From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id E996F138A69 for ; Sat, 11 Apr 2015 10:07:33 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 50D85E084D; Sat, 11 Apr 2015 10:07:28 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id DD035E0825 for ; Sat, 11 Apr 2015 10:07:27 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 7FE3A340B76 for ; Sat, 11 Apr 2015 10:07:26 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 247B115AD7 for ; Sat, 11 Apr 2015 10:07:23 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1428746796.0a6928fa71555cc766096220d66e802f95269443.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:nginx commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/uwsgi.fc policy/modules/contrib/uwsgi.if policy/modules/contrib/uwsgi.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 0a6928fa71555cc766096220d66e802f95269443 X-VCS-Branch: nginx Date: Sat, 11 Apr 2015 10:07:23 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 18728126-6be7-46ec-810d-b1a11ba7d304 X-Archives-Hash: 21325ca8a5ba135163c4c1e56a17677b Message-ID: <20150411100723.9l-U0l75KthgrIo4Nwni8whxSdnUDbKMfbBvKnSz87Q@z> commit: 0a6928fa71555cc766096220d66e802f95269443 Author: Jason Zaman perfinion com> AuthorDate: Thu Apr 9 09:45:41 2015 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sat Apr 11 10:06:36 2015 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0a6928fa Introduce policy for uWSGI, written by me policy/modules/contrib/uwsgi.fc | 9 +++ policy/modules/contrib/uwsgi.if | 140 ++++++++++++++++++++++++++++++++++++++++ policy/modules/contrib/uwsgi.te | 88 +++++++++++++++++++++++++ 3 files changed, 237 insertions(+) diff --git a/policy/modules/contrib/uwsgi.fc b/policy/modules/contrib/uwsgi.fc new file mode 100644 index 0000000..7d2210b --- /dev/null +++ b/policy/modules/contrib/uwsgi.fc 
@@ -0,0 +1,9 @@
+/etc/uwsgi.d(/.*)? gen_context(system_u:object_r:uwsgi_conf_t,s0)
+
+/usr/bin/uwsgi.* -- gen_context(system_u:object_r:uwsgi_exec_t,s0)
+
+/var/log/uwsgi(/.*)? gen_context(system_u:object_r:uwsgi_var_log_t,s0)
+/var/run/uwsgi(/.*)? gen_context(system_u:object_r:uwsgi_run_t,s0)
+/var/www/wsgi/.*\.so -- gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
+/var/www/wsgi/.*/bin/.* gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
+/var/www/wsgi(/.*)? gen_context(system_u:object_r:uwsgi_content_t,s0)
diff --git a/policy/modules/contrib/uwsgi.if b/policy/modules/contrib/uwsgi.if
new file mode 100644
index 0000000..761f8cd
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.if
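Review bot: `/var/www/wsgi/.*/bin/.*` carries no file-type specifier, so directories, symlinks and sockets below an application's bin/ directory are labeled uwsgi_content_exec_t, whereas the neighbouring `.so` entry is restricted to regular files with `--`. Because `uwsgi_domtrans` in uwsgi.if transitions on this type and uwsgi.te allows uwsgi_t to execute it, limiting the exec label to regular files narrows what can become an entrypoint into uwsgi_t: `/var/www/wsgi/.*/bin/.*	--	gen_context(system_u:object_r:uwsgi_content_exec_t,s0)`. If whole virtualenv trees are meant to carry the exec label, a one-line comment above the entry saying so would spare the next reader the question.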
@@ -0,0 +1,140 @@
+## uWSGI server for Python web applications
+
+########################################
+##
+## Connect to uwsgi using a unix
+## domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`uwsgi_stream_connect',`
+ gen_require(`
+ type uwsgi_t, uwsgi_run_t;
+ ')
+
+ files_search_pids($1)
+ list_dirs_pattern($1, uwsgi_run_t, uwsgi_run_t)
+ stream_connect_pattern($1, uwsgi_run_t, uwsgi_run_t, uwsgi_t)
+')
+
+########################################
+##
+## Manage uwsgi content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`uwsgi_manage_content',`
+ gen_require(`
+ type uwsgi_content_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, uwsgi_content_t, uwsgi_content_t)
+ manage_files_pattern($1, uwsgi_content_t, uwsgi_content_t)
+ manage_lnk_files_pattern($1, uwsgi_content_t, uwsgi_content_t)
+
+ manage_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)
+ manage_lnk_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)
+
+ optional_policy(`
+ apache_manage_sys_content($1)
+ ')
+')
+
+########################################
+##
+## Execute uwsgi in the uwsgi domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`uwsgi_domtrans',`
+ gen_require(`
+ type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, uwsgi_exec_t, uwsgi_t)
+ domtrans_pattern($1, uwsgi_content_exec_t, uwsgi_t)
+')
+
+########################################
+##
+## Execute uwsgi in the callers domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`uwsgi_content_exec',`
+ gen_require(`
+ type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, uwsgi_content_exec_t)
+')
+
+########################################
+##
+## All of the rules required to
+## administrate a uWSGI environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`uwsgi_admin',`
+ gen_require(`
+ type uwsgi_t, uwsgi_exec_t, uwsgi_conf_t;
+ type uwsgi_run_t, uwsgi_var_log_t, uwsgi_tmp_t;
+ type uwsgi_content_t, uwsgi_content_exec_t;
+ ')
+
+ allow $1 uwsgi_t:process { ptrace signal_perms };
+ ps_process_pattern($1, uwsgi_t)
+
+ files_search_etc($1)
+ admin_pattern($1, { uwsgi_conf_t uwsgi_exec_t })
+
+ files_search_var($1)
+ admin_pattern($1, { uwsgi_content_t uwsgi_content_exec_t })
+
+ logging_search_logs($1)
+ admin_pattern($1, { uwsgi_var_log_t })
+
+ files_search_pids($1)
+ admin_pattern($1, uwsgi_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, uwsgi_tmp_t)
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, uwsgi_exec_t, uwsgi_t)
+ can_exec($1, uwsgi_content_exec_t)
+
+ optional_policy(`
+ apache_manage_sys_content($1)
+ ')
+')
diff --git a/policy/modules/contrib/uwsgi.te b/policy/modules/contrib/uwsgi.te
new file mode 100644
index 0000000..e177865
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.te
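Review bot: `uwsgi_manage_content` references `uwsgi_content_exec_t` in its `manage_files_pattern` and `manage_lnk_files_pattern` calls, but its `gen_require` lists only `type uwsgi_content_t;`, so a caller built as a separate module without its own declaration of that type is likely to fail at link time; the require line should read `type uwsgi_content_t, uwsgi_content_exec_t;`. In the same interface `files_search_pids($1)` grants search on the pid directory, while uwsgi.fc places the content under /var/www; `files_search_var($1)`, which `uwsgi_admin` already uses ahead of its content `admin_pattern`, is the matching call. `uwsgi_admin` documents a second parameter ("Role allowed access.") that the body never uses as `$2`, so either that parameter description should go or the role should be wired in. Conversely `uwsgi_content_exec` requires `uwsgi_t` and `uwsgi_exec_t` without referencing them, which is harmless but worth trimming for consistency with the other interfaces.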
@@ -0,0 +1,88 @@
+policy_module(uwsgi, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type uwsgi_t;
+type uwsgi_exec_t;
+init_daemon_domain(uwsgi_t, uwsgi_exec_t)
+
+type uwsgi_conf_t;
+files_config_file(uwsgi_conf_t)
+
+type uwsgi_run_t;
+init_daemon_pid_file(uwsgi_run_t, dir, "uwsgi")
+
+type uwsgi_var_log_t;
+logging_log_file(uwsgi_var_log_t)
+
+type uwsgi_tmp_t;
+files_tmp_file(uwsgi_tmp_t)
+
+type uwsgi_content_t;
+files_type(uwsgi_content_t)
+
+type uwsgi_content_exec_t;
+files_type(uwsgi_content_exec_t)
+
+########################################
+#
+# uwsgi local policy
+#
+
+allow uwsgi_t self:fifo_file rw_fifo_file_perms;
+allow uwsgi_t self:process { signal sigchld };
+
+can_exec(uwsgi_t, uwsgi_exec_t)
+can_exec(uwsgi_t, uwsgi_tmp_t)
+can_exec(uwsgi_t, uwsgi_content_exec_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t)
+read_files_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+read_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+read_lnk_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+read_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+read_lnk_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+
+read_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t)
+append_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t)
+logging_log_filetrans(uwsgi_t, uwsgi_var_log_t, { file dir })
+logging_search_logs(uwsgi_t)
+
+manage_dirs_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+manage_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+manage_sock_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+
+manage_dirs_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)
+manage_files_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)
+files_tmp_filetrans(uwsgi_t, uwsgi_tmp_t, { file dir })
+
+files_read_usr_files(uwsgi_t)
+
+auth_use_nsswitch(uwsgi_t)
+
+corecmd_exec_bin(uwsgi_t)
+corecmd_exec_shell(uwsgi_t)
+
+kernel_read_system_state(uwsgi_t)
+
+miscfiles_read_localization(uwsgi_t)
+
+optional_policy(`
+ apache_search_sys_content(uwsgi_t)
+ apache_manage_all_rw_content(uwsgi_t)
+')
+
+optional_policy(`
+ cron_system_entry(uwsgi_t, uwsgi_content_exec_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(uwsgi_t)
+')
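Review bot: `can_exec(uwsgi_t, uwsgi_tmp_t)` together with `manage_files_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)` lets the daemon write a file under its own tmp type and then execute it, which undoes the separation the rest of the module establishes (application content is read-only to uwsgi_t, and only uwsgi_exec_t and uwsgi_content_exec_t are otherwise executable). If a plugin genuinely needs this, make it conditional with a `gen_tunable`/`tunable_policy` pair that defaults to false and carries a one-line description of the use case (a name such as `uwsgi_exec_tmp` — constructed here — would follow the module's naming); otherwise drop the line. `apache_manage_all_rw_content(uwsgi_t)` deserves the same opt-in treatment, since it is far broader than the read-only access the module grants to its own content. A short comment above the `cron_system_entry(uwsgi_t, uwsgi_content_exec_t)` block stating which application entries are expected to run from system cron would also help, as that call makes every uwsgi_content_exec_t file a cron entrypoint into uwsgi_t.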