diff for duplicates of <4A03D145.2040901@ak.jp.nec.com>
diff --git a/a/1.txt b/N1/1.txt
index 1df0997..e9700cd 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -76,3 +76,10 @@ KaiGai Kohei wrote:
 --
 OSS Platform Development Division, NEC
 KaiGai Kohei <kaigai@ak.jp.nec.com>
+-------------- next part --------------
+A non-text attachment was scrubbed...
+Name: refpolicy-webapp-interface.patch
+Type: text/x-patch
+Size: 6528 bytes
+Desc: not available
+Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090508/a2a8c485/attachment-0001.bin
diff --git a/a/2.hdr b/a/2.hdr
deleted file mode 100644
index 56bdda1..0000000
--- a/a/2.hdr
+++ /dev/null
@@ -1,5 +0,0 @@
-Content-Type: text/x-patch;
- name="refpolicy-webapp-interface.patch"
-Content-Transfer-Encoding: 7bit
-Content-Disposition: inline;
- filename="refpolicy-webapp-interface.patch"
diff --git a/a/2.txt b/a/2.txt
deleted file mode 100644
index eb23a83..0000000
--- a/a/2.txt
+++ /dev/null
@@ -1,209 +0,0 @@
-Index: apache.te
-===================================================================
---- apache.te (revision 2982)
-+++ apache.te (working copy)
-@@ -111,6 +111,9 @@
- attribute httpdcontent;
- attribute httpd_user_content_type;
- 
-+# domains that can perform as a server process
-+attribute httpd_server_domains;
-+
- # domains that can exec all users scripts
- attribute httpd_exec_scripts;
- 
-@@ -123,6 +126,7 @@
- type httpd_t;
- type httpd_exec_t;
- init_daemon_domain(httpd_t, httpd_exec_t)
-+typeattribute httpd_t httpd_server_domains;
- role system_r types httpd_t;
- 
- # httpd_cache_t is the type given to the /var/cache/httpd
-Index: apache.if
-===================================================================
---- apache.if (revision 2982)
-+++ apache.if (working copy)
-@@ -308,6 +308,182 @@
- 
- ########################################
- ## <summary>
-+## Allow a domain to perform as a web server process
-+## with necessary minimum privileges.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`apache_base_webapp',`
-+ gen_require(`
-+ attribute httpd_server_domains;
-+ type httpd_t;
-+ type httpd_config_t;
-+ type httpd_log_t;
-+ type httpd_sys_content_t;
-+ type httpd_suexec_exec_t;
-+ ')
-+ ########################################
-+ #
-+ # Local declarations
-+ #
-+ typeattribute $1 httpd_server_domains;
-+
-+ typebounds httpd_t $1;
-+
-+ allow httpd_t $1:process { dyntransition };
-+ role system_r types $1;
-+
-+ ########################################
-+ #
-+ # Minimum privileges to perform as a part of httpd
-+ #
-+ allow $1 httpd_server_domains:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-+ allow $1 httpd_server_domains:fd use;
-+ allow $1 httpd_server_domains:sock_file read_sock_file_perms;
-+ allow $1 httpd_server_domains:fifo_file rw_fifo_file_perms;
-+ allow $1 httpd_server_domains:shm rw_shm_perms;
-+ allow $1 httpd_server_domains:sem rw_sem_perms;
-+ allow $1 httpd_server_domains:msgq rw_msgq_perms;
-+ allow $1 httpd_server_domains:msg { send receive };
-+ allow $1 httpd_server_domains:unix_dgram_socket { rw_socket_perms sendto };
-+ allow $1 httpd_server_domains:unix_stream_socket { rw_socket_perms connectto };
-+ allow $1 httpd_server_domains:tcp_socket rw_socket_perms;
-+ allow $1 httpd_server_domains:udp_socket rw_socket_perms;
-+
-+ # allow to read the web servers config files
-+ allow $1 httpd_config_t:dir list_dir_perms;
-+ read_files_pattern($1, httpd_config_t, httpd_config_t)
-+ read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
-+
-+ # allow to append the web servers log files
-+ allow $1 httpd_log_t:dir setattr;
-+ create_files_pattern($1, httpd_log_t, httpd_log_t)
-+ append_files_pattern($1, httpd_log_t, httpd_log_t)
