apache_content_template

apache_content_template

[Stefan Schulze Frielinghaus]

I wanted to fix a problem with awstats and httpd_t but I ran into a
problem and just wanted to hear some other ideas.

Awstats uses the apache content template:
apache_content_template(awstats)

And a few awstats icons are labeled as httpd_awstats_content_t. When the
awstats CGI script is executed it generates a HTML file which includes
links to these icons. As soon as the httpd receives a query from the
client to download these icons an AVC is generated and the request is
denied. To allow this I would have to include a rule like:

allow httpd_t httpd_awstats_content_t:dir getattr;
allow httpd_t httpd_awstats_content_t:file { getattr read };

But then I would have to write a require statement for my awstats module
to include the type httpd_t as a dependency. While reading the apache.te
file I recognized three lines:

allow httpd_t httpd_sys_content_t:dir list_dir_perms;
read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)

Why aren't these ones included in the apache_content_template like these
ones:

allow httpd_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
read_lnk_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)

This would solve my problem with awstats and what my interpretation of
the httpd_$1_content_t type is that only these files should be red by
the httpd_t directly. I think other ones will run into the same problem
too.

Any thoughts?


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: apache_content_template

[Daniel J Walsh]

Stefan Schulze Frielinghaus wrote:
> I wanted to fix a problem with awstats and httpd_t but I ran into a
> problem and just wanted to hear some other ideas.
>
> Awstats uses the apache content template:
> apache_content_template(awstats)
>
> And a few awstats icons are labeled as httpd_awstats_content_t. When the
> awstats CGI script is executed it generates a HTML file which includes
> links to these icons. As soon as the httpd receives a query from the
> client to download these icons an AVC is generated and the request is
> denied. To allow this I would have to include a rule like:
>
> allow httpd_t httpd_awstats_content_t:dir getattr;
> allow httpd_t httpd_awstats_content_t:file { getattr read };
>
> But then I would have to write a require statement for my awstats module
> to include the type httpd_t as a dependency. While reading the apache.te
> file I recognized three lines:
>
> allow httpd_t httpd_sys_content_t:dir list_dir_perms;
> read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
> read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
>
> Why aren't these ones included in the apache_content_template like these
> ones:
>
> allow httpd_t httpd_$1_content_t:dir list_dir_perms;
> read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
> read_lnk_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
>
> This would solve my problem with awstats and what my interpretation of
> the httpd_$1_content_t type is that only these files should be red by
> the httpd_t directly. I think other ones will run into the same problem
> too.
>
> Any thoughts?
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>   
Making that change would eliminate any possibility  of separation of cgi 
data from php data.  IE If I only want my cgi scrips/processes to be 
able to read my data, it ie easy to do now.  But with your change, any 
script that does not cause a transition can now access my data.

I would prefer an

apache_can_read(httpd_awstats_content_t)

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: apache_content_template

[Stefan Schulze Frielinghaus]

On Wed, 2008-02-27 at 10:49 -0500, Daniel J Walsh wrote:
> Stefan Schulze Frielinghaus wrote:
> > I wanted to fix a problem with awstats and httpd_t but I ran into a
> > problem and just wanted to hear some other ideas.
> >
> > Awstats uses the apache content template:
> > apache_content_template(awstats)
> >
> > And a few awstats icons are labeled as httpd_awstats_content_t. When the
> > awstats CGI script is executed it generates a HTML file which includes
> > links to these icons. As soon as the httpd receives a query from the
> > client to download these icons an AVC is generated and the request is
> > denied. To allow this I would have to include a rule like:
> >
> > allow httpd_t httpd_awstats_content_t:dir getattr;
> > allow httpd_t httpd_awstats_content_t:file { getattr read };
> >
> > But then I would have to write a require statement for my awstats module
> > to include the type httpd_t as a dependency. While reading the apache.te
> > file I recognized three lines:
> >
> > allow httpd_t httpd_sys_content_t:dir list_dir_perms;
> > read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
> > read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
> >
> > Why aren't these ones included in the apache_content_template like these
> > ones:
> >
> > allow httpd_t httpd_$1_content_t:dir list_dir_perms;
> > read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
> > read_lnk_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
> >
> > This would solve my problem with awstats and what my interpretation of
> > the httpd_$1_content_t type is that only these files should be red by
> > the httpd_t directly. I think other ones will run into the same problem
> > too.
> >
> > Any thoughts?
> >
> >
> > --
> > This message was distributed to subscribers of the selinux mailing list.
> > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> > the words "unsubscribe selinux" without quotes as the message.
> >   
> Making that change would eliminate any possibility  of separation of cgi 
> data from php data.  IE If I only want my cgi scrips/processes to be 
> able to read my data, it ie easy to do now.  But with your change, any 
> script that does not cause a transition can now access my data.
> 
> I would prefer an
> 
> apache_can_read(httpd_awstats_content_t)

