reply-To: <1396188552-16007-3-git-send-email-sven.vermeulen@siphos.be> References: <1396188552-16007-1-git-send-email-sven.vermeulen@siphos.be> <1396188552-16007-3-git-send-email-sven.vermeulen@siphos.be> Message-ID: <533F1589.1070801@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 03/30/2014 10:09 AM, Sven Vermeulen wrote: > We make the web content types as defined by the apache module more > generic in use so that other domains, who need to interact with these > types, can do so without getting too many privileges assigned (like with > apache_manage_all_content). > > Within the apache module, the apache_content_template() allows creation > of additional derived types for "apache web content". But this is > actually being used to label generic web content, and it creates > additional types based on the prefix. > > When we want to support additional web servers (or parsers used by web > servers, such as php-fpm) that do not run within the apache-provided > domains, they have a hard time accessing the data. There is currently > one interface available (apache_manage_all_content) but that is a lot of > privileges for a parser that possibly just needs to read content. > > In this patch, we create additional attributes (httpd_ra_content for > read/append data, and httpd_rw_content for read/write content) and > define interfaces to manage the types that have these attributes > assigned. > > This is the result of the discussion of June 2012, which was version 3 > of the patchset (I never came to finish up the commit), see also > http://oss.tresys.com/pipermail/refpolicy/2012-June/005175.html Merged. 
> Signed-off-by: Sven Vermeulen
> ---
> apache.if | 120 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
> apache.te | 3 ++
> 2 files changed, 121 insertions(+), 2 deletions(-)
>
> diff --git a/apache.if b/apache.if
> index f6eb485..717c6f7 100644
> --- a/apache.if
> +++ b/apache.if
> @@ -15,6 +15,7 @@ template(`apache_content_template',`
> gen_require(`
> attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
> attribute httpd_script_domains, httpd_htaccess_type;
> + attribute httpd_rw_content, httpd_ra_content;
> type httpd_t, httpd_suexec_t;
> ')
>
> @@ -48,11 +49,11 @@ template(`apache_content_template',`
> corecmd_shell_entry_type(httpd_$1_script_t)
> domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
>
> - type httpd_$1_rw_content_t, httpdcontent; # customizable
> + type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable
> typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
> files_type(httpd_$1_rw_content_t)
>
> - type httpd_$1_ra_content_t, httpdcontent; # customizable
> + type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable
> typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
> files_type(httpd_$1_ra_content_t)
>
> @@ -391,6 +392,121 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
>
> ########################################
> ##
> +## Read all appendable content
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`apache_read_all_ra_content',`
> + gen_require(`
> + attribute httpd_ra_content;
> + ')
> +
> + read_files_pattern($1, httpd_ra_content, httpd_ra_content)
> + read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
> +')
> +
> +########################################
> +##
> +## Append to all appendable web content
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`apache_append_all_ra_content',`
> + gen_require(`
> + attribute httpd_ra_content;
> + ')
> +
> + append_files_pattern($1, httpd_ra_content, httpd_ra_content)
> +')
> +
> +########################################
> +##
> +## Read all read/write content
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`apache_read_all_rw_content',`
> + gen_require(`
> + attribute httpd_rw_content;
> + ')
> +
> + read_files_pattern($1, httpd_rw_content, httpd_rw_content)
> + read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
> +')
> +
> +########################################
> +##
> +## Manage all read/write content
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`apache_manage_all_rw_content',`
> + gen_require(`
> + attribute httpd_rw_content;
> + ')
> +
> + manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
> + manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
> + manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
> +')
> +########################################
> +##
> +## Read all web content.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`apache_read_all_content',`
> + gen_require(`
> + attribute httpdcontent, httpd_script_exec_type;
> + ')
> +
> + read_files_pattern($1, httpdcontent, httpdcontent)
> + read_lnk_files_pattern($1, httpdcontent, httpdcontent)
> +
> + read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
> + read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
> +')
> +
> +#######################################
> +##
> +## Search all apache content.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`apache_search_all_content',`
> + gen_require(`
> + attribute httpdcontent;
> + ')
> +
> + allow $1 httpdcontent:dir search_dir_perms;
> +')
> +
> +########################################
> +##
> ## Create, read, write, and delete
> ## all httpd content.
> ##
> diff --git a/apache.te b/apache.te
> index a9322c3..3645d88 100644
> --- a/apache.te
> +++ b/apache.te
> @@ -257,6 +257,9 @@ attribute httpd_htaccess_type;
> # domains that can exec all scripts
> attribute httpd_exec_scripts;
>
> +attribute httpd_ra_content;
> +attribute httpd_rw_content;
> +
> attribute httpd_script_exec_type;
>
> # all script domains
> -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
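Review bot: `apache_read_all_content` also grants `read_files_pattern`/`read_lnk_files_pattern` on `httpd_script_exec_type`, but its summary says only `Read all web content.`; a caller that wants static content also receives read access to every CGI script executable, so the summary should state it, e.g. `## Read all web content, including script executables.`. The new `*_ra_content`/`*_rw_content` interfaces grant search only on directories carrying the attribute itself, so a domain whose rw/ra directories sit below content of another httpdcontent type presumably still needs `apache_search_all_content` from this same hunk to reach them; a sentence to that effect in those four summaries would save callers a round of denials. Two layout nits in the same hunk: the `')` closing `apache_manage_all_rw_content` runs straight into the next `####` banner without the blank line every other block has, and the banner above `apache_search_all_content` is one `#` shorter than the rest.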
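Review bot: The two new attribute declarations are the only ones in this hunk without a describing comment, while the neighbouring `httpd_exec_scripts` carries `# domains that can exec all scripts`. Because these attributes are what the new `apache_*_all_ra_content` and `apache_*_all_rw_content` interfaces key on, any type later given the attribute silently widens what every caller of those interfaces can read, append or manage, which is worth stating at the declaration. Suggested comment above them: `# web content types exposed to other domains via the apache_*_all_{ra,rw}_content interfaces`.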