-+ read_files_pattern($1, httpd_log_t, httpd_log_t)
-+ read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
-+ logging_log_filetrans($1, httpd_log_t, file)
-+
-+ # SuExec
-+ allow $1 httpd_suexec_exec_t:file read_file_perms;
-+
-+ # Read-only accesses to system contents
-+ allow $1 httpd_sys_content_t:dir list_dir_perms;
-+ read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
-+ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
-+
-+ # /proc
-+ allow $1 httpd_server_domains:dir list_dir_perms;
-+ kernel_read_kernel_sysctls($1)
-+ kernel_read_system_state($1)
-+
-+ # allow to communicate via core-networks
-+ corenet_all_recvfrom_unlabeled($1)
-+ corenet_all_recvfrom_netlabel($1)
-+ corenet_tcp_sendrecv_generic_if($1)
-+ corenet_udp_sendrecv_generic_if($1)
-+ corenet_tcp_sendrecv_generic_node($1)
-+ corenet_udp_sendrecv_generic_node($1)
-+ corenet_tcp_sendrecv_all_ports($1)
-+ corenet_udp_sendrecv_all_ports($1)
-+ corenet_sendrecv_http_server_packets($1)
-+ corenet_tcp_connect_http_port($1)
-+
-+ # device nodes
-+ dev_read_sysfs($1)
-+ dev_read_rand($1)
-+ dev_read_urand($1)
-+ dev_rw_crypto($1)
-+
-+ # filesystems
-+ fs_getattr_all_fs($1)
-+ fs_search_auto_mountpoints($1)
-+
-+ # misc permissions
-+ domain_use_interactive_fds($1)
-+
-+ files_read_usr_files($1)
-+ files_list_mnt($1)
-+ files_search_spool($1)
-+ files_read_var_lib_files($1)
-+ files_search_home($1)
-+ files_getattr_home_dir($1)
-+ # for modules that want to access /etc/mtab
-+ files_read_etc_runtime_files($1)
-+ # Allow httpd_t to have access to files such as nisswitch.conf
-+ files_read_etc_files($1)
-+
-+ libs_read_lib_files($1)
-+
-+ logging_send_syslog_msg($1)
-+
-+ miscfiles_read_localization($1)
-+ miscfiles_read_fonts($1)
-+ miscfiles_read_public_files($1)
-+ miscfiles_read_certs($1)
-+
-+ seutil_dontaudit_search_config($1)
-+
-+ userdom_use_unpriv_users_fds($1)
-+')
-+
-+########################################
-+## <summary>
-+## Allos a domain to access UBAC types for web contents
-+## </summary>
-+## <param name="prefix">
-+## <summary>
-+## The prefix to be used for deriving type names.
-+## </summary>
-+## </param>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`apache_user_webapp',`
-+ gen_require(`
-+ type httpd_$1_content_t;
-+ type httpd_$1_htaccess_t;
-+ type httpd_$1_script_t;
-+ type httpd_$1_script_exec_t;
-+ type httpd_$1_script_ro_t;
-+ type httpd_$1_script_rw_t;
-+ type httpd_$1_script_ra_t;
-+ ')
-+
-+ # .htaccess files
-+ allow $2 httpd_$1_htaccess_t:file read_file_perms;
-+
-+ # httpd_builtin_scripting controls them
-+ manage_dirs_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-+ manage_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-+ manage_lnk_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-+ rw_sock_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-+
-+ allow $2 httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
-+ read_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-+ append_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-+ read_lnk_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-+
-+ allow $2 httpd_$1_script_ro_t:dir list_dir_perms;
-+ read_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
-+ read_lnk_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
-+
-+ allow $2 httpd_$1_content_t:dir list_dir_perms;
-+ read_files_pattern($2, httpd_$1_content_t, httpd_$1_content_t)
-+ read_lnk_files_pattern($2, httpd_$1_content_t, httpd_$1_content_t)
-+
-+ # httpd_enable_cgi controls them
-+ domtrans_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_t)
-+')
-+
-+########################################
-+## <summary>
- ## Read httpd user scripts executables.
