Apache patch

Apache patch

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 216 bytes --]

Added bugzilla policy.

Added interfaces to allow for a webadm_r/webadm_t.

Added booleans to allow the use of cifs and nfs files

Removed the creation of booleans from the interface file and put it in 
the te file.

[-- Attachment #2: apache.patch --]
[-- Type: text/x-patch, Size: 11421 bytes --]

--- nsaserefpolicy/policy/modules/services/apache.fc	2007-02-23 16:50:01.000000000 -0500
+++ serefpolicy-2.5.12/policy/modules/services/apache.fc	2007-04-11 17:07:34.000000000 -0400
@@ -78,3 +72,11 @@
 /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+#Bugzilla file context
+/usr/share/bugzilla(/.*)?	-d	gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla(/.*)?	--	gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/var/lib/bugzilla(/.*)?			gen_context(system_u:object_r:httpd_bugzilla_script_rw_t,s0)
+#viewvc file context
+/var/spool/viewvc(/.*)?  		gen_context(system_u:object_r:httpd_sys_script_rw_t, s0)
+
--- nsaserefpolicy/policy/modules/services/apache.if	2007-04-02 10:58:34.000000000 -0400
+++ serefpolicy-2.5.12/policy/modules/services/apache.if	2007-04-11 17:07:34.000000000 -0400
@@ -18,10 +18,6 @@
 		attribute httpd_script_exec_type;
 		type httpd_t, httpd_suexec_t, httpd_log_t;
 	')
-	# allow write access to public file transfer
-	# services files.
-	gen_tunable(allow_httpd_$1_script_anon_write,false)
-
 	#This type is for webpages
 	type httpd_$1_content_t, httpdcontent; # customizable
 	files_type(httpd_$1_content_t)
@@ -120,10 +116,6 @@
 		can_exec(httpd_$1_script_t, httpdcontent)
 	')
 
-	tunable_policy(`allow_httpd_$1_script_anon_write',`
-		miscfiles_manage_public_files(httpd_$1_script_t)
-	') 
-
 	# Allow the web server to run scripts and serve pages
 	tunable_policy(`httpd_builtin_scripting',`
 		manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
@@ -268,8 +260,11 @@
 	')
 
 	apache_content_template($1)
+	manage_dirs_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t)
+	manage_files_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t)
+	manage_lnk_files_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t)
 
-	typeattribute httpd_$1_script_t httpd_script_domains;
+	typeattribute httpd_$1_content_t httpd_script_domains;
 	userdom_user_home_content($1,httpd_$1_content_t)
 
 	role $3 types httpd_$1_script_t;
@@ -434,6 +429,24 @@
 
 ########################################
 ## <summary>
+##	getattr apache.process
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_getattr',`
+	gen_require(`
+		type httpd_t;
+	')
+
+	allow $1 httpd_t:process getattr;
+')
+
+########################################
+## <summary>
 ##	Inherit and use file descriptors from Apache.
 ## </summary>
 ## <param name="domain">
@@ -752,6 +765,7 @@
 	')
 
 	allow $1 httpd_modules_t:dir list_dir_perms;
+	read_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t)
 ')
 
 ########################################
@@ -923,7 +937,7 @@
 		type httpd_squirrelmail_t;
 	')
 
-	allow $1 httpd_squirrelmail_t:file { getattr read };
+	read_files_pattern($1,httpd_squirrelmail_t,httpd_squirrelmail_t)
 ')
 
 ########################################
@@ -1000,3 +1014,140 @@
 
 	allow $1 httpd_sys_script_t:dir search_dir_perms;
 ')
+
+########################################
+## <summary>
+##	Allow the specified domain to manage
+##	apache modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_manage_modules',`
+	gen_require(`
+		type httpd_modules_t;
+	')
+
+	manage_dirs_pattern($1,httpd_modules_t,httpd_modules_t)
+	manage_files_pattern($1,httpd_modules_t,httpd_modules_t)
+	manage_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to create 
+##	apache lock file
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_manage_lock',`
+	gen_require(`
+		type httpd_lock_t;
+	')
+	allow $1 httpd_lock_t:file manage_file_perms;
+	files_lock_filetrans($1, httpd_lock_t, file)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to manage
+##	apache pid file
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_manage_pid',`
+	gen_require(`
+		type httpd_var_run_t;
+	')
+	manage_files_pattern($1,httpd_var_run_t,httpd_var_run_t)
+	files_pid_filetrans($1,httpd_var_run_t, file)
+')
+
+########################################
+## <summary>
+##f	Read apache system state
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`apache_read_state',`
+	gen_require(`
+		type httpd_t;
+	')
+	kernel_search_proc($1)
+	allow $1 httpd_t:dir list_dir_perms;
+	read_files_pattern($1,httpd_t,httpd_t)
+	read_lnk_files_pattern($1,httpd_t,httpd_t)
+	dontaudit $1 httpd_t:process ptrace;
+')
+
+########################################
+## <summary>
+##f	allow domain to signal apache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`apache_signal',`
+	gen_require(`
+		type httpd_t;
+	')
+	allow $1 httpd_t:process signal;
+')
+
+########################################
+## <summary>
+##	allow domain to relabel apache content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`apache_relabel',`
+	gen_require(`
+		attribute httpdcontent;
+		attribute httpd_script_exec_type;
+	')
+
+	allow $1 { httpd_script_exec_type httpdcontent}:dir { relabelto relabelfrom };
+	allow $1 { httpd_script_exec_type httpdcontent}:file { relabelto relabelfrom };
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to search 
+##	apache bugzilla directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_search_bugzilla_dirs',`
+	gen_require(`
+		type httpd_bugzilla_content_t;
+	')
+
+	allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+')
+
--- nsaserefpolicy/policy/modules/services/apache.te	2007-04-10 13:21:52.000000000 -0400
+++ serefpolicy-2.5.12/policy/modules/services/apache.te	2007-04-11 17:07:34.000000000 -0400
@@ -106,6 +106,27 @@
 ## </desc>
 gen_tunable(httpd_unified,false)
 
