From a59bba5a73324e8d769dd47bb44353784a27f416 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 28 May 2019 10:02:31 -0400 Subject: apache: Web content rules simplification. Signed-off-by: Chris PeBenito Signed-off-by: Jason Zaman --- policy/modules/services/apache.fc | 3 ++- policy/modules/services/apache.if | 24 ++---------------------- policy/modules/services/apache.te | 27 +++++++++++++++++++++++++++ 3 files changed, 31 insertions(+), 23 deletions(-)
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index f3202453d..36bff0043 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -179,7 +179,8 @@ ifdef(`distro_suse',`
 /var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
 /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www(/.*)?/logs -d gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www(/.*)?/logs/.* gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
 /var/www(/.*)?/roundcubemail/logs(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www(/.*)?/roundcubemail/temp(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 94878d663..2934337be 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -15,7 +15,7 @@ template(`apache_content_template',`
 gen_require(`
 attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
 attribute httpd_script_domains, httpd_htaccess_type;
- attribute httpd_rw_content, httpd_ra_content;
+ attribute httpd_ro_content, httpd_rw_content, httpd_ra_content;
 type httpd_t, httpd_suexec_t;
 ')
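Review bot: The replacement pair narrows what receives `httpd_sys_ra_content_t`: the old `/var/www(/.*)?/logs(/.*)?` also matched a regular file or symlink named `logs`, whereas `-d` limits the first new entry to directories and `/logs/.*` only covers entries beneath one, so such a file now falls through to `/var/www(/.*)?` and gets `httpd_sys_content_t`. If that narrowing is intended, a comment above the pair, `# append-only label is for logs directories and their contents only`, would stop a later relabel diff from being reported as a regression; if not, a matching `-- ` entry would keep the old behaviour for plain files.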
@@ -34,7 +34,7 @@ template(`apache_content_template',`
 ##
 gen_tunable(allow_httpd_$1_script_anon_write, false)
- type httpd_$1_content_t, httpdcontent; # customizable
+ type httpd_$1_content_t, httpdcontent, httpd_ro_content; # customizable
 typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
 files_type(httpd_$1_content_t)
@@ -79,30 +79,10 @@ template(`apache_content_template',`
 manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms;
- allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms;
- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms;
-
 tunable_policy(`allow_httpd_$1_script_anon_write',`
 miscfiles_manage_public_files(httpd_$1_script_t)
 ')
- tunable_policy(`httpd_builtin_scripting',`
- manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-
- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
- allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
- allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
- ')
-
- tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
- can_exec(httpd_t, httpd_$1_rw_content_t)
- ')
-
 tunable_policy(`httpd_enable_cgi',`
 allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
 domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index ee95b3051..e87a74ac9 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
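Review bot: With the per-type `allow { httpd_t httpd_suexec_t } httpd_$1_content_t …` rules and the whole `httpd_builtin_scripting` block removed, nothing left in `apache_content_template` says where httpd_t's access to the types it declares now comes from, and this template is where a policy author will look for it. A comment at the spot the removed lines occupied, `# httpd_t/httpd_suexec_t read access and the httpd_builtin_scripting rw/ra rules come from the httpd_ro_content, httpd_rw_content and httpd_ra_content attribute rules in apache.te`, would keep the template self-explaining; the template's own description block above the hunk may need the same update if it enumerates the access granted. The template body continues outside the hunk at both ends.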
@@ -258,6 +258,7 @@ attribute httpd_htaccess_type;
 attribute httpd_exec_scripts;
 attribute httpd_ra_content;
+attribute httpd_ro_content;
 attribute httpd_rw_content;
 attribute httpd_script_exec_type;
@@ -400,6 +401,12 @@ allow httpd_t httpd_config_t:dir list_dir_perms;
 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
 read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+allow httpd_t httpd_htaccess_type:file read_file_perms;
+
+allow httpd_t httpd_ro_content:dir list_dir_perms;
+allow httpd_t httpd_ro_content:file read_file_perms;
+allow httpd_t httpd_ro_content:lnk_file read_lnk_file_perms;
+
 allow httpd_t httpd_keytab_t:file read_file_perms;
 allow httpd_t httpd_lock_t:dir manage_dir_perms;
@@ -597,6 +604,20 @@ tunable_policy(`httpd_builtin_scripting',`
 allow httpd_t httpdcontent:dir list_dir_perms;
 allow httpd_t httpdcontent:file read_file_perms;
 allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
+
+ allow httpd_t httpd_ra_content:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
+ allow httpd_t httpd_ra_content:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
+ allow httpd_t httpd_ra_content:lnk_file read_lnk_file_perms;
+
+ manage_dirs_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+ manage_files_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+ manage_fifo_files_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+ manage_lnk_files_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+ manage_sock_files_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+')
+
+tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
+ can_exec(httpd_t, httpd_rw_content)
 ')
 tunable_policy(`httpd_enable_cgi',`
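Review bot: `attribute httpd_ro_content;` is declared without any indication of what membership grants, yet the rules added in the -400 hunk here and the -945 hunk for httpd_suexec_t appear to be base rules outside any tunable, so attaching the attribute to a type via `typeattribute` hands both domains read access regardless of the `httpd_builtin_scripting` setting. The neighbouring attribute declarations carry no comments either, but this one is the new lever the commit introduces, so a one-line note on the declaration would help authors of other modules: `# web content that httpd_t and httpd_suexec_t may read unconditionally; assigned by apache_content_template`.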
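Review bot: The three pre-existing `allow httpd_t httpdcontent:…` lines at the top of this `httpd_builtin_scripting` block now appear to duplicate, for every type the template declares, what is granted elsewhere: ro types get the same dir/file/lnk_file read rules unconditionally in the -400 hunk, rw types get it through the added `manage_*_pattern` calls, and ra types through the added `httpd_ra_content` allows. They still matter for a type given `httpdcontent` directly without one of the three sub-attributes, which is worth stating so the next simplification does not drop them by mistake: `# types carrying only httpdcontent (no ro/rw/ra attribute) get read access from these three rules`. The block's opening `tunable_policy` line is the hunk's function context, not part of the hunk.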
@@ -945,6 +966,12 @@ allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
 allow httpd_suexec_t self:tcp_socket { accept listen };
 allow httpd_suexec_t self:unix_stream_socket { accept listen };
+allow httpd_suexec_t httpd_htaccess_type:file read_file_perms;
+
+allow httpd_suexec_t httpd_ro_content:dir list_dir_perms;
+allow httpd_suexec_t httpd_ro_content:file read_file_perms;
+allow httpd_suexec_t httpd_ro_content:lnk_file read_lnk_file_perms;
+
 create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
-- cgit v1.2.3-65-gdbad