- ## </summary>
- ## <param name="domain">
diff --git a/a/content_digest b/N1/content_digest
index 71f4966..4989fce 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -1,11 +1,10 @@
  "ref\049F69A33.2070601@ak.jp.nec.com\0"
  "ref\04A025C03.50907@ak.jp.nec.com\0"
- "From\0KaiGai Kohei <kaigai@ak.jp.nec.com>\0"
- "Subject\0[PATCH] An interface to allow web-apps minimum privileges (Re: [RFC] mod_selinux security policy)\0"
+ "From\0kaigai@ak.jp.nec.com (KaiGai Kohei)\0"
+ "Subject\0[refpolicy] [PATCH] An interface to allow web-apps minimum privileges (Re: [RFC] mod_selinux security policy)\0"
  "Date\0Fri, 08 May 2009 15:29:25 +0900\0"
- "To\0Refpolicy <refpolicy@oss.tresys.com>\0"
- "Cc\0SELinux <selinux@tycho.nsa.gov>\0"
- "\01:1\0"
+ "To\0refpolicy@oss.tresys.com\0"
+ "\00:1\0"
  "b\0"
  "The purpose of the attached patch is a proof of the concent, and I don't\n"
  "intend it to be commited soon.\n"
@@ -84,218 +83,13 @@ "\n" "-- \n" "OSS Platform Development Division, NEC\n" - KaiGai Kohei <kaigai@ak.jp.nec.com> - "\01:2\0" - "fn\0refpolicy-webapp-interface.patch\0" - "b\0" - "Index: apache.te\n" - "===================================================================\n" - "--- apache.te\t(revision 2982)\n" - "+++ apache.te\t(working copy)\n" - "@@ -111,6 +111,9 @@\n" - " attribute httpdcontent;\n" - " attribute httpd_user_content_type;\n" - " \n" - "+# domains that can perform as a server process\n" - "+attribute httpd_server_domains;\n" - "+\n" - " # domains that can exec all users scripts\n" - " attribute httpd_exec_scripts;\n" - " \n" - "@@ -123,6 +126,7 @@\n" - " type httpd_t;\n" - " type httpd_exec_t;\n" - " init_daemon_domain(httpd_t, httpd_exec_t)\n" - "+typeattribute httpd_t httpd_server_domains;\n" - " role system_r types httpd_t;\n" - " \n" - " # httpd_cache_t is the type given to the /var/cache/httpd\n" - "Index: apache.if\n" - "===================================================================\n" - "--- apache.if\t(revision 2982)\n" - "+++ apache.if\t(working copy)\n" - "@@ -308,6 +308,182 @@\n" - " \n" - " ########################################\n" - " ## <summary>\n" - "+##\tAllow a domain to perform as a web server process\n" - "+##\twith necessary minimum privileges.\n" - "+## </summary>\n" - "+## <param name=\"domain\">\n" - "+##\t<summary>\n" - "+##\tDomain allowed access.\n" - "+##\t</summary>\n" - "+## </param>\n" - "+#\n" - "+interface(`apache_base_webapp',`\n" - "+\tgen_require(`\n" - "+\t\tattribute httpd_server_domains;\n" - "+\t\ttype httpd_t;\n" - "+\t\ttype httpd_config_t;\n" - "+\t\ttype httpd_log_t;\n" - "+\t\ttype httpd_sys_content_t;\n" - "+\t\ttype httpd_suexec_exec_t;\n" - "+\t')\n" - "+\t########################################\n" - "+\t#\n" - "+\t# Local declarations\n" - "+\t#\n" - "+\ttypeattribute $1 httpd_server_domains;\n" - "+\n" - "+\ttypebounds httpd_t $1;\n" - "+\n" - "+\tallow httpd_t $1:process { dyntransition 
