From a996bdf4addc1145a9720c69009f7a5e150851c1 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Sep 29 2005 20:59:00 +0000 Subject: add most of apache --- diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables index 27dbff8..20affba 100644 --- a/refpolicy/policy/global_tunables +++ b/refpolicy/policy/global_tunables @@ -48,6 +48,27 @@ gen_tunable(ftp_home_dir,false) ## Allow ftpd to run directly without inetd gen_tunable(ftpd_is_daemon,false) +## Allow httpd to use built in scripting (usually php) +gen_tunable(httpd_builtin_scripting,false) + +## Allow http daemon to tcp connect +gen_tunable(httpd_can_network_connect,false) + +## Allow httpd cgi support +gen_tunable(httpd_enable_cgi,false) + +## Allow httpd to read home directories +gen_tunable(httpd_enable_homedirs,false) + +## Run SSI execs in system CGI script domain. +gen_tunable(httpd_ssi_exec,false) + +## Allow http daemon to communicate with the TTY +gen_tunable(httpd_tty_comm,false) + +## Run CGI in the main httpd domain +gen_tunable(httpd_unified,false) + ## Allow BIND to write the master zone files. ## Generally this is used for dynamic DNS. gen_tunable(named_write_master_zones,false) diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index b5bc065..9594d28 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te @@ -137,6 +137,12 @@ optional_policy(`acct.te',` acct_exec_data(logrotate_t) ') +optional_policy(`apache.te',` + apache_read_config(logrotate_t) + apache_domtrans(logrotate_t) + apache_signull(logrotate_t) +') + optional_policy(`consoletype.te',` consoletype_exec(logrotate_t) diff --git a/refpolicy/policy/modules/services/apache.fc b/refpolicy/policy/modules/services/apache.fc new file mode 100644 index 0000000..c7c4151 --- /dev/null +++ b/refpolicy/policy/modules/services/apache.fc @@ -0,0 +1,66 @@ + +HOME_DIR/((www)|(web)|(public_html))(/.+)? context_template(system_u:object_r:httpd_ROLE_content_t,s0) + +/etc/apache(2)?(/.*)? context_template(system_u:object_r:httpd_config_t,s0) +/etc/apache-ssl(2)?(/.*)? context_template(system_u:object_r:httpd_config_t,s0) +/etc/htdig(/.*)? context_template(system_u:object_r:httpd_sys_content_t,s0) +/etc/httpd -d context_template(system_u:object_r:httpd_config_t,s0) +/etc/httpd/conf.* context_template(system_u:object_r:httpd_config_t,s0) +/etc/httpd/logs context_template(system_u:object_r:httpd_log_t,s0) +/etc/httpd/modules context_template(system_u:object_r:httpd_modules_t,s0) +/etc/vhosts -- context_template(system_u:object_r:httpd_config_t,s0) + +/srv/([^/]*/)?www(/.*)? context_template(system_u:object_r:httpd_sys_content_t,s0) + +/usr/bin/htsslpass -- context_template(system_u:object_r:httpd_helper_exec_t,s0) + +/usr/lib/apache-ssl/.+ -- context_template(system_u:object_r:httpd_exec_t,s0) +/usr/lib/cgi-bin(/.*)? context_template(system_u:object_r:httpd_sys_script_exec_t,s0) +/usr/lib(64)?/apache(/.*)? context_template(system_u:object_r:httpd_modules_t,s0) +/usr/lib(64)?/apache2/modules(/.*)? context_template(system_u:object_r:httpd_modules_t,s0) +/usr/lib(64)?/apache(2)?/suexec(2)? -- context_template(system_u:object_r:httpd_suexec_exec_t,s0) +/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- context_template(system_u:object_r:httpd_suexec_exec_t,s0) +/usr/lib(64)?/httpd(/.*)? context_template(system_u:object_r:httpd_modules_t,s0) + +/usr/sbin/apache(2)? -- context_template(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/apache-ssl(2)? -- context_template(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/httpd(\.worker)? -- context_template(system_u:object_r:httpd_exec_t,s0) +ifdef(`distro_suse', ` +/usr/sbin/httpd2-.* -- context_template(system_u:object_r:httpd_exec_t,s0) +') +/usr/sbin/suexec -- context_template(system_u:object_r:httpd_suexec_exec_t,s0) + +/usr/share/htdig(/.*)? context_template(system_u:object_r:httpd_sys_content_t,s0) + +/var/cache/httpd(/.*)? context_template(system_u:object_r:httpd_cache_t,s0) +/var/cache/mod_ssl(/.*)? context_template(system_u:object_r:httpd_cache_t,s0) +/var/cache/php-eaccelerator(/.*)? context_template(system_u:object_r:httpd_cache_t,s0) +/var/cache/php-mmcache(/.*)? context_template(system_u:object_r:httpd_cache_t,s0) +/var/cache/ssl.*\.sem -- context_template(system_u:object_r:httpd_cache_t,s0) + +/var/lib/htdig(/.*)? context_template(system_u:object_r:httpd_sys_content_t,s0) +/var/lib/httpd(/.*)? context_template(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/php/session(/.*)? context_template(system_u:object_r:httpd_var_run_t,s0) +/var/lib/squirrelmail/prefs(/.*)? context_template(system_u:object_r:httpd_squirrelmail_t,s0) + +/var/log/apache(2)?(/.*)? context_template(system_u:object_r:httpd_log_t,s0) +/var/log/apache-ssl(2)?(/.*)? context_template(system_u:object_r:httpd_log_t,s0) +/var/log/cgiwrap\.log.* -- context_template(system_u:object_r:httpd_log_t,s0) +/var/log/httpd(/.*)? context_template(system_u:object_r:httpd_log_t,s0) +ifdef(`distro_debian', ` +/var/log/horde2(/.*)? context_template(system_u:object_r:httpd_log_t,s0) +') + +/var/run/apache.* context_template(system_u:object_r:httpd_var_run_t,s0) +/var/run/gcache_port -s context_template(system_u:object_r:httpd_var_run_t,s0) + +/var/spool/gosa(/.*)? context_template(system_u:object_r:httpd_sys_script_rw_t,s0) +/var/spool/squirrelmail(/.*)? context_template(system_u:object_r:squirrelmail_spool_t,s0) +ifdef(`targeted_policy', `', ` +/var/spool/cron/apache -- context_template(system_u:object_r:user_cron_spool_t,s0) +') + +/var/www(/.