commit: e249c7e2a3350238aae1badf4f07373e420ccdb0
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Apr 9 09:45:41 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr 11 09:48:53 2015 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e249c7e2
Introduce policy for uWSGI, written by me
policy/modules/contrib/uwsgi.fc | 9 +++
policy/modules/contrib/uwsgi.if | 138 ++++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/uwsgi.te | 88 +++++++++++++++++++++++++
3 files changed, 235 insertions(+)
diff --git a/policy/modules/contrib/uwsgi.fc b/policy/modules/contrib/uwsgi.fc
new file mode 100644
index 0000000..7d2210b
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.fc
@@ -0,0 +1,9 @@
+/etc/uwsgi.d(/.*)?
gen_context(system_u:object_r:uwsgi_conf_t,s0)
+
+/usr/bin/uwsgi.* --
gen_context(system_u:object_r:uwsgi_exec_t,s0)
+
+/var/log/uwsgi(/.*)?
gen_context(system_u:object_r:uwsgi_var_log_t,s0)
+/var/run/uwsgi(/.*)?
gen_context(system_u:object_r:uwsgi_run_t,s0)
+/var/www/wsgi/.*\.so --
gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
+/var/www/wsgi/.*/bin/.*
gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
+/var/www/wsgi(/.*)?
gen_context(system_u:object_r:uwsgi_content_t,s0)
diff --git a/policy/modules/contrib/uwsgi.if b/policy/modules/contrib/uwsgi.if
new file mode 100644
index 0000000..8513c7c
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.if
@@ -0,0 +1,138 @@
+## <summary>uWSGI server for Python web applications</summary>
+
+########################################
+## <summary>
+## Connect to uwsgi using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uwsgi_stream_connect',`
+ gen_require(`
+ type uwsgi_t, uwsgi_run_t;
+ ')
+
+ files_search_pids($1)
+ list_dirs_pattern($1, uwsgi_run_t, uwsgi_run_t)
+ stream_connect_pattern($1, uwsgi_run_t, uwsgi_run_t, uwsgi_t)
+')
+
+########################################
+## <summary>
+## Manage uwsgi content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uwsgi_manage_content',`
+ gen_require(`
+ type uwsgi_content_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, uwsgi_content_t, uwsgi_content_t)
+ manage_files_pattern($1, uwsgi_content_t, uwsgi_content_t)
+ manage_lnk_files_pattern($1, uwsgi_content_t, uwsgi_content_t)
+
+ manage_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)
+ manage_lnk_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)
+
+ optional_policy(`
+ apache_manage_sys_content($1)
+ ')
+')
+
+########################################
+## <summary>
+## Execute uwsgi in the uwsgi domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`uwsgi_domtrans',`
+ gen_require(`
+ type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, uwsgi_exec_t, uwsgi_t)
+ domtrans_pattern($1, uwsgi_content_exec_t, uwsgi_t)
+')
+
+########################################
+## <summary>
+## Execute uwsgi in the callers domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uwsgi_content_exec',`
+ gen_require(`
+ type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, uwsgi_content_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate a uWSGI environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`uwsgi_admin',`
+ gen_require(`
+ type uwsgi_t, uwsgi_exec_t, uwsgi_conf_t;
+ type uwsgi_run_t, uwsgi_var_log_t, uwsgi_tmp_t;
+ type uwsgi_content_t, uwsgi_content_exec_t;
+ ')
+
+ allow $1 uwsgi_t:process { ptrace signal_perms };
+ ps_process_pattern($1, uwsgi_t)
+
+ files_search_etc($1)
+ admin_pattern($1, { uwsgi_conf_t uwsgi_exec_t })
+
+ optional_policy(`
+ apache_manage_sys_content($1)
+ ')
+ admin_pattern($1, { uwsgi_content_t uwsgi_content_exec_t })
+
+ files_search_pids($1)
+ admin_pattern($1, { uwsgi_var_log_t })
+
+ files_search_pids($1)
+ admin_pattern($1, uwsgi_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, uwsgi_tmp_t)
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, uwsgi_exec_t, uwsgi_t)
+ can_exec($1, uwsgi_content_exec_t)
+')
diff --git a/policy/modules/contrib/uwsgi.te b/policy/modules/contrib/uwsgi.te
new file mode 100644
index 0000000..e177865
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.te
@@ -0,0 +1,88 @@
+policy_module(uwsgi, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type uwsgi_t;
+type uwsgi_exec_t;
+init_daemon_domain(uwsgi_t, uwsgi_exec_t)
+
+type uwsgi_conf_t;
+files_config_file(uwsgi_conf_t)
+
+type uwsgi_run_t;
+init_daemon_pid_file(uwsgi_run_t, dir, "uwsgi")
+
+type uwsgi_var_log_t;
+logging_log_file(uwsgi_var_log_t)
+
+type uwsgi_tmp_t;
+files_tmp_file(uwsgi_tmp_t)
+
+type uwsgi_content_t;
+files_type(uwsgi_content_t)
+
+type uwsgi_content_exec_t;
+files_type(uwsgi_content_exec_t)
+
+########################################
+#
+# uwsgi local policy
+#
+
+allow uwsgi_t self:fifo_file rw_fifo_file_perms;
+allow uwsgi_t self:process { signal sigchld };
+
+can_exec(uwsgi_t, uwsgi_exec_t)
+can_exec(uwsgi_t, uwsgi_tmp_t)
+can_exec(uwsgi_t, uwsgi_content_exec_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t)
+read_files_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+read_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+read_lnk_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+read_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+read_lnk_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+
+read_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t)
+append_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t)
+logging_log_filetrans(uwsgi_t, uwsgi_var_log_t, { file dir })
+logging_search_logs(uwsgi_t)
+
+manage_dirs_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+manage_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+manage_sock_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+
+manage_dirs_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)
+manage_files_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)
+files_tmp_filetrans(uwsgi_t, uwsgi_tmp_t, { file dir })
+
+files_read_usr_files(uwsgi_t)
+
+auth_use_nsswitch(uwsgi_t)
+
+corecmd_exec_bin(uwsgi_t)
+corecmd_exec_shell(uwsgi_t)
+
+kernel_read_system_state(uwsgi_t)
+
+miscfiles_read_localization(uwsgi_t)
+
+optional_policy(`
+ apache_search_sys_content(uwsgi_t)
+ apache_manage_all_rw_content(uwsgi_t)
+')
+
+optional_policy(`
+ cron_system_entry(uwsgi_t, uwsgi_content_exec_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(uwsgi_t)
+')