};\n" - "+\trole system_r types $1;\n" - "+\n" - "+\t########################################\n" - "+\t#\n" - "+\t# Minimum privileges to perform as a part of httpd\n" - "+\t#\n" - "+\tallow $1 httpd_server_domains:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };\n" - "+\tallow $1 httpd_server_domains:fd use;\n" - "+\tallow $1 httpd_server_domains:sock_file read_sock_file_perms;\n" - "+\tallow $1 httpd_server_domains:fifo_file rw_fifo_file_perms;\n" - "+\tallow $1 httpd_server_domains:shm rw_shm_perms;\n" - "+\tallow $1 httpd_server_domains:sem rw_sem_perms;\n" - "+\tallow $1 httpd_server_domains:msgq rw_msgq_perms;\n" - "+\tallow $1 httpd_server_domains:msg { send receive };\n" - "+\tallow $1 httpd_server_domains:unix_dgram_socket { rw_socket_perms sendto };\n" - "+\tallow $1 httpd_server_domains:unix_stream_socket { rw_socket_perms connectto };\n" - "+\tallow $1 httpd_server_domains:tcp_socket rw_socket_perms;\n" - "+\tallow $1 httpd_server_domains:udp_socket rw_socket_perms;\n" - "+\n" - "+\t# allow to read the web servers config files\n" - "+\tallow $1 httpd_config_t:dir list_dir_perms;\n" - "+\tread_files_pattern($1, httpd_config_t, httpd_config_t)\n" - "+\tread_lnk_files_pattern($1, httpd_config_t, httpd_config_t)\n" - "+\n" - "+\t# allow to append the web servers log files\n" - "+\tallow $1 httpd_log_t:dir setattr;\n" - "+\tcreate_files_pattern($1, httpd_log_t, httpd_log_t)\n" - "+\tappend_files_pattern($1, httpd_log_t, httpd_log_t)\n" - "+\tread_files_pattern($1, httpd_log_t, httpd_log_t)\n" - "+\tread_lnk_files_pattern($1, httpd_log_t, httpd_log_t)\n" - "+\tlogging_log_filetrans($1, httpd_log_t, file)\n" - "+\n" - "+\t# SuExec\n" - "+\tallow $1 httpd_suexec_exec_t:file read_file_perms;\n" - "+\n" - "+\t# Read-only accesses to system contents\n" - "+\tallow $1 httpd_sys_content_t:dir list_dir_perms;\n" - "+\tread_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)\n" - "+\tread_lnk_files_pattern($1, 
httpd_sys_content_t, httpd_sys_content_t)\n" - "+\n" - "+\t# /proc\n" - "+\tallow $1 httpd_server_domains:dir list_dir_perms;\n" - "+\tkernel_read_kernel_sysctls($1)\n" - "+\tkernel_read_system_state($1)\n" - "+\n" - "+\t# allow to communicate via core-networks\n" - "+\tcorenet_all_recvfrom_unlabeled($1)\n" - "+\tcorenet_all_recvfrom_netlabel($1)\n" - "+\tcorenet_tcp_sendrecv_generic_if($1)\n" - "+\tcorenet_udp_sendrecv_generic_if($1)\n" - "+\tcorenet_tcp_sendrecv_generic_node($1)\n" - "+\tcorenet_udp_sendrecv_generic_node($1)\n" - "+\tcorenet_tcp_sendrecv_all_ports($1)\n" - "+\tcorenet_udp_sendrecv_all_ports($1)\n" - "+\tcorenet_sendrecv_http_server_packets($1)\n" - "+\tcorenet_tcp_connect_http_port($1)\n" - "+\n" - "+\t# device nodes\n" - "+\tdev_read_sysfs($1)\n" - "+\tdev_read_rand($1)\n" - "+\tdev_read_urand($1)\n" - "+\tdev_rw_crypto($1)\n" - "+\n" - "+\t# filesystems\n" - "+\tfs_getattr_all_fs($1)\n" - "+\tfs_search_auto_mountpoints($1)\n" - "+\n" - "+\t# misc permissions\n" - "+\tdomain_use_interactive_fds($1)\n" - "+\n" - "+\tfiles_read_usr_files($1)\n" - "+\tfiles_list_mnt($1)\n" - "+\tfiles_search_spool($1)\n" - "+\tfiles_read_var_lib_files($1)\n" - "+\tfiles_search_home($1)\n" - "+\tfiles_getattr_home_dir($1)\n" - "+\t# for modules that want to access /etc/mtab\n" - "+\tfiles_read_etc_runtime_files($1)\n" - "+\t# Allow httpd_t to have access to files such as