But if you want to hide data from other scripts you normally use
httpd_$1_script_ro_t or httpd_$1_script_rw_t. The policy of the template
does not have any allow rules to read httpd_$1_content_t (except two
search_dir_perms which does not count). This means that even
httpd_$1_script_t can't read httpd_$1_content_t. So whats the purpose of
httpd_$1_content_t really? I can't see it.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: apache_content_template

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stefan Schulze Frielinghaus wrote:
> On Wed, 2008-02-27 at 10:49 -0500, Daniel J Walsh wrote:
>> Stefan Schulze Frielinghaus wrote:
>>> I wanted to fix a problem with awstats and httpd_t but I ran into a
>>> problem and just wanted to hear some other ideas.
>>>
>>> Awstats uses the apache content template:
>>> apache_content_template(awstats)
>>>
>>> And a few awstats icons are labeled as httpd_awstats_content_t. When the
>>> awstats CGI script is executed it generates a HTML file which includes
>>> links to these icons. As soon as the httpd receives a query from the
>>> client to download these icons an AVC is generated and the request is
>>> denied. To allow this I would have to include a rule like:
>>>
>>> allow httpd_t httpd_awstats_content_t:dir getattr;
>>> allow httpd_t httpd_awstats_content_t:file { getattr read };
>>>
>>> But then I would have to write a require statement for my awstats module
>>> to include the type httpd_t as a dependency. While reading the apache.te
>>> file I recognized three lines:
>>>
>>> allow httpd_t httpd_sys_content_t:dir list_dir_perms;
>>> read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
>>> read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
>>>
>>> Why aren't these ones included in the apache_content_template like these
>>> ones:
>>>
>>> allow httpd_t httpd_$1_content_t:dir list_dir_perms;
>>> read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
>>> read_lnk_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
>>>
>>> This would solve my problem with awstats and what my interpretation of
>>> the httpd_$1_content_t type is that only these files should be red by
>>> the httpd_t directly. I think other ones will run into the same problem
>>> too.
>>>
>>> Any thoughts?
>>>
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>>> the words "unsubscribe selinux" without quotes as the message.
>>>   
>> Making that change would eliminate any possibility  of separation of cgi 
>> data from php data.  IE If I only want my cgi scrips/processes to be 
>> able to read my data, it ie easy to do now.  But with your change, any 
>> script that does not cause a transition can now access my data.
>>
>> I would prefer an
>>
>> apache_can_read(httpd_awstats_content_t)
> 
> But if you want to hide data from other scripts you normally use
> httpd_$1_script_ro_t or httpd_$1_script_rw_t. The policy of the template
> does not have any allow rules to read httpd_$1_content_t (except two
> search_dir_perms which does not count). This means that even
> httpd_$1_script_t can't read httpd_$1_content_t. So whats the purpose of
> httpd_$1_content_t really? I can't see it.
> 
You are right.  Those rules are missing and should be added.

read_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t)
read_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t)