*)? context_template(system_u:object_r:httpd_sys_content_t,s0) +/var/www/cgi-bin(/.*)? context_template(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/icons(/.*)? context_template(system_u:object_r:httpd_sys_content_t,s0) +/var/www/perl(/.*)? context_template(system_u:object_r:httpd_sys_script_exec_t,s0) diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if new file mode 100644 index 0000000..bea817d --- /dev/null +++ b/refpolicy/policy/modules/services/apache.if @@ -0,0 +1,353 @@ +## Apache web server + +template(`apache_content_template',` + + #This type is for webpages + type httpd_$1_content_t, httpdcontent; # customizable + files_type(httpd_$1_content_t) + + # This type is used for .htaccess files + type httpd_$1_htaccess_t; # customizable; + files_type(httpd_$1_htaccess_t) + + # Type that CGI scripts run as + type httpd_$1_script_t; + domain_type(httpd_$1_script_t) + role system_r types httpd_$1_script_t; + + # This type is used for executable scripts files + type httpd_$1_script_exec_t; # customizable; + domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t) + + # The following three are the only areas that + # scripts can read, read/write, or append to + type httpd_$1_script_ro_t, httpdcontent; # customizable + files_type(httpd_$1_script_ro_t) + + type httpd_$1_script_rw_t, httpdcontent; # customizable + files_type(httpd_$1_script_rw_t) + + type httpd_$1_script_ra_t, httpdcontent; # customizable + files_type(httpd_$1_script_ra_t) + + allow httpd_t httpd_$1_htaccess_t:file r_file_perms; + + domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) + allow httpd_suexec_t httpd_$1_script_t:fd use; + allow httpd_$1_script_t httpd_suexec_t:fd use; + allow httpd_$1_script_t httpd_suexec_t:fifo_file rw_file_perms; + allow httpd_$1_script_t httpd_suexec_t:process sigchld; + + allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search }; + + allow httpd_$1_script_t self:fifo_file rw_file_perms; + + allow httpd_$1_script_t httpd_t:fifo_file write; + # apache should set close-on-exec + dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; + + # Allow the script process to search the cgi directory, and users directory + allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search }; + + allow httpd_$1_script_t httpd_log_t:file { getattr append }; + allow httpd_$1_script_t httpd_log_t:dir search; + logging_search_logs(httpd_$1_script_t) + + can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) + allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr }; + + allow httpd_$1_script_t httpd_$1_script_ra_t:dir ra_dir_perms; + allow httpd_$1_script_t httpd_$1_script_ra_t:file ra_file_perms; + allow httpd_$1_script_t httpd_$1_script_ra_t:lnk_file { getattr read }; + + allow httpd_$1_script_t httpd_$1_script_ro_t:dir { getattr read search }; + allow httpd_$1_script_t httpd_$1_script_ro_t:file { read getattr }; + allow httpd_$1_script_t httpd_$1_script_ro_t:lnk_file { getattr read }; + + allow httpd_$1_script_t httpd_$1_script_rw_t:dir create_dir_perms; + allow httpd_$1_script_t httpd_$1_script_rw_t:file create_file_perms; + allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms; + allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms; + allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms; + files_create_tmp_files(httpd_$1_script_t,httpd_$1_script_rw_t,{ file lnk_file sock_file fifo_file }) + + dev_read_rand(httpd_$1_script_t) + dev_read_urand(httpd_$1_script_t) + + corecmd_exec_bin(httpd_$1_script_t) + corecmd_exec_sbin(httpd_$1_script_t) + + domain_exec_all_entry_files(httpd_$1_script_t) + + files_exec_etc_files(httpd_$1_script_t) + files_read_etc_files(httpd_$1_script_t) + files_search_home(httpd_$1_script_t) + + libs_use_ld_so(httpd_$1_script_t) + libs_use_shared_libs(httpd_$1_script_t) + libs_exec_ld_so(httpd_$1_script_t) + libs_exec_lib_files(httpd_$1_script_t) + + miscfiles_read_fonts(httpd_$1_script_t) + + seutil_dontaudit_search_config(httpd_$1_script_t) + + ifdef(`targeted_policy',` + tunable_policy(`httpd_enable_cgi && httpd_unified && ! httpd_disable_trans',` + allow httpd_$1_script_t httpdcontent:dir create_dir_perms; + allow httpd_$1_script_t httpdcontent:file create_file_perms; + allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms; + can_exec(httpd_$1_script_t, httpdcontent) + ') + ',` + tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_$1_script_t httpdcontent:dir create_dir_perms; + allow httpd_$1_script_t httpdcontent:file create_file_perms; + allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms; + can_exec(httpd_$1_script_t, httpdcontent) + ') + ') + + # Allow the web server to run scripts and serve pages + tunable_policy(`httpd_builtin_scripting',` + allow httpd_t httpd_$1_script_rw_t:dir create_dir_perms; + allow httpd_t httpd_$1_script_rw_t:file create_file_perms; + allow httpd_t httpd_$1_script_rw_t:lnk_file create_lnk_perms; + allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms; + + allow httpd_t httpd_$1_script_ra_t:dir ra_dir_perms; + allow httpd_t httpd_$1_script_ra_t:file ra_file_perms; + allow httpd_t httpd_$1_script_ra_t:lnk_file { getattr read }; + + allow httpd_t httpd_$1_script_ro_t:dir r_dir_perms; + allow httpd_t httpd_$1_script_ro_t:file r_file_perms; + allow httpd_t httpd_$1_script_ro_t:lnk_file { getattr read }; + + allow httpd_t httpd_$1_content_t:dir r_dir_perms; + allow httpd_t httpd_$1_content_t:file r_file_perms; + allow httpd_t httpd_$1_content_t:lnk_file { getattr read }; + ') + + tunable_policy(`httpd_enable_cgi',` + domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) + allow httpd_t httpd_$1_script_t:fd use; + allow httpd_$1_script_t httpd_t:fd use; + allow httpd_$1_script_t httpd_t:fifo_file rw_file_perms; + allow httpd_$1_script_t httpd_t:process sigchld; + + allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; + allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms; + allow httpd_t httpd_$1_script_exec_t:file r_file_perms; + + allow httpd_$1_script_t self:process signal_perms; + allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms; + + allow httpd_$1_script_t httpd_t:fd use; + allow httpd_$1_script_t httpd_t:process sigchld; + + kernel_read_system_state(httpd_$1_script_t) + + dev_read_urand(httpd_$1_script_t) + + fs_getattr_xattr_fs(httpd_$1_script_t) + + files_read_etc_runtime_files(httpd_$1_script_t) + files_read_usr_files(httpd_$1_script_t) + + libs_read_lib(httpd_$1_script_t) + + miscfiles_read_localization(httpd_$1_script_t) + ') + + tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` + allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_$1_script_t self:udp_socket create_socket_perms; + corenet_tcp_sendrecv_all_if(httpd_$1_script_t) + corenet_udp_sendrecv_all_if(httpd_$1_script_t) + corenet_raw_sendrecv_all_if(httpd_$1_script_t) + corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t) + corenet_udp_sendrecv_all_nodes(httpd_$1_script_t) + corenet_raw_sendrecv_all_nodes(httpd_$1_script_t) + corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) + corenet_udp_sendrecv_all_ports(httpd_$1_script_t) + corenet_tcp_bind_all_nodes(httpd_$1_script_t) + corenet_udp_bind_all_nodes(httpd_$1_script_t) + corenet_tcp_connect_all_ports(httpd_$1_script_t) + + sysnet_read_config(httpd_$1_script_t) + ') + + optional_policy(`mount.te',` + tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` + mount_send_nfs_client_request(httpd_$1_script_t) + ') + ') + + + optional_policy(`mta.te',` + mta_send_mail(httpd_$1_script_t) + ') + + optional_policy(`nis.te',` + tunable_policy(`httpd_enable_cgi && allow_ypbind',` + nis_use_ypbind_uncond(httpd_$1_script_t) + ') + ') + + optional_policy(`nscd.te',` + nscd_use_socket(httpd_$1_script_t) + ') + + ifdef(`TODO',` + anonymous_domain(httpd_$1_script) + + # + # If a user starts a script by hand it gets the proper context + # + ifdef(`targeted_policy', `', ` + if (httpd_enable_cgi) { + domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t) + } + ') + role sysadm_r types httpd_$1_script_t; + + dontaudit httpd_$1_script_t sysctl_kernel_t:dir search; + dontaudit httpd_$1_script_t sysctl_t:dir search; + ') dnl end TODO +') + +template(`apache_per_userdomain_template', ` + + apache_content_template($1) + +# typeattribute httpd_$1_content_t $1_file_type; + + role $3 types httpd_$1_script_t; + + allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom }; + + allow $2 httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom }; + + allow $2 httpd_$1_script_ra_t:lnk_file { create_lnk_perms relabelto relabelfrom }; + allow $2 httpd_$1_script_ra_t:dir { create_dir_perms relabelto relabelfrom }; + allow $2 httpd_$1_script_ra_t:file { create_file_perms relabelto relabelfrom }; + + allow $2 httpd_$1_script_ro_t:lnk_file { create_lnk_perms relabelto relabelfrom }; + allow $2 httpd_$1_script_ro_t:dir { create_dir_perms relabelto relabelfrom }; + allow $2 httpd_$1_script_ro_t:file { create_file_perms relabelto relabelfrom }; + + allow $2 httpd_$1_script_rw_t:lnk_file { create_lnk_perms relabelto relabelfrom }; + allow $2 httpd_$1_script_rw_t:dir { create_dir_perms relabelto relabelfrom }; + allow $2 httpd_$1_script_rw_t:file { create_file_perms relabelto relabelfrom }; + + allow $2 httpd_$1_script_exec_t:dir create_dir_perms; + allow $2 httpd_$1_script_exec_t:file create_file_perms; + allow $2 httpd_$1_script_exec_t:lnk_file create_lnk_perms; + + allow $2 httpd_$1_script_exec_t:dir { create_dir_perms relabelto relabelfrom }; + allow $2 httpd_$1_script_exec_t:file { create_file_perms relabelto relabelfrom }; + allow $2 httpd_$1_script_exec_t:lnk_file { create_lnk_perms relabelto relabelfrom }; + + ifdef(`targeted_policy',` + tunable_policy(`httpd_enable_cgi && httpd_unified && ! httpd_disable_trans',` + domain_auto_trans($2, httpdcontent, httpd_$1_script_t) + allow $2 httpd_$1_script_t:fd use; + allow httpd_$1_script_t $2:fd use; + allow httpd_$1_script_t $2:fifo_file rw_file_perms; + allow httpd_$1_script_t $2:process sigchld; + ') + + tunable_policy(`httpd_enable_cgi && ! httpd_disable_trans',` + domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t) + allow $2 httpd_$1_script_t:fd use; + allow httpd_$1_script_t $2:fd use; + allow httpd_$1_script_t $2:fifo_file rw_file_perms; + allow httpd_$1_script_t $2:process sigchld; + ') + ',` + tunable_policy(`httpd_enable_cgi',` + # If a user starts a script by hand it gets the proper context + domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t) + allow $2 httpd_$1_script_t:fd use; + allow httpd_$1_script_t $2:fd use; + allow httpd_$1_script_t $2:fifo_file rw_file_perms; + allow httpd_$1_script_t $2:process sigchld; + ') + + tunable_policy(`httpd_enable_cgi && httpd_unified',` + domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t) + allow $2 httpd_$1_script_t:fd use; + allow httpd_$1_script_t $2:fd use; + allow httpd_$1_script_t $2:fifo_file rw_file_perms; + allow httpd_$1_script_t $2:process sigchld; + ') + ') + + # allow accessing files/dirs below the users home dir + tunable_policy(`httpd_enable_homedirs',` + userdom_search_user_home($1,httpd_t) + userdom_search_user_home($1,httpd_suexec_t) + userdom_search_user_home($1,httpd_$1_script_t) + ') +') + +######################################## +## +## Transition to Apache. +## +## +## Domain allowed access. +## +# +interface(`apache_domtrans',` + gen_require(` + type httpd_t, httpd_exec_t; + class process sigchld; + class fd use; + class fifo_file rw_file_perms; + ') + + corecmd_search_sbin($1) + domain_auto_trans($1,httpd_exec_t,httpd_t) + + allow $1 httpd_t:fd use; + allow httpd_t $1:fd use; + allow httpd_t $1:fifo_file rw_file_perms; + allow httpd_t $1:process sigchld; +') + +######################################## +## +## Send a null signal to apache. +## +## +## The type of the process performing this action. +## +# +interface(`apache_signull',` + gen_require(` + type httpd_t; + ') + + allow $1 httpd_t:process signull; +') + +######################################## +## +## Allow the specified domain to read +## apache configuration files. +## +## +## Domain allowed access. +## +# +interface(`apache_read_config',` + gen_require(` + type httpd_config_t; + ') + + files_search_etc($1) + allow $1 httpd_config_t:dir r_dir_perms; + allow $1 httpd_config_t:file r_file_perms; + allow $1 httpd_config_t:lnk_file { getattr read }; +') diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te new file mode 100644 index 0000000..50ddc20 --- /dev/null +++ b/refpolicy/policy/modules/services/apache.te @@ -0,0 +1,647 @@ + +policy_module(apache,1.0) + +# +# NOTES: +# This policy will work with SUEXEC enabled as part of the Apache +# configuration. However, the user CGI scripts will run under the +# system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the +# of the creating user. +# +# The user CGI scripts must be labeled with the httpd_$1_script_exec_t +# type, and the directory containing the scripts should also be labeled +# with these types. This policy allows user_r role to perform that +# relabeling. If it is desired that only sysadm_r should be able to relabel +# the user CGI scripts, then relabel rule for user_r should be removed. +# + +######################################## +# +# Declarations +# + +attribute httpdcontent; + +type httpd_t; +type httpd_exec_t; +init_daemon_domain(httpd_t,httpd_exec_t) + +# httpd_cache_t is the type given to the /var/cache/httpd +# directory and the files under that directory +type httpd_cache_t; +files_type(httpd_cache_t) + +# httpd_config_t is the type given to the configuration files +type httpd_config_t; +files_type(httpd_config_t) + +type httpd_helper_t; +domain_type(httpd_helper_t) +role system_r types httpd_helper_t; + +type httpd_helper_exec_t; +domain_entry_file(httpd_helper_t,httpd_helper_exec_t) + +type httpd_lock_t; +files_lock_file(httpd_lock_t) + +type httpd_log_t; +logging_log_file(httpd_log_t) + +# httpd_modules_t is the type given to module files (libraries) +# that come with Apache /etc/httpd/modules and /usr/lib/apache +type httpd_modules_t; +files_type(httpd_modules_t) + +type httpd_php_t; +domain_type(httpd_php_t) +role system_r types httpd_php_t; + +type httpd_php_exec_t; +domain_entry_file(httpd_php_t,httpd_php_exec_t) + +type httpd_php_tmp_t; +files_tmp_file(httpd_php_tmp_t) + +type httpd_squirrelmail_t; +files_type(httpd_squirrelmail_t) + +# SUEXEC runs user scripts as their own user ID +type httpd_suexec_t; #, daemon; +domain_type(httpd_suexec_t) +role system_r types httpd_suexec_t; + +type httpd_suexec_exec_t; +domain_entry_file(httpd_suexec_t,httpd_suexec_exec_t) + +type httpd_suexec_tmp_t; +files_tmp_file(httpd_suexec_tmp_t) + +type httpd_tmp_t; +files_tmp_file(httpd_tmp_t) + +type httpd_tmpfs_t; +files_tmpfs_file(httpd_tmpfs_t) + +# Unconfined domain for apache scripts. +# Only to be used as a last resort +type httpd_unconfined_script_t; +domain_type(httpd_unconfined_script_t) +role system_r types httpd_unconfined_script_t; + +type httpd_unconfined_script_exec_t; # customizable +files_type(httpd_unconfined_script_exec_t) + +# for apache2 memory mapped files +type httpd_var_lib_t; +files_type(httpd_var_lib_t) + +type httpd_var_run_t; +files_pid_file(httpd_var_run_t) + +# File Type of squirrelmail attachments +type squirrelmail_spool_t; +files_tmp_file(squirrelmail_spool_t) + +######################################## +# +# Apache server local policy +# + +allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config }; +dontaudit httpd_t self:capability { net_admin sys_tty_config }; +allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow httpd_t self:fd use; +allow httpd_t self:fifo_file rw_file_perms; +allow httpd_t self:shm create_shm_perms; +allow httpd_t self:sem create_sem_perms; +allow httpd_t self:msgq create_msgq_perms; +allow httpd_t self:msg { send receive }; +allow httpd_t self:unix_dgram_socket create_socket_perms; +allow httpd_t self:unix_stream_socket create_stream_socket_perms; +allow httpd_t self:unix_dgram_socket sendto; +allow httpd_t self:unix_stream_socket connectto; +allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; +allow httpd_t self:tcp_socket { acceptfrom connectto recvfrom }; + +allow httpd_t self:tcp_socket create_stream_socket_perms; +allow httpd_t self:udp_socket { connect }; +allow httpd_t self:tcp_socket connected_socket_perms; +allow httpd_t self:udp_socket connected_socket_perms; + +# Allow httpd_t to put files in /var/cache/httpd etc +allow httpd_t httpd_cache_t:dir create_dir_perms; +allow httpd_t httpd_cache_t:file