From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH/RFC 1/1] Supporting read/append/manage functions for the various httpd_*_(ra_|rw_|)content
Date: Wed, 4 Jan 2012 07:13:54 -0500 [thread overview]
Message-ID: <4F044282.4000304@tresys.com> (raw)
In-Reply-To: <20111231122945.GA11176@siphos.be>
On 12/31/11 07:29, Sven Vermeulen wrote:
> Within the apache module, the apache_content_template() allows creation of
> additional derived types for "apache web content". But it is actually being
> used to label generic web content, and it creates additional types based on
> the prefix.
>
> The most used and well known one is the "sys" derived type (through
> apache_content_template(sys) within apache.te), which creates the types
> httpd_sys_content_t (attribute httpdcontent)
> httpd_sys_ra_content_t (attribute httpdcontent)
> httpd_sys_rw_content_t (attribute httpdcontent)
>
> When we want to support additional web servers (or parsers used by web
> servers) that do not run within the apache-provided domains, they have a
> hard time accessing the data. There is currently one interface available,
> called "apache_manage_all_content" but that's a lot of privileges for a
> parser that needs to read content.
>
> In the below patch, I suggest to "tag" the created additional types with the
> following attributes:
> httpd_ra_content for the appendable content
> httpd_rw_content for the read/write content
>
> In other words, the previously mentioned types become:
> httpd_sys_content_t (attribute httpdcontent)
> httpd_sys_ra_content (attribute httpdcontent, attribute httpd_ra_content)
> httpd_sys_rw_content (attribute httpdcontent, attribute httpd_rw_content)
>
> Then the following interfaces are also supported so that other domains can
> benefit from using these types:
> apache_read_all_ra_content (reads httpd_ra_content)
> apache_append_all_ra_content (appends to httpd_ra_content)
> apache_read_all_rw_content (reads httpd_rw_content)
> apache_manage_all_rw_content (manage httpd_rw_content)
> apache_read_all_content (reads httpdcontent)
>
> With these interfaces, we can then have additional web server domains to
> access the files. Generally, this would mean (I use phpfpm_t as an example
> here):
> apache_append_all_ra_content(phpfpm_t)
> apache_manage_all_rw_content(phpfpm_t)
> apache_read_all_content(phpfpm_t)
>
> So, what's your take on this?
Generally I'm ok with this, but there are issues in the patch.
> --- refpolicy/policy/modules/services/apache.te 2011-07-26 14:10:40.000000000 +0200
> +++ refpolicy/policy/modules/services/apache.te 2011-12-31 13:07:31.499729456 +0100
> @@ -143,6 +143,8 @@
> gen_tunable(httpd_use_nfs, false)
>
> attribute httpdcontent;
> +attribute httpd_ra_content;
> +attribute httpd_rw_content;
> attribute httpd_user_content_type;
>
> # domains that can exec all users scripts
> --- refpolicy/policy/modules/services/apache.if 2011-03-28 17:05:13.000000000 +0200
> +++ refpolicy/policy/modules/services/apache.if 2011-12-31 13:18:04.040730813 +0100
> @@ -41,11 +41,11 @@
> corecmd_shell_entry_type(httpd_$1_script_t)
> domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
>
> - type httpd_$1_rw_content_t, httpdcontent; # customizable
> + type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable
> typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
> files_type(httpd_$1_rw_content_t)
>
> - type httpd_$1_ra_content_t, httpdcontent; # customizable
> + type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable
> typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
> files_type(httpd_$1_ra_content_t)
>
> @@ -447,6 +447,112 @@
> ')
>
> ########################################
> +## <summary>
> +## Read all appendable content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`apache_read_all_ra_content',`
> + gen_require(`
> + attribute httpd_ra_content;
> + ')
> +
> + read_files_pattern($1, httpd_ra_content, httpd_ra_content)
> + read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
> +')
> +
> +########################################
> +## <summary>
> +## Append to all appendable web content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`apache_append_all_ra_content',`
> + gen_require(`
> + attribute httpd_ra_content;
> + ')
> +
> + allow $1 httpd_ra_content:dir { list_dir_perms add_entry_dir_perms };
> + read_files_pattern($1, httpd_ra_content, httpd_ra_content)
> + append_files_pattern($1, httpd_ra_content, httpd_ra_content)
> + read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
> +')
There should be no read files perms here.
> +########################################
> +## <summary>
> +## Read all read/write content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`apache_read_all_rw_content',`
> + gen_require(`
> + attribute httpd_rw_content;
> + ')
> +
> + read_files_pattern($1, httpd_rw_content, httpd_rw_content)
> + read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
> +')
> +
> +########################################
> +## <summary>
> +## Manage all read/write content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`apache_manage_all_rw_content',`
> + gen_require(`
> + attribute httpd_rw_content;
> + ')
> +
> + manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
> + manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
> + manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
> +')
Also seems to have excessive perms.
> +########################################
> +## <summary>
> +## Read all web content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`apache_read_all_content',`
> + gen_require(`
> + attribute httpdcontent, httpd_script_exec_type;
> + ')
> +
> + read_files_pattern($1, httpdcontent, httpdcontent)
> + read_lnk_files_pattern($1, httpdcontent, httpdcontent)
> +
> + read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
> + read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
> +')
> +
Doesn't seem appropriate to include the script type here.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
next prev parent reply other threads:[~2012-01-04 12:13 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-12-31 12:29 [refpolicy] [PATCH/RFC 1/1] Supporting read/append/manage functions for the various httpd_*_(ra_|rw_|)content Sven Vermeulen
2012-01-04 12:13 ` Christopher J. PeBenito [this message]
2012-01-05 19:40 ` Sven Vermeulen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F044282.4000304@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.