-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfFpuIACgkQrlYvE4MpobN7rQCeNvTr1StM8WbwV5YHrZozWBcw
5dMAnjP9k8TaHOo7zNG/KB4vuUVoHB6q
=GBsr
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: apache_content_template

[Stefan Schulze Frielinghaus]

On Wed, 2008-02-27 at 13:07 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Stefan Schulze Frielinghaus wrote:
> > On Wed, 2008-02-27 at 10:49 -0500, Daniel J Walsh wrote:
> >> Stefan Schulze Frielinghaus wrote:
> >>> I wanted to fix a problem with awstats and httpd_t but I ran into a
> >>> problem and just wanted to hear some other ideas.
> >>>
> >>> Awstats uses the apache content template:
> >>> apache_content_template(awstats)
> >>>
> >>> And a few awstats icons are labeled as httpd_awstats_content_t. When the
> >>> awstats CGI script is executed it generates a HTML file which includes
> >>> links to these icons. As soon as the httpd receives a query from the
> >>> client to download these icons an AVC is generated and the request is
> >>> denied. To allow this I would have to include a rule like:
> >>>
> >>> allow httpd_t httpd_awstats_content_t:dir getattr;
> >>> allow httpd_t httpd_awstats_content_t:file { getattr read };
> >>>
> >>> But then I would have to write a require statement for my awstats module
> >>> to include the type httpd_t as a dependency. While reading the apache.te
> >>> file I recognized three lines:
> >>>
> >>> allow httpd_t httpd_sys_content_t:dir list_dir_perms;
> >>> read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
> >>> read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
> >>>
> >>> Why aren't these ones included in the apache_content_template like these
> >>> ones:
> >>>
> >>> allow httpd_t httpd_$1_content_t:dir list_dir_perms;
> >>> read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
> >>> read_lnk_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
> >>>
> >>> This would solve my problem with awstats and what my interpretation of
> >>> the httpd_$1_content_t type is that only these files should be red by
> >>> the httpd_t directly. I think other ones will run into the same problem
> >>> too.
> >>>
> >>> Any thoughts?
> >>>
> >>>
> >>> --
> >>> This message was distributed to subscribers of the selinux mailing list.
> >>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> >>> the words "unsubscribe selinux" without quotes as the message.
> >>>   
> >> Making that change would eliminate any possibility  of separation of cgi 
> >> data from php data.  IE If I only want my cgi scrips/processes to be 
> >> able to read my data, it ie easy to do now.  But with your change, any 
> >> script that does not cause a transition can now access my data.
> >>
> >> I would prefer an
> >>
> >> apache_can_read(httpd_awstats_content_t)
> > 
> > But if you want to hide data from other scripts you normally use
> > httpd_$1_script_ro_t or httpd_$1_script_rw_t. The policy of the template
> > does not have any allow rules to read httpd_$1_content_t (except two
> > search_dir_perms which does not count). This means that even
> > httpd_$1_script_t can't read httpd_$1_content_t. So whats the purpose of
> > httpd_$1_content_t really? I can't see it.
> > 
> You are right.  Those rules are missing and should be added.
> 
> read_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t)
> read_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t)

I'm sorry but I'm still not convinced.

This would mean we have two types:
- httpd_$1_content_t
- httpd_$1_script_ro_t
which have the same allow rules and the same meaning. No real difference
(after adding your allow rules).

And a comment from the apache_content_template indicates that there is
something wrong with your definition:

# The following three are the only areas that 
# scripts can read, read/write, or append to

After this comment allow rules follow for ro/rw and append types.

