From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 03:00:15 +0200
Subject: [refpolicy] [PATCH 3/33] apache: curb on userdom permissions
Message-ID: <1492650015.14733.73.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This patch curbs on userdomain file read and/or write permissions for the apache http daemon module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior.
Signed-off-by: Guido Trentalancia
---
 policy/modules/contrib/apache.te | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
--- refpolicy-2.20170204-orig/policy/modules/contrib/apache.te 2017-02-04 19:30:39.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/apache.te 2017-04-20 00:42:04.560442582 +0200
@@ -224,6 +224,10 @@ gen_tunable(httpd_unified, false)
 ##

## Determine whether httpd can use
 ## cifs file systems.
+## When the user home directories
+## use the cifs file system, this
+## implies httpd_enable_home_dirs
+## and httpd_read_user_content.
 ##

##
 gen_tunable(httpd_use_cifs, false)
@@ -232,6 +236,10 @@ gen_tunable(httpd_use_cifs, false)
 ##
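Review bot: The description added to httpd_use_cifs names a boolean `httpd_enable_home_dirs`, but the tunable this file actually uses is spelled `httpd_enable_homedirs` (it appears as a tunable_policy condition in the -1096 and -1367 hunks), so the documentation points at a boolean that does not exist; the same misspelling is in the httpd_use_fusefs and httpd_use_nfs hunks. "this implies" also reads as though enabling httpd_use_cifs switches the other two booleans on, whereas the `httpd_enable_homedirs && ...` condition visible later in the diff suggests they are additional requirements the administrator must set as well — the full conditions are outside what I can see. Suggest `## use the cifs file system, this` / `## also requires httpd_enable_homedirs` / `## and httpd_read_user_content.` (and the fuse/nfs counterparts).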

## Determine whether httpd can
 ## use fuse file systems.
+## When the user home directories
+## use the fuse file system, this
+## implies httpd_enable_home_dirs
+## and httpd_read_user_content.
 ##

##
 gen_tunable(httpd_use_fusefs, false)
@@ -247,6 +255,10 @@ gen_tunable(httpd_use_gpg, false)
 ##

## Determine whether httpd can use
 ## nfs file systems.
+## When the user home directories
+## use the nfs file system, this
+## implies httpd_enable_home_dirs
+## and httpd_read_user_content.
 ##

##
 gen_tunable(httpd_use_nfs, false)
@@ -692,6 +704,8 @@ optional_policy(`
 tunable_policy(`httpd_read_user_content',`
 userdom_read_user_home_content_files(httpd_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(httpd_t)
 ')
 tunable_policy(`httpd_setrlimit',`
@@ -1096,6 +1110,8 @@ optional_policy(`
 tunable_policy(`httpd_read_user_content',`
 userdom_read_user_home_content_files(httpd_suexec_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(httpd_suexec_t)
 ')
 tunable_policy(`httpd_enable_homedirs',`
@@ -1264,6 +1280,8 @@ tunable_policy(`httpd_execmem',`
 tunable_policy(`httpd_read_user_content',`
 userdom_read_user_home_content_files(httpd_sys_script_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(httpd_sys_script_t)
 ')
 tunable_policy(`httpd_use_cifs',`
@@ -1367,6 +1385,8 @@ tunable_policy(`httpd_enable_homedirs &&
 tunable_policy(`httpd_read_user_content',`
 userdom_read_user_home_content_files(httpd_user_script_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(httpd_user_script_t)
 ')
 optional_policy(`
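Review bot: No permission is actually curbed by the -692, -1096, -1264 and -1367 hunks: the read rule for httpd_t, httpd_suexec_t, httpd_sys_script_t and httpd_user_script_t was already gated on httpd_read_user_content, and the new else branches only add `userdom_dontaudit_read_user_home_content_files(...)`, so neither the "curbs permissions" claim nor the "a boolean has been introduced" claim in the commit message is borne out by this patch — it should say that the patch silences denials when the existing boolean is off. That silencing has a monitoring cost: with the boolean off, an httpd or CGI-script domain that tries to read user home content now produces no AVC denial, and that denial is the signal an administrator relies on to notice a misconfigured vhost or a compromised web application reaching for user data (`semodule -DB` rebuilds the policy with dontaudit rules disabled when this has to be debugged). If hiding that noise is the intent, say so at the site, e.g. `# deny silently: home-content reads are expected and not of interest when httpd_read_user_content is off`, and state the trade-off in the commit message. The enclosing optional_policy blocks begin and end outside the hunks.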