diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index d4d3dc6..04f3dc7 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,5 +1,5 @@ -policy_module(corenetwork, 1.13.9) +policy_module(corenetwork, 1.13.10) ######################################## # @@ -138,6 +138,7 @@ network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) +network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0) network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 4f1e6e9..2dd4e3c 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -5166,6 +5166,25 @@ interface(`files_rw_generic_pids',` ######################################## ## +## Do not audit attempts to get the attributes of +## daemon runtime data files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_dontaudit_getattr_all_pids',` + gen_require(` + attribute pidfile; + ') + + dontaudit $1 pidfile:file getattr; +') + +######################################## +## ## Do not audit attempts to write to daemon runtime data files. ## ## diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index c915c73..953c829 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,5 +1,5 @@ -policy_module(files, 1.12.4) +policy_module(files, 1.12.5) ######################################## # diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if index 997b2b0..7bd97c4 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if 
@@ -49,10 +49,11 @@ template(`apache_content_template',` typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; files_type(httpd_$1_ra_content_t) - allow httpd_t httpd_$1_htaccess_t:file read_file_perms; + read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t) domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) + allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; allow httpd_$1_script_t self:fifo_file rw_file_perms; @@ -69,7 +70,7 @@ template(`apache_content_template',` logging_search_logs(httpd_$1_script_t) can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) - allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms; + allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) 
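Review bot: The two httpd_t lines added in this hunk only work as a pair, because `read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)` grants directory search on httpd_$1_content_t alone, and .htaccess files living under rw_content or script_exec directories depend on the separate `allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;` line below it. A comment such as `# .htaccess may live in any content dir; search on the other content types is granted below` would stop a later edit from dropping one of them. The pre-existing httpd_suexec_t rule in the context lists `httpd_$1_content_t` twice, which is harmless but worth deduplicating while here. The enclosing `apache_content_template` starts before and continues after this hunk.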
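Review bot: Changing `search_dir_perms` to `list_dir_perms` on `httpd_$1_script_exec_t` lets every templated CGI script domain enumerate its script directory, and nothing in the hunk records why that widening is needed. A one-line justification next to the rule, e.g. `# scripts list (not just search) their script dir; needed for <denial or use case>`, would document it for the next reviewer. The enclosing template starts and ends outside this hunk.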
@@ -173,50 +174,6 @@ template(`apache_content_template',` miscfiles_read_localization(httpd_$1_script_t) ') - tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` - allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; - allow httpd_$1_script_t self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled(httpd_$1_script_t) - corenet_all_recvfrom_netlabel(httpd_$1_script_t) - corenet_tcp_sendrecv_generic_if(httpd_$1_script_t) - corenet_udp_sendrecv_generic_if(httpd_$1_script_t) - corenet_tcp_sendrecv_generic_node(httpd_$1_script_t) - corenet_udp_sendrecv_generic_node(httpd_$1_script_t) - corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) - corenet_udp_sendrecv_all_ports(httpd_$1_script_t) - - sysnet_read_config(httpd_$1_script_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` - allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; - allow httpd_$1_script_t self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled(httpd_$1_script_t) - corenet_all_recvfrom_netlabel(httpd_$1_script_t) - corenet_tcp_sendrecv_generic_if(httpd_$1_script_t) - corenet_udp_sendrecv_generic_if(httpd_$1_script_t) - corenet_tcp_sendrecv_generic_node(httpd_$1_script_t) - corenet_udp_sendrecv_generic_node(httpd_$1_script_t) - corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) - corenet_udp_sendrecv_all_ports(httpd_$1_script_t) - corenet_tcp_connect_all_ports(httpd_$1_script_t) - corenet_sendrecv_all_client_packets(httpd_$1_script_t) - - sysnet_read_config(httpd_$1_script_t) - ') - - optional_policy(` - mta_send_mail(httpd_$1_script_t) - ') - - optional_policy(` - tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` - mysql_tcp_connect(httpd_$1_script_t) - ') - ') - optional_policy(` tunable_policy(`httpd_enable_cgi && allow_ypbind',` nis_use_ypbind_uncond(httpd_$1_script_t) 
@@ -355,6 +312,24 @@ interface(`apache_domtrans',` domtrans_pattern($1, httpd_exec_t, httpd_t) ') +####################################### +## +## Send a generic signal to apache. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_signal',` + gen_require(` + type httpd_t; + ') + + allow $1 httpd_t:process signal; +') + ######################################## ## ## Send a null signal to apache. @@ -412,6 +387,25 @@ interface(`apache_use_fds',` ######################################## ## ## Do not audit attempts to read and write Apache +## unnamed pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_dontaudit_rw_fifo_file',` + gen_require(` + type httpd_t; + ') + + dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## +## Do not audit attempts to read and write Apache ## unix domain stream sockets. ## ## @@ -474,6 +468,44 @@ interface(`apache_manage_all_content',` ######################################## ## +## Allow domain to set the attributes +## of the APACHE cache directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_setattr_cache_dirs',` + gen_require(` + type httpd_cache_t; + ') + + allow $1 httpd_cache_t:dir setattr; +') + +######################################## +## +## Allow the specified domain to list +## Apache cache. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_list_cache',` + gen_require(` + type httpd_cache_t; + ') + + list_dirs_pattern($1, httpd_cache_t, httpd_cache_t) +') + +######################################## +## ## Allow the specified domain to read ## and write Apache cache files. ## 
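Review bot: The separator line above the new `apache_signal` interface appears to be one `#` shorter than the 40-column `########################################` rule used by the neighbouring interfaces, including the one visible in the next hunk above `apache_dontaudit_rw_fifo_file`. The rest of the file keeps these aligned, so I would pad it to 40. The interface body itself follows the same shape as the adjacent null-signal interface.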
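Review bot: `apache_setattr_cache_dirs` uses a raw `allow $1 httpd_cache_t:dir setattr;` while its sibling `apache_list_cache` in the same hunk and `apache_delete_cache_files` in the next one use the `*_pattern` helpers; for consistency I would write `setattr_dirs_pattern($1, httpd_cache_t, httpd_cache_t)`, the helper this same commit uses for httpd_var_run_t in apache.te. Neither new interface gives the caller a path to the cache directory: if httpd_cache_t lives under /var/cache as the name suggests, callers will also need `files_search_var($1)`, in the way the tmp interfaces later in this diff supply `files_search_tmp($1)`. That is inferred from the type name only, so confirm it against the module's file contexts before adding it.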
@@ -493,6 +525,25 @@ interface(`apache_rw_cache_files',` ######################################## ## +## Allow the specified domain to delete +## Apache cache. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_delete_cache_files',` + gen_require(` + type httpd_cache_t; + ') + + delete_files_pattern($1, httpd_cache_t, httpd_cache_t) +') + +######################################## +## ## Allow the specified domain to read ## apache configuration files. ## @@ -560,7 +611,7 @@ interface(`apache_domtrans_helper',` ## ## Execute the Apache helper program with ## a domain transition, and allow the -## specified role the dmidecode domain. +## specified role the Apache helper domain. ## ## ## @@ -569,7 +620,7 @@ interface(`apache_domtrans_helper',` ## ## ## -## The role to be allowed the dmidecode domain. +## Role allowed access. ## ## ## @@ -1017,6 +1068,45 @@ interface(`apache_search_sys_script_state',` ######################################## ## +## Allow the specified domain to read +## apache tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_read_tmp_files',` + gen_require(` + type httpd_config_t; + ') + + files_search_tmp($1) + read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) +') + +######################################## +## +## Dontaudit attempts to write +## apache tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_dontaudit_write_tmp_files',` + gen_require(` + type httpd_config_t; + ') + + dontaudit $1 httpd_tmp_t:file write_file_perms; +') + +######################################## +## ## Execute CGI in the specified domain. ## ## diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 91d8e08..68c3d73 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -1,5 +1,5 @@ -policy_module(apache, 2.1.1) +policy_module(apache, 2.1.2) # # NOTES: @@ -65,6 +65,20 @@ gen_tunable(httpd_can_network_relay, false) ## ##
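Review bot: Both new tmp interfaces require the wrong type: `apache_read_tmp_files` and `apache_dontaudit_write_tmp_files` declare `type httpd_config_t;` in their `gen_require` blocks, but the rules they emit reference `httpd_tmp_t`, so a caller in another module will fail with an undeclared-type error while pulling in a type it never uses. Change both declarations to `type httpd_tmp_t;`. The second interface's summary, "Dontaudit attempts to write", could also follow the wording the file uses elsewhere, "Do not audit attempts to write".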

+## Allow http daemon to send mail +##

+##
+gen_tunable(httpd_can_sendmail, false) + +## +##

+## Allow Apache to communicate with avahi service via dbus +##

+##
+gen_tunable(httpd_dbus_avahi, false) + +## +##

## Allow httpd cgi support ##

##
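Review bot: The description `## Allow http daemon to send mail` understates what `httpd_can_sendmail` grants: in apache.te this same commit pairs `mta_send_mail(httpd_t)` with `corenet_tcp_connect_smtp_port(httpd_t)` and `corenet_sendrecv_smtp_client_packets(httpd_t)`, so enabling it also opens a direct TCP path to SMTP ports that does not depend on httpd_can_network_connect. I would phrase it `## Allow httpd to send mail, including direct TCP connections to SMTP ports` and use the same "httpd" subject the other tunables use instead of alternating between "http daemon" and "Apache". The XML tags of this hunk appear to have been stripped in this rendering, so the exact surrounding lines may differ from what is shown.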
@@ -108,6 +122,27 @@ gen_tunable(httpd_tty_comm, false) ##
gen_tunable(httpd_unified, false) +## +##

+## Allow httpd to access cifs file systems +##

+##
+gen_tunable(httpd_use_cifs, false) + +## +##

+## Allow httpd to run gpg +##

+##
+gen_tunable(httpd_use_gpg, false) + +## +##

+## Allow httpd to access nfs file systems +##

+##
+gen_tunable(httpd_use_nfs, false) + attribute httpdcontent; attribute httpd_user_content_type; @@ -232,7 +267,7 @@ optional_policy(` # Apache server local policy # -allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config }; +allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; @@ -274,6 +309,7 @@ logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. @@ -289,9 +325,12 @@ allow httpd_t httpd_sys_content_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) +allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; + manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir }) +manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) +files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file }) manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) 
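Review bot: The descriptions of the new `httpd_use_nfs` and `httpd_use_cifs` tunables say "access" those file systems, but the only rules this diff attaches to them, `fs_nfs_domtrans(httpd_t, httpd_sys_script_t)` and `fs_cifs_domtrans(httpd_t, httpd_sys_script_t)` in apache.te, let httpd execute CGI scripts stored there and transition them into httpd_sys_script_t, which is a far more consequential setting than read access and one that only takes effect together with httpd_enable_cgi. Something like `## Allow httpd to run CGI scripts stored on NFS file systems (requires httpd_enable_cgi)`, and the equivalent for CIFS, tells the administrator what they are switching on. If rules outside this diff also hang off these tunables, widen the wording to cover them as well.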
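Review bot: `sys_nice` is added to httpd_t's capability set with no comment on why the daemon needs to alter scheduling, and the only related addition in this diff, `allow httpd_sys_script_t self:process getsched;` further down, does not require it. A short note above the rule, `# sys_nice: <reason or denial that motivated it>`, would record the justification the way the rotatelogs comment in the context does for signals. While here, the context line below both allows and dontaudits `sys_tty_config`; the dontaudit entry is dead once the permission is allowed and could be cleaned up in a follow-up.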
@@ -303,9 +342,11 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_fil manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) +setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) +manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file }) +files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir }) manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -346,6 +387,7 @@ corecmd_exec_shell(httpd_t) domain_use_interactive_fds(httpd_t) +files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -374,8 +416,6 @@ seutil_dontaudit_search_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) -mta_send_mail(httpd_t) - tunable_policy(`allow_httpd_anon_write',` miscfiles_manage_public_files(httpd_t) ') @@ -399,12 +439,21 @@ tunable_policy(`httpd_can_network_relay',` corenet_tcp_connect_ftp_port(httpd_t) corenet_tcp_connect_http_port(httpd_t) corenet_tcp_connect_http_cache_port(httpd_t) + corenet_tcp_connect_memcache_port(httpd_t) corenet_sendrecv_gopher_client_packets(httpd_t) corenet_sendrecv_ftp_client_packets(httpd_t) corenet_sendrecv_http_client_packets(httpd_t) corenet_sendrecv_http_cache_client_packets(httpd_t) ') +tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` + fs_nfs_domtrans(httpd_t, httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` + fs_cifs_domtrans(httpd_t, httpd_sys_script_t) +') + tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) 
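Review bot: `setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)` is redundant beside the new `manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)`, since manage_dir_perms already contains setattr; dropping the first line leaves the policy unchanged. The extended `files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })` is what makes subdirectories httpd creates under the pid directory come out labelled httpd_var_run_t, which the manage rule then needs, so a one-line comment such as `# httpd creates its own subdirectory under the pid dir` would explain why the two changes go together.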
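Review bot: The new `fs_nfs_domtrans` and `fs_cifs_domtrans` tunables make any executable on an NFS or CIFS mount a valid CGI entrypoint for httpd_sys_script_t, because those interfaces key on the filesystem type rather than on an httpd-labelled script type (as far as the interface names indicate); that is presumably the intent but it is stated nowhere. A comment above the two blocks, `# with these tunables CGI may live on NFS/CIFS mounts; any executable there becomes a potential entrypoint`, would make the trade-off visible to whoever turns them on. The `corenet_tcp_connect_memcache_port(httpd_t)` addition to the relay block is consistent with the surrounding port list.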
@@ -431,6 +480,13 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_symlinks(httpd_t) ') +tunable_policy(`httpd_can_sendmail',` + # allow httpd to connect to mail servers + corenet_tcp_connect_smtp_port(httpd_t) + corenet_sendrecv_smtp_client_packets(httpd_t) + mta_send_mail(httpd_t) +') + tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; @@ -453,6 +509,10 @@ optional_policy(` ') optional_policy(` + ccs_read_config(httpd_t) +') + +optional_policy(` cobbler_search_lib(httpd_t) ') @@ -461,9 +521,27 @@ optional_policy(` ') optional_policy(` + cvs_read_data(httpd_t) +') + +optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') + optional_policy(` + dbus_system_bus_client(httpd_t) + + tunable_policy(`httpd_dbus_avahi',` + avahi_dbus_chat(httpd_t) + ') +') + +optional_policy(` + tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` + gpg_domtrans(httpd_t) + ') +') + optional_policy(` kerberos_keytab_template(httpd, httpd_t) ') @@ -471,6 +549,7 @@ optional_policy(` optional_policy(` mailman_signal_cgi(httpd_t) mailman_domtrans_cgi(httpd_t) + mailman_read_data_files(httpd_t) # should have separate types for public and private archives mailman_search_data(httpd_t) mailman_read_archive(httpd_t) @@ -488,7 +567,6 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) - nagios_domtrans_cgi(httpd_t) ') optional_policy(` 
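Review bot: `dbus_system_bus_client(httpd_t)` sits outside the `httpd_dbus_avahi` tunable, so httpd becomes a system-bus client whenever the dbus module is present, while the tunable's description promises only avahi communication; unless another consumer of the bus is expected, move that line inside the `tunable_policy` block so the whole capability is opt-in. The `optional_policy(` line opening that block also appears to carry leading whitespace, unlike every other top-level block in the file. The gpg block's gating on `httpd_enable_cgi && httpd_use_gpg` is reasonable, but a comment saying why CGI is a prerequisite would help.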
@@ -569,16 +647,31 @@ files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir }) fs_search_auto_mountpoints(httpd_php_t) +auth_use_nsswitch(httpd_php_t) + libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) -optional_policy(` - mysql_stream_connect(httpd_php_t) +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mysqld_port(httpd_t) + corenet_sendrecv_mysqld_client_packets(httpd_t) + corenet_tcp_connect_mysqld_port(httpd_sys_script_t) + corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) + corenet_tcp_connect_mysqld_port(httpd_suexec_t) + corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) + + corenet_tcp_connect_mssql_port(httpd_t) + corenet_sendrecv_mssql_client_packets(httpd_t) + corenet_tcp_connect_mssql_port(httpd_sys_script_t) + corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) + corenet_tcp_connect_mssql_port(httpd_suexec_t) + corenet_sendrecv_mssql_client_packets(httpd_suexec_t) ') optional_policy(` - nis_use_ypbind(httpd_php_t) + mysql_stream_connect(httpd_php_t) + mysql_read_config(httpd_php_t) ') optional_policy(` @@ -600,7 +693,7 @@ create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) -allow httpd_suexec_t httpd_t:fifo_file getattr; +allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms; manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) @@ -629,6 +722,7 @@ logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) +miscfiles_read_public_files(httpd_suexec_t) tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; 
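Review bot: The new `httpd_can_network_connect_db` block is a regression for CGI scripts: the template block this commit removes from apache.if (`httpd_enable_cgi && httpd_can_network_connect_db`) also granted `allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;`, the generic if/node sendrecv rules and `sysnet_read_config`, whereas here httpd_sys_script_t only receives port-connect and client-packet rules, so with this tunable alone a script cannot even create the socket. The block also sits in the php section yet grants nothing to httpd_php_t, and it is no longer conditioned on httpd_enable_cgi. I would keep the httpd_t and httpd_suexec_t rules here and move the script rules, with their socket and sendrecv prerequisites restored, into the system-script section as sketched below. The adjacent optional_policy change (mysql_stream_connect plus mysql_read_config for httpd_php_t, with nis_use_ypbind replaced by the new auth_use_nsswitch call) looks right.
```selinux
tunable_policy(`httpd_can_network_connect_db',`
	corenet_tcp_connect_mysqld_port(httpd_t)
	corenet_sendrecv_mysqld_client_packets(httpd_t)
	corenet_tcp_connect_mssql_port(httpd_t)
	corenet_sendrecv_mssql_client_packets(httpd_t)
	# … unchanged: httpd_suexec_t mysqld/mssql connect and client-packet rules …
')

# moved to the "Apache system script local policy" section:
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
	allow httpd_sys_script_t self:udp_socket create_socket_perms;

	corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
	corenet_all_recvfrom_netlabel(httpd_sys_script_t)
	corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
	corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
	corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
	corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
	corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
	corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)

	sysnet_read_config(httpd_sys_script_t)
')
```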
@@ -647,11 +741,9 @@ tunable_policy(`httpd_can_network_connect',` ') tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_sys_script_t httpdcontent:file entrypoint; domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) -') -tunable_policy(`httpd_enable_homedirs',` - userdom_read_user_home_content_files(httpd_suexec_t) ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` @@ -677,15 +769,14 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') -optional_policy(` - nagios_domtrans_cgi(httpd_suexec_t) -') - ######################################## # # Apache system script local policy # +allow httpd_sys_script_t self:process getsched; + +allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; allow httpd_sys_script_t httpd_t:tcp_socket { read write }; dontaudit httpd_sys_script_t httpd_config_t:dir search; 
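Review bot: `allow httpd_sys_script_t httpdcontent:file entrypoint;` duplicates what `domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)` on the very next line already grants, since the domtrans pattern includes the entrypoint rule for the target domain; unless it covers a path where that pattern is not expanded, drop it or add a comment saying what it adds. The hunk also deletes the `httpd_enable_homedirs` block that gave httpd_suexec_t `userdom_read_user_home_content_files`; if nothing elsewhere in apache.te restores that, suexec loses the ability to read home-directory CGI content when home dirs are enabled, and the commit message should say whether that is intended.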
@@ -708,6 +799,28 @@ ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') +tunable_policy(`httpd_can_sendmail',` + mta_send_mail(httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` + allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_sys_script_t self:udp_socket create_socket_perms; + + corenet_tcp_bind_all_nodes(httpd_sys_script_t) + corenet_udp_bind_all_nodes(httpd_sys_script_t) + corenet_all_recvfrom_unlabeled(httpd_sys_script_t) + corenet_all_recvfrom_netlabel(httpd_sys_script_t) + corenet_tcp_sendrecv_all_if(httpd_sys_script_t) + corenet_udp_sendrecv_all_if(httpd_sys_script_t) + corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t) + corenet_udp_sendrecv_all_nodes(httpd_sys_script_t) + corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) + corenet_udp_sendrecv_all_ports(httpd_sys_script_t) + corenet_tcp_connect_all_ports(httpd_sys_script_t) + corenet_sendrecv_all_client_packets(httpd_sys_script_t) +') + tunable_policy(`httpd_enable_homedirs',` userdom_read_user_home_content_files(httpd_sys_script_t) ') @@ -740,6 +853,8 @@ optional_policy(` # httpd_rotatelogs local policy # +allow httpd_rotatelogs_t self:capability dac_override; + manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) 
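Review bot: The network block moved here from apache.if now applies only to httpd_sys_script_t, so every other script domain produced by `apache_content_template` (any per-user ones, for example) silently loses network access under `httpd_can_network_connect`, and likewise loses `mta_send_mail` because the template's optional block was removed as well; if that narrowing is intended the commit message should state it, otherwise the rules belong back in the template. The moved block is also wider than the original: `corenet_tcp_bind_all_nodes`/`corenet_udp_bind_all_nodes` are new, and the `*_all_if`/`*_all_nodes` variants replace the generic if/node rules, a widening that a comment like `# bind and all_if/all_nodes needed for <denial or use case>` should justify. The new `httpd_can_sendmail` block above it is fine, but note that for scripts it grants only `mta_send_mail`, not the direct SMTP connects the httpd_t variant gets.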
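Review bot: `allow httpd_rotatelogs_t self:capability dac_override;` is added without a comment, and dac_override lets the rotatelogs helper bypass permission bits on everything its type can reach, not just the log files it manages. A note such as `# dac_override: <file or directory that triggered the denial>` would let a later reviewer judge whether fixing ownership or mode on that path removes the need for the capability. If the denial was on the log directory, that is usually the better fix.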
@@ -754,6 +869,23 @@ miscfiles_read_localization(httpd_rotatelogs_t) ######################################## # +# Unconfined script local policy +# + +optional_policy(` + type httpd_unconfined_script_t; + type httpd_unconfined_script_exec_t; + domain_type(httpd_unconfined_script_t) + domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t) + domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) + unconfined_domain(httpd_unconfined_script_t) + + role system_r types httpd_unconfined_script_t; + allow httpd_t httpd_unconfined_script_t:process signal_perms; +') + +######################################## +# # User content local policy #
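Review bot: The unconfined script domain is wired in with a bare `domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)` plus `unconfined_domain(httpd_unconfined_script_t)`, with no tunable and no comment, so any file an administrator labels httpd_unconfined_script_exec_t becomes an httpd-reachable path out of confinement whenever the unconfined module is loaded. That is a deliberate escape hatch and the policy should say so; I would add above the block: `# httpd_unconfined_script_t is unconfined: CGI labelled httpd_unconfined_script_exec_t runs with no MAC restriction. Label such scripts deliberately and sparingly.` Consider also whether the transition should be conditioned on httpd_enable_cgi like the other script domains in this file, and whether the new types need file-context and interface entries that are not part of this diff.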