Skip to content

WIP: apache: tag nginx httpd_runtime files #903

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

WIP: apache: tag nginx httpd_runtime files #903

wants to merge 2 commits into from

Conversation

aerusso
Copy link
Contributor

@aerusso aerusso commented May 10, 2025

nginx has runtime files that should be appropriately labeled

@aerusso
Copy link
Contributor Author

aerusso commented May 10, 2025

I'm not sure of the best way to handle the nginx transition to allow -t to work correctly. This approach overloads http_helper_roles to allow directly starting nginx in the httpd_t domain. If that is too much authority, maybe we can create a weaker role (perhaps reuse httpd_helper_t?) that http_exec_t can domtrans to, and is powerful enough to read the configuration files, restart the server, etc.

@aerusso
Copy link
Contributor Author

aerusso commented May 10, 2025

apachectl is already marked at httpd_exec_t, so this problem is not specific to nginx. I can make a new domain, like httpd_ctl_t, with associated httpd_ctl_roles. Would that be the preferred way to do this?

@pebenito
Copy link
Member

apachectl is already marked at httpd_exec_t, so this problem is not specific to nginx. I can make a new domain, like httpd_ctl_t, with associated httpd_ctl_roles. Would that be the preferred way to do this?

This sounds like the best way forward.

aerusso added 2 commits May 13, 2025 18:45
@aerusso
apache: tag nginx httpd_runtime files
145d2c4 
nginx has runtime files that should be appropriately labeled.

Signed-off-by: Antonio Enrico Russo <[email protected]>
@aerusso
apache: allow nginx -t
27a65fe 
nginx needs to be executable by system administrators to be able to run
various actions, including the critical test option -t.

This provides appropriate execution authority to do so.

Signed-off-by: Antonio Enrico Russo <[email protected]>
@aerusso
Copy link
Contributor Author

aerusso commented May 19, 2025

I went forward and created a httpd_ctl_t domain. It's a little frustrating, because nginx -t really wants to check a lot of things out. It actually needs to be able to bind to various ports.

Indeed, it even wants to open various files (for example, the error log that is, at least on my machine, owned by www-data, and root is not explicitly granted access to it). Therefore, it winds up using dac_override. I suppose we could try to interact with various distributions and upstream to make sure that root is given read access to that file, and then we could remove dac_override from both httpd_t and httpd_ctl_t, but for right now this means that httpd_ctl_t needs quite a bit of permission.

pebenito
pebenito reviewed Jun 4, 2025
View reviewed changes
policy/modules/admin/logrotate.te
apache_read_config(logrotate_t)
apache_domtrans(logrotate_t)
apache_ctl_domtrans(logrotate_t)
apache_ctl_domtrans_from_httpd(logrotate_t)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be a non-from interface call from the apache module. The from interfaces are intended for users to use without having to modify the policy sources.

policy/modules/services/apache.te
Comment on lines +973 to +1001
manage_dirs_pattern(httpd_ctl_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_ctl_t, httpd_tmp_t, httpd_tmp_t)
allow httpd_ctl_t httpd_tmp_t:file map;
manage_sock_files_pattern(httpd_ctl_t, httpd_tmp_t, httpd_tmp_t)
manage_lnk_files_pattern(httpd_ctl_t, httpd_tmp_t, httpd_tmp_t)
files_tmp_filetrans(httpd_ctl_t, httpd_tmp_t, { file dir lnk_file sock_file })
userdom_user_tmp_filetrans(httpd_ctl_t, httpd_tmp_t, dir)

manage_dirs_pattern(httpd_ctl_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_ctl_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_lnk_files_pattern(httpd_ctl_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_fifo_files_pattern(httpd_ctl_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_sock_files_pattern(httpd_ctl_t, httpd_tmpfs_t, httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_ctl_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })

manage_dirs_pattern(httpd_ctl_t, httpd_var_lib_t, httpd_var_lib_t)
mmap_manage_files_pattern(httpd_ctl_t, httpd_var_lib_t, httpd_var_lib_t)
manage_lnk_files_pattern(httpd_ctl_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_ctl_t, httpd_var_lib_t, { dir file })

setattr_dirs_pattern(httpd_ctl_t, httpd_runtime_t, httpd_runtime_t)
manage_dirs_pattern(httpd_ctl_t, httpd_runtime_t, httpd_runtime_t)
manage_files_pattern(httpd_ctl_t, httpd_runtime_t, httpd_runtime_t)
manage_sock_files_pattern(httpd_ctl_t, httpd_runtime_t, httpd_runtime_t)
files_runtime_filetrans(httpd_ctl_t, httpd_runtime_t, { file sock_file dir })

manage_dirs_pattern(httpd_ctl_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_ctl_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_ctl_t, squirrelmail_spool_t, squirrelmail_spool_t)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this plus especially the port binding makes me reconsider my position...

Overall, I'm beginning to feel this seems too much like httpd_t to make it worthwhile. I'm not definitely saying no, but I'm leaning that direction.

Another option would be to move nginx into a new domain.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So I've been thinking about how to handle this change. Would it make sense to create an attribute httpd_domains that would be common to both nginx and apache? If we opted to do that, should I create a new httpd module for the common parts, and an nginx module for the new domain?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is a possibility. I'd have to see the full extent of rules that use it.

@aerusso aerusso changed the title apache: tag nginx httpd_runtime files WIP: apache: tag nginx httpd_runtime files Jul 11, 2025
@pebenito pebenito marked this pull request as draft September 3, 2025 12:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pebenito pebenito pebenito left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@aerusso @pebenito