+## <desc>
+## <p>
+## Allow httpd to read nfs files
+## </p>
+## </desc>
+gen_tunable(httpd_use_nfs,false)
+
+## <desc>
+## <p>
+## Allow httpd to read cifs files
+## </p>
+## </desc>
+gen_tunable(httpd_use_cifs,false)
+
+## <desc>
+## <p>
+## Allow apache scripts to write to public content 
+## </p>
+## </desc>
+gen_tunable(allow_httpd_sys_script_anon_write,false)
+
 attribute httpdcontent;
 
 # domains that can exec all users scripts
@@ -257,6 +278,7 @@
 allow httpd_t httpd_modules_t:dir list_dir_perms;
 mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
 read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
+read_lnk_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
 
 apache_domtrans_rotatelogs(httpd_t)
 # Apache-httpd needs to be able to send signals to the log rotate procs.
@@ -297,6 +319,7 @@
 kernel_read_kernel_sysctls(httpd_t)
 # for modules that want to access /proc/meminfo
 kernel_read_system_state(httpd_t)
+kernel_search_network_sysctl(httpd_t)
 
 corenet_non_ipsec_sendrecv(httpd_t)
 corenet_tcp_sendrecv_all_if(httpd_t)
@@ -416,6 +439,10 @@
 	allow httpd_t httpd_unconfined_script_exec_t:dir list_dir_perms;
 ')
 
+tunable_policy(`allow_httpd_sys_script_anon_write',`
+	miscfiles_manage_public_files(httpd_sys_script_t)
+') 
+
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
 
@@ -433,11 +460,21 @@
 	fs_read_nfs_symlinks(httpd_t)
 ')
 
+tunable_policy(`httpd_use_nfs',`
+	fs_read_nfs_files(httpd_t)
+	fs_read_nfs_symlinks(httpd_t)
+')
+
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_t)
 	fs_read_cifs_symlinks(httpd_t)
 ')
 
+tunable_policy(`httpd_use_cifs',`
+	fs_read_cifs_files(httpd_t)
+	fs_read_cifs_symlinks(httpd_t)
+')
+
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
 	allow httpd_sys_script_t httpd_t:fd use;
@@ -668,6 +705,12 @@
 	fs_exec_nfs_files(httpd_suexec_t)
 ')
 
+tunable_policy(`httpd_use_cifs',`
+	fs_read_cifs_files(httpd_suexec_t)
+	fs_read_cifs_symlinks(httpd_suexec_t)
+	fs_exec_cifs_files(httpd_suexec_t)
+')
+
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_suexec_t)
 	fs_read_cifs_symlinks(httpd_suexec_t)
@@ -706,7 +749,8 @@
 
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
 
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
+apache_read_squirrelmail_data(httpd_sys_script_t)
+apache_append_squirrelmail_data(httpd_sys_script_t)
 
 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
 read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
@@ -730,11 +774,21 @@
 	')
 ')
 
+tunable_policy(`httpd_use_nfs', `
+	fs_read_nfs_files(httpd_sys_script_t)
+	fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_files(httpd_sys_script_t)
 	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
 
+tunable_policy(`httpd_use_cifs', `
+	fs_read_cifs_files(httpd_sys_script_t)
+	fs_read_cifs_symlinks(httpd_sys_script_t)
+')
+
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -788,3 +842,19 @@
 	term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
 	term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t)
 ')
+
+#============= bugzilla policy ==============
+apache_content_template(bugzilla)
+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+optional_policy(`
+	mysql_search_db(httpd_bugzilla_script_t)
+	mysql_stream_connect(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+	postgresql_stream_connect(httpd_bugzilla_script_t)
+')
+
--- nsaserefpolicy/policy/modules/services/mta.if	2007-03-26 10:39:04.000000000 -0400
+++ serefpolicy-2.5.12/policy/modules/services/mta.if	2007-04-11 17:07:34.000000000 -0400
@@ -847,6 +847,25 @@
 	manage_files_pattern($1,mqueue_spool_t,mqueue_spool_t)
 ')
 
+########################################
+## <summary>
+##	search	mail queue dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_search_queue',`
+	gen_require(`
+		type mqueue_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 mqueue_spool_t:dir search_dir_perms;
+')
+
 #######################################
 ## <summary>
 ##	Read sendmail binary.
--- nsaserefpolicy/policy/modules/services/mta.te	2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-2.5.12/policy/modules/services/mta.te	2007-04-11 17:07:34.000000000 -0400
@@ -91,6 +92,7 @@
 optional_policy(`
 	apache_read_squirrelmail_data(system_mail_t)
 	apache_append_squirrelmail_data(system_mail_t)
+	apache_search_bugzilla_dirs(system_mail_t)
 
 	# apache should set close-on-exec
 	apache_dontaudit_append_log(system_mail_t)