From e749cd12a671ca37eacc946368af70352777f123 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 17 Oct 2005 17:55:38 +0000
Subject: [PATCH] wrap up almost all of apache

---
 refpolicy/Changelog | 1 +
 refpolicy/policy/modules/kernel/kernel.if | 16 ++
 refpolicy/policy/modules/services/apache.fc | 2 +-
 refpolicy/policy/modules/services/apache.if | 222 +++++++++++++-----
 refpolicy/policy/modules/services/apache.te | 63 ++---
 refpolicy/policy/modules/services/mta.if | 10 +-
 refpolicy/policy/modules/services/mta.te | 11 +
 refpolicy/policy/modules/system/userdomain.te | 2 +-
 8 files changed, 231 insertions(+), 96 deletions(-)

diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 772c47e1..23337011 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -14,6 +14,7 @@
 - Fix errors uncovered by sediff.
 - Added policies:
 anaconda
+ apache
 apm
 arpwatch
 bluetooth
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 58d59249..4f75c58f 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -1036,6 +1036,22 @@ interface(`kernel_rw_modprobe_sysctl',`
 allow $1 sysctl_modprobe_t:file rw_file_perms;
 ')
 
+########################################
+##
+## Do not audit attempts to search generic kernel sysctls.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`kernel_dontaudit_search_kernel_sysctl',`
+ gen_require(`
+ type sysctl_kernel_t;
+ ')
+
+ dontaudit $1 sysctl_kernel_t:dir search;
+')
+
 ########################################
 ##
 ## Read generic kernel sysctls.
diff --git a/refpolicy/policy/modules/services/apache.fc b/refpolicy/policy/modules/services/apache.fc
index 2042a317..402bac27 100644
--- a/refpolicy/policy/modules/services/apache.fc
+++ b/refpolicy/policy/modules/services/apache.fc
@@ -18,7 +18,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_R
 /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
 /usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
 /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
 /usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 0543cffe..bb43dde0 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -84,6 +84,9 @@ template(`apache_content_template',`
 allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
 files_create_tmp_files(httpd_$1_script_t,httpd_$1_script_rw_t,{ file lnk_file sock_file fifo_file })
 
+ kernel_dontaudit_search_sysctl(httpd_$1_script_t)
+ kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
+
 dev_read_rand(httpd_$1_script_t)
 dev_read_urand(httpd_$1_script_t)
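Review bot: The added `kernel_dontaudit_search_sysctl(httpd_$1_script_t)` call relies on an interface this patch does not define; only `kernel_dontaudit_search_kernel_sysctl` is added to kernel.if in this series, so confirm `kernel_dontaudit_search_sysctl` already exists there or the apache module will fail to build. The pair replaces the two raw `dontaudit httpd_$1_script_t sysctl_kernel_t:dir search` / `sysctl_t:dir search` rules removed from the TODO block later in this file, which is the right direction. `apache_content_template` starts and ends outside this hunk.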
@@ -106,20 +109,11 @@ template(`apache_content_template',`
 seutil_dontaudit_search_config(httpd_$1_script_t)
 
- ifdef(`targeted_policy',`
- tunable_policy(`httpd_enable_cgi && httpd_unified && ! httpd_disable_trans',`
- allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
- allow httpd_$1_script_t httpdcontent:file create_file_perms;
- allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
- can_exec(httpd_$1_script_t, httpdcontent)
- ')
- ',`
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
- allow httpd_$1_script_t httpdcontent:file create_file_perms;
- allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
- can_exec(httpd_$1_script_t, httpdcontent)
- ')
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
+ allow httpd_$1_script_t httpdcontent:file create_file_perms;
+ allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
+ can_exec(httpd_$1_script_t, httpdcontent)
 ')
 
 tunable_policy(`allow_httpd_$1_script_anon_write',`
@@ -147,6 +141,16 @@ template(`apache_content_template',`
 ')
 
 tunable_policy(`httpd_enable_cgi',`
+ allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
+
+ # privileged users run the script:
+ domain_auto_trans(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+ allow httpd_exec_scripts httpd_$1_script_t:fd use;
+ allow httpd_$1_script_t httpd_exec_scripts:fd use;
+ allow httpd_$1_script_t httpd_exec_scripts:fifo_file rw_file_perms;
+ allow httpd_$1_script_t httpd_exec_scripts:process sigchld;
+
+ # apache runs the script:
 domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
 allow httpd_t httpd_$1_script_t:fd use;
 allow httpd_$1_script_t httpd_t:fd use;
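Review bot: Collapsing the two branches drops the `! httpd_disable_trans` conjunct that only the targeted-policy branch carried on `httpd_enable_cgi && httpd_unified`, so on targeted builds the script domain's create and exec rights over httpdcontent are no longer switched off by that boolean. If httpd_disable_trans is being retired this is the intended behaviour change, but neither the commit message nor the code says so; a one-line comment above the surviving block, `# not gated on httpd_disable_trans: targeted and strict now share this block`, would record the decision. `apache_content_template` begins before this hunk.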
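Review bot: `domain_auto_trans(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)` lets every domain carrying the attribute transition into every user script domain, but nothing in this hunk ties the attribute to a role; `apache_domtrans_all_scripts`, added later in this patch, sets only the attribute, so a caller that uses it without `apache_run_all_scripts` or its own `role` statement gets an invalid-context failure at exec rather than a transition. A note above the block such as `# callers must also authorize their role for httpd_script_domains (apache_run_all_scripts)` would save the next reader that debugging round. Also worth checking: if the refpolicy `domain_auto_trans` macro already grants `entrypoint`, the explicit `allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;` is redundant (harmless, but it suggests the macro does not, which I cannot confirm from this diff). The enclosing template starts and ends outside this hunk.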
@@ -215,21 +219,6 @@ template(`apache_content_template',`
 optional_policy(`nscd.te',`
 nscd_use_socket(httpd_$1_script_t)
 ')
-
- ifdef(`TODO',`
- #
- # If a user starts a script by hand it gets the proper context
- #
- ifdef(`targeted_policy', `', `
- if (httpd_enable_cgi) {
- domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
- }
- ')
- role sysadm_r types httpd_$1_script_t;
-
- dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
- dontaudit httpd_$1_script_t sysctl_t:dir search;
- ') dnl end TODO
 ')
 
 #######################################
@@ -262,6 +251,7 @@ template(`apache_per_userdomain_template', `
 apache_content_template($1)
 
+ typeattribute httpd_$1_content_t httpd_script_domains;
 # typeattribute httpd_$1_content_t $1_file_type;
 role $3 types httpd_$1_script_t;
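Review bot: `typeattribute httpd_$1_content_t httpd_script_domains;` attaches a file type to an attribute that apache.te declares as `# user script domains` and that `apache_run_all_scripts` feeds into `role $2 types httpd_script_domains;`. The intended member is almost certainly the script domain, i.e. `typeattribute httpd_$1_script_t httpd_script_domains;`; as written, a role granted through `apache_run_all_scripts` never gets httpd_$1_script_t, so the transition from `httpd_exec_scripts` fails for lack of role authorization, while the content type receives a meaningless role binding. The commented-out `$1_file_type` line directly below looks like the copy-and-edit source of the slip. `apache_per_userdomain_template` continues outside this hunk.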
@@ -290,39 +280,23 @@ template(`apache_per_userdomain_template', `
 allow $2 httpd_$1_script_exec_t:file { create_file_perms relabelto relabelfrom };
 allow $2 httpd_$1_script_exec_t:lnk_file { create_lnk_perms relabelto relabelfrom };
 
- ifdef(`targeted_policy',`
- tunable_policy(`httpd_enable_cgi',`
- domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
- allow $2 httpd_$1_script_t:fd use;
- allow httpd_$1_script_t $2:fd use;
- allow httpd_$1_script_t $2:fifo_file rw_file_perms;
- allow httpd_$1_script_t $2:process sigchld;
- ')
+ tunable_policy(`httpd_enable_cgi',`
+ # If a user starts a script by hand it gets the proper context
+ domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
+ allow $2 httpd_$1_script_t:fd use;
+ allow httpd_$1_script_t $2:fd use;
+ allow httpd_$1_script_t $2:fifo_file rw_file_perms;
+ allow httpd_$1_script_t $2:process sigchld;
+ ')
 
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
- domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
- allow $2 httpd_$1_script_t:fd use;
- allow httpd_$1_script_t $2:fd use;
- allow httpd_$1_script_t $2:fifo_file rw_file_perms;
- allow httpd_$1_script_t $2:process sigchld;
- ')
- ',`
- tunable_policy(`httpd_enable_cgi',`
- # If a user starts a script by hand it gets the proper context
- domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
- allow $2 httpd_$1_script_t:fd use;
- allow httpd_$1_script_t $2:fd use;
- allow httpd_$1_script_t $2:fifo_file rw_file_perms;
- allow httpd_$1_script_t $2:process sigchld;
- ')
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_$1_script_t httpdcontent:file entrypoint;
 
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
- domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
- allow $2 httpd_$1_script_t:fd use;
- allow httpd_$1_script_t $2:fd use;
- allow httpd_$1_script_t $2:fifo_file rw_file_perms;
- allow httpd_$1_script_t $2:process sigchld;
- ')
+ domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
+ allow $2 httpd_$1_script_t:fd use;
+ allow httpd_$1_script_t $2:fd use;
+ allow httpd_$1_script_t $2:fifo_file rw_file_perms;
+ allow httpd_$1_script_t $2:process sigchld;
 ')
 
 # allow accessing files/dirs below the users home dir
@@ -403,6 +377,40 @@ interface(`apache_use_fd',`
 allow $1 httpd_t:fd use;
 ')
 
+########################################
+##
+## Do not audit attempts to read and write Apache
+## unix domain stream sockets.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`apache_dontaudit_rw_stream_socket',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
+')
+
+########################################
+##
+## Do not audit attempts to read and write Apache
+## TCP sockets.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`apache_dontaudit_rw_tcp_socket',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ dontaudit $1 httpd_t:tcp_socket { read write };
+')
+
 ########################################
 ##
 ## Allow the specified domain to read
@@ -506,7 +514,7 @@ interface(`apache_dontaudit_append_log',`
 type httpd_log_t;
 ')
 
- dontaudit $1 httpd_log_t:file append;
+ dontaudit $1 httpd_log_t:file { getattr append };
 ')
 
 ########################################
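Review bot: Under `httpd_enable_cgi && httpd_unified` the new `allow httpd_$1_script_t httpdcontent:file entrypoint;` makes every httpdcontent-labelled file a valid entry point into the user script domain, and the same tunable earlier in this patch gives `httpd_$1_script_t` `create_file_perms` on httpdcontent, so a script can write a file that the user's domain `$2` then execs straight into `httpd_$1_script_t` through `domain_auto_trans($2, httpdcontent, httpd_$1_script_t)`. That is inherent to unified mode, but it should be stated where the entrypoint is granted, e.g. `# unified: every httpdcontent file is an executable script entrypoint and is also writable by script domains, so content is not a trust boundary`. This hunk begins earlier, and `apache_per_userdomain_template` starts outside it.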
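Review bot: Both new dontaudit interfaces document their parameter as `## Domain allowed access.`, but nothing is allowed here, denials are merely suppressed; the `kernel_dontaudit_search_kernel_sysctl` interface added in the same patch uses the accurate wording, so these should read `## Domain to not audit.` as well. Documentation only.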
@@ -574,3 +582,95 @@ interface(`apache_domtrans_sys_script',`
 allow httpd_sys_script_t $1:process sigchld;
 ')
 ')
+
+########################################
+##
+## Do not audit attempts to read and write Apache
+## system script unix domain stream sockets.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`apache_dontaudit_rw_sys_script_stream_socket',`
+ gen_require(`
+ type httpd_sys_script_t;
+ ')
+
+ dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
+')
+
+########################################
+##
+## Execute all user scripts in the user
+## script domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`apache_domtrans_all_scripts',`
+ gen_require(`
+ attribute httpd_exec_scripts;
+ ')
+
+ typeattribute $1 httpd_exec_scripts;
+')
+
+########################################
+##
+## Execute all user scripts in the user
+## script domain. Add user script domains
+## to the specified role.
+##
+##
+## Domain allowed access.
+##
+##
+## The role to be allowed the script domains.
+##
+#
+# cjp: this is missing the terminal since scripts
+# do not output to the terminal
+interface(`apache_run_all_scripts',`
+ gen_require(`
+ attribute httpd_exec_scripts, httpd_script_domains;
+ ')
+
+ role $2 types httpd_script_domains;
+ apache_domtrans_all_scripts($1)
+')
+
+########################################
+##
+## Allow the specified domain to read
+## apache squirrelmail data.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`apache_read_squirrelmail_data',`
+ gen_require(`
+ type httpd_squirrelmail_t;
+ ')
+
+ allow $1 httpd_squirrelmail_t:file { getattr read };
+')
+
+########################################
+##
+## Allow the specified domain to append
+## apache squirrelmail data.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`apache_append_squirrelmail_data',`
+ gen_require(`
+ type httpd_squirrelmail_t;
+ ')
+
+ allow $1 httpd_squirrelmail_t:file { getattr append };
+')
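Review bot: `apache_domtrans_all_scripts` and `apache_run_all_scripts` are documented as executing user scripts in the script domain, but the rules that actually perform the transition for `httpd_exec_scripts` live in `apache_content_template` inside `tunable_policy(`httpd_enable_cgi',`)`, so with that boolean off a caller gets the attribute and the role binding and no transition at all; the summaries should say so, e.g. `## Only effective when the httpd_enable_cgi boolean is on.`. The `cjp:` note that `apache_run_all_scripts` grants no terminal access is a caller-facing caveat, not an author aside, so it belongs in the interface description rather than a `#` comment (`## The script domains get no terminal access; add it separately if output is needed.`). The three new dontaudit interfaces would also read better with `## Domain to not audit.`, matching `kernel_dontaudit_search_kernel_sysctl` in this same patch.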
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index e0d79b41..80755b27 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -22,9 +22,16 @@ policy_module(apache,1.0)
 attribute httpdcontent;
 
+# domains that can exec all users scripts
+attribute httpd_exec_scripts;
+
+# user script domains
+attribute httpd_script_domains;
+
 type httpd_t;
 type httpd_exec_t;
 init_daemon_domain(httpd_t,httpd_exec_t)
+role system_r types httpd_t;
 
 # httpd_cache_t is the type given to the /var/cache/httpd
 # directory and the files under that directory
@@ -36,11 +43,10 @@ type httpd_config_t;
 files_type(httpd_config_t)
 
 type httpd_helper_t;
-domain_type(httpd_helper_t)
-role system_r types httpd_helper_t;
-
 type httpd_helper_exec_t;
+domain_type(httpd_helper_t)
 domain_entry_file(httpd_helper_t,httpd_helper_exec_t)
+role system_r types httpd_helper_t;
 
 type httpd_lock_t;
 files_lock_file(httpd_lock_t)
@@ -54,11 +60,10 @@ type httpd_modules_t;
 files_type(httpd_modules_t)
 
 type httpd_php_t;
-domain_type(httpd_php_t)
-role system_r types httpd_php_t;
-
 type httpd_php_exec_t;
+domain_type(httpd_php_t)
 domain_entry_file(httpd_php_t,httpd_php_exec_t)
+role system_r types httpd_php_t;
 
 type httpd_php_tmp_t;
 files_tmp_file(httpd_php_tmp_t)
@@ -68,11 +73,10 @@ files_type(httpd_squirrelmail_t)
 # SUEXEC runs user scripts as their own user ID
 type httpd_suexec_t; #, daemon;
-domain_type(httpd_suexec_t)
-role system_r types httpd_suexec_t;
-
 type httpd_suexec_exec_t;
+domain_type(httpd_suexec_t)
 domain_entry_file(httpd_suexec_t,httpd_suexec_exec_t)
+role system_r types httpd_suexec_t;
 
 type httpd_suexec_tmp_t;
 files_tmp_file(httpd_suexec_tmp_t)
@@ -89,11 +93,10 @@ files_tmpfs_file(httpd_tmpfs_t)
 # Unconfined domain for apache scripts.
 # Only to be used as a last resort
 type httpd_unconfined_script_t;
-domain_type(httpd_unconfined_script_t)
-role system_r types httpd_unconfined_script_t;
-
 type httpd_unconfined_script_exec_t; # customizable
-files_type(httpd_unconfined_script_exec_t)
+domain_type(httpd_unconfined_script_t)
+domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t)
+role system_r types httpd_unconfined_script_t;
 
 # for apache2 memory mapped files
 type httpd_var_lib_t;
@@ -178,15 +181,15 @@ allow httpd_t httpd_tmp_t:dir create_dir_perms;
 allow httpd_t httpd_tmp_t:file create_file_perms;
 files_create_tmp_files(httpd_t, httpd_tmp_t, { file dir })
 
-allow httpd_t httpd_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow httpd_t httpd_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow httpd_t httpd_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
-allow httpd_t httpd_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-allow httpd_t httpd_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow httpd_t httpd_tmpfs_t:dir create_dir_perms;
+allow httpd_t httpd_tmpfs_t:file create_file_perms;
+allow httpd_t httpd_tmpfs_t:lnk_file create_lnk_perms;
+allow httpd_t httpd_tmpfs_t:sock_file create_file_perms;
+allow httpd_t httpd_tmpfs_t:fifo_file create_file_perms;
 fs_create_tmpfs_data(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
 allow httpd_t httpd_var_lib_t:file create_file_perms;
-allow httpd_t httpd_var_lib_t:dir create_dir_perms;
+allow httpd_t httpd_var_lib_t:dir rw_dir_perms;
 files_create_var_lib(httpd_t,httpd_var_lib_t)
 
 allow httpd_t httpd_var_run_t:file create_file_perms;
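Review bot: Replacing the explicit tmpfs permission sets is not a pure macro substitution on the `:dir` line: the removed set is `{ read getattr lock search ioctl add_name remove_name write }`, while refpolicy's `create_dir_perms` additionally carries create, rmdir, rename, setattr, link/unlink and reparent if I have the set right, so httpd_t silently gains the ability to create and remove directories on httpd_tmpfs_t (the file, lnk_file, sock_file and fifo_file lines do look like exact equivalents). If the widening is wanted, say so above the line, `# create_dir_perms is wider than the old explicit set (adds create/rmdir/rename)`; otherwise `rw_dir_perms` is the drop-in equivalent, which is exactly what the `httpd_var_lib_t:dir` line in this hunk moves to. That second change goes the other way, from `create_dir_perms` to `rw_dir_perms`, while `files_create_var_lib` still installs a type transition for httpd_t, so creating a subdirectory (as opposed to a file) under httpd_var_lib_t would now be denied; confirm nothing in the apache2 mmap usage that comment refers to needs it.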
@@ -341,6 +344,14 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 fs_read_cifs_symlinks(httpd_t)
 ')
 
+tunable_policy(`httpd_ssi_exec',`
+ corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
+ allow httpd_t httpd_sys_script_t:fd use;
+ allow httpd_sys_script_t httpd_t:fd use;
+ allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
+ allow httpd_sys_script_t httpd_t:process sigchld;
+')
+
 # When the admin starts the server, the server wants to access
 # the TTY or PTY associated with the session. The httpd appears
 # to run correctly without this permission, so the permission
@@ -391,10 +402,6 @@ optional_policy(`rhgb.te',`
 can_tcp_connect(web_client_domain, httpd_t)
 
-allow httpd_t home_root_t:dir getattr;
-dontaudit httpd_t sysadm_home_dir_t:dir getattr;
-allow httpd_sys_script_t var_spool_t:dir getattr;
-
 ifdef(`targeted_policy',`
 if (httpd_enable_homedirs) {
 allow httpd_t user_home_dir_t:dir { getattr search };
@@ -406,14 +413,6 @@ ifdef(`targeted_policy',`
 allow httpd_suexec_t user_home_dir_t:dir { getattr search };
 }
 ')
-
-optional_policy(`mta.te',`
- # apache should set close-on-exec
- dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
- dontaudit system_mail_t httpd_log_t:file { append getattr };
- allow system_mail_t httpd_squirrelmail_t:file { append read };
- dontaudit system_mail_t httpd_t:tcp_socket { read write };
-')
 ') dnl end TODO
 
 ########################################
@@ -434,6 +433,8 @@ allow httpd_helper_t httpd_log_t:file append;
 libs_use_ld_so(httpd_helper_t)
 libs_use_shared_libs(httpd_helper_t)
 
+logging_send_syslog_msg(httpd_helper_t)
+
 ########################################
 #
 # Apache PHP script local policy
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index eb91503d..4c9ad48c 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
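Review bot: The new `httpd_ssi_exec` block runs the shell that `corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)` spawns in httpd_sys_script_t, the same domain as system CGI scripts, so a server-side `#exec` directive in any SSI-enabled page executes with full system-script rights rather than being confined to the page's owner; that is the real cost of turning the boolean on and it deserves a comment above the block, `# SSI #exec runs a shell as httpd_sys_script_t: anyone who can write SSI-enabled content can run system scripts`. Please also confirm `httpd_ssi_exec` is declared with `gen_tunable` somewhere, since the declaration is not in this diff and an undeclared boolean fails the build. The removed `optional_policy(`mta.te',`)` block further down is moved, not dropped, and its mta.te replacement covers the same four rules.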
@@ -254,10 +254,16 @@ interface(`mta_mailserver_delivery',`
 #
 interface(`mta_mailserver_user_agent',`
 gen_require(`
- attribute mailserver_user_agent;
+ attribute mta_user_agent;
 ')
 
- typeattribute $1 mailserver_user_agent;
+ typeattribute $1 mta_user_agent;
+
+ optional_policy(`apache.te',`
+ # apache should set close-on-exec
+ apache_dontaudit_rw_stream_socket($1)
+ apache_dontaudit_rw_sys_script_stream_socket($1)
+ ')
 ')
 
 #######################################
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 98733d39..07b40e94 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -119,6 +119,17 @@ ifdef(`targeted_policy',`
 ')
 ')
 
+optional_policy(`apache.te',`
+ apache_read_squirrelmail_data(system_mail_t)
+ apache_append_squirrelmail_data(system_mail_t)
+
+ # apache should set close-on-exec
+ apache_dontaudit_append_log(system_mail_t)
+ apache_dontaudit_rw_stream_socket(system_mail_t)
+ apache_dontaudit_rw_tcp_socket(system_mail_t)
+ apache_dontaudit_rw_sys_script_stream_socket(system_mail_t)
+')
+
 optional_policy(`cron.te',`
 cron_read_system_job_tmp_files(system_mail_t)
 ')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 45dafca6..1aa37fbb 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -122,7 +122,7 @@ ifdef(`targeted_policy',`
 optional_policy(`apache.te',`
 apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
 
- # cjp: why is this not run
+ #apache_run_all_scripts(sysadm_t,sysadm_r)
 #apache_domtrans_sys_script(sysadm_t)
 ')
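Review bot: The gen_require now names `mta_user_agent` where it previously named `mailserver_user_agent`, but the attribute declaration itself is not in this diff; the apache.te block this patch removes referenced `mta_user_agent`, which suggests that is the declared name and the old require was the typo, but please confirm mta.te declares `attribute mta_user_agent;` or `mta_mailserver_user_agent` will fail to link. Putting `optional_policy(`apache.te',`)` inside the interface means every caller now inherits the two apache dontaudits, which matches the behaviour of the removed apache.te rule for `mta_user_agent`; the `# apache should set close-on-exec` comment is the only record of why they exist, so keep it attached to that block rather than letting it drift.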