From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 2/3] Support read/append/manage functions for various httpd content
Date: Fri, 4 Apr 2014 16:26:49 -0400 [thread overview]
Message-ID: <533F1589.1070801@tresys.com> (raw)
In-Reply-To: <1396188552-16007-3-git-send-email-sven.vermeulen@siphos.be>
On 03/30/2014 10:09 AM, Sven Vermeulen wrote:
> We make the web content types as defined by the apache module more
> generic in use so that other domains, who need to interact with these
> types, can do so without getting too many privileges assigned (like with
> apache_manage_all_content).
>
> Within the apache module, the apache_content_template() allows creation
> of additional derived types for "apache web content". But this is
> actually being used to label generic web content, and it creates
> additional types based on the prefix.
>
> When we want to support additional web servers (or parsers used by web
> servers, such as php-fpm) that do not run within the apache-provided
> domains, they have a hard time accessing the data. There is currently
> one interface available (apache_manage_all_content) but that is a lot of
> privileges for a parser that possibly just needs to read content.
>
> In this patch, we create additional attributes (httpd_ra_content for
> read/append data, and httpd_rw_content for read/write content) and
> define interfaces to manage the types that have these attributes
> assigned.
>
> This is the result of the discussion of June 2012, which was version 3
> of the patchset (I never came to finish up the commit), see also
> http://oss.tresys.com/pipermail/refpolicy/2012-June/005175.html
Merged.
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> apache.if | 120 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
> apache.te | 3 ++
> 2 files changed, 121 insertions(+), 2 deletions(-)
>
> diff --git a/apache.if b/apache.if
> index f6eb485..717c6f7 100644
> --- a/apache.if
> +++ b/apache.if
> @@ -15,6 +15,7 @@ template(`apache_content_template',`
> gen_require(`
> attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
> attribute httpd_script_domains, httpd_htaccess_type;
> + attribute httpd_rw_content, httpd_ra_content;
> type httpd_t, httpd_suexec_t;
> ')
>
> @@ -48,11 +49,11 @@ template(`apache_content_template',`
> corecmd_shell_entry_type(httpd_$1_script_t)
> domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
>
> - type httpd_$1_rw_content_t, httpdcontent; # customizable
> + type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable
> typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
> files_type(httpd_$1_rw_content_t)
>
> - type httpd_$1_ra_content_t, httpdcontent; # customizable
> + type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable
> typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
> files_type(httpd_$1_ra_content_t)
>
> @@ -391,6 +392,121 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
>
> ########################################
> ## <summary>
> +## Read all appendable content
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`apache_read_all_ra_content',`
> + gen_require(`
> + attribute httpd_ra_content;
> + ')
> +
> + read_files_pattern($1, httpd_ra_content, httpd_ra_content)
> + read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
> +')
> +
> +########################################
> +## <summary>
> +## Append to all appendable web content
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`apache_append_all_ra_content',`
> + gen_require(`
> + attribute httpd_ra_content;
> + ')
> +
> + append_files_pattern($1, httpd_ra_content, httpd_ra_content)
> +')
> +
> +########################################
> +## <summary>
> +## Read all read/write content
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`apache_read_all_rw_content',`
> + gen_require(`
> + attribute httpd_rw_content;
> + ')
> +
> + read_files_pattern($1, httpd_rw_content, httpd_rw_content)
> + read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
> +')
> +
> +########################################
> +## <summary>
> +## Manage all read/write content
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`apache_manage_all_rw_content',`
> + gen_require(`
> + attribute httpd_rw_content;
> + ')
> +
> + manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
> + manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
> + manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
> +')
> +########################################
> +## <summary>
> +## Read all web content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`apache_read_all_content',`
> + gen_require(`
> + attribute httpdcontent, httpd_script_exec_type;
> + ')
> +
> + read_files_pattern($1, httpdcontent, httpdcontent)
> + read_lnk_files_pattern($1, httpdcontent, httpdcontent)
> +
> + read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
> + read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
> +')
> +
> +#######################################
> +## <summary>
> +## Search all apache content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`apache_search_all_content',`
> + gen_require(`
> + attribute httpdcontent;
> + ')
> +
> + allow $1 httpdcontent:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Create, read, write, and delete
> ## all httpd content.
> ## </summary>
> diff --git a/apache.te b/apache.te
> index a9322c3..3645d88 100644
> --- a/apache.te
> +++ b/apache.te
> @@ -257,6 +257,9 @@ attribute httpd_htaccess_type;
> # domains that can exec all scripts
> attribute httpd_exec_scripts;
>
> +attribute httpd_ra_content;
> +attribute httpd_rw_content;
> +
> attribute httpd_script_exec_type;
>
> # all script domains
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
next prev parent reply other threads:[~2014-04-04 20:26 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-30 14:09 [refpolicy] [PATCH 0/3] Gentoo patch upstreaming Sven Vermeulen
2014-03-30 14:09 ` [refpolicy] [PATCH 1/3] Introduce alsa domains Sven Vermeulen
2014-04-04 20:22 ` Christopher J. PeBenito
2014-04-06 9:45 ` Sven Vermeulen
2014-03-30 14:09 ` [refpolicy] [PATCH 2/3] Support read/append/manage functions for various httpd content Sven Vermeulen
2014-04-04 20:26 ` Christopher J. PeBenito [this message]
2014-03-30 14:09 ` [refpolicy] [PATCH 3/3] dnsmasq reads MTU sysctl Sven Vermeulen
2014-04-04 20:19 ` Christopher J. PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=533F1589.1070801@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.