3 changes: 2 additions & 1 deletion policy/modules/admin/logrotate.te
Expand Up @@ -150,7 +150,8 @@ optional_policy(`

optional_policy(`
apache_read_config(logrotate_t)
apache_domtrans(logrotate_t)
apache_ctl_domtrans(logrotate_t)
apache_ctl_domtrans_from_httpd(logrotate_t)
This should be a non-from interface call from the apache module. The from interfaces are intended for users to use without having to modify the policy sources.

apache_signull(logrotate_t)
')

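Review bot: Dropping `apache_domtrans(logrotate_t)` while adding the two ctl transitions means logrotate_t can no longer reach httpd_t at all: any postrotate action that execs the server binary now lands in httpd_ctl_t, and the apache.te hunk in this PR only gives httpd_ctl_t `can_exec` on httpd_exec_t rather than a transition to httpd_t, so a full restart launched from a logrotate hook would leave the daemon running as httpd_ctl_t. If the intent is that postrotate only does `apachectl graceful` (a signal to the running master, covered by the signal_perms on httpd_t granted to httpd_ctl_t), that is worth stating next to these calls, e.g. `# postrotate goes through apachectl (httpd_ctl_t); logrotate never starts httpd_t itself`. Whether distro logrotate snippets still restart the daemon directly is not visible here, so confirm before relying on the removed rule.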
5 changes: 3 additions & 2 deletions policy/modules/services/apache.fc
Expand Up @@ -39,7 +39,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:obje
/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)

/usr/bin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/bin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/bin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_ctl_exec_t,s0)
/usr/bin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/bin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/bin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
Expand Down Expand Up @@ -74,7 +74,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:obje
/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)

/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_ctl_exec_t,s0)
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
Expand Down Expand Up @@ -188,6 +188,7 @@ ifdef(`distro_suse',`
/run/php(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
/run/wsgi.* -s gen_context(system_u:object_r:httpd_runtime_t,s0)
/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
/run/nginx(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)

/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
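Review bot: The new `/run/nginx(/.*)?` entry only matches the directory and its contents; an nginx pid file written as a sibling (`/run/nginx.pid`, the path used by several distro packages) falls outside the pattern and would keep the generic runtime label on relabel even though `files_runtime_filetrans` in apache.te creates it correctly at runtime. If that layout is in scope, `/run/nginx.*` (or a separate `/run/nginx\.pid -- gen_context(system_u:object_r:httpd_runtime_t,s0)` line) covers both forms, in the same prefix style as the `/run/wsgi.*` entry two lines above. Which pid path the target distro's nginx.conf uses is not visible here, so verify before widening the pattern.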
49 changes: 49 additions & 0 deletions policy/modules/services/apache.if
Expand Up @@ -134,6 +134,7 @@ template(`apache_role',`
type httpd_user_content_t, httpd_user_htaccess_t;
type httpd_user_script_t, httpd_user_script_exec_t;
type httpd_user_ra_content_t, httpd_user_rw_content_t;
attribute_role httpd_ctl_roles;
')

role $4 types httpd_user_script_t;
Expand All @@ -156,6 +157,10 @@ template(`apache_role',`
allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms };
allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };

roleattribute $4 httpd_ctl_roles;
apache_ctl_domtrans($3)
apache_ctl_domtrans_from_httpd($3)

userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html")
userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web")
userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www")
Expand Down Expand Up @@ -1416,6 +1421,7 @@ interface(`apache_admin',`
type httpd_runtime_t, httpd_passwd_t, httpd_suexec_t;
type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
type httpd_initrc_exec_t, httpd_keytab_t;
attribute_role httpd_ctl_roles;
')

allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };
Expand All @@ -1424,6 +1430,9 @@ interface(`apache_admin',`
ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })

init_startstop_service($1, $2, httpd_t, httpd_initrc_exec_t)
roleattribute $2 httpd_ctl_roles;
apache_ctl_domtrans($1)
apache_ctl_domtrans_from_httpd($1)

apache_manage_all_content($1)
miscfiles_manage_public_files($1)
Expand Down Expand Up @@ -1466,3 +1475,43 @@ interface(`apache_rw_runtime_files',`

allow $1 httpd_runtime_t:file rw_file_perms;
')

########################################
## <summary>
## Allow domain transitions to httpd_ctl_d
## from httpd_ctl_exec_t
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`apache_ctl_domtrans',`
gen_require(`
type httpd_ctl_t, httpd_ctl_exec_t;
')

corecmd_search_bin($1)
domtrans_pattern($1, httpd_ctl_exec_t, httpd_ctl_t)
')

########################################
## <summary>
## Allow domain transitions to httpd_ctl_d
## from httpd_exec_t
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`apache_ctl_domtrans_from_httpd',`
gen_require(`
type httpd_ctl_t, httpd_exec_t;
')

corecmd_search_bin($1)
domtrans_pattern($1, httpd_exec_t, httpd_ctl_t)
')
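Review bot: The summaries of both new interfaces name the target domain `httpd_ctl_d`, but the type they transition to is `httpd_ctl_t` (see their gen_require and domtrans_pattern lines), so the generated documentation will point at a type that does not exist; change both to `Allow domain transitions to httpd_ctl_t`. Neither interface adds the caller's role to `httpd_ctl_roles`, which the callers in this file do by hand (`roleattribute $4 httpd_ctl_roles;` in apache_role, `roleattribute $2 httpd_ctl_roles;` in apache_admin) because the only role rule for httpd_ctl_t is `role httpd_ctl_roles types httpd_ctl_t;`; a one-line note in each description that the caller's role must be in httpd_ctl_roles or the transition fails the role check would save the next user of the interface that debugging step. Calling both transitions unconditionally inside apache_role also means every role instantiated through that template can now enter httpd_ctl_t; whether that is wanted for ordinary user roles is a policy decision the template's description should state.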
160 changes: 160 additions & 0 deletions policy/modules/services/apache.te
Expand Up @@ -269,10 +269,19 @@ attribute httpd_script_domains;
attribute_role httpd_helper_roles;
roleattribute system_r httpd_helper_roles;

attribute_role httpd_ctl_roles;
roleattribute system_r httpd_ctl_roles;

type httpd_t;
type httpd_exec_t;
init_daemon_domain(httpd_t, httpd_exec_t)

type httpd_ctl_t;
type httpd_ctl_exec_t;
application_domain(httpd_ctl_t, httpd_ctl_exec_t)
allow httpd_ctl_t httpd_exec_t:file entrypoint;
role httpd_ctl_roles types httpd_ctl_t;

type httpd_cache_t;
files_type(httpd_cache_t)

Expand Down Expand Up @@ -903,6 +912,157 @@ optional_policy(`
sympa_read_var_files(httpd_t)
')

########################################
#
# httpd_ctl local policy
#

allow httpd_ctl_t self:capability { chown kill };
# dac_override is required to read files owned by www-data, e.g., error.log
allow httpd_ctl_t self:capability dac_override;
dontaudit httpd_ctl_t self:capability net_admin;
allow httpd_ctl_t httpd_t:process { getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms };
userdom_use_inherited_user_terminals(httpd_ctl_t)

manage_dirs_pattern(httpd_ctl_t, httpd_cache_t, httpd_cache_t)
mmap_manage_files_pattern(httpd_ctl_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_ctl_t, httpd_cache_t, httpd_cache_t)
files_var_filetrans(httpd_ctl_t, httpd_cache_t, dir)

allow httpd_ctl_t httpd_config_t:dir list_dir_perms;
read_files_pattern(httpd_ctl_t, httpd_config_t, httpd_config_t)
read_lnk_files_pattern(httpd_ctl_t, httpd_config_t, httpd_config_t)

allow httpd_ctl_t httpd_htaccess_type:file read_file_perms;

allow httpd_ctl_t httpd_ro_content:dir list_dir_perms;
allow httpd_ctl_t httpd_ro_content:file { map read_file_perms };
allow httpd_ctl_t httpd_ro_content:lnk_file read_lnk_file_perms;

allow httpd_ctl_t httpd_keytab_t:file read_file_perms;

allow httpd_ctl_t httpd_lock_t:dir manage_dir_perms;
allow httpd_ctl_t httpd_lock_t:file manage_file_perms;
files_lock_filetrans(httpd_ctl_t, httpd_lock_t, { file dir })

manage_dirs_pattern(httpd_ctl_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_ctl_t, httpd_log_t, httpd_log_t)
create_files_pattern(httpd_ctl_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_ctl_t, httpd_log_t, httpd_log_t)
setattr_files_pattern(httpd_ctl_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_ctl_t, httpd_log_t, httpd_log_t)
logging_log_filetrans(httpd_ctl_t, httpd_log_t, file)

allow httpd_ctl_t httpd_modules_t:dir list_dir_perms;
mmap_exec_files_pattern(httpd_ctl_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_ctl_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_ctl_t, httpd_modules_t, httpd_modules_t)

allow httpd_ctl_t httpd_rotatelogs_t:process signal_perms;

manage_dirs_pattern(httpd_ctl_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
mmap_manage_files_pattern(httpd_ctl_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_lnk_files_pattern(httpd_ctl_t, httpd_squirrelmail_t, httpd_squirrelmail_t)

allow httpd_ctl_t httpd_suexec_exec_t:file read_file_perms;

allow httpd_ctl_t httpd_sys_script_t:unix_stream_socket connectto;
allow httpd_ctl_t httpd_sys_script_t:process signull;


manage_dirs_pattern(httpd_ctl_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_ctl_t, httpd_tmp_t, httpd_tmp_t)
allow httpd_ctl_t httpd_tmp_t:file map;
manage_sock_files_pattern(httpd_ctl_t, httpd_tmp_t, httpd_tmp_t)
manage_lnk_files_pattern(httpd_ctl_t, httpd_tmp_t, httpd_tmp_t)
files_tmp_filetrans(httpd_ctl_t, httpd_tmp_t, { file dir lnk_file sock_file })
userdom_user_tmp_filetrans(httpd_ctl_t, httpd_tmp_t, dir)

manage_dirs_pattern(httpd_ctl_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_ctl_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_lnk_files_pattern(httpd_ctl_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_fifo_files_pattern(httpd_ctl_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_sock_files_pattern(httpd_ctl_t, httpd_tmpfs_t, httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_ctl_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })

manage_dirs_pattern(httpd_ctl_t, httpd_var_lib_t, httpd_var_lib_t)
mmap_manage_files_pattern(httpd_ctl_t, httpd_var_lib_t, httpd_var_lib_t)
manage_lnk_files_pattern(httpd_ctl_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_ctl_t, httpd_var_lib_t, { dir file })

setattr_dirs_pattern(httpd_ctl_t, httpd_runtime_t, httpd_runtime_t)
manage_dirs_pattern(httpd_ctl_t, httpd_runtime_t, httpd_runtime_t)
manage_files_pattern(httpd_ctl_t, httpd_runtime_t, httpd_runtime_t)
manage_sock_files_pattern(httpd_ctl_t, httpd_runtime_t, httpd_runtime_t)
files_runtime_filetrans(httpd_ctl_t, httpd_runtime_t, { file sock_file dir })

manage_dirs_pattern(httpd_ctl_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_ctl_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_ctl_t, squirrelmail_spool_t, squirrelmail_spool_t)
Comment on lines +973 to +1001
I think this plus especially the port binding makes me reconsider my position...

Overall, I'm beginning to feel this seems too much like httpd_t to make it worthwhile. I'm not definitely saying no, but I'm leaning that direction.

Another option would be to move nginx into a new domain.

So I've been thinking about how to handle this change. Would it make sense to create an attribute httpd_domains that would be common to both nginx and apache? If we opted to do that, should I create a new httpd module for the common parts, and an nginx module for the new domain?

That is a possibility. I'd have to see the full extent of rules that use it.


can_exec(httpd_ctl_t, httpd_exec_t)

kernel_read_kernel_sysctls(httpd_ctl_t)
kernel_read_vm_sysctls(httpd_ctl_t)
kernel_read_vm_overcommit_sysctl(httpd_ctl_t)
kernel_read_network_state(httpd_ctl_t)
kernel_read_system_state(httpd_ctl_t)
kernel_search_network_sysctl(httpd_ctl_t)

# nginx -t checks that it can bind to ports
corenet_tcp_bind_generic_node(httpd_ctl_t)
corenet_tcp_bind_http_port(httpd_ctl_t)
corenet_tcp_bind_http_cache_port(httpd_ctl_t)
optional_policy(`
tunable_policy(`httpd_mod_auth_ntlm_winbind',`
samba_domtrans_winbind_helper(httpd_ctl_t)
')
')
tunable_policy(`httpd_enable_ftp_server',`
corenet_tcp_bind_ftp_port(httpd_ctl_t)
')

dev_read_sysfs(httpd_ctl_t)
dev_read_rand(httpd_ctl_t)
dev_read_urand(httpd_ctl_t)
dev_rwx_zero(httpd_ctl_t)

domain_use_interactive_fds(httpd_ctl_t)

fs_getattr_all_fs(httpd_ctl_t)
fs_search_auto_mountpoints(httpd_ctl_t)

fs_read_iso9660_files(httpd_ctl_t)

files_dontaudit_getattr_all_runtime_files(httpd_ctl_t)
files_read_usr_files(httpd_ctl_t)
files_map_usr_files(httpd_ctl_t)
files_list_mnt(httpd_ctl_t)
files_search_spool(httpd_ctl_t)
files_read_var_symlinks(httpd_ctl_t)
files_read_var_lib_files(httpd_ctl_t)
files_search_home(httpd_ctl_t)
files_getattr_home_dir(httpd_ctl_t)
files_read_etc_runtime_files(httpd_ctl_t)
files_read_var_lib_symlinks(httpd_ctl_t)
files_map_etc_files(httpd_ctl_t)

auth_use_nsswitch(httpd_ctl_t)

init_rw_inherited_script_tmp_files(httpd_ctl_t)

libs_exec_lib_files(httpd_ctl_t)

logging_send_syslog_msg(httpd_ctl_t)

miscfiles_read_localization(httpd_ctl_t)
miscfiles_read_fonts(httpd_ctl_t)
miscfiles_read_public_files(httpd_ctl_t)
miscfiles_read_generic_certs(httpd_ctl_t)
miscfiles_read_generic_tls_privkey(httpd_ctl_t)
miscfiles_read_tetex_data(httpd_ctl_t)

seutil_dontaudit_search_config(httpd_ctl_t)

########################################
#
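Review bot: `can_exec(httpd_ctl_t, httpd_exec_t)` is the only rule for httpd_ctl_t executing httpd_exec_t, so anything apachectl starts from a shell (`apachectl start`/`restart`, as opposed to going through init) keeps running as httpd_ctl_t, with the chown/kill/dac_override capabilities and http port binding granted in this hunk, instead of transitioning to httpd_t. The `share siginh rlimitinh noatsecure` process permissions granted on httpd_t read like they were written for exactly such an exec transition, which suggests `domtrans_pattern(httpd_ctl_t, httpd_exec_t, httpd_t)` (or `apache_domtrans(httpd_ctl_t)`) was intended; if the in-domain exec is deliberate so that `-t` config tests stay in httpd_ctl_t, a comment on the can_exec line saying so would stop the next reader from "fixing" it. Separately, the comment justifies dac_override only for reading www-data-owned logs, and `dac_read_search` is the narrower capability for read/search past DAC: `allow httpd_ctl_t self:capability dac_read_search;` unless something in the ctl path also needs to write past DAC, which is not visible here.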