From c2b18fa1f3e489a3fae2a7d453a229a7f2293bb3 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 12 Oct 2005 16:23:22 +0000
Subject: [PATCH] more apache work
---
 refpolicy/policy/modules/kernel/devices.if | 17 ++++
 refpolicy/policy/modules/services/apache.if | 91 +++++++++++++++++--
 refpolicy/policy/modules/services/apache.te | 49 +++-------
 refpolicy/policy/modules/system/userdomain.te | 6 ++
 4 files changed, 119 insertions(+), 44 deletions(-)
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 2b57edab1..f43158ea8 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -938,6 +938,23 @@ interface(`dev_rw_cpu_microcode',`
 allow $1 cpu_device_t:chr_file rw_file_perms;
 ')
 
+########################################
+##
+## Read and write the the hardware SSL accelerator.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_rw_crypto',`
+ gen_require(`
+ type device_t, crypt_device_t;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 crypt_device_t:chr_file rw_file_perms;
+')
+
 ########################################
 ##
 ## Getattr the agp devices.
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 4f41c3e8f..155c9a34f 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -302,9 +302,6 @@ template(`apache_per_userdomain_template', `
 interface(`apache_domtrans',`
 gen_require(`
 type httpd_t, httpd_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 
 corecmd_search_sbin($1)
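Review bot: The new `dev_rw_crypto` interface grants `device_t:dir r_dir_perms` in addition to the `crypt_device_t:chr_file` access, which is wider than the direct `allow httpd_t crypt_device_t:chr_file rw_file_perms;` rule it replaces in the apache.te hunk at `@@ -371,40 +383,23 @@`; if callers only need to reach the device node, `search` on `device_t:dir` is the least-privilege choice — confirm whether listing the device directory is actually required. The summary also has a doubled word and names an SSL accelerator while the type is `crypt_device_t`; suggested: `## Read and write the hardware crypto (SSL accelerator) device.`.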
@@ -386,20 +383,51 @@ interface(`apache_read_config',`
 
 ########################################
 ##
-## Allow the specified domain to list
-## the contents of the apache modules
-## directory.
+## Execute the Apache helper program with
+## a domain transition.
 ##
 ##
 ## Domain allowed access.
 ##
 #
-interface(`apache_list_modules',`
+interface(`apache_domtrans_helper',`
 gen_require(`
- type httpd_modules_t;
+ type httpd_helper_t, httpd_helper_exec_t;
 ')
 
- allow $1 httpd_modules_t:dir r_dir_perms;
+ corecmd_search_sbin($1)
+ domain_auto_trans($1,httpd_helper_exec_t,httpd_helper_t)
+
+ allow $1 httpd_helper_t:fd use;
+ allow httpd_helper_t $1:fd use;
+ allow httpd_helper_t $1:fifo_file rw_file_perms;
+ allow httpd_helper_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute the Apache helper program with
+## a domain transition, and allow the
+## specified role the dmidecode domain.
+##
+##
+## Domain allowed access.
+##
+##
+## The role to be allowed the dmidecode domain.
+##
+##
+## The type of the terminal allow the dmidecode domain to use.
+##
+#
+interface(`apache_run_helper',`
+ gen_require(`
+ type httpd_helper_t;
+ ')
+
+ apache_domtrans_helper($1)
+ role $2 types httpd_helper_t;
+ allow httpd_helper_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
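Review bot: The doc block for `apache_run_helper` says "the dmidecode domain" three times, which looks copied from another interface; the summary, role and terminal parameter descriptions should name the Apache helper domain, e.g. `## The role to be allowed the Apache helper domain.` and `## The type of the terminal allow the Apache helper domain to use.`. Since `role $2 types httpd_helper_t;` plus `chr_file rw_term_perms` on `$3` is what turns this into a "run" interface, the summary should state that the helper runs as `httpd_helper_t` under the caller's role, so reviewers of call sites (the userdomain.te hunk passes `sysadm_r`) can see what is granted. Minor style: `domain_auto_trans($1,httpd_helper_exec_t,httpd_helper_t)` has no spaces after the commas, while the `apache_domtrans_sys_script` hunk writes `domain_auto_trans($1, httpdcontent, httpd_sys_script_t)`.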
@@ -418,3 +446,48 @@ interface(`apache_dontaudit_append_log',`
 dontaudit $1 httpd_log_t:file append;
 ')
 
+
+########################################
+##
+## Allow the specified domain to list
+## the contents of the apache modules
+## directory.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`apache_list_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ allow $1 httpd_modules_t:dir r_dir_perms;
+')
+
+########################################
+##
+## Execute all web scripts in the system
+## script domain.
+##
+##
+## Domain allowed access.
+##
+#
+# cjp: this interface specifically added to allow
+# sysadm_t to run scripts
+interface(`apache_domtrans_sys_script',`
+ gen_require(`
+ attribute httpdcontent;
+ type httpd_sys_script_t;
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ domain_auto_trans($1, httpdcontent, httpd_sys_script_t)
+
+ allow $1 httpd_sys_script_t:fd use;
+ allow httpd_sys_script_t $1:fd use;
+ allow httpd_sys_script_t $1:fifo_file rw_file_perms;
+ allow httpd_sys_script_t $1:process sigchld;
+ ')
+')
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index e96d8c9a5..0e4c00738 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -77,6 +77,9 @@ domain_entry_file(httpd_suexec_t,httpd_suexec_exec_t)
 type httpd_suexec_tmp_t;
 files_tmp_file(httpd_suexec_tmp_t)
 
+# setup the system domain for system CGI scripts
+apache_content_template(sys)
+
 type httpd_tmp_t;
 files_tmp_file(httpd_tmp_t)
 
@@ -110,6 +113,11 @@ ifdef(`distro_redhat',`
 typealias httpd_log_t alias httpd_runtime_t;
 ')
 
+ifdef(`targeted_policy',`
+ typealias httpd_sys_content_t alias httpd_user_content_t;
+ typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
+')
+
 ########################################
 #
 # Apache server local policy
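Review bot: `apache_domtrans_sys_script` drops the `ifdef(`targeted_policy', `', `...')` guard that wrapped the same `domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)` rule removed in the apache.te hunk at `@@ -416,15 +411,6 @@`, so whether targeted policy keeps excluding that transition now depends on each call site; either restore the guard inside the interface or say in its doc block that callers must apply it. The summary also omits that the grant is conditional; suggested: `## Execute all web scripts in the system script domain. Only takes effect when both httpd_enable_cgi and httpd_unified are enabled.`. Because the entry point is the whole `httpdcontent` attribute rather than one exec type, every type carrying that attribute becomes an entry into `httpd_sys_script_t` for the caller — which types those are is not visible here, so callers should stay limited to administrative domains as the `# cjp` comment intends.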
@@ -154,6 +162,9 @@ files_create_lock(httpd_t,httpd_lock_t)
 allow httpd_t httpd_log_t:dir { setattr rw_dir_perms };
 allow httpd_t httpd_log_t:file { create ra_file_perms };
 allow httpd_t httpd_log_t:lnk_file read;
+# cjp: need to refine create interfaces to
+# cut this back to add_name only
+logging_create_log(httpd_t,httpd_log_t)
 
 allow httpd_t httpd_modules_t:file rx_file_perms;
 allow httpd_t httpd_modules_t:dir r_dir_perms;
@@ -208,6 +219,7 @@ corenet_tcp_bind_http_cache_port(httpd_t)
 dev_read_sysfs(httpd_t)
 dev_read_rand(httpd_t)
 dev_read_urand(httpd_t)
+dev_rw_crypto(httpd_t)
 
 fs_getattr_all_fs(httpd_t)
 fs_search_auto_mountpoints(httpd_t)
@@ -371,40 +383,23 @@ optional_policy(`rhgb.te',`
 rhgb_domain(httpd_t)
 ')
 
-allow httpd_t var_log_t:dir ra_dir_perms;
-type_transition httpd_t var_log_t:file httpd_log_t;
-
 can_tcp_connect(web_client_domain, httpd_t)
 
-allow httpd_t crypt_device_t:chr_file rw_file_perms;
-
 allow httpd_t home_root_t:dir getattr;
-
 dontaudit httpd_t sysadm_home_dir_t:dir getattr;
+allow httpd_sys_script_t var_spool_t:dir getattr;
 
 optional_policy(`mysql.te',`
 allow httpd_t mysqld_db_t:dir search;
 allow httpd_t mysqld_db_t:sock_file rw_file_perms;
 ')
 
-ifdef(`snmpd.te', `
- dontaudit httpd_t snmpd_var_lib_t:dir search;
- dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
-', `
- dontaudit httpd_t usr_t:dir write;
-')
-
-allow httpd_sys_script_t var_spool_t:dir getattr;
-
 optional_policy(`mysql.te',`
 allow httpd_sys_script_t mysqld_db_t:dir search;
 allow httpd_sys_script_t mysqld_db_t:sock_file rw_file_perms;
 ')
 
-ifdef(`targeted_policy', `
- typealias httpd_sys_content_t alias httpd_user_content_t;
- typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
-
+ifdef(`targeted_policy',`
 if (httpd_enable_homedirs) {
 allow httpd_t user_home_dir_t:dir { getattr search };
 }
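Review bot: `logging_create_log(httpd_t,httpd_log_t)` replaces the removed `allow httpd_t var_log_t:dir ra_dir_perms;` and its `type_transition` (hunk `@@ -371,40 +383,23 @@`), and the `# cjp:` comment above it acknowledges the interface grants more on the log directory than the `add_name` the server needs; what it actually allows is not visible in this diff, so the widening should be a tracked item rather than a passing remark, e.g. `# TODO(cjp): logging_create_log() grants more than add_name on var_log_t; narrow the create interfaces`. The `@@ -371` hunk also drops `dontaudit httpd_t usr_t:dir write;` with no replacement, so those denials will now be audited — fine for visibility, but worth a line in the commit message since it is not an Apache-helper change.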
@@ -416,15 +411,6 @@ ifdef(`targeted_policy', `
 }
 ')
 
-# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
-typealias httpd_sys_content_t alias httpd_sysadm_content_t;
-
-tunable_policy(`httpd_enable_cgi && httpd_unified',`
- ifdef(`targeted_policy', `', `
- domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
- ')
-')
-
 optional_policy(`mta.te',`
 # apache should set close-on-exec
 dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
@@ -452,10 +438,6 @@ allow httpd_helper_t httpd_log_t:file append;
 libs_use_ld_so(httpd_helper_t)
 libs_use_shared_libs(httpd_helper_t)
 
-# a "run" interface needs to be
-# added, and have sysadm_t use it
-# in a optional_policy block. for httpd_helper_t
-
 ########################################
 #
 # Apache PHP script local policy
@@ -612,9 +594,6 @@ optional_policy(`nis.te',`
 # Apache system script local policy
 #
 
-# setup the system domain for system CGI scripts
-apache_content_template(sys)
-
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 2e42d4f6f..cc80db1ce 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -120,6 +120,12 @@ ifdef(`targeted_policy',`
 domain_ptrace_all_domains(sysadm_t)
 ')
 
+ optional_policy(`apache.te',`
+ apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
+ # cjp: why is this not run
+ #apache_domtrans_sys_script(sysadm_t)
+ ')
+
 optional_policy(`apm.te',`
 # cjp: why is this not apm_run_client
 apm_domtrans_client(sysadm_t)
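Review bot: The new userdomain.te block calls `apache_run_helper(sysadm_t,sysadm_r,admin_terminal)` but leaves `#apache_domtrans_sys_script(sysadm_t)` commented out under `# cjp: why is this not run`, while the apache.te hunk at `@@ -416,15 +411,6 @@` removes the only other place the `sysadm_t` to `httpd_sys_script_t` transition was granted; the net effect is that sysadm_t can no longer enter the system script domain, a tightening that the commit message does not mention and that should either be made deliberate (drop the commented call) or finished (uncomment it). The same apache.te hunk removes `typealias httpd_sys_content_t alias httpd_sysadm_content_t;`, whose own comment says it is needed for file context, yet no .fc file appears in the diffstat — confirm nothing in apache.fc still references `httpd_sysadm_content_t`, or the module will fail to build. Whether the added `optional_policy(`apache.te',`` block sits inside the `ifdef(`targeted_policy',`` named in the hunk header or after its closing `')` cannot be told from the single-level indent shown here.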