In refpolicy there are about eight modules that call apache_content_template in their private policy. These template calls sit inside optional_policy blocks, so that the modules do not depend on the apache module being present.
The problem is that seven out of these eight modules have, in their file context file, file context specifications that use an executable type declared by the apache content template. As far as I know, file context specifications are never optional.
So even though the calls to apache_content_template are optional, in practice they are not, because the file context specifications that accompany them are not optional.
This means that eight modules depend on the apache module being installed. Try to remove the apache module (semodule -r apache) and you will be presented with some very unclear errors. Most people will not know what to do.
So how can we fix that?
Well, here is an example. We use apache_cgi_domain() instead:
########################################
#
# BackupPC admin private declarations.
#
type backuppc_admin_t, backuppc_domains;
type backuppc_admin_exec_t;
domain_type(backuppc_admin_t)
domain_entry_file(backuppc_admin_t, backuppc_admin_exec_t)
role system_r types backuppc_admin_t;

########################################
#
# BackupPC admin private policy.
#
optional_policy(`
	apache_cgi_domain(backuppc_admin_t, backuppc_admin_exec_t)
')

# File context (.fc) entry: the type it labels with is declared in this
# module, so the entry no longer depends on the apache module.
/usr/share/BackupPC/sbin/BackupPC_Admin -- gen_context(system_u:object_r:backuppc_admin_exec_t, s0)
This way the call to apache_cgi_domain() is *really* optional. It is a bit more work initially, but in my view this is maintainable, unlike apache_content_template.
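As an added illustration (not part of the original post or of refpolicy), a small Python checker for the mismatch described above: it lists the types a module's .fc file labels with that its .te never declares, and attributes each one to an apache_content_template() call inside optional_policy() when the prefix matches. The module text is constructed for the example, and the template's httpd_<prefix>_script_exec_t naming is an assumption.

```python
import re

# Constructed sample input (not the real refpolicy backuppc module): a .te that
# only calls apache_content_template() inside optional_policy(), while the .fc
# hard-codes a type that template declares (assumed httpd_<prefix>_script_exec_t).
TE_BROKEN = """
type backuppc_t;
type backuppc_exec_t;
optional_policy(`
	apache_content_template(backuppc)
')
"""
FC_BROKEN = """
/usr/share/BackupPC/sbin/BackupPC_Admin -- gen_context(system_u:object_r:httpd_backuppc_script_exec_t,s0)
"""
# The shape proposed above: declare the exec type locally and pass it to an interface.
TE_FIXED = """
type backuppc_admin_t, backuppc_domains;
type backuppc_admin_exec_t;
optional_policy(`
	apache_cgi_domain(backuppc_admin_t, backuppc_admin_exec_t)
')
"""
FC_FIXED = """
/usr/share/BackupPC/sbin/BackupPC_Admin -- gen_context(system_u:object_r:backuppc_admin_exec_t, s0)
"""

TYPE_DECL = re.compile(r"^\s*type\s+(\w+)\s*[,;]", re.M)   # type foo_t; / type foo_t, attr;
FC_TYPE = re.compile(r"gen_context\(\w+:\w+:(\w+)\s*,")     # the type field of a context
OPTIONAL = re.compile(r"optional_policy\(`(.*?)'\)", re.S)  # bodies of optional blocks

def hidden_deps(te, fc):
    """Map each .fc type the module does not declare itself to the optional
    template call that would declare it (or 'unknown provider').
    A .fc entry is never optional, so every such type is a hard dependency
    on another module, whatever optional_policy() says."""
    undeclared = set(FC_TYPE.findall(fc)) - set(TYPE_DECL.findall(te))
    deps = {}
    for t in sorted(undeclared):
        m = re.match(r"httpd_(\w+?)_", t)
        call = f"apache_content_template({m.group(1)})" if m else None
        if call and any(call in body for body in OPTIONAL.findall(te)):
            deps[t] = call
        else:
            deps[t] = "unknown provider"
    return deps

if __name__ == "__main__":
    for name, (te, fc) in {"broken": (TE_BROKEN, FC_BROKEN),
                           "fixed": (TE_FIXED, FC_FIXED)}.items():
        print(name, hidden_deps(te, fc) or "no hidden dependencies")
```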