From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 11 Sep 2017 19:13:22 -0400
Subject: [refpolicy] [PATCH 2/2] apache: update
In-Reply-To: <20170910151158.5859-2-cgzones@googlemail.com>
References: <20170910151158.5859-1-cgzones@googlemail.com>
<20170910151158.5859-2-cgzones@googlemail.com>
Message-ID: <7114d495-29dd-4f9d-7ecd-55788644b1fa@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 09/10/2017 11:11 AM, Christian G?ttsche via refpolicy wrote:
> - add filecontexts
> - add reload interface (e.g. for logrotate)
> - remove old aliases
> - use new userdom_use_inherited_user_terminals
> - more strict log access
> ---
> apache.fc | 7 +++++++
> apache.if | 19 +++++++++++++++++++
> apache.te | 31 +++++++++++--------------------
> 3 files changed, 37 insertions(+), 20 deletions(-)
>
> diff --git a/apache.fc b/apache.fc
> index 16fb1a6..12397e9 100644
> --- a/apache.fc
> +++ b/apache.fc
> @@ -63,6 +63,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:obje
> /usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> /usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
> /usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
> +/usr/lib/systemd/system/apache[^/]*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
> /usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
> /usr/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
>
> @@ -144,6 +145,8 @@ ifdef(`distro_suse',`
> /var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> /var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>
> +/var/lock/apache2(/.*)? gen_context(system_u:object_r:httpd_lock_t,s0)
> +
> /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> @@ -177,6 +180,8 @@ ifdef(`distro_suse',`
>
> /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> /var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
> +/var/www(/.*)?/roundcubemail/logs(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www(/.*)?/roundcubemail/temp(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> /var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> @@ -189,6 +194,8 @@ ifdef(`distro_suse',`
> /var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
> /var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/var/www/sessions(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> /var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> /var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/var/www/uploads(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> diff --git a/apache.if b/apache.if
> index 91191ec..135e2f5 100644
> --- a/apache.if
> +++ b/apache.if
> @@ -390,6 +390,25 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
> dontaudit $1 httpd_t:tcp_socket { read write };
> ')
>
> +########################################
> +##
> +## Reload the httpd service (systemd).
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`apache_reload',`
> + gen_require(`
> + type httpd_unit_t;
> + class service { reload status };
> + ')
> +
> + allow $1 httpd_unit_t:service { reload status };
> +')
> +
> ########################################
> ##
> ## Read all appendable content
> diff --git a/apache.te b/apache.te
> index 1c10521..68b0d69 100644
> --- a/apache.te
> +++ b/apache.te
> @@ -337,20 +337,6 @@ userdom_user_home_content(httpd_user_htaccess_t)
> userdom_user_home_content(httpd_user_script_exec_t)
> userdom_user_home_content(httpd_user_ra_content_t)
> userdom_user_home_content(httpd_user_rw_content_t)
> -typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
> -typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
> -typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
> -typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
> -typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
> -typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
> -typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
> -typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
> -typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
> -typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
> -typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
> -typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
> -typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
> -typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
>
> type httpd_var_lib_t;
> files_type(httpd_var_lib_t)
> @@ -407,7 +393,10 @@ allow httpd_t httpd_lock_t:file manage_file_perms;
> files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
>
> manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
> -manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> logging_log_filetrans(httpd_t, httpd_log_t, file)
This reverses a recent change, but I can't remember why we changed it.
Russell?
> @@ -530,8 +519,6 @@ miscfiles_read_tetex_data(httpd_t)
>
> seutil_dontaudit_search_config(httpd_t)
>
> -userdom_use_unpriv_users_fds(httpd_t)
> -
> ifdef(`TODO',`
> tunable_policy(`allow_httpd_mod_auth_pam',`
> auth_domtrans_chk_passwd(httpd_t)
> @@ -656,6 +643,8 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_sc
>
> tunable_policy(`httpd_execmem',`
> allow httpd_t self:process { execmem execstack };
> +',`
> + dontaudit httpd_t self:process execmem;
Should dontaudit the execstack for completeness.
> ')
>
> tunable_policy(`httpd_can_sendmail',`
> @@ -707,6 +696,8 @@ tunable_policy(`httpd_read_user_content',`
> tunable_policy(`httpd_setrlimit',`
> allow httpd_t self:process setrlimit;
> allow httpd_t self:capability sys_resource;
> +',`
> + dontaudit httpd_t self:capability sys_resource;
Same here, dontaudit setrlimit.
> ')
>
> tunable_policy(`httpd_ssi_exec',`
> @@ -718,7 +709,7 @@ tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
> ')
>
> tunable_policy(`httpd_tty_comm',`
> - userdom_use_user_terminals(httpd_t)
> + userdom_use_inherited_user_terminals(httpd_t)
> ',`
> userdom_dontaudit_use_user_terminals(httpd_t)
> ')
> @@ -919,7 +910,7 @@ logging_search_logs(httpd_helper_t)
> logging_send_syslog_msg(httpd_helper_t)
>
> tunable_policy(`httpd_tty_comm',`
> - userdom_use_user_terminals(httpd_helper_t)
> + userdom_use_inherited_user_terminals(httpd_helper_t)
> ',`
> userdom_dontaudit_use_user_terminals(httpd_helper_t)
> ')
> @@ -1051,7 +1042,7 @@ tunable_policy(`httpd_tmp_exec',`
> ')
>
> tunable_policy(`httpd_tty_comm',`
> - userdom_use_user_terminals(httpd_suexec_t)
> + userdom_use_inherited_user_terminals(httpd_suexec_t)
> ',`
> userdom_dontaudit_use_user_terminals(httpd_suexec_t)
> ')
>
--
Chris PeBenito