commit: 436f8b0513fceb428333b459874156aa93b02dc0 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Thu Nov 1 21:32:39 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Thu Nov 1 21:32:39 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=436f8b05 |
|
Reshuffle gentoo specific apache changes |
|
--- |
policy/modules/contrib/apache.if | 263 ++++++++++++++++++++------------------ |
policy/modules/contrib/apache.te | 7 +- |
2 files changed, 141 insertions(+), 129 deletions(-) |
|
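diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index 81e541e..e89080d 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -15,9 +15,7 @@ template(`apache_content_template',`
 gen_require(`
 attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
 attribute httpd_script_domains, httpd_htaccess_type;
- attribute httpd_rw_content;
- attribute httpd_ra_content;
- type httpd_t, httpd_suexec_t, httpd_log_t;
+ type httpd_t, httpd_suexec_t;
 ')
 
 ########################################
@@ -50,11 +48,11 @@ template(`apache_content_template',`
 corecmd_shell_entry_type(httpd_$1_script_t)
 domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
 
- type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable
+ type httpd_$1_rw_content_t, httpdcontent; # customizable
 typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
 files_type(httpd_$1_rw_content_t)
 
- type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable
+ type httpd_$1_ra_content_t, httpdcontent; # customizable
 typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
 files_type(httpd_$1_ra_content_t)
 
@@ -84,6 +82,17 @@ template(`apache_content_template',`
 allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms;
 allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms;
 
+ ifdef(`distro_gentoo',`
+ gen_require(`
+ attribute httpd_rw_content;
+ attribute httpd_ra_content;
+ type httpd_log_t;
+ ')
+
+ typeattribute httpd_$1_rw_content_t httpd_rw_content;
+ typeattribute httpd_$1_ra_content_t httpd_ra_content;
+ ')
+
 tunable_policy(`allow_httpd_$1_script_anon_write',`
 miscfiles_manage_public_files(httpd_$1_script_t)
 ')
@@ -393,128 +402,6 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
 
 ########################################
 ## <summary>
-## Read all appendable content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_read_all_ra_content',`
- gen_require(`
- attribute httpd_ra_content;
- ')
-
- read_files_pattern($1, httpd_ra_content, httpd_ra_content)
- read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
-')
-
-########################################
-## <summary>
-## Append to all appendable web content files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_append_all_ra_content',`
- gen_require(`
- attribute httpd_ra_content;
- ')
-
- apache_search_all_content($1)
- append_files_pattern($1, httpd_ra_content, httpd_ra_content)
-')
-
-########################################
-## <summary>
-## Read all read/write content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_read_all_rw_content',`
- gen_require(`
- attribute httpd_rw_content;
- ')
-
- read_files_pattern($1, httpd_rw_content, httpd_rw_content)
- read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
-')
-
-########################################
-## <summary>
-## Manage all read/write content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_manage_all_rw_content',`
- gen_require(`
- attribute httpd_rw_content;
- ')
-
- manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
- manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
- manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
-')
-
-########################################
-## <summary>
-## Read all web content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_read_all_content',`
- gen_require(`
- attribute httpdcontent, httpd_script_exec_type;
- ')
-
- read_files_pattern($1, httpdcontent, httpdcontent)
- read_lnk_files_pattern($1, httpdcontent, httpdcontent)
-
- read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
- read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
-')
-
-########################################
-## <summary>
-## Search all apache content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_search_all_content',`
- gen_require(`
- attribute httpdcontent;
- ')
-
- allow $1 httpdcontent:dir search_dir_perms;
-')
-
-########################################
-## <summary>
 ## Create, read, write, and delete
 ## all httpd content.
 ## </summary>
@@ -1329,3 +1216,125 @@ interface(`apache_admin',`
 apache_run_all_scripts($1, $2)
 apache_run_helper($1, $2)
 ')
+
+########################################
+## <summary>
+## Read all appendable content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_all_ra_content',`
+ gen_require(`
+ attribute httpd_ra_content;
+ ')
+
+ read_files_pattern($1, httpd_ra_content, httpd_ra_content)
+ read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
+')
+
+########################################
+## <summary>
+## Append to all appendable web content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_append_all_ra_content',`
+ gen_require(`
+ attribute httpd_ra_content;
+ ')
+
+ apache_search_all_content($1)
+ append_files_pattern($1, httpd_ra_content, httpd_ra_content)
+')
+
+########################################
+## <summary>
+## Read all read/write content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_all_rw_content',`
+ gen_require(`
+ attribute httpd_rw_content;
+ ')
+
+ read_files_pattern($1, httpd_rw_content, httpd_rw_content)
+ read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
+')
+
+########################################
+## <summary>
+## Manage all read/write content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_manage_all_rw_content',`
+ gen_require(`
+ attribute httpd_rw_content;
+ ')
+
+ manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
+ manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
+ manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
+')
+
+########################################
+## <summary>
+## Read all web content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_all_content',`
+ gen_require(`
+ attribute httpdcontent, httpd_script_exec_type;
+ ')
+
+ read_files_pattern($1, httpdcontent, httpdcontent)
+ read_lnk_files_pattern($1, httpdcontent, httpdcontent)
+
+ read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+ read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+')
+
+########################################
+## <summary>
+## Search all apache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_search_all_content',`
+ gen_require(`
+ attribute httpdcontent;
+ ')
+
+ allow $1 httpdcontent:dir search_dir_perms;
+')
 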
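Review bot: The four interfaces re-added at the end of apache.if (apache_read_all_ra_content, apache_append_all_ra_content, apache_read_all_rw_content, apache_manage_all_rw_content) still gen_require the httpd_ra_content and httpd_rw_content attributes unconditionally, while the apache.te hunk in this same commit now declares those two attributes only inside an ifdef(`distro_gentoo') block. On a non-Gentoo build any module that calls one of those four interfaces will fail at policy build time with an undeclared attribute, unless a follow-up commit wraps them. If the attributes are meant to stay Gentoo-only, wrap those four interfaces in the same ifdef(`distro_gentoo', ...) guard the template hunk uses (apache_read_all_content and apache_search_all_content only require httpdcontent and httpd_script_exec_type, which remain unconditional, so they can stay outside the guard); otherwise keep the attribute declarations unconditional in apache.te. Separately, the template hunk moves `type httpd_log_t;` into the distro_gentoo gen_require, so if the rest of apache_content_template outside this hunk still references httpd_log_t, that reference is no longer required on other distros and would also break the build there.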
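diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 7f0a224..7d7e1ba 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -252,8 +252,6 @@ gen_tunable(httpd_use_gpg, false)
 gen_tunable(httpd_use_nfs, false)
 
 attribute httpdcontent;
-attribute httpd_ra_content;
-attribute httpd_rw_content;
 attribute httpd_htaccess_type;
 
 # domains that can exec all scripts
@@ -362,6 +360,11 @@ domain_type(httpd_gpg_t)
 gpg_entry_type(httpd_gpg_t)
 role system_r types httpd_gpg_t;
 
+ifdef(`distro_gentoo',`
+ attribute httpd_ra_content;
+ attribute httpd_rw_content;
+')
+
 optional_policy(`
 prelink_object_file(httpd_modules_t)
 ')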
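Review bot: The distro_gentoo block that re-declares httpd_ra_content and httpd_rw_content is placed after the httpd_gpg_t domain declarations, a hundred lines below the `attribute httpdcontent;` / `attribute httpd_htaccess_type;` group the two lines were removed from in the first hunk. Keeping the conditional declaration next to the unconditional attributes it replaces makes it obvious to a reader of the declarations section that these attributes exist only on Gentoo, and keeps the attribute block in one place. A one-line comment such as `# Gentoo-only attributes; see the matching ifdef in apache_content_template` above the ifdef would also document why the declaration is conditional.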