From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH/RFC] Reintroduce httpd_user_content_type and httpd_user_script_exec_type attributes
Date: Mon, 11 Feb 2013 20:02:33 +0100
Message-ID: <20130211190233.GA11417@siphos.be>

Hi all,

The httpd_user_content_type and httpd_user_script_exec_type attributes were
erroneously removed a while ago, but while trying to reintroduce them I did
notice that they were removed because there was no way for users to actually
use them (or I'm completely misreading the policy code).

Below is a first attempt at the patch, which also introduces two interfaces:
apache_user_content_type() and apache_user_script_exec_type(), which assign
the given types the attributes again.

However, when trying to find out if/when the Apache domain (httpd_t) should
be able to execute the httpd_user_script_exec_type-labeled files (and read
httpd_user_content_type-labeled files) I'm getting a bit lost and hopefully
you can give me some guidance...

Should I allow execute rights on httpd_user_script_exec_type if
httpd_enable_cgi (boolean) and httpd_enable_homedirs (boolean) are set? And
httpd_enable_homedirs (boolean) for reading httpd_user_content_type?

Wkr,
	Sven Vermeulen

diff --git a/apache.if b/apache.if
index 83e899c..aacf98e 100644
--- a/apache.if
+++ b/apache.if
@@ -124,6 +124,42 @@ template(`apache_content_template',`
 
 ########################################
 ## <summary>
+##	Mark the selected type as an apache user content type
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to mark as apache user content
+##	</summary>
+## </param>
+#
+interface(`apache_user_content_type',`
+	gen_require(`
+		attribute httpd_user_content_type;
+	')
+
+	typeattribute $1 httpd_user_content_type;
+')
+
+########################################
+## <summary>
+##	Mark the selected type as an apache user script exec type
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to mark as apache user script exec type
+##	</summary>
+## </param>
+#
+interface(`apache_user_script_exec_type',`
+	gen_require(`
+		attribute httpd_user_script_exec_type;
+	')
+
+	typeattribute $1 httpd_user_script_exec_type;
+')
+
+########################################
+## <summary>
 ##	Role access for apache.
 ## </summary>
 ## <param name="role">
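Review bot: both new interfaces only attach the attribute (`typeattribute $1 httpd_user_content_type;` and the script_exec counterpart) and nothing elsewhere in this patch grants httpd_t any access on either attribute, so a module calling them gains no effective permission until the read/exec rules the cover mail asks about are added. The `<summary>` blocks should say what marking a type implies (that it is user-managed web content or a user-managed CGI script, and which tunable is expected to gate httpd_t's access to it), otherwise callers cannot tell the new interfaces apart from apache_content_template() output.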
@@ -1070,8 +1106,17 @@ interface(`apache_search_sys_scripts',`
 ## <rolecap/>
 #
 interface(`apache_manage_all_user_content',`
-	refpolicywarn(`$0($*) has been deprecated, use apache_manage_all_content() instead.')
-	apache_manage_all_content($1)
+	gen_require(`
+		attribute httpd_user_content_type, httpd_user_script_exec_type;
+	')
+
+	manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
+	manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+	manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+
+	manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+	manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+	manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
 ')
 
 ########################################
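Review bot: reviving `apache_manage_all_user_content` as a live interface silently narrows what existing callers get: the removed lines forwarded to `apache_manage_all_content($1)`, which covers every httpdcontent type, while the new body only manages the two user attributes, so a caller that relied on the deprecation fallback loses manage access on all non-user content types. Either keep the `refpolicywarn()` line and have the deprecated path remain an alias, or state the narrowed scope in the interface summary and in the commit message so the behaviour change is deliberate rather than a side effect.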
diff --git a/apache.te b/apache.te
index 1a82e29..9b95119 100644
--- a/apache.te
+++ b/apache.te
@@ -252,12 +252,14 @@ gen_tunable(httpd_use_gpg, false)
 gen_tunable(httpd_use_nfs, false)
 
 attribute httpdcontent;
+attribute httpd_user_content_type;
 attribute httpd_htaccess_type;
 
 # domains that can exec all scripts
 attribute httpd_exec_scripts;
 
 attribute httpd_script_exec_type;
+attribute httpd_user_script_exec_type;
 
 # all script domains
 attribute httpd_script_domains;
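Review bot: the two added `attribute` lines have no comment, whereas the neighbouring `attribute httpd_exec_scripts;` and `attribute httpd_script_domains;` are each introduced by one (`# domains that can exec all scripts`, `# all script domains`). Add a one-line comment above each new attribute stating that it collects user-managed content types and user-managed script types respectively, so the distinction from `httpdcontent` and `httpd_script_exec_type` is visible at the declaration site.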
@@ -322,6 +324,8 @@ type httpd_tmpfs_t;
 files_tmpfs_file(httpd_tmpfs_t)
 
 apache_content_template(user)
+apache_user_content_type(httpd_user_content_t)
+apache_user_script_exec_type(httpd_user_script_exec_t)
 ubac_constrained(httpd_user_script_t)
 userdom_user_home_content(httpd_user_content_t)
 userdom_user_home_content(httpd_user_htaccess_t)
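Review bot: after `apache_user_content_type(httpd_user_content_t)` and `apache_user_script_exec_type(httpd_user_script_exec_t)` the attributes are populated, but apache.te still grants httpd_t nothing on them, which is exactly the open question in the cover mail; the missing rules belong next to these lines and should be gated on the tunables this file already declares, along the lines of `tunable_policy(`httpd_enable_homedirs`,` ... read httpd_user_content_type ... `')` for content and `tunable_policy(`httpd_enable_cgi && httpd_enable_homedirs`,` ... exec httpd_user_script_exec_type ... `')` for scripts. Since `httpd_user_content_t` is also marked with `userdom_user_home_content` in the context lines, keying both on httpd_enable_homedirs keeps the existing home-directory toggle authoritative and avoids opening user-owned scripts to httpd_t when only CGI is enabled.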