create_file_perms; +allow httpd_t httpd_cache_t:lnk_file create_lnk_perms; + +# Allow the httpd_t to read the web servers config files +allow httpd_t httpd_config_t:dir r_dir_perms; +allow httpd_t httpd_config_t:file r_file_perms; +allow httpd_t httpd_config_t:lnk_file { getattr read }; + +can_exec(httpd_t, httpd_exec_t) + +allow httpd_t httpd_lock_t:file create_file_perms; +files_create_lock(httpd_t,httpd_lock_t) + +allow httpd_t httpd_log_t:dir { setattr rw_dir_perms }; +allow httpd_t httpd_log_t:file { create ra_file_perms }; +allow httpd_t httpd_log_t:lnk_file read; + +allow httpd_t httpd_modules_t:file rx_file_perms; +allow httpd_t httpd_modules_t:dir r_dir_perms; +allow httpd_t httpd_modules_t:lnk_file r_file_perms; + +allow httpd_t httpd_squirrelmail_t:dir create_dir_perms; +allow httpd_t httpd_squirrelmail_t:lnk_file create_lnk_perms; +allow httpd_t httpd_squirrelmail_t:file create_file_perms; + +allow httpd_t httpd_tmp_t:dir create_dir_perms; +allow httpd_t httpd_tmp_t:file create_file_perms; +files_create_tmp_files(httpd_t, httpd_tmp_t, { file dir }) + +allow httpd_t httpd_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; +allow httpd_t httpd_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; +allow httpd_t httpd_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; +allow httpd_t httpd_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; +allow httpd_t httpd_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; +fs_create_tmpfs_data(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + +allow httpd_t httpd_var_lib_t:file create_file_perms; +allow httpd_t httpd_var_lib_t:dir create_dir_perms; +files_create_var_lib(httpd_t,httpd_var_lib_t) + +allow httpd_t httpd_var_run_t:file create_file_perms; +allow httpd_t httpd_var_run_t:sock_file create_file_perms; +allow httpd_t httpd_var_run_t:dir rw_dir_perms; +files_create_pid(httpd_t,httpd_var_run_t, { file sock_file }) + +allow httpd_t squirrelmail_spool_t:dir create_dir_perms; +allow httpd_t squirrelmail_spool_t:file create_file_perms; +allow httpd_t squirrelmail_spool_t:lnk_file create_lnk_perms; + +kernel_read_kernel_sysctl(httpd_t) +kernel_tcp_recvfrom(httpd_t) +# for modules that want to access /proc/meminfo +kernel_read_system_state(httpd_t) + +corenet_tcp_sendrecv_all_if(httpd_t) +corenet_udp_sendrecv_all_if(httpd_t) +corenet_raw_sendrecv_all_if(httpd_t) +corenet_tcp_sendrecv_all_nodes(httpd_t) +corenet_udp_sendrecv_all_nodes(httpd_t) +corenet_raw_sendrecv_all_nodes(httpd_t) +corenet_tcp_sendrecv_all_ports(httpd_t) +corenet_udp_sendrecv_all_ports(httpd_t) +corenet_tcp_bind_all_nodes(httpd_t) +corenet_udp_bind_all_nodes(httpd_t) +corenet_tcp_bind_http_port(httpd_t) +corenet_tcp_bind_http_cache_port(httpd_t) + +dev_read_sysfs(httpd_t) +dev_read_rand(httpd_t) +dev_read_urand(httpd_t) + +fs_getattr_all_fs(httpd_t) +fs_search_auto_mountpoints(httpd_t) + +term_dontaudit_use_console(httpd_t) + +# execute perl +corecmd_exec_bin(httpd_t) +corecmd_exec_sbin(httpd_t) + +domain_use_wide_inherit_fd(httpd_t) + +files_read_usr_files(httpd_t) +files_list_mnt(httpd_t) +files_search_spool(httpd_t) +files_read_var_lib_files(httpd_t) +files_search_home(httpd_t) +files_getattr_home_dir(httpd_t) +# for modules that want to access /etc/mtab +files_read_etc_runtime_files(httpd_t) +# Allow httpd_t to have access to files such as nisswitch.conf +files_read_etc_files(httpd_t) + +init_use_fd(httpd_t) +init_use_script_pty(httpd_t) + +libs_use_ld_so(httpd_t) +libs_use_shared_libs(httpd_t) +libs_read_lib(httpd_t) + +logging_send_syslog_msg(httpd_t) + +miscfiles_read_localization(httpd_t) +miscfiles_read_fonts(httpd_t) + +seutil_dontaudit_search_config(httpd_t) + +sysnet_dns_name_resolve(httpd_t) +sysnet_use_ldap(httpd_t) +sysnet_read_config(httpd_t) + +userdom_use_unpriv_users_fd(httpd_t) +userdom_dontaudit_search_sysadm_home_dir(httpd_t) + +mta_send_mail(httpd_t) + +ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_tty(httpd_t) + term_dontaudit_use_generic_pty(httpd_t) + files_dontaudit_read_root_file(httpd_t) +') + +tunable_policy(`httpd_enable_cgi',` + domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) + allow httpd_t httpd_unconfined_script_t:fd use; + allow httpd_unconfined_script_t httpd_t:fd use; + allow httpd_unconfined_script_t httpd_t:fifo_file rw_file_perms; + allow httpd_unconfined_script_t httpd_t:process sigchld; + + allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop }; + allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms; +') + +tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(httpd_t) + fs_read_nfs_symlinks(httpd_t) +') + +tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_t) + fs_read_cifs_symlinks(httpd_t) +') + +tunable_policy(`httpd_can_network_connect',` + allow httpd_t self:tcp_socket create_socket_perms; + allow httpd_t self:udp_socket { connect }; + allow httpd_t self:udp_socket connected_socket_perms; + + corenet_tcp_sendrecv_all_if(httpd_t) + corenet_udp_sendrecv_all_if(httpd_t) + corenet_raw_sendrecv_all_if(httpd_t) + corenet_tcp_sendrecv_all_nodes(httpd_t) + corenet_udp_sendrecv_all_nodes(httpd_t) + corenet_raw_sendrecv_all_nodes(httpd_t) + corenet_tcp_sendrecv_all_ports(httpd_t) + corenet_udp_sendrecv_all_ports(httpd_t) + corenet_tcp_bind_all_nodes(httpd_t) + corenet_udp_bind_all_nodes(httpd_t) + corenet_tcp_connect_all_ports(httpd_t) + + sysnet_read_config(httpd_t) +') + +optional_policy(`kerberos.te',` + kerberos_use(httpd_t) +') + +optional_policy(`mta.te',` + # apache should set