more apache work
							parent
							
								
									891a8477fc
								
							
						
					
					
						commit
						c2b18fa1f3
					
				| @ -938,6 +938,23 @@ interface(`dev_rw_cpu_microcode',` | ||||
| 	allow $1 cpu_device_t:chr_file rw_file_perms; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Read and write the the hardware SSL accelerator. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	Domain allowed access. | ||||
| ## </param> | ||||
| # | ||||
| interface(`dev_rw_crypto',` | ||||
| 	gen_require(` | ||||
| 		type device_t, crypt_device_t; | ||||
| 	') | ||||
| 
 | ||||
| 	allow $1 device_t:dir r_dir_perms; | ||||
| 	allow $1 crypt_device_t:chr_file rw_file_perms; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Getattr the agp devices. | ||||
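Review bot: The summary of the new dev_rw_crypto interface reads `Read and write the the hardware SSL accelerator.` with a doubled "the"; it should be `##	Read and write the hardware SSL accelerator.`. It would also help callers to say in the summary that the interface grants `r_dir_perms` on device_t:dir in addition to rw access on the crypt_device_t character device, because a caller replacing a bare `allow ... crypt_device_t:chr_file rw_file_perms;` picks up that directory access as well.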
|  | ||||
| @ -302,9 +302,6 @@ template(`apache_per_userdomain_template', ` | ||||
| interface(`apache_domtrans',` | ||||
| 	gen_require(` | ||||
| 		type httpd_t, httpd_exec_t; | ||||
| 		class process sigchld; | ||||
| 		class fd use; | ||||
| 		class fifo_file rw_file_perms; | ||||
| 	') | ||||
| 
 | ||||
| 	corecmd_search_sbin($1) | ||||
| @ -386,20 +383,51 @@ interface(`apache_read_config',` | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Allow the specified domain to list | ||||
| ##	the contents of the apache modules | ||||
| ##	directory. | ||||
| ##	Execute the Apache helper program with | ||||
| ##	a domain transition. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	Domain allowed access. | ||||
| ## </param> | ||||
| # | ||||
| interface(`apache_list_modules',` | ||||
| interface(`apache_domtrans_helper',` | ||||
| 	gen_require(` | ||||
| 		type httpd_modules_t; | ||||
| 		type httpd_helper_t, httpd_helper_exec_t; | ||||
| 	') | ||||
| 
 | ||||
| 	allow $1 httpd_modules_t:dir r_dir_perms; | ||||
| 	corecmd_search_sbin($1) | ||||
| 	domain_auto_trans($1,httpd_helper_exec_t,httpd_helper_t) | ||||
| 
 | ||||
| 	allow $1 httpd_helper_t:fd use; | ||||
| 	allow httpd_helper_t $1:fd use; | ||||
| 	allow httpd_helper_t $1:fifo_file rw_file_perms; | ||||
| 	allow httpd_helper_t $1:process sigchld; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Execute the Apache helper program with | ||||
| ##	a domain transition, and allow the | ||||
| ##	specified role the dmidecode domain. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	Domain allowed access. | ||||
| ## </param> | ||||
| ## <param name="role"> | ||||
| ##	The role to be allowed the dmidecode domain. | ||||
| ## </param> | ||||
| ## <param name="terminal"> | ||||
| ##	The type of the terminal allow the dmidecode domain to use. | ||||
| ## </param> | ||||
| # | ||||
| interface(`apache_run_helper',` | ||||
| 	gen_require(` | ||||
| 		type httpd_helper_t; | ||||
| 	') | ||||
| 
 | ||||
| 	apache_domtrans_helper($1) | ||||
| 	role $2 types httpd_helper_t; | ||||
| 	allow httpd_helper_t $3:chr_file rw_term_perms; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| @ -418,3 +446,48 @@ interface(`apache_dontaudit_append_log',` | ||||
| 
 | ||||
| 	dontaudit $1 httpd_log_t:file append; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Allow the specified domain to list | ||||
| ##	the contents of the apache modules | ||||
| ##	directory. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	Domain allowed access. | ||||
| ## </param> | ||||
| # | ||||
| interface(`apache_list_modules',` | ||||
| 	gen_require(` | ||||
| 		type httpd_modules_t; | ||||
| 	') | ||||
| 
 | ||||
| 	allow $1 httpd_modules_t:dir r_dir_perms; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Execute all web scripts in the system | ||||
| ##	script domain. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	Domain allowed access. | ||||
| ## </param> | ||||
| # | ||||
| # cjp: this interface specifically added to allow | ||||
| # sysadm_t to run scripts | ||||
| interface(`apache_domtrans_sys_script',` | ||||
| 	gen_require(` | ||||
| 		attribute httpdcontent; | ||||
| 		type httpd_sys_script_t; | ||||
| 	') | ||||
| 
 | ||||
| 	tunable_policy(`httpd_enable_cgi && httpd_unified',` | ||||
| 		domain_auto_trans($1, httpdcontent, httpd_sys_script_t) | ||||
| 
 | ||||
| 		allow $1 httpd_sys_script_t:fd use; | ||||
| 		allow httpd_sys_script_t $1:fd use; | ||||
| 		allow httpd_sys_script_t $1:fifo_file rw_file_perms; | ||||
| 		allow httpd_sys_script_t $1:process sigchld; | ||||
| 	') | ||||
| ') | ||||
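Review bot: The doc block for apache_run_helper still describes the dmidecode domain (`specified role the dmidecode domain`, `The role to be allowed the dmidecode domain.`, `The type of the terminal allow the dmidecode domain to use.`), which looks copied from another run interface; each of those should name the httpd_helper domain, e.g. `##	The role to be allowed the httpd_helper domain.`. The summary of apache_domtrans_sys_script says it executes all web scripts in the system script domain, but the domain_auto_trans and the fd/fifo_file/sigchld rules are only emitted inside `tunable_policy(`httpd_enable_cgi && httpd_unified',`, so a caller gets no transition at all when either tunable is off. A sentence in that summary stating that both tunables must be enabled would keep callers from assuming an unconditional transition.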
|  | ||||
| @ -77,6 +77,9 @@ domain_entry_file(httpd_suexec_t,httpd_suexec_exec_t) | ||||
| type httpd_suexec_tmp_t; | ||||
| files_tmp_file(httpd_suexec_tmp_t) | ||||
| 
 | ||||
| # setup the system domain for system CGI scripts | ||||
| apache_content_template(sys) | ||||
| 
 | ||||
| type httpd_tmp_t; | ||||
| files_tmp_file(httpd_tmp_t) | ||||
| 
 | ||||
| @ -110,6 +113,11 @@ ifdef(`distro_redhat',` | ||||
| 	typealias httpd_log_t alias httpd_runtime_t; | ||||
| ') | ||||
| 
 | ||||
| ifdef(`targeted_policy',` | ||||
| 	typealias httpd_sys_content_t alias httpd_user_content_t; | ||||
| 	typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Apache server local policy | ||||
| @ -154,6 +162,9 @@ files_create_lock(httpd_t,httpd_lock_t) | ||||
| allow httpd_t httpd_log_t:dir { setattr rw_dir_perms }; | ||||
| allow httpd_t httpd_log_t:file { create ra_file_perms }; | ||||
| allow httpd_t httpd_log_t:lnk_file read; | ||||
| # cjp: need to refine create interfaces to | ||||
| # cut this back to add_name only | ||||
| logging_create_log(httpd_t,httpd_log_t) | ||||
| 
 | ||||
| allow httpd_t httpd_modules_t:file rx_file_perms; | ||||
| allow httpd_t httpd_modules_t:dir r_dir_perms; | ||||
| @ -208,6 +219,7 @@ corenet_tcp_bind_http_cache_port(httpd_t) | ||||
| dev_read_sysfs(httpd_t) | ||||
| dev_read_rand(httpd_t) | ||||
| dev_read_urand(httpd_t) | ||||
| dev_rw_crypto(httpd_t) | ||||
| 
 | ||||
| fs_getattr_all_fs(httpd_t) | ||||
| fs_search_auto_mountpoints(httpd_t) | ||||
| @ -371,40 +383,23 @@ optional_policy(`rhgb.te',` | ||||
| 	rhgb_domain(httpd_t) | ||||
| ') | ||||
| 
 | ||||
| allow httpd_t var_log_t:dir ra_dir_perms; | ||||
| type_transition httpd_t var_log_t:file httpd_log_t; | ||||
| 
 | ||||
| can_tcp_connect(web_client_domain, httpd_t) | ||||
| 
 | ||||
| allow httpd_t crypt_device_t:chr_file rw_file_perms; | ||||
| 
 | ||||
| allow httpd_t home_root_t:dir getattr; | ||||
| 
 | ||||
| dontaudit httpd_t sysadm_home_dir_t:dir getattr; | ||||
| allow httpd_sys_script_t var_spool_t:dir getattr; | ||||
| 
 | ||||
| optional_policy(`mysql.te',` | ||||
| 	allow httpd_t mysqld_db_t:dir search; | ||||
| 	allow httpd_t mysqld_db_t:sock_file rw_file_perms; | ||||
| ') | ||||
| 
 | ||||
| ifdef(`snmpd.te', ` | ||||
| 	dontaudit httpd_t snmpd_var_lib_t:dir search; | ||||
| 	dontaudit httpd_t snmpd_var_lib_t:file { getattr write read }; | ||||
| ', ` | ||||
| 	dontaudit httpd_t usr_t:dir write; | ||||
| ') | ||||
| 
 | ||||
| allow httpd_sys_script_t var_spool_t:dir getattr; | ||||
| 
 | ||||
| optional_policy(`mysql.te',` | ||||
| 	allow httpd_sys_script_t mysqld_db_t:dir search; | ||||
| 	allow httpd_sys_script_t mysqld_db_t:sock_file rw_file_perms; | ||||
| ') | ||||
| 
 | ||||
| ifdef(`targeted_policy', ` | ||||
| 	typealias httpd_sys_content_t alias httpd_user_content_t; | ||||
| 	typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t; | ||||
| 
 | ||||
| ifdef(`targeted_policy',` | ||||
| 	if (httpd_enable_homedirs) { | ||||
| 		allow httpd_t user_home_dir_t:dir { getattr search }; | ||||
| 	} | ||||
| @ -416,15 +411,6 @@ ifdef(`targeted_policy', ` | ||||
| 	} | ||||
| ') | ||||
| 
 | ||||
| # We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context | ||||
| typealias httpd_sys_content_t alias httpd_sysadm_content_t; | ||||
| 
 | ||||
| tunable_policy(`httpd_enable_cgi && httpd_unified',` | ||||
| 	ifdef(`targeted_policy', `', ` | ||||
| 		domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t) | ||||
| 	') | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`mta.te',` | ||||
| 	# apache should set close-on-exec | ||||
| 	dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write }; | ||||
| @ -452,10 +438,6 @@ allow httpd_helper_t httpd_log_t:file append; | ||||
| libs_use_ld_so(httpd_helper_t) | ||||
| libs_use_shared_libs(httpd_helper_t) | ||||
| 
 | ||||
| # a "run" interface needs to be | ||||
| # added, and have sysadm_t use it | ||||
| # in a optional_policy block. for httpd_helper_t | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Apache PHP script local policy | ||||
| @ -612,9 +594,6 @@ optional_policy(`nis.te',` | ||||
| # Apache system script local policy | ||||
| # | ||||
| 
 | ||||
| # setup the system domain for system CGI scripts | ||||
| apache_content_template(sys) | ||||
| 
 | ||||
| allow httpd_sys_script_t httpd_t:tcp_socket { read write }; | ||||
| 
 | ||||
| dontaudit httpd_sys_script_t httpd_config_t:dir search; | ||||
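Review bot: The hunk at `@ -416,15 +411,6 @@` removes `typealias httpd_sys_content_t alias httpd_sysadm_content_t;` along with the comment saying the alias is still needed for file contexts; the counts (15 old, 6 new) put the typealias, its comment and the tunable_policy block all on the removed side. Unless the matching .fc entries were changed in a commit not shown here, a file context that still names httpd_sysadm_content_t will no longer resolve, so either keep the alias or say in the commit message where that label went. The removed tunable_policy block granted sysadm_t the httpd_sys_script_t transition only under `ifdef(`targeted_policy', `', ...)`, while the new apache_domtrans_sys_script interface earlier in this diff carries no such exclusion, so that restriction now has to be enforced by each caller. Replacing `allow httpd_t crypt_device_t:chr_file rw_file_perms;` with `dev_rw_crypto(httpd_t)` also adds `device_t:dir r_dir_perms`; that looks intended but is a small widening worth noting.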
|  | ||||
| @ -120,6 +120,12 @@ ifdef(`targeted_policy',` | ||||
| 		domain_ptrace_all_domains(sysadm_t) | ||||
| 	') | ||||
| 
 | ||||
| 	optional_policy(`apache.te',` | ||||
| 		apache_run_helper(sysadm_t,sysadm_r,admin_terminal) | ||||
| 		# cjp: why is this not run | ||||
| 		#apache_domtrans_sys_script(sysadm_t) | ||||
| 	') | ||||
| 
 | ||||
| 	optional_policy(`apm.te',` | ||||
| 		# cjp: why is this not apm_run_client | ||||
| 		apm_domtrans_client(sysadm_t) | ||||
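Review bot: The commented-out `#apache_domtrans_sys_script(sysadm_t)` under `# cjp: why is this not run` leaves the sysadm script transition undecided, and the rule it replaces (removed in the .te hunk earlier in this diff) applied only under `ifdef(`targeted_policy', `', ...)` whereas the new interface has no such guard; if the call is re-enabled it should sit in the non-targeted branch or be wrapped the same way. The enclosing ifdef block starts outside the hunk, so which branch this optional_policy lives in cannot be confirmed from here. A comment stating the intended policy variant, e.g. `# sysadm_t may transition to httpd_sys_script_t only in non-targeted policy`, would record the decision instead of the open question.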
|  | ||||