From: pebenito@ieee.org (Chris PeBenito) Date: Tue, 19 Sep 2017 18:22:29 -0400 Subject: [refpolicy] [PATCH] apache: update In-Reply-To: <20170918150158.3915-1-cgzones@googlemail.com> References: <20170918150158.3915-1-cgzones@googlemail.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/18/2017 11:01 AM, Christian G?ttsche via refpolicy wrote:
> - add filecontexts
> - add reload interface (e.g. for logrotate)
> - remove old aliases
> - use new userdom_use_inherited_user_terminals
>
> v2:
> - full dontaudits in tunables
> - nextcloud filecontexts
> - drop alias removals
> ---
> apache.fc | 11 +++++++++++
> apache.if | 19 +++++++++++++++++++
> apache.te | 18 ++++++++++++------
> 3 files changed, 42 insertions(+), 6 deletions(-)
>
> diff --git a/apache.fc b/apache.fc
> index 16fb1a6..67bf2a2 100644
> --- a/apache.fc
> +++ b/apache.fc
> @@ -63,6 +63,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:obje
> /usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> /usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
> /usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
> +/usr/lib/systemd/system/apache[^/]*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
> /usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
> /usr/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
>
> @@ -144,6 +145,8 @@ ifdef(`distro_suse',`
> /var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> /var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>
> +/var/lock/apache2(/.*)? gen_context(system_u:object_r:httpd_lock_t,s0)
> +
> /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> @@ -177,6 +180,8 @@ ifdef(`distro_suse',`
>
> /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> /var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
> +/var/www(/.*)?/roundcubemail/logs(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www(/.*)?/roundcubemail/temp(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> /var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> @@ -188,7 +193,13 @@ ifdef(`distro_suse',`
> /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> /var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
> /var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www(/.*)?/nextcloud/config(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www(/.*)?/nextcloud/data(.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www(/.*)?/nextcloud/apps(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www(/.*)?/nextcloud/\.htaccess -- gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/var/www/sessions(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> /var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> /var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/var/www/uploads(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> diff --git a/apache.if b/apache.if
> index 91191ec..135e2f5 100644
> --- a/apache.if
> +++ b/apache.if
> @@ -390,6 +390,25 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
> dontaudit $1 httpd_t:tcp_socket { read write };
> ')
>
> +########################################
> +##
> +## Reload the httpd service (systemd).
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`apache_reload',`
> + gen_require(`
> + type httpd_unit_t;
> + class service { reload status };
> + ')
> +
> + allow $1 httpd_unit_t:service { reload status };
> +')
> +
> ########################################
> ##
> ## Read all appendable content
> diff --git a/apache.te b/apache.te
> index 1c10521..0fe5438 100644
> --- a/apache.te
> +++ b/apache.te
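Review bot: The new `/var/www(/.*)?/nextcloud/data(.*)?` entry is missing the slash that the sibling nextcloud lines use, so it also matches any entry under nextcloud whose name merely starts with `data` (a `database` directory or a `data.old` backup, for instance) and hands those httpd_sys_rw_content_t too. `/var/www(/.*)?/nextcloud/data(/.*)?` limits the label to the data directory and its contents, matching the `config`, `apps` and `\.htaccess` lines in the same hunk. Writable-content labels are the ones that decide what a web server process can modify, so keeping the pattern exact is worth the one-character fix.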
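Review bot: `apache_reload` grants `status` on httpd_unit_t as well as `reload`, but its summary only says "Reload the httpd service (systemd)", so a caller reading the interface docs will not see the extra permission. Either widen the summary, e.g. `## Reload the httpd service (systemd) and read its status.`, or drop `status` from both the `class service { reload status };` requirement and the allow rule if callers such as logrotate only need reload. The doc lines between the `##` markers render empty here, which looks like the XML summary/param tags were stripped by the list archive rather than absent from the patch; worth a glance at the applied file to be sure.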
> @@ -407,7 +407,10 @@ allow httpd_t httpd_lock_t:file manage_file_perms;
> files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
>
> manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
> -manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> logging_log_filetrans(httpd_t, httpd_log_t, file)
>
> @@ -530,8 +533,6 @@ miscfiles_read_tetex_data(httpd_t)
>
> seutil_dontaudit_search_config(httpd_t)
>
> -userdom_use_unpriv_users_fds(httpd_t)
> -
> ifdef(`TODO',`
> tunable_policy(`allow_httpd_mod_auth_pam',`
> auth_domtrans_chk_passwd(httpd_t)
> @@ -656,6 +657,8 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_sc
>
> tunable_policy(`httpd_execmem',`
> allow httpd_t self:process { execmem execstack };
> +',`
> + dontaudit httpd_t self:process { execmem execstack };
> ')
>
> tunable_policy(`httpd_can_sendmail',`
> @@ -707,6 +710,9 @@ tunable_policy(`httpd_read_user_content',`
> tunable_policy(`httpd_setrlimit',`
> allow httpd_t self:process setrlimit;
> allow httpd_t self:capability sys_resource;
> +',`
> + dontaudit httpd_t self:process setrlimit;
> + dontaudit httpd_t self:capability sys_resource;
> ')
>
> tunable_policy(`httpd_ssi_exec',`
> @@ -718,7 +724,7 @@ tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
> ')
>
> tunable_policy(`httpd_tty_comm',`
> - userdom_use_user_terminals(httpd_t)
> + userdom_use_inherited_user_terminals(httpd_t)
> ',`
> userdom_dontaudit_use_user_terminals(httpd_t)
> ')
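Review bot: Replacing manage_files_pattern on httpd_log_t with the append/create/read/setattr patterns silently drops `write`, `rename` and `unlink`, and neither the hunk nor the commit message records why, so the next contributor who sees a denial is likely to restore manage_files_pattern wholesale. A one-line comment above the new pattern lines, e.g. `# httpd only appends to its logs; rotation is delegated to logrotate (see apache_reload)`, would pin the intent. Loggers that run inside httpd_t and rotate files themselves (piped programs such as rotatelogs with its delete-old-files option) would presumably now be denied rename/unlink, so this is worth confirming against a configuration that uses them. The tightening itself is welcome from an audit-trail standpoint: a compromised httpd_t process can no longer truncate or remove its own logs.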
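Review bot: The new else-branch `dontaudit httpd_t self:process { execmem execstack };` suppresses a denial that defenders commonly rely on: an httpd_t process unexpectedly asking for executable anonymous memory or an executable stack is a recognised indicator of memory-corruption exploitation, and with the tunable off it will no longer reach the audit log. Unlike the setrlimit/sys_resource dontaudit in the `httpd_setrlimit` hunk, which likely only hides a benign start-up probe, this one trades visibility for quiet logs; consider leaving execmem/execstack audited, or add a comment naming the JIT-capable modules that are expected to probe it so the silence is a documented decision. The `httpd_execmem` tunable_policy block starts and ends inside the hunk, so the change is self-contained.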
> @@ -919,7 +925,7 @@ logging_search_logs(httpd_helper_t)
> logging_send_syslog_msg(httpd_helper_t)
>
> tunable_policy(`httpd_tty_comm',`
> - userdom_use_user_terminals(httpd_helper_t)
> + userdom_use_inherited_user_terminals(httpd_helper_t)
> ',`
> userdom_dontaudit_use_user_terminals(httpd_helper_t)
> ')
> @@ -1051,7 +1057,7 @@ tunable_policy(`httpd_tmp_exec',`
> ')
>
> tunable_policy(`httpd_tty_comm',`
> - userdom_use_user_terminals(httpd_suexec_t)
> + userdom_use_inherited_user_terminals(httpd_suexec_t)
> ',`
> userdom_dontaudit_use_user_terminals(httpd_suexec_t)
> ')
Merged. -- Chris PeBenito