diff --git a/Changelog b/Changelog index 2c8b537..f1d19ab 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,4 @@ +- Add infrastructure for managing all user web content. - Deprecate some old file and dir permission set macros in favor of the newer, more consistently-named macros. - Patch to clean up unescaped periods in several file context entries from diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if index 2c8a6b7..5bc5074 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if @@ -265,12 +265,19 @@ template(`apache_content_template',` template(`apache_per_role_template', ` gen_require(` attribute httpdcontent, httpd_script_domains; - attribute httpd_exec_scripts; + attribute httpd_exec_scripts, httpd_user_content_type; + attribute httpd_user_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; ') apache_content_template($1) + typeattribute httpd_$1_content_t httpd_user_content_type; + typeattribute httpd_$1_script_ra_t httpd_user_content_type; + typeattribute httpd_$1_script_rw_t httpd_user_content_type; + typeattribute httpd_$1_script_ro_t httpd_user_content_type; + typeattribute httpd_$1_script_exec_t httpd_user_script_exec_type; + typeattribute httpd_$1_script_t httpd_script_domains; userdom_user_home_content($1,httpd_$1_content_t) @@ -1005,6 +1012,31 @@ interface(`apache_search_sys_scripts',` ######################################## ## +## Create, read, write, and delete all user web content. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`apache_manage_all_user_content',` + gen_require(` + attribute httpd_user_content_type, httpd_user_script_exec_type; + ') + + manage_dirs_pattern($1,httpd_user_content_type,httpd_user_content_type) + manage_files_pattern($1,httpd_user_content_type,httpd_user_content_type) + manage_lnk_files_pattern($1,httpd_user_content_type,httpd_user_content_type) + + manage_dirs_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type) + manage_files_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type) + manage_lnk_files_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type) +') + +######################################## +## ## Search system script state directory. ## ## diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index e2fecdc..a3bae43 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -1,5 +1,5 @@ -policy_module(apache,1.8.1) +policy_module(apache,1.8.2) # # NOTES: @@ -107,11 +107,13 @@ gen_tunable(httpd_tty_comm,false) gen_tunable(httpd_unified,false) attribute httpdcontent; +attribute httpd_user_content_type; # domains that can exec all users scripts attribute httpd_exec_scripts; attribute httpd_script_exec_type; +attribute httpd_user_script_exec_type; # user script domains attribute httpd_script_domains;