From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 03:00:15 +0200
Subject: [refpolicy] [PATCH 3/33] apache: curb on userdom permissions
Message-ID: <1492650015.14733.73.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This patch curbs on userdomain file read and/or write permissions
for the apache http daemon module.

It aims to ensure user data confidentiality.

A boolean has been introduced to revert the previous read/write
behavior.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/apache.te |   20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

--- refpolicy-2.20170204-orig/policy/modules/contrib/apache.te	2017-02-04 19:30:39.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/apache.te	2017-04-20 00:42:04.560442582 +0200
@@ -224,6 +224,10 @@ gen_tunable(httpd_unified, false)
 ##	<p>
 ##	Determine whether httpd can use
 ##	cifs file systems.
+##	When the user home directories
+##	use the cifs file system, this
+##	implies httpd_enable_home_dirs
+##	and httpd_read_user_content.
 ##	</p>
 ## </desc>
 gen_tunable(httpd_use_cifs, false)
@@ -232,6 +236,10 @@ gen_tunable(httpd_use_cifs, false)
 ##	<p>
 ##	Determine whether httpd can
 ##	use fuse file systems.
+##	When the user home directories
+##	use the fuse file system, this
+##	implies httpd_enable_home_dirs
+##	and httpd_read_user_content.
 ##	</p>
 ## </desc>
 gen_tunable(httpd_use_fusefs, false)
@@ -247,6 +255,10 @@ gen_tunable(httpd_use_gpg, false)
 ##	<p>
 ##	Determine whether httpd can use
 ##	nfs file systems.
+##	When the user home directories
+##	use the nfs file system, this
+##	implies httpd_enable_home_dirs
+##	and httpd_read_user_content.
 ##	</p>
 ## </desc>
 gen_tunable(httpd_use_nfs, false)
@@ -692,6 +704,8 @@ optional_policy(`
 
 tunable_policy(`httpd_read_user_content',`
 	userdom_read_user_home_content_files(httpd_t)
+',`
+	userdom_dontaudit_read_user_home_content_files(httpd_t)
 ')
 
 tunable_policy(`httpd_setrlimit',`
@@ -1096,6 +1110,8 @@ optional_policy(`
 
 tunable_policy(`httpd_read_user_content',`
 	userdom_read_user_home_content_files(httpd_suexec_t)
+',`
+	userdom_dontaudit_read_user_home_content_files(httpd_suexec_t)
 ')
 
 tunable_policy(`httpd_enable_homedirs',`
@@ -1264,6 +1280,8 @@ tunable_policy(`httpd_execmem',`
 
 tunable_policy(`httpd_read_user_content',`
 	userdom_read_user_home_content_files(httpd_sys_script_t)
+',`
+	userdom_dontaudit_read_user_home_content_files(httpd_sys_script_t)
 ')
 
 tunable_policy(`httpd_use_cifs',`
@@ -1367,6 +1385,8 @@ tunable_policy(`httpd_enable_homedirs &&
 
 tunable_policy(`httpd_read_user_content',`
 	userdom_read_user_home_content_files(httpd_user_script_t)
+',`
+	userdom_dontaudit_read_user_home_content_files(httpd_user_script_t)
 ')
 
 optional_policy(`