close-on-exec + dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; +') + +optional_policy(`mysql.te',` + mysql_stream_connect(httpd_t) +') + +optional_policy(`nis.te',` + nis_use_ypbind(httpd_t) +') + +optional_policy(`nscd.te',` + nscd_use_socket(httpd_t) +') + +optional_policy(`selinuxutil.te',` + seutil_sigchld_newrole(httpd_t) +') + +optional_policy(`udev.te', ` + udev_read_db(httpd_t) +') + +ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(httpd_t) +') + +allow httpd_t var_log_t:dir ra_dir_perms; +type_transition httpd_t var_log_t:file httpd_log_t; + +can_tcp_connect(web_client_domain, httpd_t) + +allow httpd_t crypt_device_t:chr_file rw_file_perms; + +# for tomcat +allow httpd_t var_lib_t:lnk_file { getattr read }; + +######################################### +# Allow httpd to search users directories +######################################### +allow httpd_t home_root_t:dir { getattr search }; + +dontaudit httpd_t sysadm_home_dir_t:dir getattr; + +# Allow apache to used ftpd_anon_t +anonymous_domain(httpd) + +optional_policy(`mysql.te',` + allow httpd_t mysqld_db_t:dir search; + allow httpd_t mysqld_db_t:sock_file rw_file_perms; +') + +ifdef(`snmpd.te', ` + dontaudit httpd_t snmpd_var_lib_t:dir search; + dontaudit httpd_t snmpd_var_lib_t:file { getattr write read }; +', ` + dontaudit httpd_t usr_t:dir write; +') + +r_dir_file(initrc_t, httpd_config_t) +allow initrc_t httpd_modules_t:dir r_dir_perms; + + +# setup the system domain for system CGI scripts +dontaudit httpd_sys_script_t httpd_config_t:dir search; +allow httpd_sys_script_t httpd_t:tcp_socket { read write }; +kernel_read_kernel_sysctl(httpd_sys_script_t) +allow httpd_sys_script_t var_spool_t:dir { getattr search }; +r_dir_file(httpd_sys_script_t, squirrelmail_spool_t) +allow httpd_sys_script_t httpd_squirrelmail_t:file { append read }; +allow httpd_sys_script_t var_lib_t:dir search; + +# Run SSI execs in system CGI script domain. +tunable_policy(`httpd_ssi_exec',` + corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) + allow httpd_t httpd_sys_script_t:fd use; + allow httpd_sys_script_t httpd_t:fd use; + allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms; + allow httpd_sys_script_t httpd_t:process sigchld; +') + +optional_policy(`mysql.te',` + allow httpd_sys_script_t mysqld_db_t:dir search; + allow httpd_sys_script_t mysqld_db_t:sock_file rw_file_perms; + + mysql_stream_connect(httpd_sys_script_t) +') + +ifdef(`targeted_policy', ` + typealias httpd_sys_content_t alias httpd_user_content_t; + typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t; + + if (httpd_enable_homedirs) { + allow httpd_t user_home_dir_t:dir { getattr search }; + } + if (httpd_enable_homedirs) { + allow httpd_sys_script_t user_home_dir_t:dir { getattr search }; + } + if (httpd_enable_homedirs) { + allow httpd_suexec_t user_home_dir_t:dir { getattr search }; + } +') + +# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context +typealias httpd_sys_content_t alias httpd_sysadm_content_t; + +ifdef(`distro_redhat',` + # mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat + # This is a bug but it still exists in FC2 + typealias httpd_log_t alias httpd_runtime_t; + + allow httpd_sys_script_t httpd_log_t:file { getattr append }; +') + +######################################## +# When the admin starts the server, the server wants to access +# the TTY or PTY associated with the session. The httpd appears +# to run correctly without this permission, so the permission +# are dontaudited here. +################################################## + +if (httpd_tty_comm) { + allow { httpd_t httpd_helper_t } devpts_t:dir search; + allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write }; +} else { + dontaudit httpd_t admin_tty_type:chr_file rw_file_perms; +} + +r_dir_file(httpd_t, cert_t) + +dontaudit httpd_suexec_t var_run_t:dir search; +allow httpd_suexec_t home_root_t:dir search; + +if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) { + domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t) + allow httpd_suexec_t httpd_sys_script_t:fd use; + allow httpd_sys_script_t httpd_suexec_t:fd use; + allow httpd_sys_script_t httpd_suexec_t:fifo_file rw_file_perms; + allow httpd_sys_script_t httpd_suexec_t:process sigchld; + + ifdef(`targeted_policy', `', ` + domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t) + ') +} + +if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) { + domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t) + allow httpd_t httpd_sys_script_t:fd use; + allow httpd_sys_script_t httpd_t:fd use; + allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms; + allow httpd_sys_script_t httpd_t:process sigchld; + + allow httpd_t httpdcontent:dir create_dir_perms; + allow httpd_t httpdcontent:file create_file_perms; + allow httpd_t httpdcontent:lnk_file create_lnk_perms; +} + +tunable_policy(`httpd_enable_cgi',` + domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) +') + + +optional_policy(`mta.te',` + # apache should set close-on-exec + dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write }; + dontaudit system_mail_t httpd_log_t:file { append getattr }; + allow system_mail_t httpd_squirrelmail_t:file { append read }; + dontaudit system_mail_t httpd_t:tcp_socket { read write }; +') +') dnl end TODO + +######################################## +# +# Apache helper local policy +# + +domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t) +allow httpd_t httpd_helper_t:fd use; +allow httpd_helper_t