* [gentoo-commits] proj/hardened-refpolicy:nginx commit in: policy/modules/contrib/
@ 2015-04-11  8:28 Jason Zaman
From: Jason Zaman @ 2015-04-11  8:28 UTC (permalink / raw
  To: gentoo-commits

commit:     b2a65872838c2d177c55f0471d6c6b84b40c532c
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Apr  9 09:45:41 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr 11 08:27:35 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2a65872

Introduce policy for uWSGI, written by me

 policy/modules/contrib/uwsgi.fc |   9 +++
 policy/modules/contrib/uwsgi.if | 141 ++++++++++++++++++++++++++++++++++++++++
 policy/modules/contrib/uwsgi.te |  88 +++++++++++++++++++++++++
 3 files changed, 238 insertions(+)

diff --git a/policy/modules/contrib/uwsgi.fc b/policy/modules/contrib/uwsgi.fc
new file mode 100644
index 0000000..4eeda43
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.fc
@@ -0,0 +1,9 @@
+/etc/uwsgi.d(/.*)?                                      gen_context(system_u:object_r:uwsgi_conf_t,s0)
+
+/usr/bin/uwsgi.*                                        gen_context(system_u:object_r:uwsgi_exec_t,s0)
+
+/var/log/uwsgi(/.*)?                                    gen_context(system_u:object_r:uwsgi_var_log_t,s0)
+/var/run/uwsgi(/.*)?                                    gen_context(system_u:object_r:uwsgi_run_t,s0)
+/var/www/wsgi/.*\.so                                    gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
+/var/www/wsgi/.*/bin/.*                                 gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
+/var/www/wsgi(/.*)?                                     gen_context(system_u:object_r:uwsgi_content_t,s0)

diff --git a/policy/modules/contrib/uwsgi.if b/policy/modules/contrib/uwsgi.if
new file mode 100644
index 0000000..f5bf09b
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.if
@@ -0,0 +1,141 @@
+## <summary>uWSGI server for Python web applications</summary>
+
+########################################
+## <summary>
+##      Connect to uwsgi using a unix
+##      domain stream socket.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`uwsgi_stream_connect',`
+        gen_require(`
+                type uwsgi_t, uwsgi_run_t;
+        ')
+
+        files_search_pids($1)
+        list_dirs_pattern($1, uwsgi_run_t, uwsgi_run_t)
+        stream_connect_pattern($1, uwsgi_run_t, uwsgi_run_t, uwsgi_t)
+')
+
+########################################
+## <summary>
+##      Manage uwsgi content.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`uwsgi_manage_content',`
+        gen_require(`
+                type uwsgi_content_t;
+        ')
+
+        files_search_pids($1)
+        manage_dirs_pattern($1, uwsgi_content_t, uwsgi_content_t)
+        manage_files_pattern($1, uwsgi_content_t, uwsgi_content_t)
+        manage_lnk_files_pattern($1, uwsgi_content_t, uwsgi_content_t)
+
+        manage_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)
+        manage_lnk_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)
+
+        optional_policy(`
+                apache_manage_sys_content($1)
+        ')
+')
+
+########################################
+## <summary>
+##      Execute uwsgi in the uwsgi domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`uwsgi_domtrans',`
+        gen_require(`
+                type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        domtrans_pattern($1, uwsgi_exec_t, uwsgi_t)
+        domtrans_pattern($1, uwsgi_content_exec_t, uwsgi_t)
+')
+
+########################################
+## <summary>
+##      Execute uwsgi in the callers domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`uwsgi_content_exec',`
+        gen_require(`
+                type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        can_exec($1, uwsgi_content_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate a uWSGI environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`uwsgi_admin',`
+	gen_require(`
+		type uwsgi_t, uwsgi_exec_t, uwsgi_conf_t;
+		type uwsgi_run_t, uwsgi_var_log_t, uwsgi_tmp_t;
+		type uwsgi_content_t, uwsgi_content_exec_t;
+	')
+
+	allow $1 uwsgi_domain:process { ptrace signal_perms };
+	ps_process_pattern($1, uwsgi_t)
+
+	files_search_etc($1)
+	admin_pattern($1, { uwsgi_conf_t uwsgi_exec_t })
+
+        optional_policy(`
+                apache_manage_sys_content($1)
+        ')
+	admin_pattern($1, { uwsgi_content_t uwsgi_content_exec_t })
+
+        files_search_pids($1)
+	admin_pattern($1, { uwsgi_var_log_t })
+
+	files_search_var_lib($1)
+	admin_pattern($1, uwsgi_data_t)
+
+	files_search_pids($1)
+	admin_pattern($1, uwsgi_run_t)
+
+	files_search_tmp($1)
+	admin_pattern($1, uwsgi_tmp_t)
+
+        corecmd_search_bin($1)
+        domtrans_pattern($1, uwsgi_exec_t, uwsgi_t)
+        can_exec($1, uwsgi_content_exec_t)
+')

diff --git a/policy/modules/contrib/uwsgi.te b/policy/modules/contrib/uwsgi.te
new file mode 100644
index 0000000..f4a79ce
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.te
@@ -0,0 +1,88 @@
+policy_module(uwsgi, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type uwsgi_t;
+type uwsgi_exec_t;
+init_daemon_domain(uwsgi_t, uwsgi_exec_t)
+
+type uwsgi_conf_t;
+files_config_file(uwsgi_conf_t)
+
+type uwsgi_run_t;
+init_daemon_pid_file(uwsgi_run_t, dir, "uwsgi")
+
+type uwsgi_var_log_t;
+logging_log_file(uwsgi_var_log_t)
+
+type uwsgi_tmp_t;
+files_tmp_file(uwsgi_tmp_t)
+
+type uwsgi_content_t;
+files_type(uwsgi_content_t)
+
+type uwsgi_content_exec_t;
+files_type(uwsgi_content_exec_t)
+
+########################################
+#
+# uwsgi local policy
+#
+
+allow uwsgi_t self:fifo_file rw_fifo_file_perms;
+allow uwsgi_t self:process { signal sigchld };
+
+can_exec(uwsgi_t, uwsgi_exec_t)
+can_exec(uwsgi_t, uwsgi_tmp_t)
+can_exec(uwsgi_t, uwsgi_content_exec_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t)
+read_files_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+read_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+read_lnk_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+read_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+read_lnk_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+
+read_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t)
+append_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t)
+logging_log_filetrans(uwsgi_t, uwsgi_var_log_t, { file dir })
+logging_search_logs(uwsgi_t)
+
+manage_dirs_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+manage_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+manage_sock_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+
+manage_dirs_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)
+manage_files_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)
+files_tmp_filetrans(uwsgi_t, uwsgi_tmp_t, { file dir })
+
+files_read_usr_files(uwsgi_t)
+
+auth_use_nsswitch(uwsgi_t)
+
+corecmd_exec_bin(uwsgi_t)
+corecmd_exec_shell(uwsgi_t)
+
+kernel_read_system_state(uwsgi_t)
+
+miscfiles_read_localization(uwsgi_t)
+
+optional_policy(`
+        apache_search_sys_content(uwsgi_t)
+        apache_manage_all_rw_content(uwsgi_t)
+')
+
+optional_policy(`
+        cron_system_entry(uwsgi_t, uwsgi_content_exec_t)
+')
+
+optional_policy(`
+        mysql_stream_connect(uwsgi_t)
+')



* [gentoo-commits] proj/hardened-refpolicy:nginx commit in: policy/modules/contrib/
@ 2015-04-11  8:28 Jason Zaman
From: Jason Zaman @ 2015-04-11  8:28 UTC (permalink / raw
  To: gentoo-commits

commit:     e0dd6abfcd2f8bed0051d08f09940fd7b00ad605
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Apr 11 08:05:19 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr 11 08:27:35 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e0dd6abf

allow nginx to connect to uwsgi

 policy/modules/contrib/nginx.te | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/policy/modules/contrib/nginx.te b/policy/modules/contrib/nginx.te
index 3a30d69..be59bab 100644
--- a/policy/modules/contrib/nginx.te
+++ b/policy/modules/contrib/nginx.te
@@ -157,3 +157,13 @@ tunable_policy(`nginx_can_network_connect',`
 optional_policy(`
 	phpfpm_stream_connect(nginx_t)
 ')
+
+ifdef(`distro_gentoo',`
+
+	# needs to be able to signal its children
+	allow nginx_t self:process { signal sigchld };
+
+	optional_policy(`
+		uwsgi_stream_connect(nginx_t)
+	')
+')
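Review bot: `allow nginx_t self:process { signal sigchld };` at L315 is placed inside `ifdef(`distro_gentoo'`, but the comment on L314 describes a need of the daemon itself rather than anything Gentoo-specific, so other builds of this module would hit the same denial without getting the rule. Move the allow and its comment into the main nginx_t local-policy block and keep only the `optional_policy(` block with `uwsgi_stream_connect(nginx_t)` under the ifdef, since that one depends on a Gentoo-only module. The enclosing file continues outside this hunk. The identical hunk is re-committed in 49a9bef7 and 28442bfa.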



* [gentoo-commits] proj/hardened-refpolicy:nginx commit in: policy/modules/contrib/
@ 2015-04-11  8:35 Jason Zaman
From: Jason Zaman @ 2015-04-11  8:35 UTC (permalink / raw
  To: gentoo-commits

commit:     49a9bef7301f3ad20771f365eef3d4b4a68a2c33
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Apr 11 08:05:19 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr 11 08:34:30 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=49a9bef7

allow nginx to connect to uwsgi

 policy/modules/contrib/nginx.te | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/policy/modules/contrib/nginx.te b/policy/modules/contrib/nginx.te
index 3a30d69..be59bab 100644
--- a/policy/modules/contrib/nginx.te
+++ b/policy/modules/contrib/nginx.te
@@ -157,3 +157,13 @@ tunable_policy(`nginx_can_network_connect',`
 optional_policy(`
 	phpfpm_stream_connect(nginx_t)
 ')
+
+ifdef(`distro_gentoo',`
+
+	# needs to be able to signal its children
+	allow nginx_t self:process { signal sigchld };
+
+	optional_policy(`
+		uwsgi_stream_connect(nginx_t)
+	')
+')



* [gentoo-commits] proj/hardened-refpolicy:nginx commit in: policy/modules/contrib/
@ 2015-04-11  8:35 Jason Zaman
From: Jason Zaman @ 2015-04-11  8:35 UTC (permalink / raw
  To: gentoo-commits

commit:     186dce3354c02234097a6c6c89b825184b3cfc40
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Apr  9 09:45:41 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr 11 08:34:30 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=186dce33

Introduce policy for uWSGI, written by me

 policy/modules/contrib/uwsgi.fc |   9 +++
 policy/modules/contrib/uwsgi.if | 141 ++++++++++++++++++++++++++++++++++++++++
 policy/modules/contrib/uwsgi.te |  88 +++++++++++++++++++++++++
 3 files changed, 238 insertions(+)

diff --git a/policy/modules/contrib/uwsgi.fc b/policy/modules/contrib/uwsgi.fc
new file mode 100644
index 0000000..4eeda43
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.fc
@@ -0,0 +1,9 @@
+/etc/uwsgi.d(/.*)?                                      gen_context(system_u:object_r:uwsgi_conf_t,s0)
+
+/usr/bin/uwsgi.*                                        gen_context(system_u:object_r:uwsgi_exec_t,s0)
+
+/var/log/uwsgi(/.*)?                                    gen_context(system_u:object_r:uwsgi_var_log_t,s0)
+/var/run/uwsgi(/.*)?                                    gen_context(system_u:object_r:uwsgi_run_t,s0)
+/var/www/wsgi/.*\.so                                    gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
+/var/www/wsgi/.*/bin/.*                                 gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
+/var/www/wsgi(/.*)?                                     gen_context(system_u:object_r:uwsgi_content_t,s0)

diff --git a/policy/modules/contrib/uwsgi.if b/policy/modules/contrib/uwsgi.if
new file mode 100644
index 0000000..c738398
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.if
@@ -0,0 +1,141 @@
+## <summary>uWSGI server for Python web applications</summary>
+
+########################################
+## <summary>
+##      Connect to uwsgi using a unix
+##      domain stream socket.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`uwsgi_stream_connect',`
+        gen_require(`
+                type uwsgi_t, uwsgi_run_t;
+        ')
+
+        files_search_pids($1)
+        list_dirs_pattern($1, uwsgi_run_t, uwsgi_run_t)
+        stream_connect_pattern($1, uwsgi_run_t, uwsgi_run_t, uwsgi_t)
+')
+
+########################################
+## <summary>
+##      Manage uwsgi content.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`uwsgi_manage_content',`
+        gen_require(`
+                type uwsgi_content_t;
+        ')
+
+        files_search_pids($1)
+        manage_dirs_pattern($1, uwsgi_content_t, uwsgi_content_t)
+        manage_files_pattern($1, uwsgi_content_t, uwsgi_content_t)
+        manage_lnk_files_pattern($1, uwsgi_content_t, uwsgi_content_t)
+
+        manage_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)
+        manage_lnk_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)
+
+        optional_policy(`
+                apache_manage_sys_content($1)
+        ')
+')
+
+########################################
+## <summary>
+##      Execute uwsgi in the uwsgi domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`uwsgi_domtrans',`
+        gen_require(`
+                type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        domtrans_pattern($1, uwsgi_exec_t, uwsgi_t)
+        domtrans_pattern($1, uwsgi_content_exec_t, uwsgi_t)
+')
+
+########################################
+## <summary>
+##      Execute uwsgi in the callers domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`uwsgi_content_exec',`
+        gen_require(`
+                type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        can_exec($1, uwsgi_content_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate a uWSGI environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`uwsgi_admin',`
+	gen_require(`
+		type uwsgi_t, uwsgi_exec_t, uwsgi_conf_t;
+		type uwsgi_run_t, uwsgi_var_log_t, uwsgi_tmp_t;
+		type uwsgi_content_t, uwsgi_content_exec_t;
+	')
+
+	allow $1 uwsgi_t:process { ptrace signal_perms };
+	ps_process_pattern($1, uwsgi_t)
+
+	files_search_etc($1)
+	admin_pattern($1, { uwsgi_conf_t uwsgi_exec_t })
+
+        optional_policy(`
+                apache_manage_sys_content($1)
+        ')
+	admin_pattern($1, { uwsgi_content_t uwsgi_content_exec_t })
+
+        files_search_pids($1)
+	admin_pattern($1, { uwsgi_var_log_t })
+
+	files_search_var_lib($1)
+	admin_pattern($1, uwsgi_data_t)
+
+	files_search_pids($1)
+	admin_pattern($1, uwsgi_run_t)
+
+	files_search_tmp($1)
+	admin_pattern($1, uwsgi_tmp_t)
+
+        corecmd_search_bin($1)
+        domtrans_pattern($1, uwsgi_exec_t, uwsgi_t)
+        can_exec($1, uwsgi_content_exec_t)
+')
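Review bot: `files_search_pids($1)` at L532 precedes `admin_pattern($1, { uwsgi_var_log_t })` at L533, but uwsgi_var_log_t is labeled under /var/log (uwsgi.fc), and on stock refpolicy files_search_pids only grants search on the /var and /var/run types, so the admin domain still cannot reach the log directory; the matching search rule is `logging_search_logs($1)`, and pids search is already granted at L538 ahead of the uwsgi_run_t admin_pattern. The same pairing appears at L170-L171 in b2a65872, L814-L815 in c6722d33 and in the uwsgi.if of e249c7e2.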

diff --git a/policy/modules/contrib/uwsgi.te b/policy/modules/contrib/uwsgi.te
new file mode 100644
index 0000000..f4a79ce
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.te
@@ -0,0 +1,88 @@
+policy_module(uwsgi, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type uwsgi_t;
+type uwsgi_exec_t;
+init_daemon_domain(uwsgi_t, uwsgi_exec_t)
+
+type uwsgi_conf_t;
+files_config_file(uwsgi_conf_t)
+
+type uwsgi_run_t;
+init_daemon_pid_file(uwsgi_run_t, dir, "uwsgi")
+
+type uwsgi_var_log_t;
+logging_log_file(uwsgi_var_log_t)
+
+type uwsgi_tmp_t;
+files_tmp_file(uwsgi_tmp_t)
+
+type uwsgi_content_t;
+files_type(uwsgi_content_t)
+
+type uwsgi_content_exec_t;
+files_type(uwsgi_content_exec_t)
+
+########################################
+#
+# uwsgi local policy
+#
+
+allow uwsgi_t self:fifo_file rw_fifo_file_perms;
+allow uwsgi_t self:process { signal sigchld };
+
+can_exec(uwsgi_t, uwsgi_exec_t)
+can_exec(uwsgi_t, uwsgi_tmp_t)
+can_exec(uwsgi_t, uwsgi_content_exec_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t)
+read_files_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+read_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+read_lnk_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+read_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+read_lnk_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+
+read_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t)
+append_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t)
+logging_log_filetrans(uwsgi_t, uwsgi_var_log_t, { file dir })
+logging_search_logs(uwsgi_t)
+
+manage_dirs_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+manage_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+manage_sock_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+
+manage_dirs_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)
+manage_files_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)
+files_tmp_filetrans(uwsgi_t, uwsgi_tmp_t, { file dir })
+
+files_read_usr_files(uwsgi_t)
+
+auth_use_nsswitch(uwsgi_t)
+
+corecmd_exec_bin(uwsgi_t)
+corecmd_exec_shell(uwsgi_t)
+
+kernel_read_system_state(uwsgi_t)
+
+miscfiles_read_localization(uwsgi_t)
+
+optional_policy(`
+        apache_search_sys_content(uwsgi_t)
+        apache_manage_all_rw_content(uwsgi_t)
+')
+
+optional_policy(`
+        cron_system_entry(uwsgi_t, uwsgi_content_exec_t)
+')
+
+optional_policy(`
+        mysql_stream_connect(uwsgi_t)
+')



* [gentoo-commits] proj/hardened-refpolicy:nginx commit in: policy/modules/contrib/
@ 2015-04-11  8:39 Jason Zaman
From: Jason Zaman @ 2015-04-11  8:39 UTC (permalink / raw
  To: gentoo-commits

commit:     c6722d335c223053a66cc72e86666d18df58fb5c
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Apr  9 09:45:41 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr 11 08:39:15 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c6722d33

Introduce policy for uWSGI, written by me

 policy/modules/contrib/uwsgi.fc |   9 +++
 policy/modules/contrib/uwsgi.if | 138 ++++++++++++++++++++++++++++++++++++++++
 policy/modules/contrib/uwsgi.te |  88 +++++++++++++++++++++++++
 3 files changed, 235 insertions(+)

diff --git a/policy/modules/contrib/uwsgi.fc b/policy/modules/contrib/uwsgi.fc
new file mode 100644
index 0000000..4eeda43
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.fc
@@ -0,0 +1,9 @@
+/etc/uwsgi.d(/.*)?                                      gen_context(system_u:object_r:uwsgi_conf_t,s0)
+
+/usr/bin/uwsgi.*                                        gen_context(system_u:object_r:uwsgi_exec_t,s0)
+
+/var/log/uwsgi(/.*)?                                    gen_context(system_u:object_r:uwsgi_var_log_t,s0)
+/var/run/uwsgi(/.*)?                                    gen_context(system_u:object_r:uwsgi_run_t,s0)
+/var/www/wsgi/.*\.so                                    gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
+/var/www/wsgi/.*/bin/.*                                 gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
+/var/www/wsgi(/.*)?                                     gen_context(system_u:object_r:uwsgi_content_t,s0)

diff --git a/policy/modules/contrib/uwsgi.if b/policy/modules/contrib/uwsgi.if
new file mode 100644
index 0000000..39da3e5
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.if
@@ -0,0 +1,138 @@
+## <summary>uWSGI server for Python web applications</summary>
+
+########################################
+## <summary>
+##      Connect to uwsgi using a unix
+##      domain stream socket.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`uwsgi_stream_connect',`
+        gen_require(`
+                type uwsgi_t, uwsgi_run_t;
+        ')
+
+        files_search_pids($1)
+        list_dirs_pattern($1, uwsgi_run_t, uwsgi_run_t)
+        stream_connect_pattern($1, uwsgi_run_t, uwsgi_run_t, uwsgi_t)
+')
+
+########################################
+## <summary>
+##      Manage uwsgi content.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`uwsgi_manage_content',`
+        gen_require(`
+                type uwsgi_content_t;
+        ')
+
+        files_search_pids($1)
+        manage_dirs_pattern($1, uwsgi_content_t, uwsgi_content_t)
+        manage_files_pattern($1, uwsgi_content_t, uwsgi_content_t)
+        manage_lnk_files_pattern($1, uwsgi_content_t, uwsgi_content_t)
+
+        manage_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)
+        manage_lnk_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)
+
+        optional_policy(`
+                apache_manage_sys_content($1)
+        ')
+')
+
+########################################
+## <summary>
+##      Execute uwsgi in the uwsgi domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`uwsgi_domtrans',`
+        gen_require(`
+                type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        domtrans_pattern($1, uwsgi_exec_t, uwsgi_t)
+        domtrans_pattern($1, uwsgi_content_exec_t, uwsgi_t)
+')
+
+########################################
+## <summary>
+##      Execute uwsgi in the callers domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`uwsgi_content_exec',`
+        gen_require(`
+                type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        can_exec($1, uwsgi_content_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate a uWSGI environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`uwsgi_admin',`
+	gen_require(`
+		type uwsgi_t, uwsgi_exec_t, uwsgi_conf_t;
+		type uwsgi_run_t, uwsgi_var_log_t, uwsgi_tmp_t;
+		type uwsgi_content_t, uwsgi_content_exec_t;
+	')
+
+	allow $1 uwsgi_t:process { ptrace signal_perms };
+	ps_process_pattern($1, uwsgi_t)
+
+	files_search_etc($1)
+	admin_pattern($1, { uwsgi_conf_t uwsgi_exec_t })
+
+        optional_policy(`
+                apache_manage_sys_content($1)
+        ')
+	admin_pattern($1, { uwsgi_content_t uwsgi_content_exec_t })
+
+        files_search_pids($1)
+	admin_pattern($1, { uwsgi_var_log_t })
+
+	files_search_pids($1)
+	admin_pattern($1, uwsgi_run_t)
+
+	files_search_tmp($1)
+	admin_pattern($1, uwsgi_tmp_t)
+
+        corecmd_search_bin($1)
+        domtrans_pattern($1, uwsgi_exec_t, uwsgi_t)
+        can_exec($1, uwsgi_content_exec_t)
+')
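Review bot: uwsgi_admin documents a `<param name="role">` and tags the interface `<rolecap/>` at L789-L794, but the body never references `$2`, so the role a caller passes gains nothing and the documentation promises more than the interface delivers; either drop the role parameter and the rolecap tag, or use `$2` the way other refpolicy admin interfaces do when granting a role what it needs to run the service. The interface also mixes tab and eight-space indentation within its own body (L797 versus L809), unlike the earlier interfaces in the file which consistently use spaces. The same applies to the uwsgi_admin copies in b2a65872, 186dce33 and e249c7e2.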

diff --git a/policy/modules/contrib/uwsgi.te b/policy/modules/contrib/uwsgi.te
new file mode 100644
index 0000000..f4a79ce
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.te
@@ -0,0 +1,88 @@
+policy_module(uwsgi, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type uwsgi_t;
+type uwsgi_exec_t;
+init_daemon_domain(uwsgi_t, uwsgi_exec_t)
+
+type uwsgi_conf_t;
+files_config_file(uwsgi_conf_t)
+
+type uwsgi_run_t;
+init_daemon_pid_file(uwsgi_run_t, dir, "uwsgi")
+
+type uwsgi_var_log_t;
+logging_log_file(uwsgi_var_log_t)
+
+type uwsgi_tmp_t;
+files_tmp_file(uwsgi_tmp_t)
+
+type uwsgi_content_t;
+files_type(uwsgi_content_t)
+
+type uwsgi_content_exec_t;
+files_type(uwsgi_content_exec_t)
+
+########################################
+#
+# uwsgi local policy
+#
+
+allow uwsgi_t self:fifo_file rw_fifo_file_perms;
+allow uwsgi_t self:process { signal sigchld };
+
+can_exec(uwsgi_t, uwsgi_exec_t)
+can_exec(uwsgi_t, uwsgi_tmp_t)
+can_exec(uwsgi_t, uwsgi_content_exec_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t)
+read_files_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+read_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+read_lnk_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+read_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+read_lnk_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+
+read_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t)
+append_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t)
+logging_log_filetrans(uwsgi_t, uwsgi_var_log_t, { file dir })
+logging_search_logs(uwsgi_t)
+
+manage_dirs_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+manage_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+manage_sock_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+
+manage_dirs_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)
+manage_files_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)
+files_tmp_filetrans(uwsgi_t, uwsgi_tmp_t, { file dir })
+
+files_read_usr_files(uwsgi_t)
+
+auth_use_nsswitch(uwsgi_t)
+
+corecmd_exec_bin(uwsgi_t)
+corecmd_exec_shell(uwsgi_t)
+
+kernel_read_system_state(uwsgi_t)
+
+miscfiles_read_localization(uwsgi_t)
+
+optional_policy(`
+        apache_search_sys_content(uwsgi_t)
+        apache_manage_all_rw_content(uwsgi_t)
+')
+
+optional_policy(`
+        cron_system_entry(uwsgi_t, uwsgi_content_exec_t)
+')
+
+optional_policy(`
+        mysql_stream_connect(uwsgi_t)
+')



* [gentoo-commits] proj/hardened-refpolicy:nginx commit in: policy/modules/contrib/
@ 2015-04-11  8:39 Jason Zaman
From: Jason Zaman @ 2015-04-11  8:39 UTC (permalink / raw
  To: gentoo-commits

commit:     28442bfaabc792a4df1b9936c000b8553df302f3
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Apr 11 08:05:19 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr 11 08:39:16 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=28442bfa

allow nginx to connect to uwsgi

 policy/modules/contrib/nginx.te | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/policy/modules/contrib/nginx.te b/policy/modules/contrib/nginx.te
index 3a30d69..be59bab 100644
--- a/policy/modules/contrib/nginx.te
+++ b/policy/modules/contrib/nginx.te
@@ -157,3 +157,13 @@ tunable_policy(`nginx_can_network_connect',`
 optional_policy(`
 	phpfpm_stream_connect(nginx_t)
 ')
+
+ifdef(`distro_gentoo',`
+
+	# needs to be able to signal its children
+	allow nginx_t self:process { signal sigchld };
+
+	optional_policy(`
+		uwsgi_stream_connect(nginx_t)
+	')
+')



* [gentoo-commits] proj/hardened-refpolicy:nginx commit in: policy/modules/contrib/
@ 2015-04-11  9:49 Jason Zaman
From: Jason Zaman @ 2015-04-11  9:49 UTC (permalink / raw
  To: gentoo-commits

commit:     e249c7e2a3350238aae1badf4f07373e420ccdb0
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Apr  9 09:45:41 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr 11 09:48:53 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e249c7e2

Introduce policy for uWSGI, written by me

 policy/modules/contrib/uwsgi.fc |   9 +++
 policy/modules/contrib/uwsgi.if | 138 ++++++++++++++++++++++++++++++++++++++++
 policy/modules/contrib/uwsgi.te |  88 +++++++++++++++++++++++++
 3 files changed, 235 insertions(+)

diff --git a/policy/modules/contrib/uwsgi.fc b/policy/modules/contrib/uwsgi.fc
new file mode 100644
index 0000000..7d2210b
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.fc
@@ -0,0 +1,9 @@
+/etc/uwsgi.d(/.*)?					gen_context(system_u:object_r:uwsgi_conf_t,s0)
+
+/usr/bin/uwsgi.*				--	gen_context(system_u:object_r:uwsgi_exec_t,s0)
+
+/var/log/uwsgi(/.*)?					gen_context(system_u:object_r:uwsgi_var_log_t,s0)
+/var/run/uwsgi(/.*)?					gen_context(system_u:object_r:uwsgi_run_t,s0)
+/var/www/wsgi/.*\.so				--	gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
+/var/www/wsgi/.*/bin/.*					gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
+/var/www/wsgi(/.*)?					gen_context(system_u:object_r:uwsgi_content_t,s0)

diff --git a/policy/modules/contrib/uwsgi.if b/policy/modules/contrib/uwsgi.if
new file mode 100644
index 0000000..8513c7c
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.if
@@ -0,0 +1,138 @@
+## <summary>uWSGI server for Python web applications</summary>
+
+########################################
+## <summary>
+##	Connect to uwsgi using a unix
+##	domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`uwsgi_stream_connect',`
+	gen_require(`
+		type uwsgi_t, uwsgi_run_t;
+	')
+
+	files_search_pids($1)
+	list_dirs_pattern($1, uwsgi_run_t, uwsgi_run_t)
+	stream_connect_pattern($1, uwsgi_run_t, uwsgi_run_t, uwsgi_t)
+')
+
+########################################
+## <summary>
+##	Manage uwsgi content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`uwsgi_manage_content',`
+	gen_require(`
+		type uwsgi_content_t;
+	')
+
+	files_search_pids($1)
+	manage_dirs_pattern($1, uwsgi_content_t, uwsgi_content_t)
+	manage_files_pattern($1, uwsgi_content_t, uwsgi_content_t)
+	manage_lnk_files_pattern($1, uwsgi_content_t, uwsgi_content_t)
+
+	manage_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)
+	manage_lnk_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)
+
+	optional_policy(`
+		apache_manage_sys_content($1)
+	')
+')
+
+########################################
+## <summary>
+##	Execute uwsgi in the uwsgi domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`uwsgi_domtrans',`
+	gen_require(`
+		type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, uwsgi_exec_t, uwsgi_t)
+	domtrans_pattern($1, uwsgi_content_exec_t, uwsgi_t)
+')
+
+########################################
+## <summary>
+##	Execute uwsgi in the callers domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`uwsgi_content_exec',`
+	gen_require(`
+		type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, uwsgi_content_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate a uWSGI environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`uwsgi_admin',`
+	gen_require(`
+		type uwsgi_t, uwsgi_exec_t, uwsgi_conf_t;
+		type uwsgi_run_t, uwsgi_var_log_t, uwsgi_tmp_t;
+		type uwsgi_content_t, uwsgi_content_exec_t;
+	')
+
+	allow $1 uwsgi_t:process { ptrace signal_perms };
+	ps_process_pattern($1, uwsgi_t)
+
+	files_search_etc($1)
+	admin_pattern($1, { uwsgi_conf_t uwsgi_exec_t })
+
+	optional_policy(`
+		apache_manage_sys_content($1)
+        ')
+	admin_pattern($1, { uwsgi_content_t uwsgi_content_exec_t })
+
+        files_search_pids($1)
+	admin_pattern($1, { uwsgi_var_log_t })
+
+	files_search_pids($1)
+	admin_pattern($1, uwsgi_run_t)
+
+	files_search_tmp($1)
+	admin_pattern($1, uwsgi_tmp_t)
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, uwsgi_exec_t, uwsgi_t)
+	can_exec($1, uwsgi_content_exec_t)
+')
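Review bot: `uwsgi_manage_content` grants `manage_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)` while its gen_require only pulls in `type uwsgi_content_t;`, so in a modular build any other module calling this interface fails on the undeclared type; it should read `type uwsgi_content_t, uwsgi_content_exec_t;`. The `files_search_pids($1)` in that same interface looks copied from uwsgi_stream_connect: the content is under /var/www according to uwsgi.fc, so `files_search_var($1)` is the search permission the caller actually needs, and the same slip appears in uwsgi_admin where `files_search_pids($1)` precedes the uwsgi_var_log_t admin_pattern instead of `logging_search_logs($1)`. Callers of uwsgi_manage_content should also be aware that it hands out write access to uwsgi_content_exec_t, which uwsgi_t executes and uwsgi_domtrans transitions on, so it is effectively a "may deploy code that runs as uwsgi_t" permission and should only be given to domains trusted for that.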

diff --git a/policy/modules/contrib/uwsgi.te b/policy/modules/contrib/uwsgi.te
new file mode 100644
index 0000000..e177865
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.te
@@ -0,0 +1,88 @@
+policy_module(uwsgi, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type uwsgi_t;
+type uwsgi_exec_t;
+init_daemon_domain(uwsgi_t, uwsgi_exec_t)
+
+type uwsgi_conf_t;
+files_config_file(uwsgi_conf_t)
+
+type uwsgi_run_t;
+init_daemon_pid_file(uwsgi_run_t, dir, "uwsgi")
+
+type uwsgi_var_log_t;
+logging_log_file(uwsgi_var_log_t)
+
+type uwsgi_tmp_t;
+files_tmp_file(uwsgi_tmp_t)
+
+type uwsgi_content_t;
+files_type(uwsgi_content_t)
+
+type uwsgi_content_exec_t;
+files_type(uwsgi_content_exec_t)
+
+########################################
+#
+# uwsgi local policy
+#
+
+allow uwsgi_t self:fifo_file rw_fifo_file_perms;
+allow uwsgi_t self:process { signal sigchld };
+
+can_exec(uwsgi_t, uwsgi_exec_t)
+can_exec(uwsgi_t, uwsgi_tmp_t)
+can_exec(uwsgi_t, uwsgi_content_exec_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t)
+read_files_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+read_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+read_lnk_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+read_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+read_lnk_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+
+read_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t)
+append_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t)
+logging_log_filetrans(uwsgi_t, uwsgi_var_log_t, { file dir })
+logging_search_logs(uwsgi_t)
+
+manage_dirs_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+manage_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+manage_sock_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+
+manage_dirs_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)
+manage_files_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)
+files_tmp_filetrans(uwsgi_t, uwsgi_tmp_t, { file dir })
+
+files_read_usr_files(uwsgi_t)
+
+auth_use_nsswitch(uwsgi_t)
+
+corecmd_exec_bin(uwsgi_t)
+corecmd_exec_shell(uwsgi_t)
+
+kernel_read_system_state(uwsgi_t)
+
+miscfiles_read_localization(uwsgi_t)
+
+optional_policy(`
+	apache_search_sys_content(uwsgi_t)
+	apache_manage_all_rw_content(uwsgi_t)
+')
+
+optional_policy(`
+	cron_system_entry(uwsgi_t, uwsgi_content_exec_t)
+')
+
+optional_policy(`
+	mysql_stream_connect(uwsgi_t)
+')
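Review bot: `can_exec(uwsgi_t, uwsgi_tmp_t)` near the top of the local policy combines with `manage_files_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)` further down to give the daemon write-and-execute on the same type, so any code execution inside a hosted application can drop a binary under /tmp and run it, undoing the read-only split between uwsgi_content_t and uwsgi_content_exec_t that the rest of this module sets up. Nothing in the commit says which uwsgi feature needs executable temp files; if one does, gate it behind a tunable that defaults to off instead of granting it unconditionally, and the same least-privilege argument applies to the unconditional `corecmd_exec_shell(uwsgi_t)`. Something like the following, replacing the unconditional can_exec line:

```m4
## <desc>
## <p>
## Allow uwsgi to execute files it creates in its own temporary directory.
## </p>
## </desc>
gen_tunable(uwsgi_exec_tmp, false)

# … unchanged: type declarations and the rest of the local policy …

tunable_policy(`uwsgi_exec_tmp',`
	can_exec(uwsgi_t, uwsgi_tmp_t)
')
```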



* [gentoo-commits] proj/hardened-refpolicy:nginx commit in: policy/modules/contrib/
@ 2015-04-11  9:49 Jason Zaman
  0 siblings, 0 replies; 11+ messages in thread
From: Jason Zaman @ 2015-04-11  9:49 UTC (permalink / raw
  To: gentoo-commits

commit:     e79f1f685bd0e7361828c4ddc59c13e17faa20ef
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Apr 11 08:05:19 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr 11 09:48:53 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e79f1f68

allow nginx to connect to uwsgi

 policy/modules/contrib/nginx.te | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/policy/modules/contrib/nginx.te b/policy/modules/contrib/nginx.te
index 3a30d69..be59bab 100644
--- a/policy/modules/contrib/nginx.te
+++ b/policy/modules/contrib/nginx.te
@@ -157,3 +157,13 @@ tunable_policy(`nginx_can_network_connect',`
 optional_policy(`
 	phpfpm_stream_connect(nginx_t)
 ')
+
+ifdef(`distro_gentoo',`
+
+	# needs to be able to signal its children
+	allow nginx_t self:process { signal sigchld };
+
+	optional_policy(`
+		uwsgi_stream_connect(nginx_t)
+	')
+')
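Review bot: `allow nginx_t self:process { signal sigchld };` sits inside the `ifdef(`distro_gentoo',` block, but the comment above it says it is needed because nginx signals its worker children, which is how nginx runs on every distribution; only the `uwsgi_stream_connect(nginx_t)` call depends on the Gentoo-only uwsgi module. Move the allow rule out of the ifdef next to the other nginx_t local rules so non-Gentoo builds get it too, and keep just the optional_policy block under the ifdef. The enclosing nginx_t local policy starts before this hunk.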



* [gentoo-commits] proj/hardened-refpolicy:nginx commit in: policy/modules/contrib/
  2015-04-11 10:10 Jason Zaman
@ 2015-04-11 10:07 ` Jason Zaman
  0 siblings, 0 replies; 11+ messages in thread
From: Jason Zaman @ 2015-04-11 10:07 UTC (permalink / raw
  To: gentoo-commits

commit:     0a6928fa71555cc766096220d66e802f95269443
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Apr  9 09:45:41 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr 11 10:06:36 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0a6928fa

Introduce policy for uWSGI, written by me

 policy/modules/contrib/uwsgi.fc |   9 +++
 policy/modules/contrib/uwsgi.if | 140 ++++++++++++++++++++++++++++++++++++++++
 policy/modules/contrib/uwsgi.te |  88 +++++++++++++++++++++++++
 3 files changed, 237 insertions(+)

diff --git a/policy/modules/contrib/uwsgi.fc b/policy/modules/contrib/uwsgi.fc
new file mode 100644
index 0000000..7d2210b
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.fc
@@ -0,0 +1,9 @@
+/etc/uwsgi.d(/.*)?					gen_context(system_u:object_r:uwsgi_conf_t,s0)
+
+/usr/bin/uwsgi.*				--	gen_context(system_u:object_r:uwsgi_exec_t,s0)
+
+/var/log/uwsgi(/.*)?					gen_context(system_u:object_r:uwsgi_var_log_t,s0)
+/var/run/uwsgi(/.*)?					gen_context(system_u:object_r:uwsgi_run_t,s0)
+/var/www/wsgi/.*\.so				--	gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
+/var/www/wsgi/.*/bin/.*					gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
+/var/www/wsgi(/.*)?					gen_context(system_u:object_r:uwsgi_content_t,s0)

diff --git a/policy/modules/contrib/uwsgi.if b/policy/modules/contrib/uwsgi.if
new file mode 100644
index 0000000..761f8cd
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.if
@@ -0,0 +1,140 @@
+## <summary>uWSGI server for Python web applications</summary>
+
+########################################
+## <summary>
+##	Connect to uwsgi using a unix
+##	domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`uwsgi_stream_connect',`
+	gen_require(`
+		type uwsgi_t, uwsgi_run_t;
+	')
+
+	files_search_pids($1)
+	list_dirs_pattern($1, uwsgi_run_t, uwsgi_run_t)
+	stream_connect_pattern($1, uwsgi_run_t, uwsgi_run_t, uwsgi_t)
+')
+
+########################################
+## <summary>
+##	Manage uwsgi content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`uwsgi_manage_content',`
+	gen_require(`
+		type uwsgi_content_t;
+	')
+
+	files_search_pids($1)
+	manage_dirs_pattern($1, uwsgi_content_t, uwsgi_content_t)
+	manage_files_pattern($1, uwsgi_content_t, uwsgi_content_t)
+	manage_lnk_files_pattern($1, uwsgi_content_t, uwsgi_content_t)
+
+	manage_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)
+	manage_lnk_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)
+
+	optional_policy(`
+		apache_manage_sys_content($1)
+	')
+')
+
+########################################
+## <summary>
+##	Execute uwsgi in the uwsgi domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`uwsgi_domtrans',`
+	gen_require(`
+		type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, uwsgi_exec_t, uwsgi_t)
+	domtrans_pattern($1, uwsgi_content_exec_t, uwsgi_t)
+')
+
+########################################
+## <summary>
+##	Execute uwsgi in the callers domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`uwsgi_content_exec',`
+	gen_require(`
+		type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, uwsgi_content_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate a uWSGI environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`uwsgi_admin',`
+	gen_require(`
+		type uwsgi_t, uwsgi_exec_t, uwsgi_conf_t;
+		type uwsgi_run_t, uwsgi_var_log_t, uwsgi_tmp_t;
+		type uwsgi_content_t, uwsgi_content_exec_t;
+	')
+
+	allow $1 uwsgi_t:process { ptrace signal_perms };
+	ps_process_pattern($1, uwsgi_t)
+
+	files_search_etc($1)
+	admin_pattern($1, { uwsgi_conf_t uwsgi_exec_t })
+
+	files_search_var($1)
+	admin_pattern($1, { uwsgi_content_t uwsgi_content_exec_t })
+
+	logging_search_logs($1)
+	admin_pattern($1, { uwsgi_var_log_t })
+
+	files_search_pids($1)
+	admin_pattern($1, uwsgi_run_t)
+
+	files_search_tmp($1)
+	admin_pattern($1, uwsgi_tmp_t)
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, uwsgi_exec_t, uwsgi_t)
+	can_exec($1, uwsgi_content_exec_t)
+
+	optional_policy(`
+		apache_manage_sys_content($1)
+	')
+')
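Review bot: `uwsgi_admin` documents a `<param name="role">` and carries `<rolecap/>`, but `$2` never appears in the body, so the role argument is dead and an admin role gains no way to start or stop the service through an init script; I also do not see a uwsgi_initrc_exec_t declared in the uwsgi.te hunk of this commit. Either drop the role parameter and `<rolecap/>` from the interface documentation, or declare an initrc type and add the usual refpolicy admin trio `init_labeled_script_domtrans($1, uwsgi_initrc_exec_t)`, `role_transition $2 uwsgi_initrc_exec_t system_r;`, `allow $2 system_r;`. Separately, the gen_require of uwsgi_manage_content still lists only `type uwsgi_content_t;` while its body manages uwsgi_content_exec_t, which a modular build will reject; `type uwsgi_content_t, uwsgi_content_exec_t;` fixes it.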

diff --git a/policy/modules/contrib/uwsgi.te b/policy/modules/contrib/uwsgi.te
new file mode 100644
index 0000000..e177865
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.te
@@ -0,0 +1,88 @@
+policy_module(uwsgi, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type uwsgi_t;
+type uwsgi_exec_t;
+init_daemon_domain(uwsgi_t, uwsgi_exec_t)
+
+type uwsgi_conf_t;
+files_config_file(uwsgi_conf_t)
+
+type uwsgi_run_t;
+init_daemon_pid_file(uwsgi_run_t, dir, "uwsgi")
+
+type uwsgi_var_log_t;
+logging_log_file(uwsgi_var_log_t)
+
+type uwsgi_tmp_t;
+files_tmp_file(uwsgi_tmp_t)
+
+type uwsgi_content_t;
+files_type(uwsgi_content_t)
+
+type uwsgi_content_exec_t;
+files_type(uwsgi_content_exec_t)
+
+########################################
+#
+# uwsgi local policy
+#
+
+allow uwsgi_t self:fifo_file rw_fifo_file_perms;
+allow uwsgi_t self:process { signal sigchld };
+
+can_exec(uwsgi_t, uwsgi_exec_t)
+can_exec(uwsgi_t, uwsgi_tmp_t)
+can_exec(uwsgi_t, uwsgi_content_exec_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t)
+read_files_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+read_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+read_lnk_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+read_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+read_lnk_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+
+read_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t)
+append_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t)
+logging_log_filetrans(uwsgi_t, uwsgi_var_log_t, { file dir })
+logging_search_logs(uwsgi_t)
+
+manage_dirs_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+manage_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+manage_sock_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+
+manage_dirs_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)
+manage_files_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)
+files_tmp_filetrans(uwsgi_t, uwsgi_tmp_t, { file dir })
+
+files_read_usr_files(uwsgi_t)
+
+auth_use_nsswitch(uwsgi_t)
+
+corecmd_exec_bin(uwsgi_t)
+corecmd_exec_shell(uwsgi_t)
+
+kernel_read_system_state(uwsgi_t)
+
+miscfiles_read_localization(uwsgi_t)
+
+optional_policy(`
+	apache_search_sys_content(uwsgi_t)
+	apache_manage_all_rw_content(uwsgi_t)
+')
+
+optional_policy(`
+	cron_system_entry(uwsgi_t, uwsgi_content_exec_t)
+')
+
+optional_policy(`
+	mysql_stream_connect(uwsgi_t)
+')
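Review bot: `can_exec(uwsgi_t, uwsgi_tmp_t)` is still granted unconditionally in this revision even though uwsgi_t also gets `manage_files_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)`, so the domain that runs untrusted application code has write-plus-execute on one type and can stage and run arbitrary binaries from /tmp. Unless a specific uwsgi feature is known to need it, the simplest fix is to delete the line `can_exec(uwsgi_t, uwsgi_tmp_t)` and, if it has to return, add a comment naming the feature and put it behind a tunable that defaults off. Two things are absent that I would expect to show up as denials, hedged because they depend on how Gentoo's service is configured: a Python 3 interpreter usually reads /dev/urandom at start-up for hash randomisation (`dev_read_urand(uwsgi_t)`), and a master started as root that drops to `--uid`/`--gid` needs `allow uwsgi_t self:capability { setuid setgid };` — confirm against an audit log before adding either.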



* [gentoo-commits] proj/hardened-refpolicy:nginx commit in: policy/modules/contrib/
@ 2015-04-11 10:07 Jason Zaman
  2015-04-11 10:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 11+ messages in thread
From: Jason Zaman @ 2015-04-11 10:07 UTC (permalink / raw
  To: gentoo-commits

commit:     2943dc689d38767103194b6913308a08c3fd84b3
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Apr 11 08:05:19 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr 11 10:06:37 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2943dc68

allow nginx to connect to uwsgi

 policy/modules/contrib/nginx.te | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/policy/modules/contrib/nginx.te b/policy/modules/contrib/nginx.te
index 3a30d69..be59bab 100644
--- a/policy/modules/contrib/nginx.te
+++ b/policy/modules/contrib/nginx.te
@@ -157,3 +157,13 @@ tunable_policy(`nginx_can_network_connect',`
 optional_policy(`
 	phpfpm_stream_connect(nginx_t)
 ')
+
+ifdef(`distro_gentoo',`
+
+	# needs to be able to signal its children
+	allow nginx_t self:process { signal sigchld };
+
+	optional_policy(`
+		uwsgi_stream_connect(nginx_t)
+	')
+')
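Review bot: the `allow nginx_t self:process { signal sigchld };` rule does not belong under `ifdef(`distro_gentoo',`: its own comment says it exists because nginx signals its children, and nginx's master/worker model is the same on every distribution, so only the `uwsgi_stream_connect(nginx_t)` optional_policy is Gentoo-specific here. Hoist the allow rule above the ifdef with the rest of nginx_t's local rules and leave only the optional_policy block inside it. The nginx_t local policy this hunk appends to starts before the hunk.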



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
  2015-04-11 10:07 [gentoo-commits] proj/hardened-refpolicy:nginx commit in: policy/modules/contrib/ Jason Zaman
@ 2015-04-11 10:10 ` Jason Zaman
  0 siblings, 0 replies; 11+ messages in thread
From: Jason Zaman @ 2015-04-11 10:10 UTC (permalink / raw
  To: gentoo-commits

commit:     2943dc689d38767103194b6913308a08c3fd84b3
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Apr 11 08:05:19 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr 11 10:06:37 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2943dc68

allow nginx to connect to uwsgi

 policy/modules/contrib/nginx.te | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/policy/modules/contrib/nginx.te b/policy/modules/contrib/nginx.te
index 3a30d69..be59bab 100644
--- a/policy/modules/contrib/nginx.te
+++ b/policy/modules/contrib/nginx.te
@@ -157,3 +157,13 @@ tunable_policy(`nginx_can_network_connect',`
 optional_policy(`
 	phpfpm_stream_connect(nginx_t)
 ')
+
+ifdef(`distro_gentoo',`
+
+	# needs to be able to signal its children
+	allow nginx_t self:process { signal sigchld };
+
+	optional_policy(`
+		uwsgi_stream_connect(nginx_t)
+	')
+')
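Review bot: `allow nginx_t self:process { signal sigchld };` is gated on `distro_gentoo` although, per its own comment, it is there so nginx can signal its worker children, which is distribution-independent; the only Gentoo-specific part of the hunk is the `uwsgi_stream_connect(nginx_t)` call, since the uwsgi module is introduced in this repository. Placing the allow rule outside the ifdef, with the other unconditional nginx_t rules, keeps non-Gentoo builds of this module working without an extra denial. The surrounding nginx_t local policy begins before this hunk.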


