commit:     a59bba5a73324e8d769dd47bb44353784a27f416
Author:     Chris PeBenito <Christopher.PeBenito <AT> microsoft <DOT> com>
AuthorDate: Tue May 28 14:02:31 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 13 06:43:14 2019 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a59bba5a

apache: Web content rules simplification.

Signed-off-by: Chris PeBenito <Christopher.PeBenito <AT> microsoft.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/apache.fc |  3 ++-
 policy/modules/services/apache.if | 24 ++----------------------
 policy/modules/services/apache.te | 27 +++++++++++++++++++++++++++
 3 files changed, 31 insertions(+), 23 deletions(-)

diff --git a/policy/modules/services/apache.fc 
b/policy/modules/services/apache.fc
index f3202453..36bff004 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -179,7 +179,8 @@ ifdef(`distro_suse',`
 /var/spool/viewvc(/.*)?                                                
gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
 
 /var/www(/.*)?                                                 
gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www(/.*)?/logs(/.*)?                                      
gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www(/.*)?/logs                                    -d      
gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www(/.*)?/logs/.*                                         
gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
 /var/www(/.*)?/roundcubemail/logs(/.*)?                                
gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www(/.*)?/roundcubemail/temp(/.*)?                                
gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www/[^/]*/cgi-bin(/.*)?                                   
gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
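Review bot: Splitting `/var/www(/.*)?/logs(/.*)?` into a `-d` entry and a `/logs/.*` entry means a non-directory object named `logs` (a regular file or a symlink) no longer matches the httpd_sys_ra_content_t entries and falls back to the generic `/var/www(/.*)?` httpd_sys_content_t line above it. If that narrowing is intended it is worth a line in the commit message, which currently only describes the rule simplification; if it is not, the original combined form covered both cases. The `roundcubemail/logs(/.*)?` context line that follows still uses the combined form, so the two styles now sit next to each other in the same file.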

diff --git a/policy/modules/services/apache.if 
b/policy/modules/services/apache.if
index 94878d66..2934337b 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -15,7 +15,7 @@ template(`apache_content_template',`
        gen_require(`
                attribute httpdcontent, httpd_exec_scripts, 
httpd_script_exec_type;
                attribute httpd_script_domains, httpd_htaccess_type;
-               attribute httpd_rw_content, httpd_ra_content;
+               attribute httpd_ro_content, httpd_rw_content, httpd_ra_content;
                type httpd_t, httpd_suexec_t;
        ')
 
@@ -34,7 +34,7 @@ template(`apache_content_template',`
        ## </desc>
        gen_tunable(allow_httpd_$1_script_anon_write, false)
 
-       type httpd_$1_content_t, httpdcontent; # customizable
+       type httpd_$1_content_t, httpdcontent, httpd_ro_content; # customizable
        typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
        files_type(httpd_$1_content_t)
 
@@ -79,30 +79,10 @@ template(`apache_content_template',`
        manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, 
httpd_$1_rw_content_t)
        files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir 
file lnk_file sock_file fifo_file })
 
-       allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms;
-       allow { httpd_t httpd_suexec_t } { httpd_$1_content_t 
httpd_$1_htaccess_t }:file read_file_perms;
-       allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file 
read_lnk_file_perms;
-
        tunable_policy(`allow_httpd_$1_script_anon_write',`
                miscfiles_manage_public_files(httpd_$1_script_t)
        ')
 
-       tunable_policy(`httpd_builtin_scripting',`
-               manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, 
httpd_$1_rw_content_t)
-               manage_files_pattern(httpd_t, httpd_$1_rw_content_t, 
httpd_$1_rw_content_t)
-               manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, 
httpd_$1_rw_content_t)
-               manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, 
httpd_$1_rw_content_t)
-               manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, 
httpd_$1_rw_content_t)
-
-               allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms 
add_entry_dir_perms setattr_dir_perms };
-               allow httpd_t httpd_$1_ra_content_t:file { append_file_perms 
read_file_perms create_file_perms setattr_file_perms };
-               allow httpd_t httpd_$1_ra_content_t:lnk_file 
read_lnk_file_perms;
-       ')
-
-       tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
-               can_exec(httpd_t, httpd_$1_rw_content_t)
-       ')
-
        tunable_policy(`httpd_enable_cgi',`
                allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
                domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, 
httpd_$1_script_exec_t, httpd_$1_script_t)
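Review bot: After this hunk the template grants httpd_t and httpd_suexec_t nothing on the content types it declares, so the equivalence with the removed rules depends on apache.te rules keyed on the httpd_ro_content, httpd_rw_content and httpd_ra_content attributes, and on the per-type declarations actually carrying them. The `type httpd_$1_content_t` line in the earlier hunk now carries httpd_ro_content, but the httpd_$1_rw_content_t and httpd_$1_ra_content_t declarations lie outside this hunk, so confirm they carry httpd_rw_content and httpd_ra_content respectively, otherwise the tunable-gated write and append access removed here is silently lost. A reader of the template sees no reader rules at all now, so a comment on the declaration such as `# httpd_t/httpd_suexec_t read access comes from the httpd_ro_content rules in apache.te` would save the next maintainer a search. The template body continues beyond the end of the hunk.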

diff --git a/policy/modules/services/apache.te 
b/policy/modules/services/apache.te
index ee95b305..e87a74ac 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -258,6 +258,7 @@ attribute httpd_htaccess_type;
 attribute httpd_exec_scripts;
 
 attribute httpd_ra_content;
+attribute httpd_ro_content;
 attribute httpd_rw_content;
 
 attribute httpd_script_exec_type;
@@ -400,6 +401,12 @@ allow httpd_t httpd_config_t:dir list_dir_perms;
 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
 read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
 
+allow httpd_t httpd_htaccess_type:file read_file_perms;
+
+allow httpd_t httpd_ro_content:dir list_dir_perms;
+allow httpd_t httpd_ro_content:file read_file_perms;
+allow httpd_t httpd_ro_content:lnk_file read_lnk_file_perms;
+
 allow httpd_t httpd_keytab_t:file read_file_perms;
 
 allow httpd_t httpd_lock_t:dir manage_dir_perms;
@@ -597,6 +604,20 @@ tunable_policy(`httpd_builtin_scripting',`
        allow httpd_t httpdcontent:dir list_dir_perms;
        allow httpd_t httpdcontent:file read_file_perms;
        allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
+
+       allow httpd_t httpd_ra_content:dir { list_dir_perms add_entry_dir_perms 
setattr_dir_perms };
+       allow httpd_t httpd_ra_content:file { append_file_perms read_file_perms 
create_file_perms setattr_file_perms };
+       allow httpd_t httpd_ra_content:lnk_file read_lnk_file_perms;
+
+       manage_dirs_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+       manage_files_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+       manage_fifo_files_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+       manage_lnk_files_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+       manage_sock_files_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+')
+
+tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
+       can_exec(httpd_t, httpd_rw_content)
 ')
 
 tunable_policy(`httpd_enable_cgi',`
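Review bot: The new `can_exec(httpd_t, httpd_rw_content)` block lets httpd_t execute any file labelled with the web-writable content attribute, which is the write-then-execute case the `httpd_tmp_exec` tunable gates; a one-line comment above the block, e.g. `# execute web-writable content; kept behind httpd_tmp_exec because writable+executable content is an injection risk`, would make the reason for the separate tunable visible at the rule. The earlier `allow httpd_t httpdcontent:...` read rules at the top of the block presumably already cover the rw and ra types if they also carry httpdcontent, so the new httpd_ra_content read rule may be redundant rather than wrong — worth confirming against the type declarations in apache.if. The enclosing `httpd_builtin_scripting` tunable block starts before this hunk.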
@@ -945,6 +966,12 @@ allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
 allow httpd_suexec_t self:tcp_socket { accept listen };
 allow httpd_suexec_t self:unix_stream_socket { accept listen };
 
+allow httpd_suexec_t httpd_htaccess_type:file read_file_perms;
+
+allow httpd_suexec_t httpd_ro_content:dir list_dir_perms;
+allow httpd_suexec_t httpd_ro_content:file read_file_perms;
+allow httpd_suexec_t httpd_ro_content:lnk_file read_lnk_file_perms;
+
 create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