httpd_t:fd use; +allow httpd_helper_t httpd_t:fifo_file rw_file_perms; +allow httpd_helper_t httpd_t:process sigchld; + +allow httpd_helper_t httpd_config_t:file { getattr read }; + +allow httpd_helper_t httpd_log_t:file append; + +libs_use_ld_so(httpd_helper_t) +libs_use_shared_libs(httpd_helper_t) + +# a "run" interface needs to be +# added, and have sysadm_t use it +# in a optional_policy block. for httpd_helper_t + +######################################## +# +# Apache PHP script local policy +# + +allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow httpd_php_t self:fd use; +allow httpd_php_t self:fifo_file rw_file_perms; +allow httpd_php_t self:unix_dgram_socket create_socket_perms; +allow httpd_php_t self:unix_stream_socket create_stream_socket_perms; +allow httpd_php_t self:unix_dgram_socket sendto; +allow httpd_php_t self:unix_stream_socket connectto; +allow httpd_php_t self:shm create_shm_perms; +allow httpd_php_t self:sem create_sem_perms; +allow httpd_php_t self:msgq create_msgq_perms; +allow httpd_php_t self:msg { send receive }; + +domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t) +allow httpd_t httpd_php_t:fd use; +allow httpd_php_t httpd_t:fd use; +allow httpd_php_t httpd_t:fifo_file rw_file_perms; +allow httpd_php_t httpd_t:process sigchld; + +# allow php to read and append to apache logfiles +allow httpd_php_t httpd_log_t:file ra_file_perms; + +allow httpd_php_t httpd_php_tmp_t:dir create_dir_perms; +allow httpd_php_t httpd_php_tmp_t:file create_file_perms; +files_create_tmp_files(httpd_php_t, httpd_php_tmp_t, { file dir }) + +fs_search_auto_mountpoints(httpd_php_t) + +libs_exec_lib_files(httpd_php_t) +libs_use_ld_so(httpd_php_t) +libs_use_shared_libs(httpd_php_t) + +userdom_use_unpriv_users_fd(httpd_php_t) + +optional_policy(`mysql.te',` + mysql_stream_connect(httpd_php_t) +') + +optional_policy(`nis.te',` + nis_use_ypbind(httpd_php_t) +') + +######################################## +# +# Apache suexec local policy +# + +allow httpd_suexec_t self:capability { setuid setgid }; +allow httpd_suexec_t self:process signal_perms; +allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; + +# cjp: need transitionbool +domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) +allow httpd_t httpd_suexec_t:fd use; +allow httpd_suexec_t httpd_t:fd use; +allow httpd_suexec_t httpd_t:fifo_file rw_file_perms; +allow httpd_suexec_t httpd_t:process sigchld; + +allow httpd_suexec_t httpd_log_t:dir ra_dir_perms; +allow httpd_suexec_t httpd_log_t:file { create ra_file_perms }; +allow httpd_suexec_t httpd_t:fifo_file getattr; + +allow httpd_suexec_t httpd_suexec_tmp_t:dir create_dir_perms; +allow httpd_suexec_t httpd_suexec_tmp_t:file create_file_perms; +files_create_tmp_files(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) + +kernel_read_kernel_sysctl(httpd_suexec_t) +kernel_list_proc(httpd_suexec_t) +kernel_read_proc_symlinks(httpd_suexec_t) + +dev_read_urand(httpd_suexec_t) + +fs_search_auto_mountpoints(httpd_suexec_t) + +# for shell scripts +corecmd_exec_bin(httpd_suexec_t) +corecmd_exec_shell(httpd_suexec_t) + +files_read_etc_files(httpd_suexec_t) +files_read_usr_files(httpd_suexec_t) + +libs_use_ld_so(httpd_suexec_t) +libs_use_shared_libs(httpd_suexec_t) + +logging_search_logs(httpd_suexec_t) +logging_send_syslog_msg(httpd_suexec_t) + +miscfiles_read_localization(httpd_suexec_t) + +tunable_policy(`httpd_can_network_connect',` + allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; + allow httpd_suexec_t self:udp_socket create_socket_perms; + + corenet_tcp_sendrecv_all_if(httpd_suexec_t) + corenet_udp_sendrecv_all_if(httpd_suexec_t) + corenet_raw_sendrecv_all_if(httpd_suexec_t) + corenet_tcp_sendrecv_all_nodes(httpd_suexec_t) + corenet_udp_sendrecv_all_nodes(httpd_suexec_t) + corenet_raw_sendrecv_all_nodes(httpd_suexec_t) + corenet_tcp_sendrecv_all_ports(httpd_suexec_t) + corenet_udp_sendrecv_all_ports(httpd_suexec_t) + corenet_tcp_bind_all_nodes(httpd_suexec_t) + corenet_udp_bind_all_nodes(httpd_suexec_t) + corenet_tcp_connect_all_ports(httpd_suexec_t) + + sysnet_read_config(httpd_suexec_t) +') + +tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(httpd_suexec_t) + fs_read_nfs_symlinks(httpd_suexec_t) + fs_execute_nfs_files(httpd_suexec_t) +') + +tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_suexec_t) + fs_read_cifs_symlinks(httpd_suexec_t) + fs_execute_cifs_files(httpd_suexec_t) +') + +optional_policy(`mount.te',` + tunable_policy(`httpd_can_network_connect',` + mount_send_nfs_client_request(httpd_suexec_t) + ') +') + +optional_policy(`nis.te',` + nis_use_ypbind(httpd_suexec_t) +') + +######################################## +# +# Apache system script local policy +# + +apache_content_template(sys) + +######################################## +# +# Apache unconfined script local policy +# + +unconfined_domain_template(httpd_unconfined_script_t) + +optional_policy(`nscd.te',` + nscd_use_socket(httpd_unconfined_script_t) +') diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index 7c6c2b1..ecd5bdf 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -147,6 +147,9 @@ template(`cron_per_userdomain_template',` ') ifdef(`TODO',` + optional_policy(`apache.te', ` + create_dir_file($1_crond_t, httpd_$1_content_t) + ') allow $1_crond_t tmp_t:dir rw_dir_perms; type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t; diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if index c4e02fc..6a4c53d 100644 --- a/refpolicy/policy/modules/services/nis.if +++ b/refpolicy/policy/modules/services/nis.if @@ -2,6 +2,69 @@ ######################################## ## +## Use the ypbind service to access NIS services +## unconditionally. +## +## +##