I still believe that the initial purpose of httpd_$1_content_t was to
allow httpd_t to read files/dirs. Otherwise httpd_$1_script_ro_t could
be used. Or even httpd_$1_content_t is a duplicate and could be removed.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: apache_content_template

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stefan Schulze Frielinghaus wrote:
> On Wed, 2008-02-27 at 13:07 -0500, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Stefan Schulze Frielinghaus wrote:
>>> On Wed, 2008-02-27 at 10:49 -0500, Daniel J Walsh wrote:
>>>> Stefan Schulze Frielinghaus wrote:
>>>>> I wanted to fix a problem with awstats and httpd_t but I ran into a
>>>>> problem and just wanted to hear some other ideas.
>>>>>
>>>>> Awstats uses the apache content template:
>>>>> apache_content_template(awstats)
>>>>>
>>>>> And a few awstats icons are labeled as httpd_awstats_content_t. When the
>>>>> awstats CGI script is executed it generates a HTML file which includes
>>>>> links to these icons. As soon as the httpd receives a query from the
>>>>> client to download these icons an AVC is generated and the request is
>>>>> denied. To allow this I would have to include a rule like:
>>>>>
>>>>> allow httpd_t httpd_awstats_content_t:dir getattr;
>>>>> allow httpd_t httpd_awstats_content_t:file { getattr read };
>>>>>
>>>>> But then I would have to write a require statement for my awstats module
>>>>> to include the type httpd_t as a dependency. While reading the apache.te
>>>>> file I recognized three lines:
>>>>>
>>>>> allow httpd_t httpd_sys_content_t:dir list_dir_perms;
>>>>> read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
>>>>> read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
>>>>>
>>>>> Why aren't these ones included in the apache_content_template like these
>>>>> ones:
>>>>>
>>>>> allow httpd_t httpd_$1_content_t:dir list_dir_perms;
>>>>> read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
>>>>> read_lnk_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
>>>>>
>>>>> This would solve my problem with awstats and what my interpretation of
>>>>> the httpd_$1_content_t type is that only these files should be red by
>>>>> the httpd_t directly. I think other ones will run into the same problem
>>>>> too.
>>>>>
>>>>> Any thoughts?
>>>>>
>>>>>
>>>>> --
>>>>> This message was distributed to subscribers of the selinux mailing list.
>>>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>>   
>>>> Making that change would eliminate any possibility  of separation of cgi 
>>>> data from php data.  IE If I only want my cgi scrips/processes to be 
>>>> able to read my data, it ie easy to do now.  But with your change, any 
>>>> script that does not cause a transition can now access my data.
>>>>
>>>> I would prefer an
>>>>
>>>> apache_can_read(httpd_awstats_content_t)
>>> But if you want to hide data from other scripts you normally use
>>> httpd_$1_script_ro_t or httpd_$1_script_rw_t. The policy of the template
>>> does not have any allow rules to read httpd_$1_content_t (except two
>>> search_dir_perms which does not count). This means that even
>>> httpd_$1_script_t can't read httpd_$1_content_t. So whats the purpose of
>>> httpd_$1_content_t really? I can't see it.
>>>
>> You are right.  Those rules are missing and should be added.
>>
>> read_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t)
>> read_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t)
> 
> I'm sorry but I'm still not convinced.
> 
> This would mean we have two types:
> - httpd_$1_content_t
> - httpd_$1_script_ro_t
> which have the same allow rules and the same meaning. No real difference
> (after adding your allow rules).
> 
> And a comment from the apache_content_template indicates that there is
> something wrong with your definition:
> 
> # The following three are the only areas that 
> # scripts can read, read/write, or append to
> 
> After this comment allow rules follow for ro/rw and append types.
> 
> I still believe that the initial purpose of httpd_$1_content_t was to
> allow httpd_t to read files/dirs. Otherwise httpd_$1_script_ro_t could
> be used. Or even httpd_$1_content_t is a duplicate and could be removed.
> 
Yes you might be right.
I would say httpd_$1_script_ro_t should go away and be an alias of
httpd_$1_content_t.  Then allow httpd_$1_script_t read on all
files/directories/lnk_files.  Labeling a directory httpd_$1_script_ro_t
and putting rw_t content in is seems strange.

