[selinux-policy: 735/3172] more apache work

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:08:22 UTC 2010 

commit c2b18fa1f3e489a3fae2a7d453a229a7f2293bb3
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Oct 12 16:23:22 2005 +0000

    more apache work

 refpolicy/policy/modules/kernel/devices.if    |   17 +++++
 refpolicy/policy/modules/services/apache.if   |   91 ++++++++++++++++++++++---
 refpolicy/policy/modules/services/apache.te   |   49 ++++----------
 refpolicy/policy/modules/system/userdomain.te |    6 ++
 4 files changed, 119 insertions(+), 44 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 2b57eda..f43158e 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -940,6 +940,23 @@ interface(`dev_rw_cpu_microcode',`
 
 ########################################
 ## <summary>
+##	Read and write the the hardware SSL accelerator.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_rw_crypto',`
+	gen_require(`
+		type device_t, crypt_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 crypt_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
 ##	Getattr the agp devices.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 4f41c3e..155c9a3 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -302,9 +302,6 @@ template(`apache_per_userdomain_template', `
 interface(`apache_domtrans',`
 	gen_require(`
 		type httpd_t, httpd_exec_t;
-		class process sigchld;
-		class fd use;
-		class fifo_file rw_file_perms;
 	')
 
 	corecmd_search_sbin($1)
@@ -386,20 +383,51 @@ interface(`apache_read_config',`
 
 ########################################
 ## <summary>
-##	Allow the specified domain to list
-##	the contents of the apache modules
-##	directory.
+##	Execute the Apache helper program with
+##	a domain transition.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
 #
-interface(`apache_list_modules',`
+interface(`apache_domtrans_helper',`
 	gen_require(`
-		type httpd_modules_t;
+		type httpd_helper_t, httpd_helper_exec_t;
 	')
 
-	allow $1 httpd_modules_t:dir r_dir_perms;
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,httpd_helper_exec_t,httpd_helper_t)
+
+	allow $1 httpd_helper_t:fd use;
+	allow httpd_helper_t $1:fd use;
+	allow httpd_helper_t $1:fifo_file rw_file_perms;
+	allow httpd_helper_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute the Apache helper program with
+##	a domain transition, and allow the
+##	specified role the dmidecode domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="role">
+##	The role to be allowed the dmidecode domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the dmidecode domain to use.
+## </param>
+#
+interface(`apache_run_helper',`
+	gen_require(`
+		type httpd_helper_t;
+	')
+
+	apache_domtrans_helper($1)
+	role $2 types httpd_helper_t;
+	allow httpd_helper_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -418,3 +446,48 @@ interface(`apache_dontaudit_append_log',`
 
 	dontaudit $1 httpd_log_t:file append;
 ')
+
+########################################
+## <summary>
+##	Allow the specified domain to list
+##	the contents of the apache modules
+##	directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`apache_list_modules',`
+	gen_require(`
+		type httpd_modules_t;
+	')
+
+	allow $1 httpd_modules_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Execute all web scripts in the system
+##	script domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: this interface specifically added to allow
+# sysadm_t to run scripts
+interface(`apache_domtrans_sys_script',`
+	gen_require(`
+		attribute httpdcontent;
+		type httpd_sys_script_t;
+	')
+
+	tunable_policy(`httpd_enable_cgi && httpd_unified',`
+		domain_auto_trans($1, httpdcontent, httpd_sys_script_t)
+
+		allow $1 httpd_sys_script_t:fd use;
+		allow httpd_sys_script_t $1:fd use;
+		allow httpd_sys_script_t $1:fifo_file rw_file_perms;
+		allow httpd_sys_script_t $1:process sigchld;
+	')
+')
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index e96d8c9..0e4c007 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -77,6 +77,9 @@ domain_entry_file(httpd_suexec_t,httpd_suexec_exec_t)
 type httpd_suexec_tmp_t;
 files_tmp_file(httpd_suexec_tmp_t)
 
+# setup the system domain for system CGI scripts
+apache_content_template(sys)
+
 type httpd_tmp_t;
 files_tmp_file(httpd_tmp_t)
 
@@ -110,6 +113,11 @@ ifdef(`distro_redhat',`
 	typealias httpd_log_t alias httpd_runtime_t;
 ')
 
