From 7ac5b8c69fb19fd7fcc66a3455991a56eb037a7f Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Oct 14 2012 15:53:15 +0000 Subject: Changes to the apache module and relevant dependencies Move gpg_web_t to apache module Signed-off-by: Dominick Grift --- diff --git a/apache.te b/apache.te index fefc878..0c64de9 100644 --- a/apache.te +++ b/apache.te @@ -1,4 +1,4 @@ -policy_module(apache, 2.5.6) +policy_module(apache, 2.5.7) ######################################## # @@ -17,6 +17,13 @@ gen_tunable(allow_httpd_anon_write, false) ## ##

+## Determine whether httpd can use mod_auth_pam. +##

+##
+gen_tunable(allow_httpd_mod_auth_pam, false) + +## +##

## Determine whether httpd can use built in scripting. ##

##
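Review bot: The allow_httpd_mod_auth_pam tunable declared in this hunk is currently inert, because the only rules that read it (the @@ -500 hunk of apache.te, the auth_domtrans_chk_passwd and logging_send_audit_msgs calls) sit inside an ifdef on the symbol TODO, which the build never defines, so an administrator who turns the boolean on still gets the same denials as before. Either keep the tunable out of the module until the PAM rules are actually enabled, or say so in its description, e.g. add the paragraph `## Not yet functional: the rules gated by this boolean are disabled in the policy.` so the boolean listing does not advertise a capability the policy does not grant.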
@@ -124,6 +131,16 @@ gen_tunable(httpd_enable_homedirs, false) ## ##

+## Determine whether httpd gpg can modify +## public files used for public file +## transfer services. Directories/Files must +## be labeled public_content_rw_t. +##

+##
+gen_tunable(httpd_gpg_anon_write, false) + +## +##

## Determine whether httpd can execute ## its temporary content. ##

@@ -337,6 +354,11 @@ domain_type(httpd_passwd_t)
 domain_entry_file(httpd_passwd_t, httpd_passwd_exec_t)
 role system_r types httpd_passwd_t;
 
+type httpd_gpg_t;
+domain_type(httpd_gpg_t)
+gpg_entry_type(httpd_gpg_t)
+role system_r types httpd_gpg_t;
+
 optional_policy(`
 prelink_object_file(httpd_modules_t)
 ')
@@ -500,6 +522,14 @@ seutil_dontaudit_search_config(httpd_t)
 
 userdom_use_unpriv_users_fds(httpd_t)
 
+ifdef(`TODO',`
+ tunable_policy(`allow_httpd_mod_auth_pam',`
+ auth_domtrans_chk_passwd(httpd_t)
+
+ logging_send_audit_msgs(httpd_t)
+ ')
+')
+
 ifdef(`hide_broken_symptoms',`
 libs_exec_lib_files(httpd_t)
 ')
@@ -556,6 +586,10 @@ tunable_policy(`httpd_builtin_scripting',`
 read_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
 ')
 
+tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+ gpg_spec_domtrans(httpd_t, httpd_gpg_t)
+')
+
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
 fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
 ')
@@ -732,12 +766,6 @@ optional_policy(`
 ')
 
 optional_policy(`
- tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
- gpg_domtrans_web(httpd_t)
- ')
-')
-
-optional_policy(`
 kerberos_keytab_template(httpd, httpd_t)
 kerberos_manage_host_rcache(httpd_t)
 kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
@@ -1324,3 +1352,31 @@ auth_use_nsswitch(httpd_passwd_t)
 
 miscfiles_read_generic_certs(httpd_passwd_t)
 miscfiles_read_localization(httpd_passwd_t)
+
+########################################
+#
+# GPG local policy
+#
+
+allow httpd_gpg_t self:process setrlimit;
+
+allow httpd_gpg_t httpd_t:fd use;
+allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
+allow httpd_gpg_t httpd_t:process sigchld;
+
+dev_read_rand(httpd_gpg_t)
+dev_read_urand(httpd_gpg_t)
+
+files_read_usr_files(httpd_gpg_t)
+
+miscfiles_read_localization(httpd_gpg_t)
+
+gpg_exec(httpd_gpg_t)
+
+tunable_policy(`httpd_gpg_anon_write',`
+ miscfiles_manage_public_files(httpd_gpg_t)
+')
+
+optional_policy(`
+ apache_manage_sys_rw_content(httpd_gpg_t)
+')
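Review bot: gpg_entry_type(httpd_gpg_t) in the @@ -337 hunk, the gpg_spec_domtrans(httpd_t, httpd_gpg_t) call in the @@ -556 hunk and gpg_exec(httpd_gpg_t) in the @@ -1324 hunk are all placed outside any optional_policy block, whereas the gpg_domtrans_web call this commit removes in the @@ -732 hunk was inside one. If gpg is a separate optional module in this tree, as that earlier wrapper suggests, apache now carries a hard link-time dependency on it and fails to load whenever gpg is absent, which is a regression for hosts that never ship gpg. Keeping the type declaration, domain_type and role statement unconditional but wrapping each of the three gpg_* interface calls in optional_policy restores the previous behaviour; the tunable_policy block in the @@ -556 hunk can nest inside optional_policy exactly as the removed code did.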
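Review bot: The optional_policy wrapper around apache_manage_sys_rw_content(httpd_gpg_t) at the end of the @@ -1324 hunk cannot ever be false, because the interface belongs to this same apache module, so the block reads as if the access were conditional when it is not. The module's own types are in scope here, so the usual refpolicy form is to write the rules on httpd_sys_rw_content_t directly rather than going through the public interface; the exact rule set that interface expands to is not visible in this diff, so carry over whatever it grants verbatim. Dropping the wrapper also makes it obvious to a reader of the gpg helper's policy which content the helper can modify unconditionally versus only under httpd_gpg_anon_write.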
diff --git a/gpg.if b/gpg.if index a035833..4a4180a 100644 --- a/gpg.if +++ b/gpg.if @@ -88,9 +88,43 @@ interface(`gpg_exec',` can_exec($1, gpg_exec_t) ') +######################################## +## +## Execute gpg in a specified domain. +## +## +##

+## Execute gpg in a specified domain. +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+##
+## +## +## Domain allowed to transition. +## +## +## +## +## Domain to transition to. +## +## +# +interface(`gpg_spec_domtrans',` + gen_require(` + type gpg_exec_t; + ') + + corecmd_search_bin($1) + domain_auto_trans($1, gpg_exec_t, $2) +') + ###################################### ## -## Execute gpg in the gpg web domain. +## Execute gpg in the gpg web domain. (Deprecated) ## ## ## @@ -99,12 +133,26 @@ interface(`gpg_exec',` ## # interface(`gpg_domtrans_web',` + refpolicywarn(`$0($*) has been deprecated.') +') + +###################################### +## +## Make gpg executable files an +## entrypoint for the specified domain. +## +## +## +## The domain for which gpg_exec_t is an entrypoint. +## +## +# +interface(`gpg_entry_type',` gen_require(` - type gpg_web_t, gpg_exec_t; + type gpg_exec_t; ') - corecmd_search_bin($1) - domtrans_pattern($1, gpg_exec_t, gpg_web_t) + domain_entry_file($1, gpg_exec_t) ') ######################################## diff --git a/gpg.te b/gpg.te index 72cce5b..80c8cb3 100644 --- a/gpg.te +++ b/gpg.te @@ -1,4 +1,4 @@ -policy_module(gpg, 2.7.1) +policy_module(gpg, 2.7.2) ######################################## # @@ -14,16 +14,6 @@ policy_module(gpg, 2.7.1) ## gen_tunable(gpg_agent_env_file, false) -## -##
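Review bot: The documentation of the new gpg_spec_domtrans interface in the @@ -88 hunk does not state that the target domain must already have gpg_exec_t as an entrypoint, yet domain_auto_trans($1, gpg_exec_t, $2) only adds the transition rules and is denied at runtime unless the caller has also invoked gpg_entry_type($2) or an equivalent. The interface's own note about IPC being left to the caller shows the intent, but the entrypoint requirement is the one a caller is most likely to miss, and the resulting failure surfaces only as an execute denial in the audit log. Add a paragraph to the description such as `## The target domain must have gpg_exec_t as an entrypoint, see gpg_entry_type().`.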
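Review bot: The deprecated gpg_domtrans_web interface in the @@ -99 hunk now emits only a build-time refpolicywarn and otherwise does nothing, so any out-of-tree caller that still uses it silently loses the transition it previously obtained and runs gpg in the caller's own domain. The summary line `## Execute gpg in the gpg web domain. (Deprecated)` would be more useful if it named the replacement, e.g. `## Execute gpg in the gpg web domain. (Deprecated, use gpg_spec_domtrans() and gpg_entry_type())`, so that the warning tells the maintainer what to migrate to.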

-## Determine whether gpg web can modify -## public files used for public file -## transfer services. Directories/Files must -## be labeled public_content_rw_t. -##

-##
-gen_tunable(gpg_web_anon_write, false) - attribute_role gpg_roles; roleattribute system_r gpg_roles; @@ -78,11 +68,6 @@ userdom_user_tmp_file(gpg_pinentry_tmp_t) type gpg_pinentry_tmpfs_t; userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t) -type gpg_web_t; -domain_type(gpg_web_t) -domain_entry_file(gpg_web_t, gpg_exec_t) -role system_r types gpg_web_t; - ######################################## # # Local policy @@ -359,27 +344,3 @@ optional_policy(` optional_policy(` xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) ') - -############################# -# -# Web local policy -# - -allow gpg_web_t self:process setrlimit; - -dev_read_rand(gpg_web_t) -dev_read_urand(gpg_web_t) - -can_exec(gpg_web_t, gpg_exec_t) - -files_read_usr_files(gpg_web_t) - -miscfiles_read_localization(gpg_web_t) - -tunable_policy(`gpg_web_anon_write',` - miscfiles_manage_public_files(gpg_web_t) -') - -optional_policy(` - apache_manage_sys_rw_content(gpg_web_t) -')