From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1099289-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 89185138334
	for <garchives@archives.gentoo.org>; Sat, 13 Jul 2019 07:01:23 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id D0F62E0821;
	Sat, 13 Jul 2019 07:01:18 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 9A40EE0821
	for <gentoo-commits@lists.gentoo.org>; Sat, 13 Jul 2019 07:01:18 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id DA5BF347905
	for <gentoo-commits@lists.gentoo.org>; Sat, 13 Jul 2019 07:01:16 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id DA1A6715
	for <gentoo-commits@lists.gentoo.org>; Sat, 13 Jul 2019 07:01:13 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1563000194.a59bba5a73324e8d769dd47bb44353784a27f416.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/apache.fc policy/modules/services/apache.if policy/modules/services/apache.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: a59bba5a73324e8d769dd47bb44353784a27f416
X-VCS-Branch: master
Date: Sat, 13 Jul 2019 07:01:13 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 746df80d-fbd6-4d2d-a50b-e3fde71204da
X-Archives-Hash: bfcde6c84f93fc151f3e41b031f6e096

commit:     a59bba5a73324e8d769dd47bb44353784a27f416
Author:     Chris PeBenito <Christopher.PeBenito <AT> microsoft <DOT> com>
AuthorDate: Tue May 28 14:02:31 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 13 06:43:14 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a59bba5a

apache: Web content rules simplification.

Signed-off-by: Chris PeBenito <Christopher.PeBenito <AT> microsoft.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/apache.fc |  3 ++-
 policy/modules/services/apache.if | 24 ++----------------------
 policy/modules/services/apache.te | 27 +++++++++++++++++++++++++++
 3 files changed, 31 insertions(+), 23 deletions(-)

diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index f3202453..36bff004 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -179,7 +179,8 @@ ifdef(`distro_suse',`
 /var/spool/viewvc(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
 
 /var/www(/.*)?							gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www(/.*)?/logs(/.*)?					gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www(/.*)?/logs					-d	gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www(/.*)?/logs/.*						gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
 /var/www(/.*)?/roundcubemail/logs(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www(/.*)?/roundcubemail/temp(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www/[^/]*/cgi-bin(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
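Review bot: Splitting the old `/var/www(/.*)?/logs(/.*)?` rule into the `-d` rule at L76 and the `/logs/.*` rule at L77 narrows what receives httpd_sys_ra_content_t: a non-directory object named `logs` directly under a web root matched the old pattern but matches neither new one, so it falls back to the `/var/www(/.*)?` rule at L74 and is labelled httpd_sys_content_t. That looks intentional as part of the simplification, but the commit message does not say so, and a reader of the file context cannot tell whether it was considered. If it is intended, a one-line comment above L76 such as `# only the logs directory itself and its contents are append-only content` would record it; if not, the previous single pattern is the smaller change.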

diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 94878d66..2934337b 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -15,7 +15,7 @@ template(`apache_content_template',`
 	gen_require(`
 		attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
 		attribute httpd_script_domains, httpd_htaccess_type;
-		attribute httpd_rw_content, httpd_ra_content;
+		attribute httpd_ro_content, httpd_rw_content, httpd_ra_content;
 		type httpd_t, httpd_suexec_t;
 	')
 
@@ -34,7 +34,7 @@ template(`apache_content_template',`
 	## </desc>
 	gen_tunable(allow_httpd_$1_script_anon_write, false)
 
-	type httpd_$1_content_t, httpdcontent; # customizable
+	type httpd_$1_content_t, httpdcontent, httpd_ro_content; # customizable
 	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
 	files_type(httpd_$1_content_t)
 
@@ -79,30 +79,10 @@ template(`apache_content_template',`
 	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
 
-	allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms;
-	allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms;
-	allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms;
-
 	tunable_policy(`allow_httpd_$1_script_anon_write',`
 		miscfiles_manage_public_files(httpd_$1_script_t)
 	')
 
-	tunable_policy(`httpd_builtin_scripting',`
-		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-
-		allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
-		allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
-		allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
-	')
-
-	tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
-		can_exec(httpd_t, httpd_$1_rw_content_t)
-	')
-
 	tunable_policy(`httpd_enable_cgi',`
 		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
 		domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t)
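Review bot: After the removal of the three `allow { httpd_t httpd_suexec_t } httpd_$1_content_t` rules and the two `httpd_builtin_scripting` blocks, nothing left in apache_content_template() says where httpd_t and httpd_suexec_t obtain read access to httpd_$1_content_t and httpd_$1_htaccess_t, or manage access to the rw/ra types; that access now comes only from the attribute-based rules in apache.te, which a reader of the template has no pointer to. A comment next to the `type httpd_$1_content_t, httpdcontent, httpd_ro_content;` declaration in the earlier hunk, such as `# httpd_t/httpd_suexec_t read access comes from the httpd_ro_content rules in apache.te; rw/ra access from its httpd_builtin_scripting rules`, would make the dependency explicit. The equivalence of the move also relies on httpd_$1_rw_content_t and httpd_$1_ra_content_t carrying the httpd_rw_content and httpd_ra_content attributes in the part of the template outside this hunk, which is not visible here and is worth confirming. The template starts before the first hunk of this file and continues past the end of this one.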

diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index ee95b305..e87a74ac 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -258,6 +258,7 @@ attribute httpd_htaccess_type;
 attribute httpd_exec_scripts;
 
 attribute httpd_ra_content;
+attribute httpd_ro_content;
 attribute httpd_rw_content;
 
 attribute httpd_script_exec_type;
@@ -400,6 +401,12 @@ allow httpd_t httpd_config_t:dir list_dir_perms;
 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
 read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
 
+allow httpd_t httpd_htaccess_type:file read_file_perms;
+
+allow httpd_t httpd_ro_content:dir list_dir_perms;
+allow httpd_t httpd_ro_content:file read_file_perms;
+allow httpd_t httpd_ro_content:lnk_file read_lnk_file_perms;
+
 allow httpd_t httpd_keytab_t:file read_file_perms;
 
 allow httpd_t httpd_lock_t:dir manage_dir_perms;
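Review bot: The unconditional rules on httpd_ro_content at L154-156 and on httpd_htaccess_type at L152 are now the single place where httpd_t is granted read access to every content and .htaccess type produced by apache_content_template(), replacing the per-template allow rules that this commit removes from apache.if, yet nothing near them says so. A comment above L152 such as `# read-only access to all web content and .htaccess types; the attributes are assigned in apache_content_template()` would let a reader who arrives from the template find the grant. The same comment applies to the matching httpd_suexec_t rules added in the last hunk of this file.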
@@ -597,6 +604,20 @@ tunable_policy(`httpd_builtin_scripting',`
 	allow httpd_t httpdcontent:dir list_dir_perms;
 	allow httpd_t httpdcontent:file read_file_perms;
 	allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
+
+	allow httpd_t httpd_ra_content:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
+	allow httpd_t httpd_ra_content:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
+	allow httpd_t httpd_ra_content:lnk_file read_lnk_file_perms;
+
+	manage_dirs_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+	manage_files_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+	manage_fifo_files_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+	manage_lnk_files_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+	manage_sock_files_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+')
+
+tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
+	can_exec(httpd_t, httpd_rw_content)
 ')
 
 tunable_policy(`httpd_enable_cgi',`
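Review bot: The rules added at L166-174 change the granularity of the httpd_builtin_scripting grants from one template instance at a time to every type carrying httpd_ra_content or httpd_rw_content at once, and the new `httpd_builtin_scripting && httpd_tmp_exec` block at L177-178 lets httpd_t execute any file of a type it can itself write under the previous block; none of this carries a comment explaining what the two attributes mean. Short comments such as `# append-only content (e.g. logs)` above L166, `# fully writable content` above L170 and `# allow execution from writable web content only when both tunables are on` above L177 would document the intent. Note that the enclosing `httpd_builtin_scripting` tunable_policy block begins above this hunk and that its original closing `')` at L179 now closes the new tmp_exec block while the added `')` at L175 closes the original one, which is correct but easy to misread.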
@@ -945,6 +966,12 @@ allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
 allow httpd_suexec_t self:tcp_socket { accept listen };
 allow httpd_suexec_t self:unix_stream_socket { accept listen };
 
+allow httpd_suexec_t httpd_htaccess_type:file read_file_perms;
+
+allow httpd_suexec_t httpd_ro_content:dir list_dir_perms;
+allow httpd_suexec_t httpd_ro_content:file read_file_perms;
+allow httpd_suexec_t httpd_ro_content:lnk_file read_lnk_file_perms;
+
 create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)