+## Use the ypbind service to access NIS services +## unconditionally. +##

+##

+## This interface was added because of apache and +## spamassassin, to fix a nested conditionals problem. +## When that support is added, this should be removed, +## and the regular interface should be used. +##

+## +## +## The type of the process performing this action. +## +# +interface(`nis_use_ypbind_uncond',` + gen_require(` + type var_yp_t; + ') + + dontaudit $1 self:capability net_bind_service; + + allow $1 self:tcp_socket create_stream_socket_perms; + allow $1 self:udp_socket create_socket_perms; + + allow $1 var_yp_t:dir r_dir_perms; + allow $1 var_yp_t:lnk_file { getattr read }; + allow $1 var_yp_t:file r_file_perms; + + corenet_tcp_sendrecv_all_if($1) + corenet_udp_sendrecv_all_if($1) + corenet_raw_sendrecv_all_if($1) + corenet_tcp_sendrecv_all_nodes($1) + corenet_udp_sendrecv_all_nodes($1) + corenet_raw_sendrecv_all_nodes($1) + corenet_tcp_sendrecv_all_ports($1) + corenet_udp_sendrecv_all_ports($1) + corenet_tcp_bind_all_nodes($1) + corenet_udp_bind_all_nodes($1) + corenet_tcp_bind_generic_port($1) + corenet_udp_bind_generic_port($1) + corenet_tcp_bind_reserved_port($1) + corenet_udp_bind_reserved_port($1) + corenet_dontaudit_tcp_bind_all_reserved_ports($1) + corenet_dontaudit_udp_bind_all_reserved_ports($1) + corenet_tcp_connect_portmap_port($1) + corenet_tcp_connect_reserved_port($1) + corenet_tcp_connect_generic_port($1) + corenet_dontaudit_tcp_connect_all_reserved_ports($1) + + sysnet_read_config($1) + + optional_policy(`mount.te',` + mount_send_nfs_client_request($1) + ') +') + +######################################## +## ## Use the ypbind service to access NIS services. ## ## diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if index c250727..36665be 100644 --- a/refpolicy/policy/modules/services/samba.if +++ b/refpolicy/policy/modules/services/samba.if @@ -24,25 +24,17 @@ ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## -## -## The type of the user domain. -## -## -## The role associated with the user domain. -## # template(`samba_per_userdomain_template',` - optional_policy(` - gen_require(` - type smbd_t; - ') - - userdom_manage_user_home_subdir_files($1,smbd_t) - userdom_manage_user_home_subdir_symlinks($1,smbd_t) - userdom_manage_user_home_subdir_sockets($1,smbd_t) - userdom_manage_user_home_subdir_pipes($1,smbd_t) - userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file }) + gen_require(` + type smbd_t; ') + + userdom_manage_user_home_subdir_files($1,smbd_t) + userdom_manage_user_home_subdir_symlinks($1,smbd_t) + userdom_manage_user_home_subdir_sockets($1,smbd_t) + userdom_manage_user_home_subdir_pipes($1,smbd_t) +# userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file }) ') ######################################## diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc index e993eb9..329715d 100644 --- a/refpolicy/policy/modules/system/corecommands.fc +++ b/refpolicy/policy/modules/system/corecommands.fc @@ -99,6 +99,10 @@ ifdef(`distro_suse', ` /usr/share/mc/extfs/.* -- context_template(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)? -- context_template(system_u:object_r:bin_t,s0) +ifdef(`distro_suse',` +/usr/share/apache2/[^/]* -- context_template(system_u:object_r:bin_t,s0) +') + # # /var # diff --git a/refpolicy/policy/modules/system/init.fc b/refpolicy/policy/modules/system/init.fc index a89151f..4bade65 100644 --- a/refpolicy/policy/modules/system/init.fc +++ b/refpolicy/policy/modules/system/init.fc @@ -32,6 +32,7 @@ ifdef(`distro_gentoo', ` # # /usr # +/usr/sbin/apachectl -- context_template(system_u:object_r:initrc_exec_t,s0) /usr/sbin/open_init_pty -- context_template(system_u:object_r:initrc_exec_t,s0) # diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 60bf234..b9b6fc6 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -88,8 +88,8 @@ interface(`init_daemon_domain',` # this regex is a hack, since it assumes there is a # _t at the end of the domain type. If there is no _t # at the end of the type, it returns empty! - bool regexp($1, `\(\w+\)_t', `disable_\1_trans') false; - if(! regexp($1, `\(\w+\)_t', `disable_\1_trans') ) { + bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false; + if(! regexp($1, `\(\w+\)_t', `\1_disable_trans') ) { domain_auto_trans(initrc_t,$2,$1) allow initrc_t $1:fd use; allow initrc_t $1:process { noatsecure siginh rlimitinh }; diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 8ccac59..758f23a 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -958,6 +958,36 @@ template(`admin_user_template',` ######################################## ## +## Search user home directories. +## +## +##

+## Search user home directories. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## The type of the process performing this action. +## +# +template(`userdom_search_user_home',` + gen_require(` + class dir { getattr search }; + ') + + files_search_home($2) + allow $2 $1_home_dir_t:dir { getattr search }; +') + +######################################## +## ## Read user home files. ## ## @@ -1921,7 +1951,7 @@ interface(`userdom_create_user_home',` class dir rw_dir_perms; ') - allow $1 etc_t:dir rw_dir_perms; + allow $1 user_home_dir_t:dir rw_dir_perms; ifelse(`$2',`',` type_transition $1 user_home_dir_t:file user_home_t; ',`