But there is a boolean to allow httpd to read script specific content.

httpd_builtin_scripting

Which if we changed the httpd_$1_script_ro_t would fix the problem.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfFuqQACgkQrlYvE4MpobMBYQCgtO3951Eg0gyq84wlE+H8FKTu
Xf8AoKLJeYBhJ96mcwyMBYI9aoLK0NE+
=vU6O
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: apache_content_template

[Stefan Schulze Frielinghaus]

On Wed, 2008-02-27 at 14:31 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Stefan Schulze Frielinghaus wrote:
> > On Wed, 2008-02-27 at 13:07 -0500, Daniel J Walsh wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Stefan Schulze Frielinghaus wrote:
> >>> On Wed, 2008-02-27 at 10:49 -0500, Daniel J Walsh wrote:
> >>>> Stefan Schulze Frielinghaus wrote:
> >>>>> I wanted to fix a problem with awstats and httpd_t but I ran into a
> >>>>> problem and just wanted to hear some other ideas.
> >>>>>
> >>>>> Awstats uses the apache content template:
> >>>>> apache_content_template(awstats)
> >>>>>
> >>>>> And a few awstats icons are labeled as httpd_awstats_content_t. When the
> >>>>> awstats CGI script is executed it generates a HTML file which includes
> >>>>> links to these icons. As soon as the httpd receives a query from the
> >>>>> client to download these icons an AVC is generated and the request is
> >>>>> denied. To allow this I would have to include a rule like:
> >>>>>
> >>>>> allow httpd_t httpd_awstats_content_t:dir getattr;
> >>>>> allow httpd_t httpd_awstats_content_t:file { getattr read };
> >>>>>
> >>>>> But then I would have to write a require statement for my awstats module
> >>>>> to include the type httpd_t as a dependency. While reading the apache.te
> >>>>> file I recognized three lines:
> >>>>>
> >>>>> allow httpd_t httpd_sys_content_t:dir list_dir_perms;
> >>>>> read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
> >>>>> read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
> >>>>>
> >>>>> Why aren't these ones included in the apache_content_template like these
> >>>>> ones:
> >>>>>
> >>>>> allow httpd_t httpd_$1_content_t:dir list_dir_perms;
> >>>>> read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
> >>>>> read_lnk_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
> >>>>>
> >>>>> This would solve my problem with awstats and what my interpretation of
> >>>>> the httpd_$1_content_t type is that only these files should be red by
> >>>>> the httpd_t directly. I think other ones will run into the same problem
> >>>>> too.
> >>>>>
> >>>>> Any thoughts?
> >>>>>
> >>>>>
> >>>>> --
> >>>>> This message was distributed to subscribers of the selinux mailing list.
> >>>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> >>>>> the words "unsubscribe selinux" without quotes as the message.
> >>>>>   
> >>>> Making that change would eliminate any possibility  of separation of cgi 
> >>>> data from php data.  IE If I only want my cgi scrips/processes to be 
> >>>> able to read my data, it ie easy to do now.  But with your change, any 
> >>>> script that does not cause a transition can now access my data.
> >>>>
> >>>> I would prefer an
> >>>>
> >>>> apache_can_read(httpd_awstats_content_t)
> >>> But if you want to hide data from other scripts you normally use
> >>> httpd_$1_script_ro_t or httpd_$1_script_rw_t. The policy of the template
> >>> does not have any allow rules to read httpd_$1_content_t (except two
> >>> search_dir_perms which does not count). This means that even
> >>> httpd_$1_script_t can't read httpd_$1_content_t. So whats the purpose of
> >>> httpd_$1_content_t really? I can't see it.
> >>>
> >> You are right.  Those rules are missing and should be added.
> >>
> >> read_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t)
> >> read_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t)
> > 
> > I'm sorry but I'm still not convinced.
> > 
> > This would mean we have two types:
> > - httpd_$1_content_t
> > - httpd_$1_script_ro_t
> > which have the same allow rules and the same meaning. No real difference
> > (after adding your allow rules).
> > 
> > And a comment from the apache_content_template indicates that there is
> > something wrong with your definition:
> > 
> > # The following three are the only areas that 
> > # scripts can read, read/write, or append to
> > 
> > After this comment allow rules follow for ro/rw and append types.
> > 
> > I still believe that the initial purpose of httpd_$1_content_t was to
> > allow httpd_t to read files/dirs. Otherwise httpd_$1_script_ro_t could
> > be used. Or even httpd_$1_content_t is a duplicate and could be removed.
> > 
> Yes you might be right.
> I would say httpd_$1_script_ro_t should go away and be an alias of
> httpd_$1_content_t.  Then allow httpd_$1_script_t read on all
> files/directories/lnk_files.  Labeling a directory httpd_$1_script_ro_t
> and putting rw_t content in is seems strange.
> 
> But there is a boolean to allow httpd to read script specific content.
> 
> httpd_builtin_scripting
> 
> Which if we changed the httpd_$1_script_ro_t would fix the problem.
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> 
> iEYEARECAAYFAkfFuqQACgkQrlYvE4MpobMBYQCgtO3951Eg0gyq84wlE+H8FKTu
> Xf8AoKLJeYBhJ96mcwyMBYI9aoLK0NE+
> =vU6O
> -----END PGP SIGNATURE-----

