From: cgzones@googlemail.com (=?UTF-8?q?Christian=20G=C3=B6ttsche?=)
Date: Sun, 10 Sep 2017 17:11:58 +0200
Subject: [refpolicy] [PATCH 2/2] apache: update
In-Reply-To: <20170910151158.5859-1-cgzones@googlemail.com>
References: <20170910151158.5859-1-cgzones@googlemail.com>
Message-ID: <20170910151158.5859-2-cgzones@googlemail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

- add filecontexts
- add reload interface (e.g. for logrotate)
- remove old aliases
- use new userdom_use_inherited_user_terminals
- more strict log access
---
 apache.fc | 7 +++++++
 apache.if | 19 +++++++++++++++++++
 apache.te | 31 +++++++++++--------------------
 3 files changed, 37 insertions(+), 20 deletions(-)

diff --git a/apache.fc b/apache.fc
index 16fb1a6..12397e9 100644
--- a/apache.fc
+++ b/apache.fc
@@ -63,6 +63,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:obje
 /usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
 /usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/systemd/system/apache[^/]*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
 /usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
 /usr/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
 
@@ -144,6 +145,8 @@ ifdef(`distro_suse',`
 /var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
+/var/lock/apache2(/.*)? gen_context(system_u:object_r:httpd_lock_t,s0)
+
 /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -177,6 +180,8 @@ ifdef(`distro_suse',`
 /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www(/.*)?/roundcubemail/logs(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www(/.*)?/roundcubemail/temp(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@@ -189,6 +194,8 @@ ifdef(`distro_suse',`
 /var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
 /var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/sessions(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/uploads(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
diff --git a/apache.if b/apache.if
index 91191ec..135e2f5 100644
--- a/apache.if
+++ b/apache.if
@@ -390,6 +390,25 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
 dontaudit $1 httpd_t:tcp_socket { read write };
 ')
 
+########################################
+##
+## Reload the httpd service (systemd).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_reload',`
+ gen_require(`
+ type httpd_unit_t;
+ class service { reload status };
+ ')
+
+ allow $1 httpd_unit_t:service { reload status };
+')
+
 ########################################
 ##
 ## Read all appendable content
diff --git a/apache.te b/apache.te
index 1c10521..68b0d69 100644
--- a/apache.te
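Review bot: The two new roundcubemail lines label the application's log directory `httpd_sys_rw_content_t`, while the generic `/var/www(/.*)?/logs(/.*)?` entry directly above them uses the append-only `httpd_sys_ra_content_t`, which is also the direction the commit message's "more strict log access" takes for the daemon's own logs. If Roundcube only appends to those files, `/var/www(/.*)?/roundcubemail/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)` would keep a compromised httpd_t from rewriting or truncating them; rw may be needed if the application rotates its own logs, so please confirm which it is. The `temp` entry as rw content looks right.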
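Review bot: `/var/www/sessions` and `/var/www/uploads` are given `httpd_cache_t`, which by its name is the type for httpd's own cache data, whereas the writable application directories in the same section (`gallery/albums`, `moodledata`, `svn`) use `httpd_sys_rw_content_t`. Uploads in particular are client-supplied files, so labeling them as writable content rather than cache would keep them under the same content rules as the rest of the web tree. If the cache type is intentional (e.g. these directories must not be served as content), a one-line comment above the two entries saying so, such as `# session and upload scratch data is treated as cache, not served content`, would stop a later cleanup from relabeling them. I cannot tell from the hunk which web application these two paths belong to.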
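Review bot: `apache_reload` grants `{ reload status }` on `httpd_unit_t`, but its summary mentions only reload; the status permission should be named too so callers (the logrotate use case from the commit message) know what they receive, e.g. `## Reload the httpd service and query its status (systemd).` An allow on the service class alone does not let the caller execute systemctl, so the interface may need to be paired with the systemctl execution and init reload access that other refpolicy interfaces of this kind bundle, or the summary should state that the caller must have that already; I cannot verify from this hunk which is intended. The doc comment's XML tags appear stripped in this rendering for the existing interface below as well, so that is an archive artifact rather than a defect of the patch.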
+++ b/apache.te
@@ -337,20 +337,6 @@ userdom_user_home_content(httpd_user_htaccess_t)
 userdom_user_home_content(httpd_user_script_exec_t)
 userdom_user_home_content(httpd_user_ra_content_t)
 userdom_user_home_content(httpd_user_rw_content_t)
-typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
-typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
-typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
-typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
-typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
-typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
-typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
-typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
-typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
-typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
-typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
-typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
-typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
 
 type httpd_var_lib_t;
 files_type(httpd_var_lib_t)
@@ -407,7 +393,10 @@ allow httpd_t httpd_lock_t:file manage_file_perms;
 files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
 
 manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
-manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 logging_log_filetrans(httpd_t, httpd_log_t, file)
 
@@ -530,8 +519,6 @@ miscfiles_read_tetex_data(httpd_t)
 
 seutil_dontaudit_search_config(httpd_t)
 
-userdom_use_unpriv_users_fds(httpd_t)
-
 ifdef(`TODO',`
 tunable_policy(`allow_httpd_mod_auth_pam',`
 auth_domtrans_chk_passwd(httpd_t)
@@ -656,6 +643,8 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_sc
 
 tunable_policy(`httpd_execmem',`
 allow httpd_t self:process { execmem execstack };
+',`
+ dontaudit httpd_t self:process execmem;
 ')
 
 tunable_policy(`httpd_can_sendmail',`
@@ -707,6 +696,8 @@ tunable_policy(`httpd_read_user_content',`
 tunable_policy(`httpd_setrlimit',`
 allow httpd_t self:process setrlimit;
 allow httpd_t self:capability sys_resource;
+',`
+ dontaudit httpd_t self:capability sys_resource;
 ')
 
 tunable_policy(`httpd_ssi_exec',`
@@ -718,7 +709,7 @@ tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
 ')
 
 tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_t)
 ',`
 userdom_dontaudit_use_user_terminals(httpd_t)
 ')
@@ -919,7 +910,7 @@ logging_search_logs(httpd_helper_t)
 logging_send_syslog_msg(httpd_helper_t)
 
 tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
 ',`
 userdom_dontaudit_use_user_terminals(httpd_helper_t)
 ')
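Review bot: The four pattern lines that replace `manage_files_pattern` deliberately withhold `write`, `rename` and `unlink` on `httpd_log_t` files, but nothing in the hunk records that this is intentional, so the next AVC denial on a log file is likely to bring the broad pattern straight back. A comment above `append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)` such as `# logs are append-only on purpose: no write/rename/unlink, so a compromised httpd_t cannot truncate or remove its own logs` would preserve the reasoning. `read_files_pattern` still lets httpd_t read everything under `httpd_log_t`; if no module actually needs that, dropping it would match the commit's stated goal even better, though that needs runtime testing I cannot do from here.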
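Review bot: The new else branch of `httpd_execmem` silences only `execmem`, while the allow on the line above covers `{ execmem execstack }`, so with the boolean off an execstack attempt is still audited but an execmem attempt is not; the `httpd_setrlimit` hunk below has the same asymmetry (`capability sys_resource` is dontaudited, `process setrlimit` is not). If that split is deliberate, a comment on the dontaudit line such as `# execstack denials stay audited: they are rare and worth seeing` would make it clear; if not, both halves should cover the same permissions. A dontaudit on execmem also hides a signal administrators may use to notice a module or script unexpectedly making memory executable, so the trade-off between audit noise and visibility is worth stating in the commit message or a comment.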
@@ -1051,7 +1042,7 @@ tunable_policy(`httpd_tmp_exec',`
 ')
 
 tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_suexec_t)
+ userdom_use_inherited_user_terminals(httpd_suexec_t)
 ',`
 userdom_dontaudit_use_user_terminals(httpd_suexec_t)
 ')
-- 
2.14.1