* [refpolicy] [PATCH 1/2] apache: align filecontexts
@ 2017-09-10 15:11 Christian Göttsche
From: Christian Göttsche @ 2017-09-10 15:11 UTC (permalink / raw)
  To: refpolicy

---
 apache.fc | 378 +++++++++++++++++++++++++++++++-------------------------------
 1 file changed, 189 insertions(+), 189 deletions(-)

diff --git a/apache.fc b/apache.fc
index 9d4d847..16fb1a6 100644
--- a/apache.fc
+++ b/apache.fc
@@ -1,194 +1,194 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)?			gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?		gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess	--	gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
-HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)?	gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
-
-/etc/apache(2)?(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/apache-ssl(2)?(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/cherokee(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/drupal.*	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/glpi(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/hiawatha(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/horde(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/htdig(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/etc/httpd(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/httpd/conf/keytab	--	gen_context(system_u:object_r:httpd_keytab_t,s0)
-/etc/httpd/logs	gen_context(system_u:object_r:httpd_log_t,s0)
-/etc/httpd/modules	gen_context(system_u:object_r:httpd_modules_t,s0)
-/etc/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/mock/koji(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/postfixadmin(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/etc/rc\.d/init\.d/cherokee	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/hiawatha	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/lighttpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-
-/etc/vhosts	--	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/WebCalendar(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/zabbix/web(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/opt/.*\.cgi	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
-
-/srv/([^/]*/)?www(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/srv/gallery2(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-
-/usr/.*\.cgi	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-
-/usr/bin/apache(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/apache(2)?ctl	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/cgi-wrapper	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/cherokee	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/hiawatha	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/htsslpass	--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
-/usr/bin/httpd\.event	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/lighttpd	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/mongrel_rails	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/rotatelogs	--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-/usr/bin/ssi-cgi	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/suexec	--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/bin/wigwam	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-
-/usr/lib/apache-ssl/.+	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/lib/apache(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/apache(2)?/suexec(2)?	--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/cgi-bin/(nph-)?cgiwrap(d)?	--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib/cherokee(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/dirsrv/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/httpd(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
-/usr/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
-
-/usr/libexec/httpd-ssl-pass-dialog	--	gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
-
-/usr/sbin/apache(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/apache(2)?ctl	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/cgi-wrapper	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/cherokee	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/hiawatha	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/httpd\.event	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/lighttpd	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/rotatelogs	--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-/usr/sbin/suexec	--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/sbin/wigwam	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)?		gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
+
+/etc/apache(2)?(/.*)?						gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/apache-ssl(2)?(/.*)?					gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/cherokee(/.*)?						gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/drupal.*							gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/glpi(/.*)?							gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/hiawatha(/.*)?						gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/horde(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/htdig(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/etc/httpd(/.*)?						gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/conf/keytab					--	gen_context(system_u:object_r:httpd_keytab_t,s0)
+/etc/httpd/logs							gen_context(system_u:object_r:httpd_log_t,s0)
+/etc/httpd/modules						gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/mock/koji(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/postfixadmin(/.*)?						gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/etc/rc\.d/init\.d/cherokee				--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hiawatha				--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/httpd				--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lighttpd				--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+
+/etc/vhosts						--	gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/WebCalendar(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/zabbix/web(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/opt/.*\.cgi						--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?			gen_context(system_u:object_r:httpd_var_run_t,s0)
+
+/srv/([^/]*/)?www(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/gallery2(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/usr/.*\.cgi						--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/usr/bin/apache(2)?					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/apache(2)?ctl					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/apache-ssl(2)?					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/cgi-wrapper					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/cherokee					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/hiawatha					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/htsslpass					--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+/usr/bin/httpd\.event					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/httpd(\.worker)?				--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/lighttpd					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/mongrel_rails					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/rotatelogs					--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/bin/ssi-cgi					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/suexec						--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/bin/wigwam						--	gen_context(system_u:object_r:httpd_exec_t,s0)
+
+/usr/lib/apache-ssl/.+					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/lib/apache(/.*)?						gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache2/modules(/.*)?					gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache(2)?/suexec(2)?				--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cgi-bin(/.*)?						gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/cgi-bin/(nph-)?cgiwrap(d)?			--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cherokee(/.*)?						gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/dirsrv/cgi-bin(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/httpd(/.*)?						gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/systemd/system/httpd.*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
+/usr/lib/systemd/system/jetty.*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
+
+/usr/libexec/httpd-ssl-pass-dialog			--	gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+
+/usr/sbin/apache(2)?					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache(2)?ctl					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache-ssl(2)?				--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/cgi-wrapper					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/cherokee					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/hiawatha					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd\.event					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd(\.worker)?				--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/lighttpd					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/rotatelogs					--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/sbin/suexec					--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/sbin/wigwam					--	gen_context(system_u:object_r:httpd_exec_t,s0)
 
 ifdef(`distro_suse',`
-/usr/sbin/httpd2-.*	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd2-.*					--	gen_context(system_u:object_r:httpd_exec_t,s0)
 ')
 
-/usr/share/dirsrv(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/doc/ghc/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/drupal.*	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/glpi(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/htdig(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/icecast(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/jetty/bin/jetty\.sh	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/share/mythweb(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/mythweb/mythweb\.pl	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/mythweather/scripts(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/data(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/ntop/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/openca/htdocs(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/postfixadmin/templates_c(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/selinux-policy[^/]*/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/wordpress/.*\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/wordpress-mu/wp-config\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/wordpress-mu/wp-content(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-content/uploads(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-content/upgrade(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-includes/.*\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-
-/var/cache/apache2(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/httpd(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mason(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mediawiki(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_.*	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_gnutls(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_proxy(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_ssl(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-.*	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-eaccelerator(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-mmcache(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/rt3(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/ssl.*\.sem	--	gen_context(system_u:object_r:httpd_cache_t,s0)
-
-/var/lib/cacti/rra(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/cherokee(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/dav(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php5(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/dokuwiki(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/drupal.*	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/glpi(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/hiawatha(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/htdig(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/httpd(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php/session(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/lib/pootle/po(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/squirrelmail/prefs(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
-/var/lib/stickshift/.httpd.d(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/var/lib/svn(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/trac(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/wordpress(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/var/log/apache(2)?(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/apache-ssl(2)?(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cacti(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cgiwrap\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cherokee(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/dirsrv/admin-serv(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/glpi(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/hiawatha(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/mlogc(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/log/httpd(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/horde2(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/piranha(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/roundcubemail(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/suphp\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/run/apache.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/cherokee\.pid	--	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/gcache_port	-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/httpd.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/mod_.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/wsgi.*	-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/user/apache(/.*)?	gen_context(system_u:object_r:httpd_tmp_t,s0)
-
-/var/spool/gosa(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/spool/squirrelmail(/.*)?	gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-/var/spool/viewvc(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-
-/var/www(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www(/.*)?/logs(/.*)?	gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
-/var/www/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/gallery/albums(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/html/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/html/[^/]*/sites/default/settings\.php	--	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-/var/www/html/[^/]*/sites/default/files(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-/var/www/html/configuration\.php	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/html/wp-content(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/icons(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/miq/vmdb/log(/.*)?	gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
-/var/www/moodledata(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/perl(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/svn(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/svn/conf(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/svn/hooks(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/dirsrv(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/doc/ghc/html(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/drupal.*						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/glpi(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/htdig(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/icecast(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/jetty/bin/jetty\.sh				--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/share/mythweb(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/mythweb/mythweb\.pl					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/mythtv/mythweather/scripts(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/mythtv/data(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/ntop/html(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/openca/htdocs(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/postfixadmin/templates_c(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/selinux-policy[^/]*/html(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/wordpress/.*\.php				--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-config\.php			--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-content(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/uploads(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/upgrade(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-includes/.*\.php		--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/var/cache/apache2(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/httpd(/.*)?						gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/lighttpd(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mason(/.*)?						gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mediawiki(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_.*						gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_gnutls(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_proxy(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_ssl(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-.*						gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-eaccelerator(/.*)?				gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-mmcache(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/rt3(/.*)?						gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/ssl.*\.sem					--	gen_context(system_u:object_r:httpd_cache_t,s0)
+
+/var/lib/cacti/rra(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/cherokee(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/dav(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php5(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/dokuwiki(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/drupal.*						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/glpi(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/hiawatha(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/htdig(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/httpd(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php/session(/.*)?					gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/lib/pootle/po(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/rt3/data/RT-Shredder(/.*)?				gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/squirrelmail/prefs(/.*)?				gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+/var/lib/stickshift/.httpd.d(/.*)?				gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/svn(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/trac(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/wordpress(/.*)?					gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/log/apache(2)?(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/apache-ssl(2)?(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cacti(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cgiwrap\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cherokee(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/dirsrv/admin-serv(/.*)?				gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/glpi(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/hiawatha(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/mlogc(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/httpd(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/horde2(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/piranha(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/roundcubemail(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/suphp\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/run/apache.*							gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/cherokee\.pid					--	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/dirsrv/admin-serv.*					gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/gcache_port					-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/httpd.*							gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/mod_.*							gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/wsgi.*						-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/user/apache(/.*)?						gen_context(system_u:object_r:httpd_tmp_t,s0)
+
+/var/spool/gosa(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/spool/squirrelmail(/.*)?					gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+/var/spool/viewvc(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+
+/var/www(/.*)?							gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www(/.*)?/logs(/.*)?					gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www/[^/]*/cgi-bin(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/cgi-bin(/.*)?						gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/gallery/albums(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/[^/]*/cgi-bin(/.*)?				gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/html/[^/]*/sites/default/settings\.php		--	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html/[^/]*/sites/default/files(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html/configuration\.php				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/wp-content(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/icons(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/miq/vmdb/log(/.*)?					gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www/moodledata(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/perl(/.*)?						gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/conf(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/svn/hooks(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-- 
2.14.1


* [refpolicy] [PATCH 2/2] apache: update
From: Christian Göttsche @ 2017-09-10 15:11 UTC (permalink / raw)
  To: refpolicy

- add filecontexts
- add reload interface (e.g. for logrotate)
- remove old aliases
- use new userdom_use_inherited_user_terminals
- more strict log access
---
 apache.fc |  7 +++++++
 apache.if | 19 +++++++++++++++++++
 apache.te | 31 +++++++++++--------------------
 3 files changed, 37 insertions(+), 20 deletions(-)

diff --git a/apache.fc b/apache.fc
index 16fb1a6..12397e9 100644
--- a/apache.fc
+++ b/apache.fc
@@ -63,6 +63,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)?		gen_context(system_u:obje
 /usr/lib/dirsrv/cgi-bin(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /usr/lib/httpd(/.*)?						gen_context(system_u:object_r:httpd_modules_t,s0)
 /usr/lib/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/systemd/system/apache[^/]*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
 /usr/lib/systemd/system/httpd.*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
 /usr/lib/systemd/system/jetty.*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
 
@@ -144,6 +145,8 @@ ifdef(`distro_suse',`
 /var/lib/wordpress(/.*)?					gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
+/var/lock/apache2(/.*)?						gen_context(system_u:object_r:httpd_lock_t,s0)
+
 /var/log/apache(2)?(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/apache-ssl(2)?(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cacti(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
@@ -177,6 +180,8 @@ ifdef(`distro_suse',`
 
 /var/www(/.*)?							gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/www(/.*)?/logs(/.*)?					gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www(/.*)?/roundcubemail/logs(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www(/.*)?/roundcubemail/temp(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www/[^/]*/cgi-bin(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /var/www/cgi-bin(/.*)?						gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /var/www/gallery/albums(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
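Review bot: The new `/var/www(/.*)?/roundcubemail/logs(/.*)?` entry labels an application log directory httpd_sys_rw_content_t, which takes precedence over the broader `/var/www(/.*)?/logs(/.*)?` → httpd_sys_ra_content_t rule two lines above it (the more specific specification wins), so httpd gains full write/unlink access to those logs instead of append-only access. That runs against the "more strict log access" goal in the patch description and lets a compromised web application truncate or rewrite its own log trail. Unless roundcube itself rotates or rewrites these files, `/var/www(/.*)?/roundcubemail/logs(/.*)?	gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)` (or dropping the line so the generic logs rule applies) keeps the append-only property; the `temp` entry as rw content is fine.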
@@ -189,6 +194,8 @@ ifdef(`distro_suse',`
 /var/www/miq/vmdb/log(/.*)?					gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
 /var/www/moodledata(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www/perl(/.*)?						gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/sessions(/.*)?						gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/www/svn(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www/svn/conf(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/www/svn/hooks(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/uploads(/.*)?						gen_context(system_u:object_r:httpd_cache_t,s0)
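Review bot: `/var/www/sessions(/.*)?` and `/var/www/uploads(/.*)?` are bare, application-agnostic paths labeled httpd_cache_t, the type that every other entry in this file uses only under `/var/cache`, and nothing in the hunk says which application creates them; the convention for writable application data under /var/www (wp-content, moodledata, gallery/albums in the same section) is httpd_sys_rw_content_t. A comment naming the application, or a pattern scoped to it, would avoid relabeling an unrelated site's `uploads` directory away from the sys content types. Uploaded files are user-supplied input, so which domains may read or execute them presumably follows from the chosen type; the intended access is worth stating next to the entry.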
diff --git a/apache.if b/apache.if
index 91191ec..135e2f5 100644
--- a/apache.if
+++ b/apache.if
@@ -390,6 +390,25 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
 	dontaudit $1 httpd_t:tcp_socket { read write };
 ')
 
+########################################
+## <summary>
+##	Reload the httpd service (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_reload',`
+	gen_require(`
+		type httpd_unit_t;
+		class service { reload status };
+	')
+
+	allow $1 httpd_unit_t:service { reload status };
+')
+
 ########################################
 ## <summary>
 ##	Read all appendable content
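Review bot: The summary of the new `apache_reload` interface says only "Reload the httpd service", but the rule it emits also grants `status` on httpd_unit_t:service; the doc block should say so, e.g. `##	Reload and get the status of the httpd service (systemd).`, so a caller like the logrotate policy knows exactly what it is being granted. The interface body is complete within the hunk; the interface that follows it starts inside the hunk but continues outside it.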
diff --git a/apache.te b/apache.te
index 1c10521..68b0d69 100644
--- a/apache.te
+++ b/apache.te
@@ -337,20 +337,6 @@ userdom_user_home_content(httpd_user_htaccess_t)
 userdom_user_home_content(httpd_user_script_exec_t)
 userdom_user_home_content(httpd_user_ra_content_t)
 userdom_user_home_content(httpd_user_rw_content_t)
-typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
-typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
-typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
-typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
-typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
-typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
-typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
-typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
-typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
-typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
-typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
-typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
-typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
 
 type httpd_var_lib_t;
 files_type(httpd_var_lib_t)
@@ -407,7 +393,10 @@ allow httpd_t httpd_lock_t:file manage_file_perms;
 files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
 
 manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
-manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 logging_log_filetrans(httpd_t, httpd_log_t, file)
 
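Review bot: Replacing manage_files_pattern with the append/create/read/setattr quartet drops write, rename and unlink on httpd_log_t for httpd_t, but the hunk carries no comment and the commit message only says "more strict log access", so the next denial for log truncation or rotation is likely to be answered by restoring manage_files_pattern. Add a why-comment above the new lines, e.g. `# httpd_t may only append to its logs; truncation/rotation is expected to happen in another domain`, adjusted to the actual intent. Whether `read` on its own logs is something httpd_t needs, or was only kept to preserve existing behaviour, is not evident from the hunk and is worth a word in the same comment.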
@@ -530,8 +519,6 @@ miscfiles_read_tetex_data(httpd_t)
 
 seutil_dontaudit_search_config(httpd_t)
 
-userdom_use_unpriv_users_fds(httpd_t)
-
 ifdef(`TODO',`
 	tunable_policy(`allow_httpd_mod_auth_pam',`
 		auth_domtrans_chk_passwd(httpd_t)
@@ -656,6 +643,8 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_sc
 
 tunable_policy(`httpd_execmem',`
 	allow httpd_t self:process { execmem execstack };
+',`
+	dontaudit httpd_t self:process execmem;
 ')
 
 tunable_policy(`httpd_can_sendmail',`
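Review bot: The new else branch dontaudits only `execmem`, while the allow branch of the same tunable covers `{ execmem execstack }`; with httpd_execmem off, execstack attempts will still be logged, so `dontaudit httpd_t self:process { execmem execstack };` would match the allow branch if the goal is to silence the expected denials. The httpd_setrlimit hunk below has the same asymmetry: only `sys_resource` on self:capability is dontaudited, not `setrlimit` on self:process. A short comment on each branch noting that the denial is expected while the tunable is off would also help, since a dontaudit removes exactly the audit record an administrator would otherwise use to discover that the tunable needs enabling.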
@@ -707,6 +696,8 @@ tunable_policy(`httpd_read_user_content',`
 tunable_policy(`httpd_setrlimit',`
 	allow httpd_t self:process setrlimit;
 	allow httpd_t self:capability sys_resource;
+',`
+	dontaudit httpd_t self:capability sys_resource;
 ')
 
 tunable_policy(`httpd_ssi_exec',`
@@ -718,7 +709,7 @@ tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
 ')
 
 tunable_policy(`httpd_tty_comm',`
-	userdom_use_user_terminals(httpd_t)
+	userdom_use_inherited_user_terminals(httpd_t)
 ',`
 	userdom_dontaudit_use_user_terminals(httpd_t)
 ')
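Review bot: Switching to `userdom_use_inherited_user_terminals` for httpd_t presumably narrows access to user terminals that reach httpd as already-open file descriptors rather than letting it open them itself; the `httpd_tty_comm` tunable description, which is outside this hunk, should be checked so it still matches what the tunable now permits. The same substitution is made for httpd_helper_t and httpd_suexec_t in the two following hunks.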
@@ -919,7 +910,7 @@ logging_search_logs(httpd_helper_t)
 logging_send_syslog_msg(httpd_helper_t)
 
 tunable_policy(`httpd_tty_comm',`
-	userdom_use_user_terminals(httpd_helper_t)
+	userdom_use_inherited_user_terminals(httpd_helper_t)
 ',`
 	userdom_dontaudit_use_user_terminals(httpd_helper_t)
 ')
@@ -1051,7 +1042,7 @@ tunable_policy(`httpd_tmp_exec',`
 ')
 
 tunable_policy(`httpd_tty_comm',`
-	userdom_use_user_terminals(httpd_suexec_t)
+	userdom_use_inherited_user_terminals(httpd_suexec_t)
 ',`
 	userdom_dontaudit_use_user_terminals(httpd_suexec_t)
 ')
-- 
2.14.1


* [refpolicy] [PATCH 1/2] apache: align filecontexts
  2017-09-10 15:11 [refpolicy] [PATCH 1/2] apache: align filecontexts Christian Göttsche
  2017-09-10 15:11 ` [refpolicy] [PATCH 2/2] apache: update Christian Göttsche
@ 2017-09-11 23:08 ` Chris PeBenito
  1 sibling, 0 replies; 11+ messages in thread
From: Chris PeBenito @ 2017-09-11 23:08 UTC (permalink / raw)
  To: refpolicy

On 09/10/2017 11:11 AM, Christian Göttsche via refpolicy wrote:
> ---
>   apache.fc | 378 +++++++++++++++++++++++++++++++-------------------------------
>   1 file changed, 189 insertions(+), 189 deletions(-)
> 
> diff --git a/apache.fc b/apache.fc
> index 9d4d847..16fb1a6 100644
> --- a/apache.fc
> +++ b/apache.fc
> @@ -1,194 +1,194 @@
> -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
> -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
> +HOME_DIR/((www)|(web)|(public_html))(/.+)?			gen_context(system_u:object_r:httpd_user_content_t,s0)
> +HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?		gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
>   HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess	--	gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
> -HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)?	gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
> -
> -/etc/apache(2)?(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
> -/etc/apache-ssl(2)?(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
> -/etc/cherokee(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
> -/etc/drupal.*	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/etc/glpi(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/etc/hiawatha(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
> -/etc/horde(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/etc/htdig(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/etc/httpd(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
> -/etc/httpd/conf/keytab	--	gen_context(system_u:object_r:httpd_keytab_t,s0)
> -/etc/httpd/logs	gen_context(system_u:object_r:httpd_log_t,s0)
> -/etc/httpd/modules	gen_context(system_u:object_r:httpd_modules_t,s0)
> -/etc/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
> -/etc/mock/koji(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/etc/postfixadmin(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
> -/etc/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -
> -/etc/rc\.d/init\.d/cherokee	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> -/etc/rc\.d/init\.d/hiawatha	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> -/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> -/etc/rc\.d/init\.d/lighttpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> -
> -/etc/vhosts	--	gen_context(system_u:object_r:httpd_config_t,s0)
> -/etc/WebCalendar(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/etc/zabbix/web(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -
> -/opt/.*\.cgi	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
> -
> -/srv/([^/]*/)?www(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/srv/gallery2(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -
> -/usr/.*\.cgi	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -
> -/usr/bin/apache(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/apache(2)?ctl	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/cgi-wrapper	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/cherokee	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/hiawatha	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/htsslpass	--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
> -/usr/bin/httpd\.event	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/lighttpd	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/mongrel_rails	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/rotatelogs	--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
> -/usr/bin/ssi-cgi	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/suexec	--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
> -/usr/bin/wigwam	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -
> -/usr/lib/apache-ssl/.+	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/lib/apache(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
> -/usr/lib/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
> -/usr/lib/apache(2)?/suexec(2)?	--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
> -/usr/lib/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/usr/lib/cgi-bin/(nph-)?cgiwrap(d)?	--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
> -/usr/lib/cherokee(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
> -/usr/lib/dirsrv/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/usr/lib/httpd(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
> -/usr/lib/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
> -/usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
> -/usr/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
> -
> -/usr/libexec/httpd-ssl-pass-dialog	--	gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
> -
> -/usr/sbin/apache(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/sbin/apache(2)?ctl	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/sbin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/sbin/cgi-wrapper	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/sbin/cherokee	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/sbin/hiawatha	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/sbin/httpd\.event	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/sbin/lighttpd	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/sbin/rotatelogs	--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
> -/usr/sbin/suexec	--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
> -/usr/sbin/wigwam	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)?		gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
> +
> +/etc/apache(2)?(/.*)?						gen_context(system_u:object_r:httpd_config_t,s0)
> +/etc/apache-ssl(2)?(/.*)?					gen_context(system_u:object_r:httpd_config_t,s0)
> +/etc/cherokee(/.*)?						gen_context(system_u:object_r:httpd_config_t,s0)
> +/etc/drupal.*							gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/etc/glpi(/.*)?							gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/etc/hiawatha(/.*)?						gen_context(system_u:object_r:httpd_config_t,s0)
> +/etc/horde(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/etc/htdig(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/etc/httpd(/.*)?						gen_context(system_u:object_r:httpd_config_t,s0)
> +/etc/httpd/conf/keytab					--	gen_context(system_u:object_r:httpd_keytab_t,s0)
> +/etc/httpd/logs							gen_context(system_u:object_r:httpd_log_t,s0)
> +/etc/httpd/modules						gen_context(system_u:object_r:httpd_modules_t,s0)
> +/etc/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_config_t,s0)
> +/etc/mock/koji(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/etc/postfixadmin(/.*)?						gen_context(system_u:object_r:httpd_config_t,s0)
> +/etc/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +
> +/etc/rc\.d/init\.d/cherokee				--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/hiawatha				--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/httpd				--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lighttpd				--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> +
> +/etc/vhosts						--	gen_context(system_u:object_r:httpd_config_t,s0)
> +/etc/WebCalendar(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/etc/zabbix/web(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +
> +/opt/.*\.cgi						--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?			gen_context(system_u:object_r:httpd_var_run_t,s0)
> +
> +/srv/([^/]*/)?www(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/srv/gallery2(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +
> +/usr/.*\.cgi						--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +
> +/usr/bin/apache(2)?					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/apache(2)?ctl					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/apache-ssl(2)?					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/cgi-wrapper					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/cherokee					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/hiawatha					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/htsslpass					--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
> +/usr/bin/httpd\.event					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/httpd(\.worker)?				--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/lighttpd					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/mongrel_rails					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/rotatelogs					--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
> +/usr/bin/ssi-cgi					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/suexec						--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
> +/usr/bin/wigwam						--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +
> +/usr/lib/apache-ssl/.+					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/lib/apache(/.*)?						gen_context(system_u:object_r:httpd_modules_t,s0)
> +/usr/lib/apache2/modules(/.*)?					gen_context(system_u:object_r:httpd_modules_t,s0)
> +/usr/lib/apache(2)?/suexec(2)?				--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
> +/usr/lib/cgi-bin(/.*)?						gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/usr/lib/cgi-bin/(nph-)?cgiwrap(d)?			--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
> +/usr/lib/cherokee(/.*)?						gen_context(system_u:object_r:httpd_modules_t,s0)
> +/usr/lib/dirsrv/cgi-bin(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/usr/lib/httpd(/.*)?						gen_context(system_u:object_r:httpd_modules_t,s0)
> +/usr/lib/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_modules_t,s0)
> +/usr/lib/systemd/system/httpd.*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
> +/usr/lib/systemd/system/jetty.*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
> +
> +/usr/libexec/httpd-ssl-pass-dialog			--	gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
> +
> +/usr/sbin/apache(2)?					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/apache(2)?ctl					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/apache-ssl(2)?				--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/cgi-wrapper					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/cherokee					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/hiawatha					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/httpd\.event					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/httpd(\.worker)?				--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/lighttpd					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/rotatelogs					--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
> +/usr/sbin/suexec					--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
> +/usr/sbin/wigwam					--	gen_context(system_u:object_r:httpd_exec_t,s0)
>   
>   ifdef(`distro_suse',`
> -/usr/sbin/httpd2-.*	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/httpd2-.*					--	gen_context(system_u:object_r:httpd_exec_t,s0)
>   ')
>   
> -/usr/share/dirsrv(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/doc/ghc/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/drupal.*	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/glpi(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/htdig(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/icecast(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/jetty/bin/jetty\.sh	--	gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/share/mythweb(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/mythweb/mythweb\.pl	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/usr/share/mythtv/mythweather/scripts(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/usr/share/mythtv/data(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/ntop/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/openca/htdocs(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/postfixadmin/templates_c(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/usr/share/selinux-policy[^/]*/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/wordpress/.*\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/usr/share/wordpress-mu/wp-config\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/usr/share/wordpress-mu/wp-content(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/usr/share/wordpress/wp-content/uploads(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/usr/share/wordpress/wp-content/upgrade(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/usr/share/wordpress/wp-includes/.*\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -
> -/var/cache/apache2(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/httpd(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/mason(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/mediawiki(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/mod_.*	gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/mod_gnutls(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/mod_proxy(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/mod_ssl(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/php-.*	gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/php-eaccelerator(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/php-mmcache(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/rt3(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/ssl.*\.sem	--	gen_context(system_u:object_r:httpd_cache_t,s0)
> -
> -/var/lib/cacti/rra(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/var/lib/cherokee(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/dav(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/php(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/php5(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/dokuwiki(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/lib/drupal.*	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/lib/glpi(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/hiawatha(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/htdig(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/var/lib/httpd(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/php/session(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
> -/var/lib/pootle/po(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/squirrelmail/prefs(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
> -/var/lib/stickshift/.httpd.d(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
> -/var/lib/svn(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/lib/trac(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/var/lib/wordpress(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -
> -/var/log/apache(2)?(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/apache-ssl(2)?(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/cacti(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/cgiwrap\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/cherokee(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/dirsrv/admin-serv(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/glpi(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/hiawatha(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/mlogc(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/log/httpd(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/horde2(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/piranha(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/roundcubemail(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/suphp\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -
> -/run/apache.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
> -/run/cherokee\.pid	--	gen_context(system_u:object_r:httpd_var_run_t,s0)
> -/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
> -/run/gcache_port	-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
> -/run/httpd.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
> -/run/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
> -/run/mod_.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
> -/run/wsgi.*	-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
> -/run/user/apache(/.*)?	gen_context(system_u:object_r:httpd_tmp_t,s0)
> -
> -/var/spool/gosa(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/spool/squirrelmail(/.*)?	gen_context(system_u:object_r:squirrelmail_spool_t,s0)
> -/var/spool/viewvc(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
> -
> -/var/www(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/var/www(/.*)?/logs(/.*)?	gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
> -/var/www/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/var/www/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/var/www/gallery/albums(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/www/html/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/var/www/html/[^/]*/sites/default/settings\.php	--	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
> -/var/www/html/[^/]*/sites/default/files(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
> -/var/www/html/configuration\.php	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/www/html/wp-content(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/www/icons(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/var/www/miq/vmdb/log(/.*)?	gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
> -/var/www/moodledata(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/www/perl(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/var/www/svn(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/www/svn/conf(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/var/www/svn/hooks(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/usr/share/dirsrv(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/doc/ghc/html(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/drupal.*						gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/glpi(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/htdig(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/icecast(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/jetty/bin/jetty\.sh				--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/share/mythweb(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/mythweb/mythweb\.pl					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/usr/share/mythtv/mythweather/scripts(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/usr/share/mythtv/data(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/ntop/html(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/openca/htdocs(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/postfixadmin/templates_c(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/usr/share/selinux-policy[^/]*/html(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/wordpress/.*\.php				--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/usr/share/wordpress-mu/wp-config\.php			--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/usr/share/wordpress-mu/wp-content(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/usr/share/wordpress/wp-content/uploads(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/usr/share/wordpress/wp-content/upgrade(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/usr/share/wordpress/wp-includes/.*\.php		--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +
> +/var/cache/apache2(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/httpd(/.*)?						gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/lighttpd(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/mason(/.*)?						gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/mediawiki(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/mod_.*						gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/mod_gnutls(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/mod_proxy(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/mod_ssl(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/php-.*						gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/php-eaccelerator(/.*)?				gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/php-mmcache(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/rt3(/.*)?						gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/ssl.*\.sem					--	gen_context(system_u:object_r:httpd_cache_t,s0)
> +
> +/var/lib/cacti/rra(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/var/lib/cherokee(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/dav(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/php(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/php5(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/dokuwiki(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/lib/drupal.*						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/lib/glpi(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/hiawatha(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/htdig(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/var/lib/httpd(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/php/session(/.*)?					gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/var/lib/pootle/po(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/lib/rt3/data/RT-Shredder(/.*)?				gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/squirrelmail/prefs(/.*)?				gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
> +/var/lib/stickshift/.httpd.d(/.*)?				gen_context(system_u:object_r:httpd_config_t,s0)
> +/var/lib/svn(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/lib/trac(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/var/lib/wordpress(/.*)?					gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +
> +/var/log/apache(2)?(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/apache-ssl(2)?(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/cacti(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/cgiwrap\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/cherokee(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/dirsrv/admin-serv(/.*)?				gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/glpi(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/hiawatha(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/mlogc(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/log/httpd(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/horde2(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/piranha(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/roundcubemail(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/suphp\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +
> +/run/apache.*							gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/run/cherokee\.pid					--	gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/run/dirsrv/admin-serv.*					gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/run/gcache_port					-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/run/httpd.*							gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/run/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/run/mod_.*							gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/run/wsgi.*						-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/run/user/apache(/.*)?						gen_context(system_u:object_r:httpd_tmp_t,s0)
> +
> +/var/spool/gosa(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/spool/squirrelmail(/.*)?					gen_context(system_u:object_r:squirrelmail_spool_t,s0)
> +/var/spool/viewvc(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
> +
> +/var/www(/.*)?							gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/var/www(/.*)?/logs(/.*)?					gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
> +/var/www/[^/]*/cgi-bin(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/var/www/cgi-bin(/.*)?						gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/var/www/gallery/albums(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www/html/[^/]*/cgi-bin(/.*)?				gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/var/www/html/[^/]*/sites/default/settings\.php		--	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
> +/var/www/html/[^/]*/sites/default/files(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
> +/var/www/html/configuration\.php				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www/html/wp-content(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www/icons(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/var/www/miq/vmdb/log(/.*)?					gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
> +/var/www/moodledata(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www/perl(/.*)?						gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/var/www/svn(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www/svn/conf(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/var/www/svn/hooks(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> 

Merged.

-- 
Chris PeBenito


* [refpolicy] [PATCH 2/2] apache: update
  2017-09-10 15:11 ` [refpolicy] [PATCH 2/2] apache: update Christian Göttsche
@ 2017-09-11 23:13   ` Chris PeBenito
  2017-09-12  4:17     ` Russell Coker
  0 siblings, 1 reply; 11+ messages in thread
From: Chris PeBenito @ 2017-09-11 23:13 UTC (permalink / raw)
  To: refpolicy

On 09/10/2017 11:11 AM, Christian G?ttsche via refpolicy wrote:
> - add filecontexts
> - add reload interface (e.g. for logrotate)
> - remove old aliases
> - use new userdom_use_inherited_user_terminals
> - more strict log access
> ---
>   apache.fc |  7 +++++++
>   apache.if | 19 +++++++++++++++++++
>   apache.te | 31 +++++++++++--------------------
>   3 files changed, 37 insertions(+), 20 deletions(-)
> 
> diff --git a/apache.fc b/apache.fc
> index 16fb1a6..12397e9 100644
> --- a/apache.fc
> +++ b/apache.fc
> @@ -63,6 +63,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)?		gen_context(system_u:obje
>   /usr/lib/dirsrv/cgi-bin(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
>   /usr/lib/httpd(/.*)?						gen_context(system_u:object_r:httpd_modules_t,s0)
>   /usr/lib/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_modules_t,s0)
> +/usr/lib/systemd/system/apache[^/]*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
>   /usr/lib/systemd/system/httpd.*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
>   /usr/lib/systemd/system/jetty.*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
>   
> @@ -144,6 +145,8 @@ ifdef(`distro_suse',`
>   /var/lib/wordpress(/.*)?					gen_context(system_u:object_r:httpd_var_lib_t,s0)
>   /var/lib/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>   
> +/var/lock/apache2(/.*)?						gen_context(system_u:object_r:httpd_lock_t,s0)
> +
>   /var/log/apache(2)?(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
>   /var/log/apache-ssl(2)?(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
>   /var/log/cacti(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
> @@ -177,6 +180,8 @@ ifdef(`distro_suse',`
>   
>   /var/www(/.*)?							gen_context(system_u:object_r:httpd_sys_content_t,s0)
>   /var/www(/.*)?/logs(/.*)?					gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
> +/var/www(/.*)?/roundcubemail/logs(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www(/.*)?/roundcubemail/temp(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>   /var/www/[^/]*/cgi-bin(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
>   /var/www/cgi-bin(/.*)?						gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
>   /var/www/gallery/albums(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> @@ -189,6 +194,8 @@ ifdef(`distro_suse',`
>   /var/www/miq/vmdb/log(/.*)?					gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
>   /var/www/moodledata(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>   /var/www/perl(/.*)?						gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/var/www/sessions(/.*)?						gen_context(system_u:object_r:httpd_cache_t,s0)
>   /var/www/svn(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>   /var/www/svn/conf(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
>   /var/www/svn/hooks(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/var/www/uploads(/.*)?						gen_context(system_u:object_r:httpd_cache_t,s0)
> diff --git a/apache.if b/apache.if
> index 91191ec..135e2f5 100644
> --- a/apache.if
> +++ b/apache.if
> @@ -390,6 +390,25 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
>   	dontaudit $1 httpd_t:tcp_socket { read write };
>   ')
>   
> +########################################
> +## <summary>
> +##	Reload the httpd service (systemd).
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`apache_reload',`
> +	gen_require(`
> +		type httpd_unit_t;
> +		class service { reload status };
> +	')
> +
> +	allow $1 httpd_unit_t:service { reload status };
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Read all appendable content
> diff --git a/apache.te b/apache.te
> index 1c10521..68b0d69 100644
> --- a/apache.te
> +++ b/apache.te
> @@ -337,20 +337,6 @@ userdom_user_home_content(httpd_user_htaccess_t)
>   userdom_user_home_content(httpd_user_script_exec_t)
>   userdom_user_home_content(httpd_user_ra_content_t)
>   userdom_user_home_content(httpd_user_rw_content_t)
> -typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
> -typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
> -typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
> -typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
> -typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
> -typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
> -typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
> -typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
> -typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
> -typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
> -typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
> -typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
> -typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
> -typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
>   
>   type httpd_var_lib_t;
>   files_type(httpd_var_lib_t)
> @@ -407,7 +393,10 @@ allow httpd_t httpd_lock_t:file manage_file_perms;
>   files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
>   
>   manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
> -manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
>   read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
>   logging_log_filetrans(httpd_t, httpd_log_t, file)

This reverses a recent change, but I can't remember why we changed it. 
Russell?


> @@ -530,8 +519,6 @@ miscfiles_read_tetex_data(httpd_t)
>   
>   seutil_dontaudit_search_config(httpd_t)
>   
> -userdom_use_unpriv_users_fds(httpd_t)
> -
>   ifdef(`TODO',`
>   	tunable_policy(`allow_httpd_mod_auth_pam',`
>   		auth_domtrans_chk_passwd(httpd_t)
> @@ -656,6 +643,8 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_sc
>   
>   tunable_policy(`httpd_execmem',`
>   	allow httpd_t self:process { execmem execstack };
> +',`
> +	dontaudit httpd_t self:process execmem;

Should dontaudit the execstack for completeness.

>   ')
>   
>   tunable_policy(`httpd_can_sendmail',`
> @@ -707,6 +696,8 @@ tunable_policy(`httpd_read_user_content',`
>   tunable_policy(`httpd_setrlimit',`
>   	allow httpd_t self:process setrlimit;
>   	allow httpd_t self:capability sys_resource;
> +',`
> +	dontaudit httpd_t self:capability sys_resource;

Same here, dontaudit setrlimit.

>   ')
>   
>   tunable_policy(`httpd_ssi_exec',`
> @@ -718,7 +709,7 @@ tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
>   ')
>   
>   tunable_policy(`httpd_tty_comm',`
> -	userdom_use_user_terminals(httpd_t)
> +	userdom_use_inherited_user_terminals(httpd_t)
>   ',`
>   	userdom_dontaudit_use_user_terminals(httpd_t)
>   ')
> @@ -919,7 +910,7 @@ logging_search_logs(httpd_helper_t)
>   logging_send_syslog_msg(httpd_helper_t)
>   
>   tunable_policy(`httpd_tty_comm',`
> -	userdom_use_user_terminals(httpd_helper_t)
> +	userdom_use_inherited_user_terminals(httpd_helper_t)
>   ',`
>   	userdom_dontaudit_use_user_terminals(httpd_helper_t)
>   ')
> @@ -1051,7 +1042,7 @@ tunable_policy(`httpd_tmp_exec',`
>   ')
>   
>   tunable_policy(`httpd_tty_comm',`
> -	userdom_use_user_terminals(httpd_suexec_t)
> +	userdom_use_inherited_user_terminals(httpd_suexec_t)
>   ',`
>   	userdom_dontaudit_use_user_terminals(httpd_suexec_t)
>   ')
> 


-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 11+ messages in thread

* [refpolicy] [PATCH 2/2] apache: update
  2017-09-11 23:13   ` Chris PeBenito
@ 2017-09-12  4:17     ` Russell Coker
  2017-09-12  9:56       ` Christian Göttsche
  0 siblings, 1 reply; 11+ messages in thread
From: Russell Coker @ 2017-09-12  4:17 UTC (permalink / raw)
  To: refpolicy

On Monday, 11 September 2017 7:13:22 PM AEST Chris PeBenito wrote:
> > @@ -407,7 +393,10 @@ allow httpd_t httpd_lock_t:file manage_file_perms;
> > files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
> > 
> > manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > -manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > +append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > +create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > +read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > +setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > logging_log_filetrans(httpd_t, httpd_log_t, file)
> 
> This reverses a recent change, but I can't remember why we changed it. 
> Russell?

I can't remember either.  But usually the case is that the application needs 
some write access in some situation and therefore we have required every 
access that matters.

It's not as if this change really restricts things anyway, httpd_t can still 
copy the log data to a new file and unless you are tracking Inode numbers or 
creation time you won't notice.  I don't think create+read+append access is 
meaningfully more restricting than manage_file_perms.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

^ permalink raw reply	[flat|nested] 11+ messages in thread

* [refpolicy] [PATCH 2/2] apache: update
  2017-09-12  4:17     ` Russell Coker
@ 2017-09-12  9:56       ` Christian Göttsche
  2017-09-12 21:23         ` Chris PeBenito
  0 siblings, 1 reply; 11+ messages in thread
From: Christian Göttsche @ 2017-09-12  9:56 UTC (permalink / raw)
  To: refpolicy

> It's not as if this change really restricts things anyway, httpd_t can still
> copy the log data to a new file and unless you are tracking Inode numbers or
> creation time you won't notice.  I don't think create+read+append access is
> meaningfully more restricting than manage_file_perms.

My idea is, that the domain can not overwrite the existing logs or
tamper with them in any way.

^ permalink raw reply	[flat|nested] 11+ messages in thread

* [refpolicy] [PATCH 2/2] apache: update
  2017-09-12  9:56       ` Christian Göttsche
@ 2017-09-12 21:23         ` Chris PeBenito
  2017-09-13  0:44           ` Russell Coker
  0 siblings, 1 reply; 11+ messages in thread
From: Chris PeBenito @ 2017-09-12 21:23 UTC (permalink / raw)
  To: refpolicy

On 09/12/2017 05:56 AM, Christian G?ttsche wrote:
>> It's not as if this change really restricts things anyway, httpd_t can still
>> copy the log data to a new file and unless you are tracking Inode numbers or
>> creation time you won't notice.  I don't think create+read+append access is
>> meaningfully more restricting than manage_file_perms.
> 
> My idea is, that the domain can not overwrite the existing logs or
> tamper with them in any way.

I'm inclined to restore the previous permissions (this patch) unless 
there is a solid case for keeping what we have.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 11+ messages in thread

* [refpolicy] [PATCH 2/2] apache: update
  2017-09-12 21:23         ` Chris PeBenito
@ 2017-09-13  0:44           ` Russell Coker
  2017-09-13  8:09             ` Christian Göttsche
  0 siblings, 1 reply; 11+ messages in thread
From: Russell Coker @ 2017-09-13  0:44 UTC (permalink / raw)
  To: refpolicy

On Tuesday, 12 September 2017 5:23:14 PM AEST Chris PeBenito wrote:
> On 09/12/2017 05:56 AM, Christian G?ttsche wrote:
> >> It's not as if this change really restricts things anyway, httpd_t can
> >> still copy the log data to a new file and unless you are tracking Inode
> >> numbers or creation time you won't notice.  I don't think
> >> create+read+append access is meaningfully more restricting than
> >> manage_file_perms.
> > 
> > My idea is, that the domain can not overwrite the existing logs or
> > tamper with them in any way.
> 
> I'm inclined to restore the previous permissions (this patch) unless
> there is a solid case for keeping what we have.

OK give that a go and we'll do more tests about how it works.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

^ permalink raw reply	[flat|nested] 11+ messages in thread

* [refpolicy] [PATCH 2/2] apache: update
  2017-09-13  0:44           ` Russell Coker
@ 2017-09-13  8:09             ` Christian Göttsche
  2017-09-13 22:45               ` Chris PeBenito
  0 siblings, 1 reply; 11+ messages in thread
From: Christian Göttsche @ 2017-09-13  8:09 UTC (permalink / raw)
  To: refpolicy

Or should I create a boolean for the log manage permissions?

2017-09-13 2:44 GMT+02:00 Russell Coker <russell@coker.com.au>:
> On Tuesday, 12 September 2017 5:23:14 PM AEST Chris PeBenito wrote:
>> On 09/12/2017 05:56 AM, Christian G?ttsche wrote:
>> >> It's not as if this change really restricts things anyway, httpd_t can
>> >> still copy the log data to a new file and unless you are tracking Inode
>> >> numbers or creation time you won't notice.  I don't think
>> >> create+read+append access is meaningfully more restricting than
>> >> manage_file_perms.
>> >
>> > My idea is, that the domain can not overwrite the existing logs or
>> > tamper with them in any way.
>>
>> I'm inclined to restore the previous permissions (this patch) unless
>> there is a solid case for keeping what we have.
>
> OK give that a go and we'll do more tests about how it works.
>
> --
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/
>

^ permalink raw reply	[flat|nested] 11+ messages in thread

* [refpolicy] [PATCH 2/2] apache: update
  2017-09-13  8:09             ` Christian Göttsche
@ 2017-09-13 22:45               ` Chris PeBenito
  2017-09-14  3:07                 ` Russell Coker
  0 siblings, 1 reply; 11+ messages in thread
From: Chris PeBenito @ 2017-09-13 22:45 UTC (permalink / raw)
  To: refpolicy

On 09/13/2017 04:09 AM, Christian G?ttsche wrote:
> Or should I create a boolean for the log manage permissions?

No.  If we find that under certain situations the manage permissions are 
needed, we can reconsider then.


> 2017-09-13 2:44 GMT+02:00 Russell Coker <russell@coker.com.au>:
>> On Tuesday, 12 September 2017 5:23:14 PM AEST Chris PeBenito wrote:
>>> On 09/12/2017 05:56 AM, Christian G?ttsche wrote:
>>>>> It's not as if this change really restricts things anyway, httpd_t can
>>>>> still copy the log data to a new file and unless you are tracking Inode
>>>>> numbers or creation time you won't notice.  I don't think
>>>>> create+read+append access is meaningfully more restricting than
>>>>> manage_file_perms.
>>>>
>>>> My idea is, that the domain can not overwrite the existing logs or
>>>> tamper with them in any way.
>>>
>>> I'm inclined to restore the previous permissions (this patch) unless
>>> there is a solid case for keeping what we have.
>>
>> OK give that a go and we'll do more tests about how it works.


-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 11+ messages in thread

* [refpolicy] [PATCH 2/2] apache: update
  2017-09-13 22:45               ` Chris PeBenito
@ 2017-09-14  3:07                 ` Russell Coker
  0 siblings, 0 replies; 11+ messages in thread
From: Russell Coker @ 2017-09-14  3:07 UTC (permalink / raw)
  To: refpolicy

On Wednesday, 13 September 2017 6:45:56 PM AEST Chris PeBenito wrote:
> On 09/13/2017 04:09 AM, Christian G?ttsche wrote:
> > Or should I create a boolean for the log manage permissions?
> 
> No.  If we find that under certain situations the manage permissions are 
> needed, we can reconsider then.

I agree.  Having lots of booleans is annoying, confusing, and not good for 
security in practice.

When something like this is up for debate I think it's best to have a default 
policy of removing the access in question and waiting for more evidence of why 
it's needed.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2017-09-14  3:07 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-09-10 15:11 [refpolicy] [PATCH 1/2] apache: align filecontexts Christian Göttsche
2017-09-10 15:11 ` [refpolicy] [PATCH 2/2] apache: update Christian Göttsche
2017-09-11 23:13   ` Chris PeBenito
2017-09-12  4:17     ` Russell Coker
2017-09-12  9:56       ` Christian Göttsche
2017-09-12 21:23         ` Chris PeBenito
2017-09-13  0:44           ` Russell Coker
2017-09-13  8:09             ` Christian Göttsche
2017-09-13 22:45               ` Chris PeBenito
2017-09-14  3:07                 ` Russell Coker
2017-09-11 23:08 ` [refpolicy] [PATCH 1/2] apache: align filecontexts Chris PeBenito

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.