General Policy for Apache

The Apache server is allowed to:

  • accept user requests for web pages
  • read web pages
  • execute scripts
  • check password protection on web pages and scripts
  • display web pages back to the user
  • send and receive messages to and from the network
  • bind to port 80
  • read web configuration files located in /etc/httpd/conf
  • read and append to web log files located in /var/log/httpd
  • execute system libraries and Apache-specific libraries

The system boot process is allowed to start the Apache server.

The web administrator is allowed to:

  • create and modify system web pages
  • modify and execute system scripts
  • specify password protection on system web pages and scripts
  • specify which files can be accessed by system scripts

Users are allowed to:

  • send requests for web pages to the Apache server
  • modify user web pages
  • modify and execute user scripts
  • specify password protection on their web pages and scripts
  • specify which files can be accessed by user scripts

Script processes are allowed to:

  • execute script interpreters and libraries
  • read, write, and append specially marked files

Role and Type Definitions

A new role and several new types were defined to implement policy rules for Apache. They are listed below:

  Role or type                   Description
  httpd_adm_r                    Web administrator (role)
  httpd_t                        Apache daemon
  httpd_sys_content_t            System web pages
  httpd_user_content_t           User web pages
  httpd_sys_script_t             System script files
  httpd_user_script_t            User script files
  httpd_sys_htaccess_t           Access files for system web directories
  httpd_user_htaccess_t          Access files for user web directories
  httpd_config_t                 Apache configuration files in /etc/httpd/conf
  httpd_log_files_t              Apache log files located in /var/log/httpd
  httpd_modules_t                Libraries included with Apache
  httpd_exec_t                   Apache executable file
  httpd_admin_t                  Web administrator shell process
  httpd_sys_script_process_t     System script process
  httpd_user_script_process_t    User script process
  httpd_sys_script_r_t           Files that can be read by system scripts
  httpd_sys_script_rw_t          Files that can be read and written by system scripts
  httpd_sys_script_a_t           Files that can be appended to by system scripts
  httpd_user_script_r_t          Files that can be read by user scripts
  httpd_user_script_rw_t         Files that can be read and written by user scripts
  httpd_user_script_a_t          Files that can be appended to by user scripts
  httpd_suexec_t                 Suexec executable file
  httpd_suexec_process_t         User script process with user privileges

Policy Stated with Type Definitions

The policy states that a process of type httpd_t (the Apache daemon) can:

  • connect to the network and bind to port 80
  • read files of type httpd_sys_content_t (system web pages) or httpd_user_content_t (user web pages)
  • execute files of type httpd_sys_script_t (system scripts) and type httpd_user_script_t (user scripts)
  • read files of type httpd_sys_htaccess_t (files that provide password protection on directories containing system web pages and scripts) and httpd_user_htaccess_t (files that provide password protection on directories containing user web pages and scripts)
  • read files of type httpd_config_t (web configuration files)
  • read and append files of type httpd_log_files_t (log files)
  • execute files of type lib_t (system libraries) and httpd_modules_t (httpd libraries)

The policy allows files of type initrc_t to execute files of type httpd_exec_t. This allows the boot process to run the Apache daemon.

The policy allows a web administrator (a user with the httpd_adm_r role) to change the context of his shell to httpd_admin_t. The policy allows a process with this context to:

  • execute files of type httpd_exec_t (the Apache daemon)
  • modify files of type httpd_sys_content_t (system web pages)
  • modify and execute files of type httpd_sys_script_t (system scripts)
  • create files of type httpd_sys_htaccess_t (password protection files)
  • create files of type httpd_sys_script_r_t (files or directories that can be read by system scripts), httpd_sys_script_rw_t (files or directories that can be read and written by system scripts), and httpd_sys_script_a_t (files or directories that can be appended to by system scripts)
  • read and write files of type httpd_config_t and httpd_log_files_t (the web configuration files and web log files)
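The daemon, boot and web-administrator rules above, written out in the SELinux kernel policy language as an added illustration. This fragment is not the policy file from the MITRE prototype: it uses the base allow, type_transition and role statements rather than that policy's macros, and the exact permission sets (getattr, search, add_name and so on) are my choice of what each listed access needs on a real file system. Type names come from the definition table; the attributes domain, file_type and exec_type, the types initrc_t, lib_t and http_port_t, the role system_r, and the standard object classes are assumed to be declared in the surrounding policy. The user rules that follow are built the same way as the administrator rules and are not repeated here.

```selinux
# Added example (not the MITRE prototype's policy file): the daemon, boot and
# web-administrator rules in SELinux kernel policy language.
# Assumed declared elsewhere: attributes domain/file_type/exec_type, types
# initrc_t, lib_t, http_port_t, the role system_r, and the standard object classes.

# Declarations for the names used below (taken from the definition table)
type httpd_t, domain;
type httpd_admin_t, domain;
type httpd_exec_t, file_type, exec_type;
type httpd_sys_content_t, file_type;
type httpd_user_content_t, file_type;
type httpd_sys_script_t, file_type, exec_type;
type httpd_user_script_t, file_type, exec_type;
type httpd_sys_htaccess_t, file_type;
type httpd_user_htaccess_t, file_type;
type httpd_config_t, file_type;
type httpd_log_files_t, file_type;
type httpd_modules_t, file_type, exec_type;
type httpd_sys_script_r_t, file_type;
type httpd_sys_script_rw_t, file_type;
type httpd_sys_script_a_t, file_type;
role system_r types httpd_t;
# httpd_t is also authorized for httpd_adm_r so a daemon started by the
# administrator can keep that role
role httpd_adm_r types { httpd_admin_t httpd_t };

# ---- Apache daemon (httpd_t) ----
# Network: its own TCP sockets, plus permission to bind the HTTP port (80)
allow httpd_t self:tcp_socket { create bind listen accept read write getopt setopt shutdown };
allow httpd_t http_port_t:tcp_socket name_bind;
# Read system and user web pages (directory search is needed to reach the files)
allow httpd_t { httpd_sys_content_t httpd_user_content_t }:dir { search getattr read };
allow httpd_t { httpd_sys_content_t httpd_user_content_t }:file { read getattr };
# Execute system and user scripts (the domain change on exec is a separate rule set)
allow httpd_t { httpd_sys_script_t httpd_user_script_t }:file { read getattr execute };
# Read password-protection files, configuration, and modules/libraries
allow httpd_t { httpd_sys_htaccess_t httpd_user_htaccess_t }:file { read getattr };
allow httpd_t httpd_config_t:dir { search getattr read };
allow httpd_t httpd_config_t:file { read getattr };
allow httpd_t { lib_t httpd_modules_t }:file { read getattr execute };
# Log files: read and append only. 'write' is deliberately absent, so a
# compromised daemon cannot rewrite or truncate existing log entries.
allow httpd_t httpd_log_files_t:dir { search getattr read add_name };
allow httpd_t httpd_log_files_t:file { read getattr append create };

# ---- Boot process starts the daemon: initrc_t -> httpd_t on exec of httpd_exec_t ----
allow initrc_t httpd_exec_t:file { read getattr execute };
allow initrc_t httpd_t:process transition;
allow httpd_t httpd_exec_t:file entrypoint;
type_transition initrc_t httpd_exec_t:process httpd_t;

# ---- Web administrator: httpd_adm_r role, shell in httpd_admin_t ----
# Start the daemon the same way the boot process does
allow httpd_admin_t httpd_exec_t:file { read getattr execute };
allow httpd_admin_t httpd_t:process transition;
type_transition httpd_admin_t httpd_exec_t:process httpd_t;
# Create and modify system web pages, scripts and protection files
allow httpd_admin_t { httpd_sys_content_t httpd_sys_script_t httpd_sys_htaccess_t }:dir { search getattr read write add_name remove_name };
allow httpd_admin_t { httpd_sys_content_t httpd_sys_htaccess_t }:file { create read write getattr setattr unlink };
allow httpd_admin_t httpd_sys_script_t:file { create read write getattr setattr unlink execute execute_no_trans };
# Create the files and directories that system scripts may read, read/write, or append to
allow httpd_admin_t { httpd_sys_script_r_t httpd_sys_script_rw_t httpd_sys_script_a_t }:{ file dir } { create read write getattr setattr };
# Read and write the configuration and log files
allow httpd_admin_t { httpd_config_t httpd_log_files_t }:dir { search getattr read };
allow httpd_admin_t { httpd_config_t httpd_log_files_t }:file { read write getattr };
```

The point worth checking in a rule set like this is what is absent rather than what is present: httpd_t has no write permission on httpd_log_files_t and no permission at all on the httpd_sys_script_*_t data files. On a system with a compiled policy, the setools query `sesearch -A -s httpd_t -t httpd_log_files_t` lists exactly the allow rules that apply, which is a quick way to confirm that append-only logging survived whatever macros the real policy was built from.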

The policy allows a user to:

  • send requests to port 80 either locally or via the network
  • modify files of type httpd_user_content_t (user web pages)
  • modify and execute files of type httpd_user_script_t (user scripts)
  • create files of type httpd_user_htaccess_t (password protection files)
  • create files of type httpd_user_script_r_t (files that can be read by user scripts), httpd_user_script_rw_t (files that can be read and written by user scripts), and httpd_user_script_a_t (files that can be appended to by user scripts)

Apache can be configured to either call or not call suexec prior to running a script. With RedHat 7.1, the default configuration is for Apache to call suexec. Calling suexec allows the script process to run with the privileges of the user owning the script. We modified suexec to also transition the user identifier in the security context to the user identifier of the script. Therefore, the user identifier associated with the script will be recorded in log files if the script does something malicious. If suexec is not called, the user identifier of the script is not recorded, but the script will not have user privileges.

When a script is executed, the following security context transitions automatically take place:

  • When the daemon executes a system script (httpd_sys_script_t), the process type transitions to httpd_sys_script_process_t.
  • When the daemon executes a user script (httpd_user_script_t) and Apache is configured to use the modified suexec to run user scripts, the user id of the process changes to the user id associated with the script, the role transitions to user_r, and the type first transitions to httpd_suexec_process_t and then to httpd_user_script_process_t. The resulting process runs with user-level permissions.
  • When the daemon executes a user script and Apache is not configured to use the modified suexec to run user scripts, the user id and role do not change. The type transitions to httpd_user_script_t.
  • When a user executes a user script, the process type transitions to httpd_user_script_process_t.

The policy allows processes of type httpd_sys_script_process_t (system script processes) and httpd_user_script_process_t (user script processes) to:

  • execute files of type bin_t (scripts)
  • execute files of type lib_t (libraries)

The policy allows processes of type httpd_sys_script_process_t (system script processes) to:

  • read files of type httpd_sys_script_r_t
  • read and write files of type httpd_sys_script_rw_t
  • append files of type httpd_sys_script_a_t

The policy allows processes of type httpd_user_script_process_t (user script processes) to:

  • read files of type httpd_user_script_r_t
  • read and write files of type httpd_user_script_rw_t
  • append files of type httpd_user_script_a_t

Everything not explicitly allowed by the policy is denied.
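The script domains, the exec-time transitions listed above, and the script file-access rules, written out in the SELinux kernel policy language as an added illustration; this is not the MITRE prototype's policy file. It assumes the daemon types and attributes from the previous section, the types bin_t, lib_t and user_t, and the roles system_r and user_r are declared elsewhere. Two details are this example's own choices, since the text does not fix them: the role change to user_r is placed on the exec of suexec (the first of the two steps) so that the non-suexec path keeps system_r, and the non-suexec path transitions into the process domain httpd_user_script_process_t rather than the file type named in the list, keeping file types and process types distinct as the other transitions do. The final comment is where the deny-by-default statement shows up in practice.

```selinux
# Added example (not the MITRE prototype's policy file): script domains,
# exec-time transitions, and script file-access rules.
# Assumed declared elsewhere: the daemon types from the previous section,
# attributes domain/file_type/exec_type, types bin_t, lib_t, user_t, and the
# roles system_r and user_r.

type httpd_sys_script_process_t, domain;
type httpd_user_script_process_t, domain;
type httpd_suexec_t, file_type, exec_type;
type httpd_suexec_process_t, domain;
type httpd_user_script_r_t, file_type;
type httpd_user_script_rw_t, file_type;
type httpd_user_script_a_t, file_type;
role system_r types { httpd_sys_script_process_t httpd_user_script_process_t };
role user_r types { httpd_suexec_process_t httpd_user_script_process_t };
allow system_r user_r;

# 1. Daemon executes a system script: httpd_t -> httpd_sys_script_process_t
allow httpd_t httpd_sys_script_process_t:process transition;
allow httpd_sys_script_process_t httpd_sys_script_t:file entrypoint;
type_transition httpd_t httpd_sys_script_t:process httpd_sys_script_process_t;

# 2. Daemon runs the modified suexec, which then runs the user script:
#    httpd_t -> httpd_suexec_process_t -> httpd_user_script_process_t, role user_r.
#    Example's choice: the role changes on the suexec exec, so path 3 keeps system_r.
allow httpd_t httpd_suexec_t:file { read getattr execute };
allow httpd_t httpd_suexec_process_t:process transition;
allow httpd_suexec_process_t httpd_suexec_t:file entrypoint;
type_transition httpd_t httpd_suexec_t:process httpd_suexec_process_t;
role_transition system_r httpd_suexec_t user_r;
# suexec switches uid/gid to the script owner; the change of the SELinux user
# identity made by the modified suexec is a program behaviour outside these rules.
allow httpd_suexec_process_t self:capability { setuid setgid };
allow httpd_suexec_process_t httpd_user_script_t:file { read getattr execute };
allow httpd_suexec_process_t httpd_user_script_process_t:process transition;
allow httpd_user_script_process_t httpd_user_script_t:file entrypoint;
type_transition httpd_suexec_process_t httpd_user_script_t:process httpd_user_script_process_t;

# 3. Daemon executes a user script directly (suexec not configured): uid and role
#    unchanged. Example's choice: transition into the httpd_user_script_process_t
#    domain, keeping the file type and the process type distinct.
allow httpd_t httpd_user_script_process_t:process transition;
type_transition httpd_t httpd_user_script_t:process httpd_user_script_process_t;

# 4. A user executes a user script from an ordinary shell (user_t)
allow user_t httpd_user_script_t:file { read getattr execute };
allow user_t httpd_user_script_process_t:process transition;
type_transition user_t httpd_user_script_t:process httpd_user_script_process_t;

# ---- What script processes may do ----
# Both script domains: run interpreters and libraries
allow { httpd_sys_script_process_t httpd_user_script_process_t } bin_t:file { read getattr execute execute_no_trans };
allow { httpd_sys_script_process_t httpd_user_script_process_t } lib_t:file { read getattr execute };
# System scripts: only the specially marked system-script data files
allow httpd_sys_script_process_t { httpd_sys_script_r_t httpd_sys_script_rw_t httpd_sys_script_a_t }:dir { search getattr };
allow httpd_sys_script_process_t httpd_sys_script_r_t:file { read getattr };
allow httpd_sys_script_process_t httpd_sys_script_rw_t:file { read write getattr };
allow httpd_sys_script_process_t httpd_sys_script_a_t:file { append getattr };
# User scripts: only the specially marked user-script data files
allow httpd_user_script_process_t { httpd_user_script_r_t httpd_user_script_rw_t httpd_user_script_a_t }:dir { search getattr };
allow httpd_user_script_process_t httpd_user_script_r_t:file { read getattr };
allow httpd_user_script_process_t httpd_user_script_rw_t:file { read write getattr };
allow httpd_user_script_process_t httpd_user_script_a_t:file { append getattr };
# Nothing grants httpd_user_script_process_t access to httpd_sys_script_*_t,
# httpd_config_t or httpd_log_files_t: a user script that opens the server
# configuration or another script's data file is denied and the attempt is
# logged as an AVC denial, which is the deny-by-default rule at work.
```

Because the suexec path carries the script owner's user identity into the security context, an AVC denial raised from httpd_user_script_process_t names that user rather than the daemon's account, which is the audit property the modified suexec was built to provide.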


For more information, please contact Amy Herzog using the employee directory.


Page last updated: January 13, 2004

Copyright © 1997-2008, The MITRE Corporation. All rights reserved.