From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] services_cvs.patch
Date: Thu, 06 Nov 2008 11:31:49 -0500
Message-ID: <49131BF5.6040303@redhat.com>
In-Reply-To: <1225986183.12285.33.camel@gorn.columbia.tresys.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Christopher J. PeBenito wrote:
> On Tue, 2008-10-14 at 16:47 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_cvs.patch
>>
>> Needs
>>
>> + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
>
> Conflicting type transition with httpd_cvs_script_rw_t.
>
Alright, I guess the problem here is in my version of the apache interface.
My apache_content_template eliminates a lot of the rules that were
specific to httpd_sys_script_t and moves them into the te file. This
allows me to more easily write a confined cgi script that is much
tighter than the Reference policy.
########################################
## <summary>
##	Create a set of derived types for apache
##	web content.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving type names.
##	</summary>
## </param>
#
template(`apache_content_template',`
	gen_require(`
		attribute httpd_exec_scripts;
		attribute httpd_script_exec_type;
		type httpd_t, httpd_suexec_t, httpd_log_t;
	')

	# This type is for webpages
	type httpd_$1_content_t;
	files_type(httpd_$1_content_t)

	# This type is used for .htaccess files
	type httpd_$1_htaccess_t;
	files_type(httpd_$1_htaccess_t)

	# Type that CGI scripts run as
	type httpd_$1_script_t;
	domain_type(httpd_$1_script_t)
	role system_r types httpd_$1_script_t;

	# This type is used for executable scripts files
	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
	corecmd_shell_entry_type(httpd_$1_script_t)
	domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)

	# The following three are the only areas that
	# scripts can read, read/write, or append to
	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;

	type httpd_$1_content_rw_t;
	files_type(httpd_$1_content_rw_t)
	typealias httpd_$1_content_rw_t alias httpd_$1_script_rw_t;

	type httpd_$1_content_ra_t;
	files_type(httpd_$1_content_ra_t)
	typealias httpd_$1_content_ra_t alias httpd_$1_script_ra_t;

	read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)

	domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;
	allow httpd_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;

	allow httpd_$1_script_t self:fifo_file rw_file_perms;
	allow httpd_$1_script_t self:unix_stream_socket connectto;
	allow httpd_$1_script_t httpd_t:fifo_file write;
	# apache should set close-on-exec
	dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };

	# Allow the script process to search the cgi directory, and users directory
	allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
	read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)

	append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
	logging_search_logs(httpd_$1_script_t)

	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
	allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;

	allow httpd_$1_script_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms };
	read_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
	append_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)

	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
	manage_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)

	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)

	dev_read_rand(httpd_$1_script_t)
	dev_read_urand(httpd_$1_script_t)

	corecmd_exec_all_executables(httpd_$1_script_t)
	application_exec_all(httpd_$1_script_t)

	files_exec_etc_files(httpd_$1_script_t)
	files_read_etc_files(httpd_$1_script_t)
	files_search_home(httpd_$1_script_t)

	libs_use_ld_so(httpd_$1_script_t)
	libs_use_shared_libs(httpd_$1_script_t)
	libs_exec_ld_so(httpd_$1_script_t)
	libs_exec_lib_files(httpd_$1_script_t)

	miscfiles_read_fonts(httpd_$1_script_t)
	miscfiles_read_public_files(httpd_$1_script_t)

	seutil_dontaudit_search_config(httpd_$1_script_t)

	# Allow the web server to run scripts and serve pages
	tunable_policy(`httpd_builtin_scripting',`
		manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
		manage_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
		manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
		rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)

		allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms };
		read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
		append_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)

		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
	')

	tunable_policy(`httpd_enable_cgi',`
		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;

		# privileged users run the script:
		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
		allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;

		# apache runs the script:
		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
		allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
		allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;

		allow httpd_$1_script_t self:process { setsched signal_perms };
		allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;

		allow httpd_$1_script_t httpd_t:fd use;
		allow httpd_$1_script_t httpd_t:process sigchld;

		kernel_read_system_state(httpd_$1_script_t)

		dev_read_urand(httpd_$1_script_t)

		fs_getattr_xattr_fs(httpd_$1_script_t)

		files_read_etc_runtime_files(httpd_$1_script_t)
		files_read_usr_files(httpd_$1_script_t)

		libs_read_lib_files(httpd_$1_script_t)

		miscfiles_read_localization(httpd_$1_script_t)
	')

	optional_policy(`
		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
			nis_use_ypbind_uncond(httpd_$1_script_t)
		')
	')

	optional_policy(`
		postgresql_unpriv_client(httpd_$1_script_t)
	')

	optional_policy(`
		nscd_socket_use(httpd_$1_script_t)
	')
')
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkkTG/UACgkQrlYvE4MpobM1iwCgoZhxtseCjvTUNHKS8wfEx2C1
9PcAoM5r5CfRr/rhogRsGjhOlLRI9y22
=xesH
-----END PGP SIGNATURE-----
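The conflict raised in this thread can be checked mechanically once the m4 macros are expanded. files_tmp_filetrans(d, t, c) expands, via filetrans_pattern, to a rule of the form "type_transition d tmp_t:c t;", and the policy compiler rejects two type_transition rules that share source, target and object class but name different default types. The script below is an added example, not code from this thread or from the reference policy. The rules it parses are constructed: the transition of httpd_cvs_script_t to httpd_cvs_script_rw_t under tmp_t is an assumption about what the template's existing tmp transition expands to (the thread only says that a conflicting transition to httpd_cvs_script_rw_t exists), and the httpd_cvs_content_t rule is made up to show a non-conflicting case. It goes slightly beyond the thread by also handling the quoted object-name field of named file transitions, which later policy versions added, since rules with different names do not conflict.

```python
"""Detect conflicting SELinux type_transition rules (constructed example).

Input is policy in the kernel policy language, i.e. what refpolicy macros
expand to: files_tmp_filetrans(d, t, c) becomes

    type_transition d tmp_t:c t;

Two rules conflict when they share (source, target, class, object name)
but name different default types; checkpolicy refuses to build that.
"""
import re
from collections import defaultdict

# One type_transition statement.  The class may be a single identifier or
# a brace-delimited set; the optional quoted object name is the named file
# transition form that was added to the policy language after this thread.
_RULE = re.compile(
    r"""type_transition\s+
        (?P<src>\S+)\s+
        (?P<tgt>[^\s:]+):(?P<cls>\{[^}]*\}|\S+)\s+
        (?P<dflt>[^\s;"]+)
        (?:\s+"(?P<name>[^"]*)")?
        \s*;""",
    re.VERBOSE,
)


def _expand_set(token):
    """'{ file dir }' -> ['file', 'dir']; 'file' -> ['file']."""
    token = token.strip()
    if token.startswith("{"):
        return token.strip("{}").split()
    return [token]


def parse_type_transitions(policy_text):
    """Yield one (source, target, class, object_name, default) per class."""
    for m in _RULE.finditer(policy_text):
        for cls in _expand_set(m.group("cls")):
            yield (m.group("src"), m.group("tgt"), cls,
                   m.group("name"), m.group("dflt"))


def find_conflicts(policy_text):
    """Map (source, target, class, object_name) -> sorted list of default
    types, for every key that was given more than one default type."""
    seen = defaultdict(set)
    for src, tgt, cls, name, dflt in parse_type_transitions(policy_text):
        seen[(src, tgt, cls, name)].add(dflt)
    return {key: sorted(defaults) for key, defaults in seen.items()
            if len(defaults) > 1}


def report(policy_text):
    """Human-readable summary; empty string when the policy is clean."""
    out = []
    items = sorted(find_conflicts(policy_text).items(),
                   key=lambda kv: (kv[0][0], kv[0][1], kv[0][2], kv[0][3] or ""))
    for (src, tgt, cls, name), defaults in items:
        where = f"{src} {tgt}:{cls}" + (f' "{name}"' if name else "")
        out.append(f"conflicting type_transition for {where}: "
                   + " vs ".join(defaults))
    return "\n".join(out)


# Constructed sample for the "cvs" prefix.  Rule 1 is an ASSUMPTION about
# how the template's existing tmp transition expands; rule 2 is the
# expansion of the files_tmp_filetrans() call quoted in the thread.
# Rule 3 restates part of rule 1 with the same default (allowed), and
# rule 4 is a made-up transition on another target (not flagged).
SAMPLE_POLICY = """
type_transition httpd_cvs_script_t tmp_t:{ dir file lnk_file sock_file fifo_file } httpd_cvs_script_rw_t;
type_transition httpd_cvs_script_t tmp_t:{ file dir } cvs_tmp_t;
type_transition httpd_cvs_script_t tmp_t:dir httpd_cvs_script_rw_t;
type_transition httpd_cvs_script_t httpd_cvs_content_t:file httpd_cvs_content_rw_t;
"""

if __name__ == "__main__":
    print(report(SAMPLE_POLICY) or "no conflicts")
```

Running it on the sample flags the file and dir classes under tmp_t, the two classes where the quoted files_tmp_filetrans() line overlaps the assumed existing transition; the lnk_file, sock_file and fifo_file classes, the restated dir rule and the unrelated httpd_cvs_content_t rule are left alone. To use it on real policy, feed it the output of the m4 expansion step of a policy build (the policy.conf file) rather than the .if and .te sources.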
2008-10-14 20:47 [refpolicy] services_cvs.patch Daniel J Walsh
2008-11-06 15:43 ` Christopher J. PeBenito
2008-11-06 16:31 ` Daniel J Walsh [this message]
-- strict thread matches above, loose matches on Subject: below --
2010-08-26 21:08 Daniel J Walsh
2010-02-23 20:04 Daniel J Walsh
2009-11-12 21:23 Daniel J Walsh
2009-06-09 0:21 Daniel J Walsh
2009-03-05 16:34 Daniel J Walsh
2009-03-23 15:24 ` Christopher J. PeBenito
2008-09-24 20:43 Daniel J Walsh
2008-09-24 19:59 [refpolicy] services_snort.patch Daniel J Walsh
2008-10-09 18:09 ` Christopher J. PeBenito
2008-10-10 20:30 ` [refpolicy] services_cvs.patch Daniel J Walsh
2008-10-13 15:10 ` Christopher J. PeBenito