* [RFC] 2/4 - Hierarchal apache policy for reference policy (interfaces)
@ 2007-01-18 16:32 Joshua Brindle
From: Joshua Brindle @ 2007-01-18 16:32 UTC (permalink / raw)
  To: SE Linux; +Cc: Stephen Smalley

Below is an RFC for the interface file of a hierarchical apache policy (types
are named apache_t.child and are bounded by the apache_t parent). It includes
the metapolicy rules for the per-prefix apache types at the bottom of the
apache_per_role_template template; these let the user domain extend the policy
objects labelled $1_apache_policy_t.

-----------------------------------------------

## <summary>Apache web server</summary>

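########################################
## <summary>
##    Create a set of derived types for apache
##    web content.
## </summary>
## <desc>
##    <p>
##    Creates the content, htaccess, script, script_exec and
##    script_ro/rw/ra types for one prefix, the metapolicy type
##    PREFIX_apache_policy_t, and the rules that let the apache
##    daemon, suexec and the derived script domain use them.
##    </p>
##    <p>
##    The booleans httpd_enable_cgi, httpd_unified,
##    httpd_builtin_scripting, httpd_can_network_connect,
##    httpd_can_network_connect_db and the per-prefix
##    allow_httpd_PREFIX_script_anon_write widen what the script
##    domain may do; see the comment above each tunable_policy block.
##    </p>
## </desc>
## <param name="prefix">
##    <summary>
##    The prefix to be used for deriving type names.
##    </summary>
## </param>
#
template(`apache_content_template',`
    gen_require(`
        attribute httpdcontent;
        attribute httpd_exec_scripts;
        attribute httpd_script_exec_type;
        type apache_t.daemon, apache_t.suexec, apache_t.log;
    ')

    # Per-prefix boolean: when on the script domain gets write access
    # to public file transfer content via the
    # allow_httpd_$1_script_anon_write block below. Default off.
    gen_tunable(allow_httpd_$1_script_anon_write,false)

    # Static web pages. Member of httpdcontent and therefore covered
    # by the httpd_unified rules below.
    type apache_t.$1_content alias httpd_$1_content_t, httpdcontent; # customizable
    files_type(apache_t.$1_content)

    # .htaccess files; the daemon only reads these.
    type apache_t.$1_htaccess alias httpd_$1_htaccess_t; # customizable;
    files_type(apache_t.$1_htaccess)

    # Domain that CGI scripts run in.
    type apache_t.$1_script alias httpd_$1_script_t;
    domain_type(apache_t.$1_script)
    role system_r types apache_t.$1_script;

    # Executable script files, the entrypoint of the script domain.
    # Member of httpd_script_exec_type, so apache_manage_all_content
    # also grants write access to this type.
    type apache_t.$1_script_exec alias httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
    corecmd_shell_entry_type(apache_t.$1_script)
    domain_entry_file(apache_t.$1_script,apache_t.$1_script_exec)

    # The following three are the only areas that
    # scripts can read, read/write, or append to,
    # unless httpd_unified is enabled.
    type apache_t.$1_script_ro alias httpd_$1_script_ro_t, httpdcontent; # customizable
    files_type(apache_t.$1_script_ro)

    type apache_t.$1_script_rw alias httpd_$1_script_rw_t, httpdcontent; # customizable
    files_type(apache_t.$1_script_rw)

    type apache_t.$1_script_ra alias httpd_$1_script_ra_t, httpdcontent; # customizable
    files_type(apache_t.$1_script_ra)

    # Metapolicy type: the policy objects generated for this prefix
    # carry it, so a role can be allowed to extend them; see the
    # metapolicy rules in apache_per_role_template.
    # NOTE from review: apache_content_policy_type is not in the
    # gen_require above; presumably declared in apache.te - confirm.
    type $1_apache_policy_t, apache_content_policy_type;

    ##############################
    #
    # Local policy
    #

    # The daemon reads .htaccess but never writes it.
    allow apache_t.daemon apache_t.$1_htaccess:file read_file_perms;

    # suexec launches scripts into the script domain.
    domtrans_pattern(apache_t.suexec, apache_t.$1_script_exec, apache_t.$1_script)

    allow apache_t.suexec { apache_t.$1_content apache_t.$1_script_ro apache_t.$1_script_rw apache_t.$1_script_exec }:dir search_dir_perms;

    allow apache_t.$1_script self:fifo_file rw_file_perms;
    allow apache_t.$1_script self:unix_stream_socket connectto;

    # Script output goes back to the daemon over a pipe.
    allow apache_t.$1_script apache_t.daemon:fifo_file write;
    # apache should set close-on-exec
    dontaudit apache_t.$1_script apache_t.daemon:unix_stream_socket { read write };

    # Allow the script process to search the cgi directory, and users
    # directory
    allow apache_t.$1_script apache_t.$1_content:dir search_dir_perms;

    # Scripts may append to the apache logs but not read or truncate them.
    append_files_pattern(apache_t.$1_script,apache_t.log,apache_t.log)
    logging_search_logs(apache_t.$1_script)

    can_exec(apache_t.$1_script, apache_t.$1_script_exec)
    allow apache_t.$1_script apache_t.$1_script_exec:dir search_dir_perms;

    # script_ra: read and append only, plus creating new entries.
    allow apache_t.$1_script apache_t.$1_script_ra:dir { list_dir_perms add_entry_dir_perms };
    read_files_pattern(apache_t.$1_script,apache_t.$1_script_ra,apache_t.$1_script_ra)
    append_files_pattern(apache_t.$1_script,apache_t.$1_script_ra,apache_t.$1_script_ra)
    read_lnk_files_pattern(apache_t.$1_script,apache_t.$1_script_ra,apache_t.$1_script_ra)

    # script_ro: read only.
    allow apache_t.$1_script apache_t.$1_script_ro:dir list_dir_perms;
    read_files_pattern(apache_t.$1_script,apache_t.$1_script_ro,apache_t.$1_script_ro)
    read_lnk_files_pattern(apache_t.$1_script,apache_t.$1_script_ro,apache_t.$1_script_ro)

    # script_rw: full management; new objects the script creates in
    # /tmp are labelled with it as well.
    manage_dirs_pattern(apache_t.$1_script,apache_t.$1_script_rw,apache_t.$1_script_rw)
    manage_files_pattern(apache_t.$1_script,apache_t.$1_script_rw,apache_t.$1_script_rw)
    manage_lnk_files_pattern(apache_t.$1_script,apache_t.$1_script_rw,apache_t.$1_script_rw)
    manage_fifo_files_pattern(apache_t.$1_script,apache_t.$1_script_rw,apache_t.$1_script_rw)
    manage_sock_files_pattern(apache_t.$1_script,apache_t.$1_script_rw,apache_t.$1_script_rw)
    files_tmp_filetrans(apache_t.$1_script,apache_t.$1_script_rw,{ dir file lnk_file sock_file fifo_file })

    kernel_dontaudit_search_sysctl(apache_t.$1_script)
    kernel_dontaudit_search_kernel_sysctl(apache_t.$1_script)

    dev_read_rand(apache_t.$1_script)
    dev_read_urand(apache_t.$1_script)

    # Scripts may run any system executable in their own domain. This
    # is broad: a compromised script is not confined to the interpreter
    # it was written for.
    corecmd_exec_all_executables(apache_t.$1_script)

    files_exec_etc_files(apache_t.$1_script)
    files_read_etc_files(apache_t.$1_script)
    files_search_home(apache_t.$1_script)

    libs_use_ld_so(apache_t.$1_script)
    libs_use_shared_libs(apache_t.$1_script)
    libs_exec_ld_so(apache_t.$1_script)
    libs_exec_lib_files(apache_t.$1_script)

    miscfiles_read_fonts(apache_t.$1_script)
    miscfiles_read_public_files(apache_t.$1_script)

    seutil_dontaudit_search_config(apache_t.$1_script)

    # httpd_unified collapses the content/ro/rw/ra split: the script
    # domain may create, modify, delete and execute anything labelled
    # httpdcontent, and every httpdcontent file becomes an entrypoint.
    # A compromised script can then write a new script and run it.
    # Keep this boolean off unless the site really needs it.
    tunable_policy(`httpd_enable_cgi && httpd_unified',`
        allow apache_t.$1_script httpdcontent:file entrypoint;

        manage_dirs_pattern(apache_t.$1_script,httpdcontent,httpdcontent)
        manage_files_pattern(apache_t.$1_script,httpdcontent,httpdcontent)
        manage_lnk_files_pattern(apache_t.$1_script,httpdcontent,httpdcontent)
        can_exec(apache_t.$1_script, httpdcontent)
    ')

    # Write access to public file transfer content; see the tunable above.
    tunable_policy(`allow_httpd_$1_script_anon_write',`
        miscfiles_manage_public_files(apache_t.$1_script)
    ')

    # Allow the web server to run scripts and serve pages.
    # With builtin scripting the daemon itself touches the script_*
    # types: rw gets full management and ra gets read/append/create
    # while ro and content stay read only.
    tunable_policy(`httpd_builtin_scripting',`
        manage_dirs_pattern(apache_t.daemon,apache_t.$1_script_rw,apache_t.$1_script_rw)
        manage_files_pattern(apache_t.daemon,apache_t.$1_script_rw,apache_t.$1_script_rw)
        manage_lnk_files_pattern(apache_t.daemon,apache_t.$1_script_rw,apache_t.$1_script_rw)
        rw_sock_files_pattern(apache_t.daemon,apache_t.$1_script_rw,apache_t.$1_script_rw)

        allow apache_t.daemon apache_t.$1_script_ra:dir { list_dir_perms add_entry_dir_perms };
        read_files_pattern(apache_t.daemon,apache_t.$1_script_ra,apache_t.$1_script_ra)
        append_files_pattern(apache_t.daemon,apache_t.$1_script_ra,apache_t.$1_script_ra)
        read_lnk_files_pattern(apache_t.daemon,apache_t.$1_script_ra,apache_t.$1_script_ra)

        allow apache_t.daemon apache_t.$1_script_ro:dir list_dir_perms;
        read_files_pattern(apache_t.daemon,apache_t.$1_script_ro,apache_t.$1_script_ro)
        read_lnk_files_pattern(apache_t.daemon,apache_t.$1_script_ro,apache_t.$1_script_ro)

        allow apache_t.daemon apache_t.$1_content:dir list_dir_perms;
        read_files_pattern(apache_t.daemon,apache_t.$1_content,apache_t.$1_content)
        read_lnk_files_pattern(apache_t.daemon,apache_t.$1_content,apache_t.$1_content)
    ')

    # CGI: who may transition into the script domain and what the
    # script domain needs from the daemon that spawned it.
    tunable_policy(`httpd_enable_cgi',`
        allow apache_t.$1_script apache_t.$1_script_exec:file entrypoint;

        # privileged users run the script:
        domtrans_pattern(httpd_exec_scripts, apache_t.$1_script_exec, apache_t.$1_script)

        # apache runs the script:
        domtrans_pattern(apache_t.daemon, apache_t.$1_script_exec, apache_t.$1_script)

        allow apache_t.daemon apache_t.$1_script:process { signal sigkill sigstop };
        allow apache_t.daemon apache_t.$1_script_exec:dir list_dir_perms;

        allow apache_t.$1_script self:process { setsched signal_perms };
        allow apache_t.$1_script self:unix_stream_socket create_stream_socket_perms;

        allow apache_t.$1_script apache_t.daemon:fd use;
        allow apache_t.$1_script apache_t.daemon:process sigchld;

        kernel_read_system_state(apache_t.$1_script)

        # dev_read_urand is already granted unconditionally above.

        fs_getattr_xattr_fs(apache_t.$1_script)

        files_read_etc_runtime_files(apache_t.$1_script)
        files_read_usr_files(apache_t.$1_script)

        libs_read_lib_files(apache_t.$1_script)

        miscfiles_read_localization(apache_t.$1_script)
    ')

    # Database access only: outbound connections to the postgresql
    # and mysqld ports.
    tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
        allow apache_t.$1_script self:tcp_socket create_stream_socket_perms;
        allow apache_t.$1_script self:udp_socket create_socket_perms;

        corenet_non_ipsec_sendrecv(apache_t.$1_script)
        corenet_tcp_sendrecv_all_if(apache_t.$1_script)
        corenet_udp_sendrecv_all_if(apache_t.$1_script)
        corenet_tcp_sendrecv_all_nodes(apache_t.$1_script)
        corenet_udp_sendrecv_all_nodes(apache_t.$1_script)
        corenet_tcp_sendrecv_all_ports(apache_t.$1_script)
        corenet_udp_sendrecv_all_ports(apache_t.$1_script)
        corenet_tcp_connect_postgresql_port(apache_t.$1_script)
        corenet_tcp_connect_mysqld_port(apache_t.$1_script)
        corenet_sendrecv_postgresql_client_packets(apache_t.$1_script)
        corenet_sendrecv_mysqld_client_packets(apache_t.$1_script)

        sysnet_read_config(apache_t.$1_script)
    ')

    # Unrestricted outbound network: connect to any port. Strictly
    # wider than the _db boolean above; prefer that one when only a
    # database is needed.
    tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
        allow apache_t.$1_script self:tcp_socket create_stream_socket_perms;
        allow apache_t.$1_script self:udp_socket create_socket_perms;

        corenet_non_ipsec_sendrecv(apache_t.$1_script)
        corenet_tcp_sendrecv_all_if(apache_t.$1_script)
        corenet_udp_sendrecv_all_if(apache_t.$1_script)
        corenet_tcp_sendrecv_all_nodes(apache_t.$1_script)
        corenet_udp_sendrecv_all_nodes(apache_t.$1_script)
        corenet_tcp_sendrecv_all_ports(apache_t.$1_script)
        corenet_udp_sendrecv_all_ports(apache_t.$1_script)
        corenet_tcp_connect_all_ports(apache_t.$1_script)
        corenet_sendrecv_all_client_packets(apache_t.$1_script)

        sysnet_read_config(apache_t.$1_script)
    ')

    optional_policy(`
        mta_send_mail(apache_t.$1_script)
    ')

    optional_policy(`
        tunable_policy(`httpd_enable_cgi && allow_ypbind',`
            nis_use_ypbind_uncond(apache_t.$1_script)
        ')
    ')

    optional_policy(`
        nscd_socket_use(apache_t.$1_script)
    ')
')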

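#######################################
## <summary>
##    The per role template for the apache module.
## </summary>
## <desc>
##    <p>
##    This template creates types used for web pages
##    and web cgi to be used from the user home directory.
##    </p>
##    <p>
##    This template is invoked automatically for each user, and
##    generally does not need to be invoked directly
##    by policy writers.
##    </p>
##    <p>
##    Besides the file access rules it grants the user domain
##    metapolicy permissions over the policy objects labelled
##    PREFIX_apache_policy_t, i.e. the ability to extend the
##    apache policy of its own prefix.
##    </p>
## </desc>
## <param name="userdomain_prefix">
##    <summary>
##    The prefix of the user domain (e.g., user
##    is the prefix for user_t).
##    </summary>
## </param>
## <param name="user_domain">
##    <summary>
##    The type of the user domain.
##    </summary>
## </param>
## <param name="user_role">
##    <summary>
##    The role associated with the user domain.
##    </summary>
## </param>
#
template(`apache_per_role_template', `
    gen_require(`
        attribute httpdcontent, httpd_script_domains;
        attribute httpd_exec_scripts;
        type apache_t.daemon, apache_t.suexec, apache_t.log;

        # metapolicy requirements
        class policy.class { use add_perm };
        class policy.user { add add_role };
        class policy.role { add use };
        class policy.type { add use };
        class policy.attribute { add add_type };
    ')

    apache_content_template($1)

    # The script domain joins httpd_script_domains; apache_run_all_scripts
    # does role types on that attribute which only makes sense for a
    # domain. The previous revision named the content type here.
    typeattribute apache_t.$1_script httpd_script_domains;

    # Parent type first then the child; presumably required so the
    # child rule stays within the apache_t bound of the hierarchical
    # policy. NOTE from review: this also makes the bare apache_t type
    # user home content for $1 - confirm nothing is labelled with the
    # bare parent type.
    userdom_user_home_content($1,apache_t)
    userdom_user_home_content($1,apache_t.$1_content)

    role $3 types apache_t.$1_script;

    ##############################
    #
    # Local policy
    #

    # The user domain manages and relabels its own web content. Each
    # rule is stated on the apache_t parent and then on the child type.
    manage_dirs_pattern($2,apache_t,apache_t)
    manage_files_pattern($2,apache_t,apache_t)
    manage_lnk_files_pattern($2,apache_t,apache_t)
    relabel_dirs_pattern($2,apache_t,apache_t)
    relabel_files_pattern($2,apache_t,apache_t)
    relabel_lnk_files_pattern($2,apache_t,apache_t)

    # Content is user home content via userdom_user_home_content above
    # so only the relabel permissions are added here.
    allow $2 apache_t.$1_content:{ dir file lnk_file } { relabelto relabelfrom };

    allow $2 apache_t.$1_htaccess:file { manage_file_perms relabelto relabelfrom };

    manage_dirs_pattern($2,apache_t.$1_script_ra,apache_t.$1_script_ra)
    manage_files_pattern($2,apache_t.$1_script_ra,apache_t.$1_script_ra)
    manage_lnk_files_pattern($2,apache_t.$1_script_ra,apache_t.$1_script_ra)
    relabel_dirs_pattern($2,apache_t.$1_script_ra,apache_t.$1_script_ra)
    relabel_files_pattern($2,apache_t.$1_script_ra,apache_t.$1_script_ra)
    relabel_lnk_files_pattern($2,apache_t.$1_script_ra,apache_t.$1_script_ra)

    manage_dirs_pattern($2,apache_t.$1_script_ro,apache_t.$1_script_ro)
    manage_files_pattern($2,apache_t.$1_script_ro,apache_t.$1_script_ro)
    manage_lnk_files_pattern($2,apache_t.$1_script_ro,apache_t.$1_script_ro)
    relabel_dirs_pattern($2,apache_t.$1_script_ro,apache_t.$1_script_ro)
    relabel_files_pattern($2,apache_t.$1_script_ro,apache_t.$1_script_ro)
    relabel_lnk_files_pattern($2,apache_t.$1_script_ro,apache_t.$1_script_ro)

    manage_dirs_pattern($2,apache_t.$1_script_rw,apache_t.$1_script_rw)
    manage_files_pattern($2,apache_t.$1_script_rw,apache_t.$1_script_rw)
    manage_lnk_files_pattern($2,apache_t.$1_script_rw,apache_t.$1_script_rw)
    relabel_dirs_pattern($2,apache_t.$1_script_rw,apache_t.$1_script_rw)
    relabel_files_pattern($2,apache_t.$1_script_rw,apache_t.$1_script_rw)
    relabel_lnk_files_pattern($2,apache_t.$1_script_rw,apache_t.$1_script_rw)

    # script_exec is writable by the user: whatever is placed here runs
    # as apache_t.$1_script when the daemon or suexec invokes it.
    manage_dirs_pattern($2,apache_t.$1_script_exec,apache_t.$1_script_exec)
    manage_files_pattern($2,apache_t.$1_script_exec,apache_t.$1_script_exec)
    manage_lnk_files_pattern($2,apache_t.$1_script_exec,apache_t.$1_script_exec)
    relabel_dirs_pattern($2,apache_t.$1_script_exec,apache_t.$1_script_exec)
    relabel_files_pattern($2,apache_t.$1_script_exec,apache_t.$1_script_exec)
    relabel_lnk_files_pattern($2,apache_t.$1_script_exec,apache_t.$1_script_exec)

    tunable_policy(`httpd_enable_cgi',`
        # If a user starts a script by hand it gets the proper context
        # cjp: this should be domtrans_pattern, but it gets a
        # type transition conflict
        # The parent-level rules below mirror what domtrans_pattern
        # generates for the child domain.
        domain_transition_pattern($2, apache_t, apache_t)
        allow apache_t $2:fd use;
        allow apache_t $2:fifo_file rw_file_perms;
        allow apache_t $2:process sigchld;

        domtrans_pattern($2, apache_t.$1_script_exec, apache_t.$1_script)
    ')

    # With httpd_unified any httpdcontent file is an entrypoint and
    # running one by hand transitions into the script domain.
    tunable_policy(`httpd_enable_cgi && httpd_unified',`
        allow apache_t.$1_script httpdcontent:file entrypoint;
        # cjp: this should be domtrans_pattern, but it gets a
        # type transition conflict
        domain_transition_pattern($2, httpdcontent, apache_t)
        allow apache_t $2:fd use;
        allow apache_t $2:fifo_file rw_file_perms;
        allow apache_t $2:process sigchld;

        domtrans_pattern($2, httpdcontent, apache_t.$1_script)
    ')

    # allow accessing files/dirs below the users home dir
    tunable_policy(`httpd_enable_homedirs',`
        userdom_search_user_home_dirs($1,apache_t.daemon)
        userdom_search_user_home_dirs($1,apache_t.suexec)
        userdom_search_user_home_dirs($1,apache_t.$1_script)
    ')

    ##############################
    #
    # Local metapolicy
    #
    # By the permission names the user domain may extend the policy
    # objects labelled $1_apache_policy_t: add permissions to classes
    # and add users roles types and attribute members. This is a
    # policy-editing capability scoped to the $1 apache namespace;
    # it must not be widened to other policy types.

    allow $2 $1_apache_policy_t:policy.class { use add_perm };
    allow $2 $1_apache_policy_t:policy.user { add add_role };
    allow $2 $1_apache_policy_t:policy.role { add use };
    allow $2 $1_apache_policy_t:policy.type { add use };
    allow $2 $1_apache_policy_t:policy.attribute { add add_type };
')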

########################################
## <summary>
##    Read httpd user scripts executables.
## </summary>
## <desc>
##    <p>
##    Read-only access to the CGI executables of one user prefix.
##    The caller can inspect but not modify or execute them.
##    </p>
## </desc>
## <param name="domain_prefix">
##    <summary>
##    Prefix of the domain. Example, user would be
##    the prefix for the user_t domain.
##    </summary>
## </param>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
template(`apache_read_user_scripts',`
    gen_require(`
        type apache_t,apache_t.$1_script_exec;
    ')

    # Parent apache_t first then the child type; presumably required
    # by the parent bound of the hierarchical policy.
    allow $2 apache_t:dir list_dir_perms;
    read_files_pattern($2,apache_t,apache_t)
    read_lnk_files_pattern($2,apache_t,apache_t)

    allow $2 apache_t.$1_script_exec:dir list_dir_perms;
    read_files_pattern($2,apache_t.$1_script_exec,apache_t.$1_script_exec)
    read_lnk_files_pattern($2,apache_t.$1_script_exec,apache_t.$1_script_exec)
')

########################################
## <summary>
##    Read user web content.
## </summary>
## <desc>
##    <p>
##    Read-only access to the static web pages of one user prefix.
##    </p>
## </desc>
## <param name="domain_prefix">
##    <summary>
##    Prefix of the domain. Example, user would be
##    the prefix for the user_t domain.
##    </summary>
## </param>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
template(`apache_read_user_content',`
    gen_require(`
        type apache_t,apache_t.$1_content;
    ')

    # Parent apache_t first then the child type; presumably required
    # by the parent bound of the hierarchical policy.
    allow $2 apache_t:dir list_dir_perms;
    read_files_pattern($2,apache_t,apache_t)
    read_lnk_files_pattern($2,apache_t,apache_t)

    allow $2 apache_t.$1_content:dir list_dir_perms;
    read_files_pattern($2,apache_t.$1_content,apache_t.$1_content)
    read_lnk_files_pattern($2,apache_t.$1_content,apache_t.$1_content)
')

########################################
## <summary>
##    Transition to apache.
## </summary>
## <desc>
##    <p>
##    Execute the apache daemon binary with an automatic
##    domain transition to apache_t.daemon.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`apache_domtrans',`
    gen_require(`
        type apache_t,apache_t.daemon, apache_t.daemon_exec;
    ')

    corecmd_search_sbin($1)
    # Parent-level transition then the child. Unlike
    # apache_domtrans_helper and apache_domtrans_rotatelogs this uses
    # domtrans_pattern on the parent and so also adds a type_transition
    # from apache_t to apache_t. NOTE from review: the cjp comments in
    # apache_per_role_template report a type transition conflict with
    # that form - confirm this one compiles.
    domtrans_pattern($1,apache_t,apache_t)
    domtrans_pattern($1,apache_t.daemon_exec,apache_t.daemon)
')

########################################
## <summary>
##    Send a null signal to apache.
## </summary>
## <desc>
##    <p>
##    Allows the caller to probe whether the apache daemon
##    process exists without affecting it.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`apache_signull',`
    gen_require(`
        type apache_t,apache_t.daemon;
    ')

    # Parent and child type in one set; expands to the same two
    # rules as listing them separately.
    allow $1 { apache_t apache_t.daemon }:process signull;
')

########################################
## <summary>
##    Send a SIGCHLD signal to apache.
## </summary>
## <desc>
##    <p>
##    Needed by domains that apache forks and that must report
##    their exit back to the daemon.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`apache_sigchld',`
    gen_require(`
        type apache_t,apache_t.daemon;
    ')

    # Parent and child type in one set; expands to the same two
    # rules as listing them separately.
    allow $1 { apache_t apache_t.daemon }:process sigchld;
')

########################################
## <summary>
##    Inherit and use file descriptors from Apache.
## </summary>
## <desc>
##    <p>
##    Lets a domain spawned by the daemon keep using the
##    descriptors it inherited across the transition.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`apache_use_fds',`
    gen_require(`
        type apache_t,apache_t.daemon;
    ')

    # Parent and child type in one set; expands to the same two
    # rules as listing them separately.
    allow $1 { apache_t apache_t.daemon }:fd use;
')

########################################
## <summary>
##    Do not audit attempts to read and write Apache
##    unix domain stream sockets.
## </summary>
## <desc>
##    <p>
##    Silences the denials only; no access is granted.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain to not audit.
##    </summary>
## </param>
#
interface(`apache_dontaudit_rw_stream_sockets',`
    gen_require(`
        type apache_t.daemon;
    ')

    dontaudit $1 apache_t.daemon:unix_stream_socket { read write };
')

########################################
## <summary>
##    Do not audit attempts to read and write Apache
##    TCP sockets.
## </summary>
## <desc>
##    <p>
##    Silences the denials only; no access is granted.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain to not audit.
##    </summary>
## </param>
#
interface(`apache_dontaudit_rw_tcp_sockets',`
    gen_require(`
        # apache_t is required but unused here; harmless, kept for
        # consistency with the other interfaces.
        type apache_t,apache_t.daemon;
    ')

    dontaudit $1 apache_t.daemon:tcp_socket { read write };
')

########################################
## <summary>
##    Create, read, write, and delete all web content.
## </summary>
## <desc>
##    <p>
##    Full management of every httpdcontent type and of every
##    httpd_script_exec_type. The latter are the CGI executables
##    that the daemon and suexec transition into script domains,
##    so a domain given this interface can plant code that will
##    run as a web script domain. Treat it as a privileged
##    capability and assign it to administrative roles only.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
## <rolecap/>
#
interface(`apache_manage_all_content',`
    gen_require(`
        attribute httpdcontent, httpd_script_exec_type;
    ')

    manage_dirs_pattern($1,httpdcontent,httpdcontent)
    manage_files_pattern($1,httpdcontent,httpdcontent)
    manage_lnk_files_pattern($1,httpdcontent,httpdcontent)

    # Write access to script executables: see the desc above.
    manage_dirs_pattern($1,httpd_script_exec_type,httpd_script_exec_type)
    manage_files_pattern($1,httpd_script_exec_type,httpd_script_exec_type)
    manage_lnk_files_pattern($1,httpd_script_exec_type,httpd_script_exec_type)
')

########################################
## <summary>
##    Allow the specified domain to read
##    and write Apache cache files.
## </summary>
## <desc>
##    <p>
##    File read/write only; no directory search is granted
##    here so the caller must already be able to reach the
##    cache directory.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`apache_rw_cache_files',`
    gen_require(`
        type apache_t,apache_t.daemon_cache;
    ')

    # Parent and child type in one set; expands to the same two
    # rules as listing them separately.
    allow $1 { apache_t apache_t.daemon_cache }:file rw_file_perms;
')

########################################
## <summary>
##    Allow the specified domain to read
##    apache configuration files.
## </summary>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
## <rolecap/>
#
interface(`apache_read_config',`
    gen_require(`
        type apache_t,apache_t.config;
    ')

    # Parent apache_t first then the child type; presumably required
    # by the parent bound of the hierarchical policy.
    allow $1 apache_t:dir list_dir_perms;
    read_files_pattern($1,apache_t,apache_t)
    read_lnk_files_pattern($1,apache_t,apache_t)

    files_search_etc($1)
    allow $1 apache_t.config:dir list_dir_perms;
    read_files_pattern($1,apache_t.config,apache_t.config)
    read_lnk_files_pattern($1,apache_t.config,apache_t.config)
')

########################################
## <summary>
##    Allow the specified domain to manage
##    apache configuration files.
## </summary>
## <desc>
##    <p>
##    Whoever can write the configuration controls what the
##    daemon loads and runs; give this to administrative
##    domains only.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`apache_manage_config',`
    gen_require(`
        type apache_t,apache_t.config;
    ')

    # Parent apache_t first then the child type; presumably required
    # by the parent bound of the hierarchical policy.
    # NOTE from review: manage on the bare apache_t parent makes any
    # object labelled with the bare type writable by $1 - confirm none
    # exist.
    manage_dirs_pattern($1,apache_t,apache_t)
    manage_files_pattern($1,apache_t,apache_t)
    read_lnk_files_pattern($1,apache_t,apache_t)

    files_search_etc($1)
    manage_dirs_pattern($1,apache_t.config,apache_t.config)
    manage_files_pattern($1,apache_t.config,apache_t.config)
    read_lnk_files_pattern($1,apache_t.config,apache_t.config)
')

########################################
## <summary>
##    Execute the Apache helper program with
##    a domain transition.
## </summary>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`apache_domtrans_helper',`
    gen_require(`
        type apache_t,apache_t.helper,apache_t.helper_exec;
    ')

    # Parent-level transition plus the fd/fifo/sigchld rules that
    # domtrans_pattern generates for the child below; presumably
    # required so the child rules stay within the apache_t bound.
    # domain_transition_pattern rather than domtrans_pattern is used
    # on the parent to avoid a type_transition on apache_t itself.
    domain_transition_pattern($1,apache_t,apache_t)
    allow apache_t $1:fd use;
    allow apache_t $1:fifo_file rw_file_perms;
    allow apache_t $1:process sigchld;

    corecmd_search_sbin($1)
    domtrans_pattern($1,apache_t.helper_exec,apache_t.helper)
')

########################################
## <summary>
##    Execute the Apache helper program with
##    a domain transition, and allow the
##    specified role the apache helper domain.
## </summary>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
## <param name="role">
##    <summary>
##    The role to be allowed the apache helper domain.
##    </summary>
## </param>
## <param name="terminal">
##    <summary>
##    The type of the terminal allow the apache helper domain to use.
##    </summary>
## </param>
## <rolecap/>
#
interface(`apache_run_helper',`
    gen_require(`
        type apache_t,apache_t.helper;
    ')

    apache_domtrans_helper($1)
    role $2 types apache_t.helper;

    # Terminal access on the parent and then the child; presumably
    # required by the parent bound of the hierarchical policy.
    allow apache_t $3:chr_file rw_term_perms;
    allow apache_t.helper $3:chr_file rw_term_perms;
')

########################################
## <summary>
##    Allow the specified domain to read
##    apache log files.
## </summary>
## <desc>
##    <p>
##    Read only. Logs may hold client addresses and request
##    data; prefer apache_append_log for domains that only
##    need to write entries.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
## <rolecap/>
#
interface(`apache_read_log',`
    gen_require(`
        type apache_t,apache_t.log;
    ')

    # Parent apache_t first then the child type; presumably required
    # by the parent bound of the hierarchical policy.
    allow $1 apache_t:dir list_dir_perms;
    read_files_pattern($1,apache_t,apache_t)
    read_lnk_files_pattern($1,apache_t,apache_t)

    logging_search_logs($1)
    allow $1 apache_t.log:dir list_dir_perms;
    read_files_pattern($1,apache_t.log,apache_t.log)
    read_lnk_files_pattern($1,apache_t.log,apache_t.log)
')

########################################
## <summary>
##    Allow the specified domain to append
##    to apache log files.
## </summary>
## <desc>
##    <p>
##    Append only: the caller cannot read or truncate existing
##    log entries.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`apache_append_log',`
    gen_require(`
        type apache_t,apache_t.log;
    ')

    # Parent apache_t first then the child type; presumably required
    # by the parent bound of the hierarchical policy.
    allow $1 apache_t:dir list_dir_perms;
    append_files_pattern($1,apache_t,apache_t)

    logging_search_logs($1)
    allow $1 apache_t.log:dir list_dir_perms;
    append_files_pattern($1,apache_t.log,apache_t.log)
')

########################################
## <summary>
##    Do not audit attempts to append to the
##    Apache logs.
## </summary>
## <desc>
##    <p>
##    Silences the denials only; no access is granted.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain to not audit.
##    </summary>
## </param>
#
interface(`apache_dontaudit_append_log',`
    gen_require(`
        # apache_t is required but unused here.
        type apache_t,apache_t.log;
    ')

    dontaudit $1 apache_t.log:file { getattr append };
')

########################################
## <summary>
##    Allow the specified domain to manage
##    apache log files.
## </summary>
## <desc>
##    <p>
##    Create, read, write and delete log files and directories.
##    A domain with this access can erase the audit trail of the
##    web server; restrict it to log rotation and administration.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`apache_manage_log',`
    gen_require(`
        type apache_t,apache_t.log;
    ')

    # Parent apache_t first then the child type; presumably required
    # by the parent bound of the hierarchical policy.
    manage_dirs_pattern($1,apache_t,apache_t)
    manage_files_pattern($1,apache_t,apache_t)
    read_lnk_files_pattern($1,apache_t,apache_t)

    logging_search_logs($1)
    manage_dirs_pattern($1,apache_t.log,apache_t.log)
    manage_files_pattern($1,apache_t.log,apache_t.log)
    read_lnk_files_pattern($1,apache_t.log,apache_t.log)
')

########################################
## <summary>
##    Do not audit attempts to search Apache
##    module directories.
## </summary>
## <desc>
##    <p>
##    Silences the denials only; no access is granted.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain to not audit.
##    </summary>
## </param>
#
interface(`apache_dontaudit_search_modules',`
    gen_require(`
        # apache_t is required but unused here.
        type apache_t,apache_t.daemon_modules;
    ')

    dontaudit $1 apache_t.daemon_modules:dir search_dir_perms;
')

########################################
## <summary>
##    Allow the specified domain to list
##    the contents of the apache modules
##    directory.
## </summary>
## <desc>
##    <p>
##    Directory listing only; module files themselves are not
##    readable or executable through this interface.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`apache_list_modules',`
    gen_require(`
        type apache_t,apache_t.daemon_modules;
    ')

    # Parent and child type in one set; expands to the same two
    # rules as listing them separately.
    allow $1 { apache_t apache_t.daemon_modules }:dir list_dir_perms;
')

########################################
## <summary>
##    Allow the specified domain to execute
##    apache modules.
## </summary>
## <desc>
##    <p>
##    Execute in the caller domain, no transition. Modules are
##    loaded into the caller, so this is equivalent to trusting
##    their code with the caller privileges.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`apache_exec_modules',`
    gen_require(`
        type apache_t,apache_t.daemon_modules;
    ')

    # Parent apache_t first then the child type; presumably required
    # by the parent bound of the hierarchical policy.
    # NOTE from review: can_exec on the bare apache_t parent also
    # allows executing anything labelled with the bare type - confirm
    # nothing is.
    allow $1 apache_t:dir list_dir_perms;
    allow $1 apache_t:lnk_file read_file_perms;
    can_exec($1,apache_t)

    allow $1 apache_t.daemon_modules:dir list_dir_perms;
    allow $1 apache_t.daemon_modules:lnk_file read_file_perms;
    can_exec($1,apache_t.daemon_modules)
')

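########################################
## <summary>
##    Execute a domain transition to run httpd_rotatelogs.
## </summary>
## <desc>
##    <p>
##    Execute the rotatelogs binary with an automatic domain
##    transition to apache_t.rotatelogs.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`apache_domtrans_rotatelogs',`
    gen_require(`
        type apache_t,apache_t.rotatelogs, apache_t.rotatelogs_exec;
    ')

    # Parent-level transition plus the fd/fifo/sigchld rules that
    # domtrans_pattern generates for the child below, stated on the
    # apache_t parent as apache_domtrans_helper does; presumably
    # required so the child rules stay within the parent bound. The
    # three allow rules were missing in the previous revision.
    domain_transition_pattern($1,apache_t,apache_t)
    allow apache_t $1:fd use;
    allow apache_t $1:fifo_file rw_file_perms;
    allow apache_t $1:process sigchld;

    domtrans_pattern($1,apache_t.rotatelogs_exec,apache_t.rotatelogs)
')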

########################################
## <summary>
##    Allow the specified domain to manage
##    apache system content files.
## </summary>
## <desc>
##    <p>
##    Full management of the system-wide web content. Combined
##    with httpd_unified this is also write access to files the
##    system script domain may execute.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
## <rolecap/>
#
# Note that apache_t.sys_content is found in /var, /etc, /srv and /usr
interface(`apache_manage_sys_content',`
    gen_require(`
        type apache_t,apache_t.sys_content;
    ')

    # Parent apache_t first then the child type; presumably required
    # by the parent bound of the hierarchical policy.
    manage_dirs_pattern($1,apache_t,apache_t)
    manage_files_pattern($1,apache_t,apache_t)
    manage_lnk_files_pattern($1,apache_t,apache_t)

    # Only /var is searched here although the content also lives
    # under /etc /srv and /usr; callers reaching those need their
    # own search access.
    files_search_var($1)
    manage_dirs_pattern($1,apache_t.sys_content,apache_t.sys_content)
    manage_files_pattern($1,apache_t.sys_content,apache_t.sys_content)
    manage_lnk_files_pattern($1,apache_t.sys_content,apache_t.sys_content)
')

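########################################
## <summary>
##    Execute all web scripts in the system
##    script domain.
## </summary>
## <desc>
##    <p>
##    Only effective when httpd_enable_cgi and httpd_unified are
##    both on; then executing any httpdcontent file transitions
##    into apache_t.sys_script.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
# cjp: this interface specifically added to allow
# sysadm_t to run scripts
interface(`apache_domtrans_sys_script',`
    gen_require(`
        attribute httpdcontent;
        type apache_t,apache_t.sys_script;
    ')

    tunable_policy(`httpd_enable_cgi && httpd_unified',`
        # Parent-level rules mirroring what domtrans_pattern generates
        # for apache_t.sys_script below as apache_per_role_template
        # does for the user script domain; presumably required by the
        # parent bound. The three allow rules were missing before.
        domain_transition_pattern($1, httpdcontent, apache_t)
        allow apache_t $1:fd use;
        allow apache_t $1:fifo_file rw_file_perms;
        allow apache_t $1:process sigchld;

        domtrans_pattern($1, httpdcontent, apache_t.sys_script)
    ')
')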

########################################
## <summary>
##    Do not audit attempts to read and write Apache
##    system script unix domain stream sockets.
## </summary>
## <desc>
##    <p>
##    Silences the denials only; no access is granted.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain to not audit.
##    </summary>
## </param>
#
interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
    gen_require(`
        # apache_t is required but unused here.
        type apache_t,apache_t.sys_script;
    ')

    dontaudit $1 apache_t.sys_script:unix_stream_socket { read write };
')

########################################
## <summary>
##    Execute all user scripts in the user
##    script domain.
## </summary>
## <desc>
##    <p>
##    Adds the domain to httpd_exec_scripts. The transition rules
##    themselves live in apache_content_template under
##    httpd_enable_cgi, so nothing happens while that boolean
##    is off.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`apache_domtrans_all_scripts',`
    gen_require(`
        attribute httpd_exec_scripts;
    ')

    typeattribute $1 httpd_exec_scripts;
')

########################################
## <summary>
##    Execute all user scripts in the user
##    script domain.  Add user script domains
##    to the specified role.
## </summary>
## <desc>
##    <p>
##    Relies on every user script domain being a member of
##    httpd_script_domains, which apache_per_role_template
##    is responsible for.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
## <param name="role">
##    <summary>
##    The role to be allowed the script domains.
##    </summary>
## </param>
#
# cjp: this is missing the terminal since scripts
# do not output to the terminal
interface(`apache_run_all_scripts',`
    gen_require(`
        attribute httpd_exec_scripts, httpd_script_domains;
    ')

    # Only types that are actually in httpd_script_domains are added
    # to the role; a file type placed in the attribute by mistake
    # would silently do nothing here.
    role $2 types httpd_script_domains;
    apache_domtrans_all_scripts($1)
')

########################################
## <summary>
##    Allow the specified domain to read
##    apache squirrelmail data.
## </summary>
## <desc>
##    <p>
##    File getattr and read only; no directory search is granted.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`apache_read_squirrelmail_data',`
    gen_require(`
        type apache_t,apache_t.squirrelmail;
    ')

    # Parent and child type in one set; expands to the same two
    # rules as listing them separately.
    allow $1 { apache_t apache_t.squirrelmail }:file { getattr read };
')

########################################
## <summary>
##    Allow the specified domain to append
##    apache squirrelmail data.
## </summary>
## <desc>
##    <p>
##    File getattr and append only; existing content cannot be
##    read or overwritten.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`apache_append_squirrelmail_data',`
    gen_require(`
        type apache_t,apache_t.squirrelmail;
    ')

    # Parent and child type in one set; expands to the same two
    # rules as listing them separately.
    allow $1 { apache_t apache_t.squirrelmail }:file { getattr append };
')

########################################
## <summary>
##    Search apache system content.
## </summary>
## <desc>
##    <p>
##    Directory search only; use apache_read_sys_content for
##    file access.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`apache_search_sys_content',`
    gen_require(`
        type apache_t,apache_t.sys_content;
    ')

    # Parent and child type in one set; expands to the same two
    # rules as listing them separately.
    allow $1 { apache_t apache_t.sys_content }:dir search_dir_perms;
')

########################################
## <summary>
##    Read apache system content.
## </summary>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`apache_read_sys_content',`
    gen_require(`
        type apache_t,apache_t.sys_content;
    ')

    # Parent apache_t first then the child type; presumably required
    # by the parent bound of the hierarchical policy.
    allow $1 apache_t:dir list_dir_perms;
    read_files_pattern($1,apache_t,apache_t)
    read_lnk_files_pattern($1,apache_t,apache_t)

    allow $1 apache_t.sys_content:dir list_dir_perms;
    read_files_pattern($1,apache_t.sys_content,apache_t.sys_content)
    read_lnk_files_pattern($1,apache_t.sys_content,apache_t.sys_content)
')

########################################
## <summary>
##    Search system script state directory.
## </summary>
## <desc>
##    <p>
##    Directory search only on directories labelled with the
##    system script type.
##    </p>
## </desc>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`apache_search_sys_script_state',`
    gen_require(`
        type apache_t,apache_t.sys_script;
    ')

    # Parent and child type in one set; expands to the same two
    # rules as listing them separately.
    allow $1 { apache_t apache_t.sys_script }:dir search_dir_perms;
')