Yeah I think this is quite OK. To be consistent when changing
httpd_$1_script_ro_t to httpd_$1_content_t (and alias it back)
shouldn't we add a type httpd_$1_content_rw_t and alias it to
httpd_$1_script_rw_t (and the same for a_t)?


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: apache_content_template

[Stefan Schulze Frielinghaus]

On Wed, 2008-02-27 at 14:31 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Stefan Schulze Frielinghaus wrote:
> > On Wed, 2008-02-27 at 13:07 -0500, Daniel J Walsh wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Stefan Schulze Frielinghaus wrote:
> >>> On Wed, 2008-02-27 at 10:49 -0500, Daniel J Walsh wrote:
> >>>> Stefan Schulze Frielinghaus wrote:
> >>>>> I wanted to fix a problem with awstats and httpd_t but I ran into a
> >>>>> problem and just wanted to hear some other ideas.
> >>>>>
> >>>>> Awstats uses the apache content template:
> >>>>> apache_content_template(awstats)
> >>>>>
> >>>>> And a few awstats icons are labeled as httpd_awstats_content_t. When the
> >>>>> awstats CGI script is executed it generates a HTML file which includes
> >>>>> links to these icons. As soon as the httpd receives a query from the
> >>>>> client to download these icons an AVC is generated and the request is
> >>>>> denied. To allow this I would have to include a rule like:
> >>>>>
> >>>>> allow httpd_t httpd_awstats_content_t:dir getattr;
> >>>>> allow httpd_t httpd_awstats_content_t:file { getattr read };
> >>>>>
> >>>>> But then I would have to write a require statement for my awstats module
> >>>>> to include the type httpd_t as a dependency. While reading the apache.te
> >>>>> file I recognized three lines:
> >>>>>
> >>>>> allow httpd_t httpd_sys_content_t:dir list_dir_perms;
> >>>>> read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
> >>>>> read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
> >>>>>
> >>>>> Why aren't these ones included in the apache_content_template like these
> >>>>> ones:
> >>>>>
> >>>>> allow httpd_t httpd_$1_content_t:dir list_dir_perms;
> >>>>> read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
> >>>>> read_lnk_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
> >>>>>
> >>>>> This would solve my problem with awstats and what my interpretation of
> >>>>> the httpd_$1_content_t type is that only these files should be red by
> >>>>> the httpd_t directly. I think other ones will run into the same problem
> >>>>> too.
> >>>>>
> >>>>> Any thoughts?
> >>>>>
> >>>>>
> >>>>> --
> >>>>> This message was distributed to subscribers of the selinux mailing list.
> >>>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> >>>>> the words "unsubscribe selinux" without quotes as the message.
> >>>>>   
> >>>> Making that change would eliminate any possibility  of separation of cgi 
> >>>> data from php data.  IE If I only want my cgi scrips/processes to be 
> >>>> able to read my data, it ie easy to do now.  But with your change, any 
> >>>> script that does not cause a transition can now access my data.
> >>>>
> >>>> I would prefer an
> >>>>
> >>>> apache_can_read(httpd_awstats_content_t)
> >>> But if you want to hide data from other scripts you normally use
> >>> httpd_$1_script_ro_t or httpd_$1_script_rw_t. The policy of the template