nisswitch.conf\n" - "+\tfiles_read_etc_files($1)\n" - "+\n" - "+\tlibs_read_lib_files($1)\n" - "+\n" - "+\tlogging_send_syslog_msg($1)\n" - "+\n" - "+\tmiscfiles_read_localization($1)\n" - "+\tmiscfiles_read_fonts($1)\n" - "+\tmiscfiles_read_public_files($1)\n" - "+\tmiscfiles_read_certs($1)\n" - "+\n" - "+\tseutil_dontaudit_search_config($1)\n" - "+\n" - "+\tuserdom_use_unpriv_users_fds($1)\n" - "+')\n" - "+\n" - "+########################################\n" - "+## <summary>\n" - "+##\tAllos a domain to access UBAC types for web contents\n" - "+## </summary>\n" - "+## <param name=\"prefix\">\n" - 
"+##\t<summary>\n" - "+##\tThe prefix to be used for deriving type names.\n" - "+##\t</summary>\n" - "+## </param>\n" - "+## <param name=\"domain\">\n" - "+##\t<summary>\n" - "+##\tDomain allowed access.\n" - "+##\t</summary>\n" - "+## </param>\n" - "+#\n" - "+interface(`apache_user_webapp',`\n" - "+\tgen_require(`\n" - "+\t\ttype httpd_$1_content_t;\n" - "+\t\ttype httpd_$1_htaccess_t;\n" - "+\t\ttype httpd_$1_script_t;\n" - "+\t\ttype httpd_$1_script_exec_t;\n" - "+\t\ttype httpd_$1_script_ro_t;\n" - "+\t\ttype httpd_$1_script_rw_t;\n" - "+\t\ttype httpd_$1_script_ra_t;\n" - "+\t')\n" - "+\n" - "+\t# .htaccess files\n" - "+\tallow $2 httpd_$1_htaccess_t:file read_file_perms;\n" - "+\n" - "+\t# httpd_builtin_scripting controls them\n" - "+\tmanage_dirs_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)\n" - "+\tmanage_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)\n" - "+\tmanage_lnk_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)\n" - "+\trw_sock_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)\n" - "+\n" - "+\tallow $2 httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };\n" - "+\tread_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)\n" - "+\tappend_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)\n" - "+\tread_lnk_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)\n" - "+\n" - "+\tallow $2 httpd_$1_script_ro_t:dir list_dir_perms;\n" - "+\tread_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)\n" - "+\tread_lnk_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)\n" - "+\n" - "+\tallow $2 httpd_$1_content_t:dir list_dir_perms;\n" - "+\tread_files_pattern($2, httpd_$1_content_t, httpd_$1_content_t)\n" - "+\tread_lnk_files_pattern($2, httpd_$1_content_t, httpd_$1_content_t)\n" - "+\n" - "+\t# httpd_enable_cgi controls them\n" - "+\tdomtrans_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_t)\n" - "+')\n" - "+\n" - 
"+########################################\n" - "+## <summary>\n" - " ##\tRead httpd user scripts executables.\n" - " ## </summary>\n" - " ## <param name=\"domain\">" + "KaiGai Kohei <kaigai@ak.jp.nec.com>\n" + "-------------- next part --------------\n" + "A non-text attachment was scrubbed...\n" + "Name: refpolicy-webapp-interface.patch\n" + "Type: text/x-patch\n" + "Size: 6528 bytes\n" + "Desc: not available\n" + Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090508/a2a8c485/attachment-0001.bin -6c9cde53750b31ae4e71d71fbe063a04170ad407c69c747bbe2db1447bfb956c +2253c87d6e1bf4c9eb98457063acf62f0d7063a7d11f5697030884515566f051