Merge pull request #56 from pebenito/apache-simplify

policy/modules/services/apache.fc

@@ -179,7 +179,8 @@ ifdef(`distro_suse',`
 /var/spool/viewvc(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
 
 /var/www(/.*)?							gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www(/.*)?/logs(/.*)?					gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www(/.*)?/logs					-d	gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www(/.*)?/logs/.*						gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
 /var/www(/.*)?/roundcubemail/logs(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www(/.*)?/roundcubemail/temp(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www/[^/]*/cgi-bin(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)

policy/modules/services/apache.if

@@ -15,7 +15,7 @@ template(`apache_content_template',`
 	gen_require(`
 		attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
 		attribute httpd_script_domains, httpd_htaccess_type;
-		attribute httpd_rw_content, httpd_ra_content;
+		attribute httpd_ro_content, httpd_rw_content, httpd_ra_content;
 		type httpd_t, httpd_suexec_t;
 	')
 
@@ -34,7 +34,7 @@ template(`apache_content_template',`
 	## </desc>
 	gen_tunable(allow_httpd_$1_script_anon_write, false)
 
-	type httpd_$1_content_t, httpdcontent; # customizable
+	type httpd_$1_content_t, httpdcontent, httpd_ro_content; # customizable
 	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
 	files_type(httpd_$1_content_t)
 
@@ -79,30 +79,10 @@ template(`apache_content_template',`
 	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
 
-	allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms;
-	allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms;
-	allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms;
-
 	tunable_policy(`allow_httpd_$1_script_anon_write',`
 		miscfiles_manage_public_files(httpd_$1_script_t)
 	')
 
-	tunable_policy(`httpd_builtin_scripting',`
-		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-
-		allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
-		allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
-		allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
-	')
-
-	tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
-		can_exec(httpd_t, httpd_$1_rw_content_t)
-	')
-
 	tunable_policy(`httpd_enable_cgi',`
 		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
 		domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t)

policy/modules/services/apache.te

@@ -258,6 +258,7 @@ attribute httpd_htaccess_type;
 attribute httpd_exec_scripts;
 
 attribute httpd_ra_content;
+attribute httpd_ro_content;
 attribute httpd_rw_content;
 
 attribute httpd_script_exec_type;
@@ -400,6 +401,12 @@ allow httpd_t httpd_config_t:dir list_dir_perms;
 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
 read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
 
+allow httpd_t httpd_htaccess_type:file read_file_perms;
+
+allow httpd_t httpd_ro_content:dir list_dir_perms;
+allow httpd_t httpd_ro_content:file read_file_perms;
+allow httpd_t httpd_ro_content:lnk_file read_lnk_file_perms;
+
 allow httpd_t httpd_keytab_t:file read_file_perms;
 
 allow httpd_t httpd_lock_t:dir manage_dir_perms;
@@ -597,6 +604,20 @@ tunable_policy(`httpd_builtin_scripting',`
 	allow httpd_t httpdcontent:dir list_dir_perms;
 	allow httpd_t httpdcontent:file read_file_perms;
 	allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
+
+	allow httpd_t httpd_ra_content:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
+	allow httpd_t httpd_ra_content:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
+	allow httpd_t httpd_ra_content:lnk_file read_lnk_file_perms;
+
+	manage_dirs_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+	manage_files_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+	manage_fifo_files_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+	manage_lnk_files_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+	manage_sock_files_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+')
+
+tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
+	can_exec(httpd_t, httpd_rw_content)
 ')
 
 tunable_policy(`httpd_enable_cgi',`
@@ -945,6 +966,12 @@ allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
 allow httpd_suexec_t self:tcp_socket { accept listen };
 allow httpd_suexec_t self:unix_stream_socket { accept listen };
 
+allow httpd_suexec_t httpd_htaccess_type:file read_file_perms;
+
+allow httpd_suexec_t httpd_ro_content:dir list_dir_perms;
+allow httpd_suexec_t httpd_ro_content:file read_file_perms;
+allow httpd_suexec_t httpd_ro_content:lnk_file read_lnk_file_perms;
+
 create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)