* [refpolicy] [PATCH 0/3] Gentoo patch upstreaming
@ 2014-03-30 14:09 Sven Vermeulen
  2014-03-30 14:09 ` [refpolicy] [PATCH 1/3] Introduce alsa domains Sven Vermeulen
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Sven Vermeulen @ 2014-03-30 14:09 UTC (permalink / raw)
  To: refpolicy

A few patches from Gentoo's policy tree ready to be upstreamed.

Sven Vermeulen (3):
  Introduce alsa domains
  Support read/append/manage functions for various httpd content
  dnsmasq reads MTU sysctl

 alsa.if       |  25 ++++++++++++
 alsa.te       |  17 +++++++++
 apache.if     | 120 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 apache.te     |   3 ++
 dnsmasq.te    |   1 +
 mozilla.te    |   3 +-
 mplayer.te    |   2 +-
 pulseaudio.te |   2 +-
 8 files changed, 167 insertions(+), 6 deletions(-)

-- 
1.8.3.2


* [refpolicy] [PATCH 1/3] Introduce alsa domains
  2014-03-30 14:09 [refpolicy] [PATCH 0/3] Gentoo patch upstreaming Sven Vermeulen
@ 2014-03-30 14:09 ` Sven Vermeulen
  2014-04-04 20:22   ` Christopher J. PeBenito
  2014-03-30 14:09 ` [refpolicy] [PATCH 2/3] Support read/append/manage functions for various httpd content Sven Vermeulen
  2014-03-30 14:09 ` [refpolicy] [PATCH 3/3] dnsmasq reads MTU sysctl Sven Vermeulen
  2 siblings, 1 reply; 8+ messages in thread
From: Sven Vermeulen @ 2014-03-30 14:09 UTC (permalink / raw)
  To: refpolicy

Some plugins in the ALSA ecosystem (including the default dmix/pcm
plugins) use SysV IPC resources to collaborate access to the sound
subsystem between ALSA-enabled applications.

These applications thus require access to the ALSA semaphore created by
the first application that uses access to the sound subsystem as well as
the shared memory. If they don't, then sound is not available for the
subsequent applications, like with mplayer:

alsa-lib: pcm_dmix.c:989:(snd_pcm_dmix_open) unable to create IPC
semaphore

As this means that all ALSA enabled domains need access to the
semaphores of all other ALSA enabled domains, starting to sum up all
these domains is not manageable. As a result, an attribute called
"alsadomain" is created which is assigned to all domains that use ALSA.
Then, we grant the following:

  allow alsadomain alsadomain:sem create_sem_perms;
  allow alsadomain alsadomain:shm rw_shm_perms;

The second 'failure' one would get is access to the Linux shared memory.
This is not all covered only by the shm class, but also through tmpfs,
as can be seen in the following denial:

  type=AVC msg=audit(1396182569.016:1763): avc:  denied  { write } for
  pid=1047 comm="mplayer"
  path=2F535953563030353661346435202864656C6574656429 dev="tmpfs"
  ino=1867789 scontext=staff_u:staff_r:mplayer_t
  tcontext=staff_u:object_r:mozilla_plugin_tmpfs_t tclass=file

In the above denial, we notice that mplayer failed to write to shared
memory created by the mozilla_plugin_t domain (and thus labeled as
mozilla_plugin_tmpfs_t). This is shared memory, as can be decomposed
from the path:

  python -c 'import base64;
  print(base64.b16decode("2F535953563030353661346435202864656C6574656429"));'

  b'/SYSV0056a4d5 (deleted)'

That means we also need to grant ALSA domains read/write access to the
tmpfs types of the ALSA domains. For this, we create an attribute called
"alsatmpfsfile" which is assigned to the tmpfs_t types of those ALSA
domains, with:

  allow alsadomain alsatmpfsfile:file rw_file_perms;

With this in place, we now create an interface called "alsa_domain" that
assigns the attributes to the ALSA enabled applications, such as this:

alsa_domain(mplayer_t, mplayer_tmpfs_t)

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 alsa.if       | 25 +++++++++++++++++++++++++
 alsa.te       | 17 +++++++++++++++++
 mozilla.te    |  3 +--
 mplayer.te    |  2 +-
 pulseaudio.te |  2 +-
 5 files changed, 45 insertions(+), 4 deletions(-)

diff --git a/alsa.if b/alsa.if
index ca8d8cf..ef7eb3d 100644
--- a/alsa.if
+++ b/alsa.if
@@ -2,6 +2,31 @@
 
 ########################################
 ## <summary>
+##	Mark the selected domain as an ALSA-capable domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain that links with ALSA
+##	</summary>
+## </param>
+## <param name="tmpfstype">
+##	<summary>
+##	Tmpfs type used for shared memory of the given domain
+##	</summary>
+## </param>
+#
+interface(`alsa_domain',`
+	gen_require(`
+		attribute alsadomain;
+		attribute alsatmpfsfile;
+	')
+
+	typeattribute $1 alsadomain;
+	typeattribute $2 alsatmpfsfile;
+')
+
+########################################
+## <summary>
 ##	Role access for alsa.
 ## </summary>
 ## <param name="role">
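Review bot: the tmpfstype parameter documentation understates what membership means. Because alsa.te grants `allow alsadomain alsatmpfsfile:file rw_file_perms;`, every type passed as $2 becomes readable and writable by every other ALSA domain, not only the caller, and it covers all of that domain's tmpfs-backed files, not just the SysV segment. Suggest the summary say so explicitly (for example "Tmpfs type of the domain; all ALSA domains get read/write access to files of this type") so that callers such as mozilla.te understand the exposure before using the interface.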
diff --git a/alsa.te b/alsa.te
index 814b426..4fd8018 100644
--- a/alsa.te
+++ b/alsa.te
@@ -5,12 +5,16 @@ policy_module(alsa, 1.13.0)
 # Declarations
 #
 
+attribute alsadomain;
+attribute alsatmpfsfile;
+
 attribute_role alsa_roles;
 
 type alsa_t;
 type alsa_exec_t;
 init_system_domain(alsa_t, alsa_exec_t)
 role alsa_roles types alsa_t;
+typeattribute alsa_t alsadomain;
 
 type alsa_etc_rw_t;
 files_config_file(alsa_etc_rw_t)
@@ -20,6 +24,7 @@ files_tmp_file(alsa_tmp_t)
 
 type alsa_tmpfs_t;
 files_tmpfs_file(alsa_tmpfs_t)
+typeattribute alsa_tmpfs_t alsatmpfsfile;
 
 type alsa_var_lib_t;
 files_type(alsa_var_lib_t)
@@ -29,6 +34,18 @@ userdom_user_home_content(alsa_home_t)
 
 ########################################
 #
+# alsadomain policy
+#
+
+allow alsadomain alsadomain:sem create_sem_perms;
+allow alsadomain alsadomain:shm rw_shm_perms;
+allow alsadomain alsatmpfsfile:file rw_file_perms;
+
+alsa_read_rw_config(alsadomain)
+alsa_read_home_files(alsadomain)
+
+########################################
+#
 # Local policy
 #
 
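Review bot: these three allow rules are the substance of the change and they carry no comment explaining why unrelated applications (a browser plugin, a media player, a sound server) need read/write access to each other's semaphores, shm segments and tmpfs files. The dmix/SysV IPC rationale from the commit message belongs here as a comment, since alsa.te is what a later policy writer will read when wondering why mozilla_plugin_t may write mplayer_tmpfs_t files. Note also that alsa_read_home_files(alsadomain) applies to every member of the attribute, which widens domains that previously only called alsa_read_rw_config (see the mplayer.te and pulseaudio.te hunks).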
diff --git a/mozilla.te b/mozilla.te
index 11ac8e4..63f0875 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -518,8 +518,7 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
-	alsa_read_rw_config(mozilla_plugin_t)
-	alsa_read_home_files(mozilla_plugin_t)
+	alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t)
 ')
 
 optional_policy(`
diff --git a/mplayer.te b/mplayer.te
index 0f03cd9..6300573 100644
--- a/mplayer.te
+++ b/mplayer.te
@@ -250,7 +250,7 @@ tunable_policy(`allow_mplayer_execstack',`
 ')
 
 optional_policy(`
-	alsa_read_rw_config(mplayer_t)
+	alsa_domain(mplayer_t, mplayer_tmpfs_t)
 ')
 
 optional_policy(`
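Review bot: replacing alsa_read_rw_config(mplayer_t) with alsa_domain(mplayer_t, mplayer_tmpfs_t) also grants alsa_read_home_files(mplayer_t) through the attribute rules in alsa.te, an access mplayer_t did not have before; the same happens to pulseaudio_t in the next hunk, whereas mozilla_plugin_t already had both calls. The commit message does not mention this; either state the widening there or keep alsa_read_home_files as a per-domain call outside the attribute.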
diff --git a/pulseaudio.te b/pulseaudio.te
index 4665af2..5a8f356 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -144,7 +144,7 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
-	alsa_read_rw_config(pulseaudio_t)
+	alsa_domain(pulseaudio_t, pulseaudio_tmpfs_t)
 ')
 
 optional_policy(`
-- 
1.8.3.2


* [refpolicy] [PATCH 2/3] Support read/append/manage functions for various httpd content
  2014-03-30 14:09 [refpolicy] [PATCH 0/3] Gentoo patch upstreaming Sven Vermeulen
  2014-03-30 14:09 ` [refpolicy] [PATCH 1/3] Introduce alsa domains Sven Vermeulen
@ 2014-03-30 14:09 ` Sven Vermeulen
  2014-04-04 20:26   ` Christopher J. PeBenito
  2014-03-30 14:09 ` [refpolicy] [PATCH 3/3] dnsmasq reads MTU sysctl Sven Vermeulen
  2 siblings, 1 reply; 8+ messages in thread
From: Sven Vermeulen @ 2014-03-30 14:09 UTC (permalink / raw)
  To: refpolicy

We make the web content types as defined by the apache module more
generic in use so that other domains, which need to interact with these
types, can do so without getting too many privileges assigned (like with
apache_manage_all_content).

Within the apache module, the apache_content_template() allows creation
of additional derived types for "apache web content". But this is
actually being used to label generic web content, and it creates
additional types based on the prefix.

When we want to support additional web servers (or parsers used by web
servers, such as php-fpm) that do not run within the apache-provided
domains, they have a hard time accessing the data. There is currently
one interface available (apache_manage_all_content) but that is a lot of
privileges for a parser that possibly just needs to read content.

In this patch, we create additional attributes (httpd_ra_content for
read/append data, and httpd_rw_content for read/write content) and
define interfaces to manage the types that have these attributes
assigned.

This is the result of the discussion of June 2012, which was version 3
of the patchset (I never came to finish up the commit), see also
http://oss.tresys.com/pipermail/refpolicy/2012-June/005175.html

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 apache.if | 120 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 apache.te |   3 ++
 2 files changed, 121 insertions(+), 2 deletions(-)

diff --git a/apache.if b/apache.if
index f6eb485..717c6f7 100644
--- a/apache.if
+++ b/apache.if
@@ -15,6 +15,7 @@ template(`apache_content_template',`
 	gen_require(`
 		attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
 		attribute httpd_script_domains, httpd_htaccess_type;
+		attribute httpd_rw_content, httpd_ra_content;
 		type httpd_t, httpd_suexec_t;
 	')
 
@@ -48,11 +49,11 @@ template(`apache_content_template',`
 	corecmd_shell_entry_type(httpd_$1_script_t)
 	domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
 
-	type httpd_$1_rw_content_t, httpdcontent; # customizable
+	type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable
 	typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
 	files_type(httpd_$1_rw_content_t)
 
-	type httpd_$1_ra_content_t, httpdcontent; # customizable
+	type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable
 	typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
 	files_type(httpd_$1_ra_content_t)
 
@@ -391,6 +392,121 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
 
 ########################################
 ## <summary>
+##	Read all appendable content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_read_all_ra_content',`
+	gen_require(`
+		attribute httpd_ra_content;
+	')
+
+	read_files_pattern($1, httpd_ra_content, httpd_ra_content)
+	read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
+')
+
+########################################
+## <summary>
+##	Append to all appendable web content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_append_all_ra_content',`
+	gen_require(`
+		attribute httpd_ra_content;
+	')
+
+	append_files_pattern($1, httpd_ra_content, httpd_ra_content)
+')
+
+########################################
+## <summary>
+##	Read all read/write content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_read_all_rw_content',`
+	gen_require(`
+		attribute httpd_rw_content;
+	')
+
+	read_files_pattern($1, httpd_rw_content, httpd_rw_content)
+	read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
+')
+
+########################################
+## <summary>
+##	Manage all read/write content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_manage_all_rw_content',`
+	gen_require(`
+		attribute httpd_rw_content;
+	')
+
+	manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
+	manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
+	manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
+')
+########################################
+## <summary>
+##	Read all web content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_read_all_content',`
+	gen_require(`
+		attribute httpdcontent, httpd_script_exec_type;
+	')
+
+	read_files_pattern($1, httpdcontent, httpdcontent)
+	read_lnk_files_pattern($1, httpdcontent, httpdcontent)
+
+	read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+	read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+')
+
+#######################################
+## <summary>
+##	Search all apache content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_search_all_content',`
+	gen_require(`
+		attribute httpdcontent;
+	')
+
+	allow $1 httpdcontent:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	all httpd content.
 ## </summary>
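Review bot: a few consistency points in this hunk. There is no blank line between the closing `')` of apache_manage_all_rw_content and the `####` separator that follows, and the separator above apache_search_all_content is one `#` short of the 40 used everywhere else in the file. The summaries should also be uniform: "Read all appendable content" and "Read all read/write content" drop the word "web" that the append interface and the rest of apache.if use. Finally, apache_read_all_content reads httpd_script_exec_type files as well as httpdcontent, i.e. script sources, so its summary "Read all web content." should say that scripts are included; and since the ra/rw read interfaces only grant search on the ra/rw dirs themselves, callers whose content lives below an httpd_sys_content_t directory will also need apache_search_all_content, which is worth a sentence in the interface descriptions.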
diff --git a/apache.te b/apache.te
index a9322c3..3645d88 100644
--- a/apache.te
+++ b/apache.te
@@ -257,6 +257,9 @@ attribute httpd_htaccess_type;
 # domains that can exec all scripts
 attribute httpd_exec_scripts;
 
+attribute httpd_ra_content;
+attribute httpd_rw_content;
+
 attribute httpd_script_exec_type;
 
 # all script domains
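Review bot: the two new attributes are declared without the one-line comment that the neighbouring attributes carry ("# domains that can exec all scripts", "# all script domains"). Suggest "# web content that may be appended to" above httpd_ra_content and "# web content that may be read and written" above httpd_rw_content, so that the attributes' intended granularity is visible at the declaration rather than only in the interface docs.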
-- 
1.8.3.2


* [refpolicy] [PATCH 3/3] dnsmasq reads MTU sysctl
  2014-03-30 14:09 [refpolicy] [PATCH 0/3] Gentoo patch upstreaming Sven Vermeulen
  2014-03-30 14:09 ` [refpolicy] [PATCH 1/3] Introduce alsa domains Sven Vermeulen
  2014-03-30 14:09 ` [refpolicy] [PATCH 2/3] Support read/append/manage functions for various httpd content Sven Vermeulen
@ 2014-03-30 14:09 ` Sven Vermeulen
  2014-04-04 20:19   ` Christopher J. PeBenito
  2 siblings, 1 reply; 8+ messages in thread
From: Sven Vermeulen @ 2014-03-30 14:09 UTC (permalink / raw)
  To: refpolicy

The dnsmasq application reads the /proc/sys/net/ipv6/conf/*/mtu
values.

This is confirmed through looking at the source code of dnsmasq, in
src/radv.c.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 dnsmasq.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dnsmasq.te b/dnsmasq.te
index ede2f1e..08ea853 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -52,6 +52,7 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
 files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
 
 kernel_read_kernel_sysctls(dnsmasq_t)
+kernel_read_net_sysctls(dnsmasq_t)
 kernel_read_network_state(dnsmasq_t)
 kernel_read_system_state(dnsmasq_t)
 kernel_request_load_module(dnsmasq_t)
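Review bot: kernel_read_net_sysctls() grants read access to sysctl_net_t, which covers all of /proc/sys/net rather than only the per-interface IPv6 mtu entries the message cites; refpolicy has no finer-grained type for that subtree, so this is the right interface, but the commit message could say that the grant is wider than the observed read. Placement between kernel_read_kernel_sysctls and kernel_read_network_state keeps the kernel_* block in alphabetical order, which is correct.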
-- 
1.8.3.2


* [refpolicy] [PATCH 3/3] dnsmasq reads MTU sysctl
  2014-03-30 14:09 ` [refpolicy] [PATCH 3/3] dnsmasq reads MTU sysctl Sven Vermeulen
@ 2014-04-04 20:19   ` Christopher J. PeBenito
  0 siblings, 0 replies; 8+ messages in thread
From: Christopher J. PeBenito @ 2014-04-04 20:19 UTC (permalink / raw)
  To: refpolicy

On 03/30/2014 10:09 AM, Sven Vermeulen wrote:
> The dnsmasq application reads the /proc/sys/net/ipv6/conf/*/mtu
> values.
> 
> This is confirmed through looking at the source code of dnsmasq, in
> src/radv.c.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  dnsmasq.te | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/dnsmasq.te b/dnsmasq.te
> index ede2f1e..08ea853 100644
> --- a/dnsmasq.te
> +++ b/dnsmasq.te
> @@ -52,6 +52,7 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
>  files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
>  
>  kernel_read_kernel_sysctls(dnsmasq_t)
> +kernel_read_net_sysctls(dnsmasq_t)
>  kernel_read_network_state(dnsmasq_t)
>  kernel_read_system_state(dnsmasq_t)
>  kernel_request_load_module(dnsmasq_t)
 
Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 1/3] Introduce alsa domains
  2014-03-30 14:09 ` [refpolicy] [PATCH 1/3] Introduce alsa domains Sven Vermeulen
@ 2014-04-04 20:22   ` Christopher J. PeBenito
  2014-04-06  9:45     ` Sven Vermeulen
  0 siblings, 1 reply; 8+ messages in thread
From: Christopher J. PeBenito @ 2014-04-04 20:22 UTC (permalink / raw)
  To: refpolicy

On 03/30/2014 10:09 AM, Sven Vermeulen wrote:
> Some plugins in the ALSA ecosystem (including the default dmix/pcm
> plugins) use SysV IPC resources to collaborate access to the sound
> subsystem between ALSA-enabled applications.
> 
> These applications thus require access to the ALSA semaphore created by
> the first application that uses access to the sound subsystem as well as
> the shared memory. If they don't, then sound is not available for the
> subsequent applications, like with mplayer:
> 
> alsa-lib: pcm_dmix.c:989:(snd_pcm_dmix_open) unable to create IPC
> semaphore
> 
> As this means that all ALSA enabled domains need access to the
> semaphores of all other ALSA enabled domains, starting to sum up all
> these domains is not manageable. As a result, an attribute called
> "alsadomain" is created which is assigned to all domains that use ALSA.
> Then, we grant the following:
> 
>   allow alsadomain alsadomain:sem create_sem_perms;
>   allow alsadomain alsadomain:shm rw_shm_perms;
> 
> The second 'failure' one would get is access to the Linux shared memory.
> This is not all covered only by the shm class, but also through tmpfs,
> as can be seen in the following denial:
> 
>   type=AVC msg=audit(1396182569.016:1763): avc:  denied  { write } for
>   pid=1047 comm="mplayer"
>   path=2F535953563030353661346435202864656C6574656429 dev="tmpfs"
>   ino=1867789 scontext=staff_u:staff_r:mplayer_t
>   tcontext=staff_u:object_r:mozilla_plugin_tmpfs_t tclass=file
> 
> In the above denial, we notice that mplayer failed to write to shared
> memory created by the mozilla_plugin_t domain (and thus labeled as
> mozilla_plugin_tmpfs_t). This is shared memory, as can be decomposed
> from the path:
> 
>   python -c 'import base64;
>   print(base64.b16decode("2F535953563030353661346435202864656C6574656429"));'
> 
>   b'/SYSV0056a4d5 (deleted)'
> 
> That means we also need to grant ALSA domains read/write access to the
> tmpfs types of the ALSA domains. For this, we create an attribute called
> "alsatmpfsfile" which is assigned to the tmpfs_t types of those ALSA
> domains, with:
> 
>   allow alsadomain alsatmpfsfile:file rw_file_perms;
> 
> With this in place, we now create an interface called "alsa_domain" that
> assigns the attributes to the ALSA enabled applications, such as this:
> 
> alsa_domain(mplayer_t, mplayer_tmpfs_t)

This is a frightening access.  Are you sure there isn't some tool we can (ab)use to run on boot so that the correct IPC objects are created, e.g. with an alsa_t type?


> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  alsa.if       | 25 +++++++++++++++++++++++++
>  alsa.te       | 17 +++++++++++++++++
>  mozilla.te    |  3 +--
>  mplayer.te    |  2 +-
>  pulseaudio.te |  2 +-
>  5 files changed, 45 insertions(+), 4 deletions(-)
> 
> diff --git a/alsa.if b/alsa.if
> index ca8d8cf..ef7eb3d 100644
> --- a/alsa.if
> +++ b/alsa.if
> @@ -2,6 +2,31 @@
>  
>  ########################################
>  ## <summary>
> +##	Mark the selected domain as an ALSA-capable domain
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain that links with ALSA
> +##	</summary>
> +## </param>
> +## <param name="tmpfstype">
> +##	<summary>
> +##	Tmpfs type used for shared memory of the given domain
> +##	</summary>
> +## </param>
> +#
> +interface(`alsa_domain',`
> +	gen_require(`
> +		attribute alsadomain;
> +		attribute alsatmpfsfile;
> +	')
> +
> +	typeattribute $1 alsadomain;
> +	typeattribute $2 alsatmpfsfile;
> +')
> +
> +########################################
> +## <summary>
>  ##	Role access for alsa.
>  ## </summary>
>  ## <param name="role">
> diff --git a/alsa.te b/alsa.te
> index 814b426..4fd8018 100644
> --- a/alsa.te
> +++ b/alsa.te
> @@ -5,12 +5,16 @@ policy_module(alsa, 1.13.0)
>  # Declarations
>  #
>  
> +attribute alsadomain;
> +attribute alsatmpfsfile;
> +
>  attribute_role alsa_roles;
>  
>  type alsa_t;
>  type alsa_exec_t;
>  init_system_domain(alsa_t, alsa_exec_t)
>  role alsa_roles types alsa_t;
> +typeattribute alsa_t alsadomain;
>  
>  type alsa_etc_rw_t;
>  files_config_file(alsa_etc_rw_t)
> @@ -20,6 +24,7 @@ files_tmp_file(alsa_tmp_t)
>  
>  type alsa_tmpfs_t;
>  files_tmpfs_file(alsa_tmpfs_t)
> +typeattribute alsa_tmpfs_t alsatmpfsfile;
>  
>  type alsa_var_lib_t;
>  files_type(alsa_var_lib_t)
> @@ -29,6 +34,18 @@ userdom_user_home_content(alsa_home_t)
>  
>  ########################################
>  #
> +# alsadomain policy
> +#
> +
> +allow alsadomain alsadomain:sem create_sem_perms;
> +allow alsadomain alsadomain:shm rw_shm_perms;
> +allow alsadomain alsatmpfsfile:file rw_file_perms;
> +
> +alsa_read_rw_config(alsadomain)
> +alsa_read_home_files(alsadomain)
> +
> +########################################
> +#
>  # Local policy
>  #
>  
> diff --git a/mozilla.te b/mozilla.te
> index 11ac8e4..63f0875 100644
> --- a/mozilla.te
> +++ b/mozilla.te
> @@ -518,8 +518,7 @@ tunable_policy(`use_samba_home_dirs',`
>  ')
>  
>  optional_policy(`
> -	alsa_read_rw_config(mozilla_plugin_t)
> -	alsa_read_home_files(mozilla_plugin_t)
> +	alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t)
>  ')
>  
>  optional_policy(`
> diff --git a/mplayer.te b/mplayer.te
> index 0f03cd9..6300573 100644
> --- a/mplayer.te
> +++ b/mplayer.te
> @@ -250,7 +250,7 @@ tunable_policy(`allow_mplayer_execstack',`
>  ')
>  
>  optional_policy(`
> -	alsa_read_rw_config(mplayer_t)
> +	alsa_domain(mplayer_t, mplayer_tmpfs_t)
>  ')
>  
>  optional_policy(`
> diff --git a/pulseaudio.te b/pulseaudio.te
> index 4665af2..5a8f356 100644
> --- a/pulseaudio.te
> +++ b/pulseaudio.te
> @@ -144,7 +144,7 @@ tunable_policy(`use_samba_home_dirs',`
>  ')
>  
>  optional_policy(`
> -	alsa_read_rw_config(pulseaudio_t)
> +	alsa_domain(pulseaudio_t, pulseaudio_tmpfs_t)
>  ')
>  
>  optional_policy(`
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 2/3] Support read/append/manage functions for various httpd content
  2014-03-30 14:09 ` [refpolicy] [PATCH 2/3] Support read/append/manage functions for various httpd content Sven Vermeulen
@ 2014-04-04 20:26   ` Christopher J. PeBenito
  0 siblings, 0 replies; 8+ messages in thread
From: Christopher J. PeBenito @ 2014-04-04 20:26 UTC (permalink / raw)
  To: refpolicy

On 03/30/2014 10:09 AM, Sven Vermeulen wrote:
> We make the web content types as defined by the apache module more
> generic in use so that other domains, which need to interact with these
> types, can do so without getting too many privileges assigned (like with
> apache_manage_all_content).
> 
> Within the apache module, the apache_content_template() allows creation
> of additional derived types for "apache web content". But this is
> actually being used to label generic web content, and it creates
> additional types based on the prefix.
> 
> When we want to support additional web servers (or parsers used by web
> servers, such as php-fpm) that do not run within the apache-provided
> domains, they have a hard time accessing the data. There is currently
> one interface available (apache_manage_all_content) but that is a lot of
> privileges for a parser that possibly just needs to read content.
> 
> In this patch, we create additional attributes (httpd_ra_content for
> read/append data, and httpd_rw_content for read/write content) and
> define interfaces to manage the types that have these attributes
> assigned.
> 
> This is the result of the discussion of June 2012, which was version 3
> of the patchset (I never came to finish up the commit), see also
> http://oss.tresys.com/pipermail/refpolicy/2012-June/005175.html

Merged.


> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  apache.if | 120 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
>  apache.te |   3 ++
>  2 files changed, 121 insertions(+), 2 deletions(-)
> 
> diff --git a/apache.if b/apache.if
> index f6eb485..717c6f7 100644
> --- a/apache.if
> +++ b/apache.if
> @@ -15,6 +15,7 @@ template(`apache_content_template',`
>  	gen_require(`
>  		attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
>  		attribute httpd_script_domains, httpd_htaccess_type;
> +		attribute httpd_rw_content, httpd_ra_content;
>  		type httpd_t, httpd_suexec_t;
>  	')
>  
> @@ -48,11 +49,11 @@ template(`apache_content_template',`
>  	corecmd_shell_entry_type(httpd_$1_script_t)
>  	domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
>  
> -	type httpd_$1_rw_content_t, httpdcontent; # customizable
> +	type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable
>  	typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
>  	files_type(httpd_$1_rw_content_t)
>  
> -	type httpd_$1_ra_content_t, httpdcontent; # customizable
> +	type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable
>  	typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
>  	files_type(httpd_$1_ra_content_t)
>  
> @@ -391,6 +392,121 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
>  
>  ########################################
>  ## <summary>
> +##	Read all appendable content
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`apache_read_all_ra_content',`
> +	gen_require(`
> +		attribute httpd_ra_content;
> +	')
> +
> +	read_files_pattern($1, httpd_ra_content, httpd_ra_content)
> +	read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
> +')
> +
> +########################################
> +## <summary>
> +##	Append to all appendable web content
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`apache_append_all_ra_content',`
> +	gen_require(`
> +		attribute httpd_ra_content;
> +	')
> +
> +	append_files_pattern($1, httpd_ra_content, httpd_ra_content)
> +')
> +
> +########################################
> +## <summary>
> +##	Read all read/write content
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`apache_read_all_rw_content',`
> +	gen_require(`
> +		attribute httpd_rw_content;
> +	')
> +
> +	read_files_pattern($1, httpd_rw_content, httpd_rw_content)
> +	read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
> +')
> +
> +########################################
> +## <summary>
> +##	Manage all read/write content
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`apache_manage_all_rw_content',`
> +	gen_require(`
> +		attribute httpd_rw_content;
> +	')
> +
> +	manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
> +	manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
> +	manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
> +')
> +########################################
> +## <summary>
> +##	Read all web content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`apache_read_all_content',`
> +	gen_require(`
> +		attribute httpdcontent, httpd_script_exec_type;
> +	')
> +
> +	read_files_pattern($1, httpdcontent, httpdcontent)
> +	read_lnk_files_pattern($1, httpdcontent, httpdcontent)
> +
> +	read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
> +	read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
> +')
> +
> +#######################################
> +## <summary>
> +##	Search all apache content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`apache_search_all_content',`
> +	gen_require(`
> +		attribute httpdcontent;
> +	')
> +
> +	allow $1 httpdcontent:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	Create, read, write, and delete
>  ##	all httpd content.
>  ## </summary>
> diff --git a/apache.te b/apache.te
> index a9322c3..3645d88 100644
> --- a/apache.te
> +++ b/apache.te
> @@ -257,6 +257,9 @@ attribute httpd_htaccess_type;
>  # domains that can exec all scripts
>  attribute httpd_exec_scripts;
>  
> +attribute httpd_ra_content;
> +attribute httpd_rw_content;
> +
>  attribute httpd_script_exec_type;
>  
>  # all script domains
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 1/3] Introduce alsa domains
  2014-04-04 20:22   ` Christopher J. PeBenito
@ 2014-04-06  9:45     ` Sven Vermeulen
  0 siblings, 0 replies; 8+ messages in thread
From: Sven Vermeulen @ 2014-04-06  9:45 UTC (permalink / raw)
  To: refpolicy

On Fri, Apr 04, 2014 at 04:22:45PM -0400, Christopher J. PeBenito wrote:
[...]
> > As this means that all ALSA enabled domains need access to the
> > semaphores of all other ALSA enabled domains, starting to sum up all
> > these domains is not manageable. As a result, an attribute called
> > "alsadomain" is created which is assigned to all domains that use ALSA.
> > Then, we grant the following:
> > 
> >   allow alsadomain alsadomain:sem create_sem_perms;
> >   allow alsadomain alsadomain:shm rw_shm_perms;
[...]
> >   allow alsadomain alsatmpfsfile:file rw_file_perms;
> > 
> > With this in place, we now create an interface called "alsa_domain" that
> > assigns the attributes to the ALSA enabled applications, such as this:
> > 
> > alsa_domain(mplayer_t, mplayer_tmpfs_t)
> 
> This is a frightening access.  Are you sure there isn't some tool we can (ab)use to run on boot so that the correct IPC objects are created, e.g. with an alsa_t type?

There is an "aserver" application but I have no idea if that does what you
would want it to do. The only information I found about it was a user that
couldn't get it to work, and there is no documentation on it. The code makes
me believe it doesn't register the same IPC resources as the ALSA plugins -
it seems to be more about proxying requests towards a remote system. The
"aserver" application is also not called in any init script here.

Another approach we might be interested in taking is to support SELinux
transitions for IPC resources based on the provided IPC key. IPC keys are
statically used identifiers that applications that want to access the same
IPC resources use to differentiate one IPC resource from another. So it's
similar to a file name in that regard - but of course not the same.

Unlike IPC identifiers (which are generated by the Linux kernel upon
reservation of an IPC resource), IPC keys remain the same. For instance, in
alsa-lib, the default alsa.conf sets:
  defaults.pcm.ipc_key 5678923

If we would support transitions for IPC resources based on the key, that
would be very flexible. But that will need updates on linux/security/selinux
as that isn't supported as of yet.

Wkr,
	Sven Vermeulen
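Two points in this thread are worth seeing in working code: the hex-encoded path= field in the AVC denial quoted in the "Introduce alsa domains" patch description, and the observation above that an IPC key is a stable identifier chosen by the application. The Linux kernel names the tmpfs file backing a SysV shared-memory segment "SYSV%08x" using the key passed to shmget(2), so the key is recoverable from the denial itself. The script below is an added example and is not code from the patch, from refpolicy or from either poster; SAMPLE_AVC is the denial quoted in the patch with its line breaks joined, and the helper names (decode_audit_field, parse_avc, sysv_key_from_path, summarise) are this example's own.

```python
"""Decode a hex-encoded path in an SELinux AVC denial and recognise
SysV shared-memory segments by the kernel's "SYSV<key>" file naming.

Added illustration; not part of the refpolicy patch or the thread.
"""
import re

# Constructed from the denial quoted in the "Introduce alsa domains"
# patch description (line breaks joined into one audit record).
SAMPLE_AVC = (
    "type=AVC msg=audit(1396182569.016:1763): avc:  denied  { write } for "
    'pid=1047 comm="mplayer" '
    'path=2F535953563030353661346435202864656C6574656429 dev="tmpfs" '
    "ino=1867789 scontext=staff_u:staff_r:mplayer_t "
    "tcontext=staff_u:object_r:mozilla_plugin_tmpfs_t tclass=file"
)

# key=value tokens; a value is either "quoted" or a run of non-blanks.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The permission set, e.g. "{ write }" or "{ read write }".
_PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")
_HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Fields that the audit subsystem hex-encodes (dropping the quotes) when
# the value contains a space, a quote or a non-printable byte.  Only these
# are decoded: numeric fields such as pid= or ino= would otherwise be
# misread as hex.
_HEX_CAPABLE = {"path", "comm", "name", "exe", "proctitle", "cwd"}

# Name the kernel gives the tmpfs file backing a SysV shm segment:
# "SYSV%08x" with the key the creating process passed to shmget(2).
# "(deleted)" means the segment was already marked IPC_RMID.
_SYSV_RE = re.compile(r"^/SYSV([0-9a-f]{8})( \(deleted\))?$")


def decode_audit_field(raw: str) -> str:
    """Return the printable value of one audit field."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and _HEX_RE.match(raw):
        # Same operation as the base64.b16decode() call in the patch text.
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_avc(record: str) -> dict:
    """Split one AVC record into a dict of decoded fields plus 'perms'."""
    fields = {}
    for m in _FIELD_RE.finditer(record):
        key, raw = m.group(1), m.group(2)
        if key in _HEX_CAPABLE:
            fields[key] = decode_audit_field(raw)
        else:
            fields[key] = raw.strip('"')
    perms = _PERMS_RE.search(record)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields


def sysv_key_from_path(path: str):
    """IPC key encoded in a SysV shm path, or None for any other file."""
    m = _SYSV_RE.match(path)
    return int(m.group(1), 16) if m else None


def summarise(record: str) -> dict:
    """Reduce a denial to what a policy writer needs in order to triage it."""
    f = parse_avc(record)
    path = f.get("path", "")
    return {
        "source": f["scontext"].split(":")[2],
        "target": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
        "perms": f["perms"],
        "path": path,
        "sysv_key": sysv_key_from_path(path),
        "unlinked": path.endswith("(deleted)"),
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_AVC)
    line = f"{s['source']} -> {s['target']} {s['tclass']} {s['perms']} path={s['path']!r}"
    if s["sysv_key"] is not None:
        line += f" SysV shm key 0x{s['sysv_key']:08x} ({s['sysv_key']})"
    print(line)
```

Run on the quoted denial, summarise() reports mplayer_t writing a mozilla_plugin_tmpfs_t file whose name decodes to /SYSV0056a4d5 (deleted), i.e. a SysV segment created with key 0x0056a4d5 (5678293). Knowing that the key, unlike the kernel-assigned segment id, is fixed by the application is exactly what would make a key-based labelling scheme, as proposed in the reply above, feasible; until then the decoded path at least tells the policy writer that the denial concerns an ALSA IPC segment and not the other domain's ordinary tmpfs files.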