+ifdef(`targeted_policy',`
+	typealias httpd_sys_content_t alias httpd_user_content_t;
+	typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
+')
+
 ########################################
 #
 # Apache server local policy
@@ -154,6 +162,9 @@ files_create_lock(httpd_t,httpd_lock_t)
 allow httpd_t httpd_log_t:dir { setattr rw_dir_perms };
 allow httpd_t httpd_log_t:file { create ra_file_perms };
 allow httpd_t httpd_log_t:lnk_file read;
+# cjp: need to refine create interfaces to
+# cut this back to add_name only
+logging_create_log(httpd_t,httpd_log_t)
 
 allow httpd_t httpd_modules_t:file rx_file_perms;
 allow httpd_t httpd_modules_t:dir r_dir_perms;
@@ -208,6 +219,7 @@ corenet_tcp_bind_http_cache_port(httpd_t)
 dev_read_sysfs(httpd_t)
 dev_read_rand(httpd_t)
 dev_read_urand(httpd_t)
+dev_rw_crypto(httpd_t)
 
 fs_getattr_all_fs(httpd_t)
 fs_search_auto_mountpoints(httpd_t)
@@ -371,40 +383,23 @@ optional_policy(`rhgb.te',`
 	rhgb_domain(httpd_t)
 ')
 
-allow httpd_t var_log_t:dir ra_dir_perms;
-type_transition httpd_t var_log_t:file httpd_log_t;
-
 can_tcp_connect(web_client_domain, httpd_t)
 
-allow httpd_t crypt_device_t:chr_file rw_file_perms;
-
 allow httpd_t home_root_t:dir getattr;
-
 dontaudit httpd_t sysadm_home_dir_t:dir getattr;
+allow httpd_sys_script_t var_spool_t:dir getattr;
 
 optional_policy(`mysql.te',`
 	allow httpd_t mysqld_db_t:dir search;
 	allow httpd_t mysqld_db_t:sock_file rw_file_perms;
 ')
 
-ifdef(`snmpd.te', `
-	dontaudit httpd_t snmpd_var_lib_t:dir search;
-	dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
-', `
-	dontaudit httpd_t usr_t:dir write;
-')
-
-allow httpd_sys_script_t var_spool_t:dir getattr;
-
 optional_policy(`mysql.te',`
 	allow httpd_sys_script_t mysqld_db_t:dir search;
 	allow httpd_sys_script_t mysqld_db_t:sock_file rw_file_perms;
 ')
 
-ifdef(`targeted_policy', `
-	typealias httpd_sys_content_t alias httpd_user_content_t;
-	typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
-
+ifdef(`targeted_policy',`
 	if (httpd_enable_homedirs) {
 		allow httpd_t user_home_dir_t:dir { getattr search };
 	}
@@ -416,15 +411,6 @@ ifdef(`targeted_policy', `
 	}
 ')
 
-# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
-typealias httpd_sys_content_t alias httpd_sysadm_content_t;
-
-tunable_policy(`httpd_enable_cgi && httpd_unified',`
-	ifdef(`targeted_policy', `', `
-		domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
-	')
-')
-
 optional_policy(`mta.te',`
 	# apache should set close-on-exec
 	dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
@@ -452,10 +438,6 @@ allow httpd_helper_t httpd_log_t:file append;
 libs_use_ld_so(httpd_helper_t)
 libs_use_shared_libs(httpd_helper_t)
 
-# a "run" interface needs to be
-# added, and have sysadm_t use it
-# in a optional_policy block. for httpd_helper_t
-
 ########################################
 #
 # Apache PHP script local policy
@@ -612,9 +594,6 @@ optional_policy(`nis.te',`
 # Apache system script local policy
 #
 
-# setup the system domain for system CGI scripts
-apache_content_template(sys)
-
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 2e42d4f..cc80db1 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -120,6 +120,12 @@ ifdef(`targeted_policy',`
 		domain_ptrace_all_domains(sysadm_t)
 	')
 
+	optional_policy(`apache.te',`
+		apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
+		# cjp: why is this not run
+		#apache_domtrans_sys_script(sysadm_t)
+	')
+
 	optional_policy(`apm.te',`
 		# cjp: why is this not apm_run_client
 		apm_domtrans_client(sysadm_t)

More information about the scm-commits mailing list