> >>> does not have any allow rules to read httpd_$1_content_t (except two
> >>> search_dir_perms which does not count). This means that even
> >>> httpd_$1_script_t can't read httpd_$1_content_t. So whats the purpose of
> >>> httpd_$1_content_t really? I can't see it.
> >>>
> >> You are right.  Those rules are missing and should be added.
> >>
> >> read_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t)
> >> read_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t)
> > 
> > I'm sorry but I'm still not convinced.
> > 
> > This would mean we have two types:
> > - httpd_$1_content_t
> > - httpd_$1_script_ro_t
> > which have the same allow rules and the same meaning. No real difference
> > (after adding your allow rules).
> > 
> > And a comment from the apache_content_template indicates that there is
> > something wrong with your definition:
> > 
> > # The following three are the only areas that 
> > # scripts can read, read/write, or append to
> > 
> > After this comment allow rules follow for ro/rw and append types.
> > 
> > I still believe that the initial purpose of httpd_$1_content_t was to
> > allow httpd_t to read files/dirs. Otherwise httpd_$1_script_ro_t could
> > be used. Or even httpd_$1_content_t is a duplicate and could be removed.
> > 
> Yes you might be right.
> I would say httpd_$1_script_ro_t should go away and be an alias of
> httpd_$1_content_t.  Then allow httpd_$1_script_t read on all
> files/directories/lnk_files.  Labeling a directory httpd_$1_script_ro_t
> and putting rw_t content in is seems strange.
> 
> But there is a boolean to allow httpd to read script specific content.
> 
> httpd_builtin_scripting
> 
> Which if we changed the httpd_$1_script_ro_t would fix the problem.
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> 
> iEYEARECAAYFAkfFuqQACgkQrlYvE4MpobMBYQCgtO3951Eg0gyq84wlE+H8FKTu
> Xf8AoKLJeYBhJ96mcwyMBYI9aoLK0NE+
> =vU6O
> -----END PGP SIGNATURE-----

Another problem raised up. httpd_t should have at least search
permissions for httpd_$1_content_t because otherwise httpd_t could not
read httpd_$1_htaccess_t files. The following rules exists:

allow httpd_t httpd_$1_htaccess_t:file read_file_perms;

I would suggest to change this allow rule to read_files_pattern()

A small example should summaries the problem:

/var/www.myWiki <- is labeled as httpd_myWiki_content_t
/var/www.myWiki/config/.htaccess <- is labeled as     
                                    httpd_myWiki_htaccess_t

httpd_t could not read the htaccess file because it does not have search
permissions for /var/www.myWiki.

Another example would be:

/usr/share/awstats/wwwroot <- labeled as httpd_awstats_content_t
/usr/share/awstats/wwwroot/cgi-bin <- labeled as 
                                       httpd_awstats_script_exec_t
/usr/share/awstats/wwwroot/icon <- labeled as httpd_sys_content_t

This would work if httpd_t has search permissions because httpd_t can
scroll through /usr/share/awstats/wwwroot and then into icon.

The search permissions and the correct labeling of
e.g. /usr/share/awstats/wwwroot/icon as httpd_sys_content_t would also
eliminate the need of apache_can_read()


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.