## <summary>Apache web server</summary>

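########################################
## <summary>
##	Create a set of derived types for apache
##	web content.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving type names.
##	</summary>
## </param>
#
template(`apache_content_template',`
	gen_require(`
		attribute httpdcontent;
		attribute httpd_exec_scripts;
		attribute httpd_script_exec_type;
		type httpd_t, httpd_suexec_t, httpd_log_t;
	')

	# allow write access to public file transfer
	# services files.
	# Off by default; the only consumer is the
	# tunable_policy block further down that calls
	# miscfiles_manage_public_files for the script domain.
	gen_tunable(allow_httpd_$1_script_anon_write,false)

	#This type is for webpages
	type httpd_$1_content_t, httpdcontent; # customizable
	files_type(httpd_$1_content_t)

	# This type is used for .htaccess files
	type httpd_$1_htaccess_t; # customizable;
	files_type(httpd_$1_htaccess_t)

	# Type that CGI scripts run as
	type httpd_$1_script_t;
	domain_type(httpd_$1_script_t)
	role system_r types httpd_$1_script_t;

	# This type is used for executable scripts files
	# (the entry point of httpd_$1_script_t, see domain_entry_file).
	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
	corecmd_shell_entry_type(httpd_$1_script_t)
	domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)

	# The following three are the only areas that
	# scripts can read, read/write, or append to
	type httpd_$1_script_ro_t, httpdcontent; # customizable
	files_type(httpd_$1_script_ro_t)

	type httpd_$1_script_rw_t, httpdcontent; # customizable
	files_type(httpd_$1_script_rw_t)

	type httpd_$1_script_ra_t, httpdcontent; # customizable
	files_type(httpd_$1_script_ra_t)

	allow httpd_t httpd_$1_htaccess_t:file r_file_perms;

	# suexec launches scripts into the script domain; the fd/fifo/sigchld
	# rules are the usual parent/child plumbing across the transition.
	domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
	allow httpd_suexec_t httpd_$1_script_t:fd use;
	allow httpd_$1_script_t httpd_suexec_t:fd use;
	allow httpd_$1_script_t httpd_suexec_t:fifo_file rw_file_perms;
	allow httpd_$1_script_t httpd_suexec_t:process sigchld;

	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };

	allow httpd_$1_script_t self:fifo_file rw_file_perms;
	allow httpd_$1_script_t self:unix_stream_socket connectto;

	allow httpd_$1_script_t httpd_t:fifo_file write;
	# apache should set close-on-exec
	dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };

	# Allow the script process to search the cgi directory, and users directory
	allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };

	# Scripts may append to (not read or truncate) the apache logs.
	allow httpd_$1_script_t httpd_log_t:file { getattr append };
	allow httpd_$1_script_t httpd_log_t:dir search;
	logging_search_logs(httpd_$1_script_t)

	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
	allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };

	allow httpd_$1_script_t httpd_$1_script_ra_t:dir ra_dir_perms;
	allow httpd_$1_script_t httpd_$1_script_ra_t:file ra_file_perms;
	allow httpd_$1_script_t httpd_$1_script_ra_t:lnk_file { getattr read };

	allow httpd_$1_script_t httpd_$1_script_ro_t:dir { getattr read search };
	allow httpd_$1_script_t httpd_$1_script_ro_t:file { read getattr };
	allow httpd_$1_script_t httpd_$1_script_ro_t:lnk_file { getattr read };

	# rw content is the only area a script can create objects in;
	# objects created in /tmp are labelled the same way.
	allow httpd_$1_script_t httpd_$1_script_rw_t:dir create_dir_perms;
	allow httpd_$1_script_t httpd_$1_script_rw_t:file create_file_perms;
	allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
	allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms;
	allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
	files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })

	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)

	dev_read_rand(httpd_$1_script_t)
	dev_read_urand(httpd_$1_script_t)

	# Broad grant: the script domain may execute the general system
	# executables (presumably bin/sbin and all exec types) without a
	# transition. Together with files_exec_etc_files below this is the
	# bulk of what a compromised script can run; review before widening.
	corecmd_exec_all_executables(httpd_$1_script_t)

	files_exec_etc_files(httpd_$1_script_t)
	files_read_etc_files(httpd_$1_script_t)
	files_search_home(httpd_$1_script_t)

	libs_use_ld_so(httpd_$1_script_t)
	libs_use_shared_libs(httpd_$1_script_t)
	libs_exec_ld_so(httpd_$1_script_t)
	libs_exec_lib_files(httpd_$1_script_t)

	miscfiles_read_fonts(httpd_$1_script_t)
	miscfiles_read_public_files(httpd_$1_script_t)

	seutil_dontaudit_search_config(httpd_$1_script_t)

	# httpd_unified collapses the content/ro/rw/ra/exec split: any file
	# carrying httpdcontent becomes a valid entry point for the script
	# domain and may be created, modified and executed by it.
	tunable_policy(`httpd_enable_cgi && httpd_unified',`
		allow httpd_$1_script_t httpdcontent:file entrypoint;
		allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
		allow httpd_$1_script_t httpdcontent:file create_file_perms;
		allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
		can_exec(httpd_$1_script_t, httpdcontent)
	')

	tunable_policy(`allow_httpd_$1_script_anon_write',`
		miscfiles_manage_public_files(httpd_$1_script_t)
	')

	# Allow the web server to run scripts and serve pages
	# (httpd_t itself writes rw content, appends to ra content and
	# reads the rest; no execute is granted to httpd_t here).
	tunable_policy(`httpd_builtin_scripting',`
		allow httpd_t httpd_$1_script_rw_t:dir create_dir_perms;
		allow httpd_t httpd_$1_script_rw_t:file create_file_perms;
		allow httpd_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
		allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;

		allow httpd_t httpd_$1_script_ra_t:dir ra_dir_perms;
		allow httpd_t httpd_$1_script_ra_t:file ra_file_perms;
		allow httpd_t httpd_$1_script_ra_t:lnk_file { getattr read };

		allow httpd_t httpd_$1_script_ro_t:dir r_dir_perms;
		allow httpd_t httpd_$1_script_ro_t:file r_file_perms;
		allow httpd_t httpd_$1_script_ro_t:lnk_file { getattr read };

		allow httpd_t httpd_$1_content_t:dir r_dir_perms;
		allow httpd_t httpd_$1_content_t:file r_file_perms;
		allow httpd_t httpd_$1_content_t:lnk_file { getattr read };
	')

	tunable_policy(`httpd_enable_cgi',`
		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;

		# privileged users run the script:
		# (any domain given the httpd_exec_scripts attribute,
		# see apache_domtrans_all_scripts)
		domain_auto_trans(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
		allow httpd_exec_scripts httpd_$1_script_t:fd use;
		allow httpd_$1_script_t httpd_exec_scripts:fd use;
		allow httpd_$1_script_t httpd_exec_scripts:fifo_file rw_file_perms;
		allow httpd_$1_script_t httpd_exec_scripts:process sigchld;

		# apache runs the script:
		domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
		allow httpd_t httpd_$1_script_t:fd use;
		allow httpd_$1_script_t httpd_t:fd use;
		allow httpd_$1_script_t httpd_t:fifo_file rw_file_perms;
		allow httpd_$1_script_t httpd_t:process sigchld;

		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
		allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
		allow httpd_t httpd_$1_script_exec_t:file r_file_perms;

		allow httpd_$1_script_t self:process signal_perms;
		allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;

		# (the fd use / sigchld pair towards httpd_t was listed a second
		# time here; it is already granted above in this block, and
		# dev_read_urand is granted unconditionally above)

		kernel_read_system_state(httpd_$1_script_t)

		fs_getattr_xattr_fs(httpd_$1_script_t)

		files_read_etc_runtime_files(httpd_$1_script_t)
		files_read_usr_files(httpd_$1_script_t)

		libs_read_lib_files(httpd_$1_script_t)

		miscfiles_read_localization(httpd_$1_script_t)
	')

	# Both network tunables grant send/receive on all interfaces, nodes
	# and ports; the _db variant only narrows *connect* to the postgresql
	# and mysqld ports, the general one allows connect to all ports.
	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
		allow httpd_$1_script_t self:udp_socket create_socket_perms;

		corenet_non_ipsec_sendrecv(httpd_$1_script_t)
		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
		corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
		corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
		corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t)
		corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t)

		sysnet_read_config(httpd_$1_script_t)
	')

	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
		allow httpd_$1_script_t self:udp_socket create_socket_perms;

		corenet_non_ipsec_sendrecv(httpd_$1_script_t)
		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
		corenet_tcp_connect_all_ports(httpd_$1_script_t)
		corenet_sendrecv_all_client_packets(httpd_$1_script_t)

		sysnet_read_config(httpd_$1_script_t)
	')

	optional_policy(`
		mta_send_mail(httpd_$1_script_t)
	')

	optional_policy(`
		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
			nis_use_ypbind_uncond(httpd_$1_script_t)
		')
	')

	optional_policy(`
		nscd_socket_use(httpd_$1_script_t)
	')
')
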
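#######################################
## <summary>
##	The per role template for the apache module.
## </summary>
## <desc>
##	<p>
##	This template creates types used for web pages
##	and web cgi to be used from the user home directory.
##	</p>
##	<p>
##	This template is invoked automatically for each user, and
##	generally does not need to be invoked directly
##	by policy writers.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
#
template(`apache_per_role_template', `
	gen_require(`
		attribute httpdcontent, httpd_script_domains;
		attribute httpd_exec_scripts;
		type httpd_t, httpd_suexec_t, httpd_log_t;
	')

	# derive httpd_$1_content_t, httpd_$1_script_t and friends
	apache_content_template($1)

	# NOTE(review): httpd_script_domains is used elsewhere in this file
	# only in a role statement (apache_run_all_scripts), yet a *file*
	# type is added to it here. Looks like httpd_$1_script_t was
	# intended - confirm against the attribute's other users.
	typeattribute httpd_$1_content_t httpd_script_domains;
	userdom_user_home_content($1,httpd_$1_content_t)

	role $3 types httpd_$1_script_t;

	# The user domain may relabel its own web content into and out of
	# every derived type, and fully manage everything but plain content.
	allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom };

	allow $2 httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };

	allow $2 httpd_$1_script_ra_t:lnk_file { create_lnk_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_ra_t:dir { create_dir_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_ra_t:file { create_file_perms relabelto relabelfrom };

	allow $2 httpd_$1_script_ro_t:lnk_file { create_lnk_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_ro_t:dir { create_dir_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_ro_t:file { create_file_perms relabelto relabelfrom };

	allow $2 httpd_$1_script_rw_t:lnk_file { create_lnk_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_rw_t:dir { create_dir_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_rw_t:file { create_file_perms relabelto relabelfrom };

	# (a plain create_*_perms set for script_exec_t used to precede these
	# three rules; it was a strict subset of them and has been folded in)
	allow $2 httpd_$1_script_exec_t:dir { create_dir_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_exec_t:file { create_file_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_exec_t:lnk_file { create_lnk_perms relabelto relabelfrom };

	tunable_policy(`httpd_enable_cgi',`
		# If a user starts a script by hand it gets the proper context
		domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
		allow $2 httpd_$1_script_t:fd use;
		allow httpd_$1_script_t $2:fd use;
		allow httpd_$1_script_t $2:fifo_file rw_file_perms;
		allow httpd_$1_script_t $2:process sigchld;
	')

	# With httpd_unified, *any* httpdcontent file the user executes
	# transitions into the script domain, not just script_exec_t.
	tunable_policy(`httpd_enable_cgi && httpd_unified',`
		allow httpd_$1_script_t httpdcontent:file entrypoint;

		domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
		allow $2 httpd_$1_script_t:fd use;
		allow httpd_$1_script_t $2:fd use;
		allow httpd_$1_script_t $2:fifo_file rw_file_perms;
		allow httpd_$1_script_t $2:process sigchld;
	')

	# allow accessing files/dirs below the users home dir
	# (search only; reading the content itself comes from the
	# content types above)
	tunable_policy(`httpd_enable_homedirs',`
		userdom_search_user_home_dirs($1,httpd_t)
		userdom_search_user_home_dirs($1,httpd_suexec_t)
		userdom_search_user_home_dirs($1,httpd_$1_script_t)
	')
')
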
########################################
## <summary>
##	Read httpd user scripts executables.
## </summary>
## <param name="domain_prefix">
##	<summary>
##	Prefix of the domain. Example, user would be
##	the prefix for the user_t domain.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
template(`apache_read_user_scripts',`
	gen_require(`
		type httpd_$1_script_exec_t;
	')

	# read-only: neither execute nor a transition into the
	# script domain is granted by this template
	allow $2 httpd_$1_script_exec_t:dir r_dir_perms;
	allow $2 httpd_$1_script_exec_t:file r_file_perms;
	allow $2 httpd_$1_script_exec_t:lnk_file { getattr read };
')

########################################
## <summary>
##	Read user web content.
## </summary>
## <param name="domain_prefix">
##	<summary>
##	Prefix of the domain. Example, user would be
##	the prefix for the user_t domain.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
template(`apache_read_user_content',`
	gen_require(`
		type httpd_$1_content_t;
	')

	# covers the plain content type only; the script_ro/rw/ra and
	# script_exec types of the same prefix are not included
	allow $2 httpd_$1_content_t:dir r_dir_perms;
	allow $2 httpd_$1_content_t:file r_file_perms;
	allow $2 httpd_$1_content_t:lnk_file { getattr read };
')

########################################
## <summary>
##	Transition to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_domtrans',`
	gen_require(`
		type httpd_t, httpd_exec_t;
	')

	corecmd_search_sbin($1)
	# executing httpd_exec_t automatically enters httpd_t
	domain_auto_trans($1,httpd_exec_t,httpd_t)

	# descriptor sharing in both directions across the transition,
	# pipes from the caller, and SIGCHLD back to the caller
	allow $1 httpd_t:fd use;
	allow httpd_t $1:fd use;
	allow httpd_t $1:fifo_file rw_file_perms;
	allow httpd_t $1:process sigchld;
')

########################################
## <summary>
##	Send a null signal to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_signull',`
	gen_require(`
		type httpd_t;
	')

	# signal 0 only (existence / liveness check); no other signal
	allow $1 httpd_t:process signull;
')

########################################
## <summary>
##	Send a SIGCHLD signal to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_sigchld',`
	gen_require(`
		type httpd_t;
	')

	# SIGCHLD only; no other signals to httpd_t are granted here
	allow $1 httpd_t:process sigchld;
')

########################################
## <summary>
##	Inherit and use file descriptors from Apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_use_fds',`
	gen_require(`
		type httpd_t;
	')

	# fd:use covers the descriptor itself; access to the object
	# behind it is still checked against that object's type
	allow $1 httpd_t:fd use;
')

########################################
## <summary>
##	Do not audit attempts to read and write Apache
##	unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_stream_sockets',`
	gen_require(`
		type httpd_t;
	')

	# silences the denial only; nothing is granted
	dontaudit $1 httpd_t:unix_stream_socket { read write };
')

########################################
## <summary>
##	Do not audit attempts to read and write Apache
##	TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_tcp_sockets',`
	gen_require(`
		type httpd_t;
	')

	# silences the denial only; nothing is granted
	dontaudit $1 httpd_t:tcp_socket { read write };
')

########################################
## <summary>
##	Create, read, write, and delete all web content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_manage_all_content',`
	gen_require(`
		attribute httpdcontent, httpd_script_exec_type;
	')

	# every type carrying httpdcontent, regardless of prefix
	allow $1 httpdcontent:dir manage_dir_perms;
	allow $1 httpdcontent:file manage_file_perms;
	allow $1 httpdcontent:lnk_file create_lnk_perms;

	# script_exec types are the entry points of the script domains
	# (see apache_content_template), so write access here lets the
	# caller place code that the web server will later run; meant
	# for administrative roles, hence <rolecap/>
	allow $1 httpd_script_exec_type:dir manage_dir_perms;
	allow $1 httpd_script_exec_type:file manage_file_perms;
	allow $1 httpd_script_exec_type:lnk_file create_lnk_perms;

')

########################################
## <summary>
##	Allow the specified domain to read
##	and write Apache cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_rw_cache_files',`
	gen_require(`
		type httpd_cache_t;
	')

	# file read/write only; no search on the cache directory
	# is granted here, the caller needs that from elsewhere
	allow $1 httpd_cache_t:file rw_file_perms;
')

########################################
## <summary>
##	Allow the specified domain to read
##	apache configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_read_config',`
	gen_require(`
		type httpd_config_t;
	')

	# path search to /etc, then read-only access to the config tree
	files_search_etc($1)
	allow $1 httpd_config_t:dir r_dir_perms;
	allow $1 httpd_config_t:file r_file_perms;
	allow $1 httpd_config_t:lnk_file { getattr read };
')

########################################
## <summary>
##	Allow the specified domain to manage
##	apache configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_manage_config',`
	gen_require(`
		type httpd_config_t;
	')

	# write access to the httpd configuration decides what the server
	# loads and runs as httpd_t; treat as an administrative grant
	files_search_etc($1)
	allow $1 httpd_config_t:dir manage_dir_perms;
	allow $1 httpd_config_t:file manage_file_perms;
	allow $1 httpd_config_t:lnk_file { getattr read };
')

########################################
## <summary>
##	Execute the Apache helper program with
##	a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_domtrans_helper',`
	gen_require(`
		type httpd_helper_t, httpd_helper_exec_t;
	')

	corecmd_search_sbin($1)
	# executing httpd_helper_exec_t automatically enters httpd_helper_t
	domain_auto_trans($1,httpd_helper_exec_t,httpd_helper_t)

	# same parent/child plumbing as apache_domtrans
	allow $1 httpd_helper_t:fd use;
	allow httpd_helper_t $1:fd use;
	allow httpd_helper_t $1:fifo_file rw_file_perms;
	allow httpd_helper_t $1:process sigchld;
')

########################################
## <summary>
##	Execute the Apache helper program with
##	a domain transition, and allow the
##	specified role the helper domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the helper domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the helper domain to use.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_run_helper',`
	gen_require(`
		type httpd_helper_t;
	')

	# transition rules, then role authorisation and terminal access
	# so the helper can be run interactively from $2
	apache_domtrans_helper($1)
	role $2 types httpd_helper_t;
	allow httpd_helper_t $3:chr_file rw_term_perms;
')

########################################
## <summary>
##	Allow the specified domain to read
##	apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_read_log',`
	gen_require(`
		type httpd_log_t;
	')

	# path search to the log directory, then read-only access
	logging_search_logs($1)
	allow $1 httpd_log_t:dir r_dir_perms;
	allow $1 httpd_log_t:file r_file_perms;
	allow $1 httpd_log_t:lnk_file { getattr read };
')

########################################
## <summary>
##	Allow the specified domain to append
##	to apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_append_log',`
	gen_require(`
		type httpd_log_t;
	')

	logging_search_logs($1)
	allow $1 httpd_log_t:dir r_dir_perms;
	# append only: existing log content can be neither read
	# nor rewritten through this interface
	allow $1 httpd_log_t:file append;
')

########################################
## <summary>
##	Do not audit attempts to append to the
##	Apache logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_append_log',`
	gen_require(`
		type httpd_log_t;
	')

	# silences the denial only; nothing is granted
	dontaudit $1 httpd_log_t:file { getattr append };
')

########################################
## <summary>
##	Allow the specified domain to manage
##	apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_manage_log',`
	gen_require(`
		type httpd_log_t;
	')

	# full manage (create/write/unlink) on the logs: this is the
	# ability to truncate or rewrite audit evidence, so keep it to
	# log-management domains; readers should use apache_read_log
	logging_search_logs($1)
	allow $1 httpd_log_t:dir manage_dir_perms;
	allow $1 httpd_log_t:file manage_file_perms;
	allow $1 httpd_log_t:lnk_file { getattr read };
')

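########################################
## <summary>
##	Do not audit attempts to search Apache
##	module directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_search_modules',`
	gen_require(`
		type httpd_modules_t;
	')

	# Silence the search denial only. A dontaudit interface must not
	# grant access; the earlier body allowed r_dir_perms here, which
	# is what apache_list_modules is for.
	dontaudit $1 httpd_modules_t:dir search_dir_perms;
')
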
########################################
## <summary>
##	Allow the specified domain to list
##	the contents of the apache modules
##	directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_list_modules',`
	gen_require(`
		type httpd_modules_t;
	')

	# directory listing only; loading modules is apache_exec_modules
	allow $1 httpd_modules_t:dir r_dir_perms;
')

########################################
## <summary>
##	Allow the specified domain to execute
##	apache modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_exec_modules',`
	gen_require(`
		type httpd_modules_t;
	')

	allow $1 httpd_modules_t:dir r_dir_perms;
	# NOTE(review): lnk_file gets r_file_perms here where the sibling
	# interfaces use { getattr read }; a superset, left as is
	allow $1 httpd_modules_t:lnk_file r_file_perms;
	# execute in the caller's own domain (no transition)
	can_exec($1,httpd_modules_t)
')

########################################
## <summary>
##	Execute a domain transition to run httpd_rotatelogs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_domtrans_rotatelogs',`
	gen_require(`
		type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
	')

	domain_auto_trans($1,httpd_rotatelogs_exec_t,httpd_rotatelogs_t)

	# unlike apache_domtrans, only the child->parent direction is
	# granted; the caller gets no fd use on httpd_rotatelogs_t
	allow httpd_rotatelogs_t $1:fd use;
	allow httpd_rotatelogs_t $1:fifo_file rw_file_perms;
	allow httpd_rotatelogs_t $1:process sigchld;
')

########################################
## <summary>
##	Allow the specified domain to manage
##	apache system content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
interface(`apache_manage_sys_content',`
	gen_require(`
		type httpd_sys_content_t;
	')

	# only /var is searched here; reaching content under the other
	# prefixes listed above depends on search access the caller
	# already has
	files_search_var($1)
	allow $1 httpd_sys_content_t:dir create_dir_perms;
	allow $1 httpd_sys_content_t:file create_file_perms;
	allow $1 httpd_sys_content_t:lnk_file create_lnk_perms;
')

########################################
## <summary>
##	Execute all web scripts in the system
##	script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: this interface specifically added to allow
# sysadm_t to run scripts
interface(`apache_domtrans_sys_script',`
	gen_require(`
		attribute httpdcontent;
		type httpd_sys_script_t;
	')

	# only takes effect with both tunables on; otherwise this
	# interface grants nothing at all
	tunable_policy(`httpd_enable_cgi && httpd_unified',`
		# any httpdcontent file, not just script_exec types,
		# transitions into the system script domain
		domain_auto_trans($1, httpdcontent, httpd_sys_script_t)

		allow $1 httpd_sys_script_t:fd use;
		allow httpd_sys_script_t $1:fd use;
		allow httpd_sys_script_t $1:fifo_file rw_file_perms;
		allow httpd_sys_script_t $1:process sigchld;
	')
')

########################################
## <summary>
##	Do not audit attempts to read and write Apache
##	system script unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
	gen_require(`
		type httpd_sys_script_t;
	')

	# silences the denial only; nothing is granted
	dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
')

########################################
## <summary>
##	Execute all user scripts in the user
##	script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_domtrans_all_scripts',`
	gen_require(`
		attribute httpd_exec_scripts;
	')

	# membership in httpd_exec_scripts is what apache_content_template
	# keys its httpd_enable_cgi domain_auto_trans on, so every
	# per-prefix script_exec type becomes a transition point for $1
	typeattribute $1 httpd_exec_scripts;
')

########################################
## <summary>
##	Execute all user scripts in the user
##	script domain. Add user script domains
##	to the specified role.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the script domains.
##	</summary>
## </param>
#
# cjp: this is missing the terminal since scripts
# do not output to the terminal
interface(`apache_run_all_scripts',`
	gen_require(`
		attribute httpd_exec_scripts, httpd_script_domains;
	')

	# role authorisation for every type carrying httpd_script_domains,
	# then the transition rules via the exec-scripts attribute
	role $2 types httpd_script_domains;
	apache_domtrans_all_scripts($1)
')

########################################
## <summary>
##	Allow the specified domain to read
##	apache squirrelmail data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_squirrelmail_data',`
	gen_require(`
		type httpd_squirrelmail_t;
	')

	# file read only; no directory search is granted here
	allow $1 httpd_squirrelmail_t:file { getattr read };
')

########################################
## <summary>
##	Allow the specified domain to append
##	apache squirrelmail data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_append_squirrelmail_data',`
	gen_require(`
		type httpd_squirrelmail_t;
	')

	# append only; no read, write or directory search
	allow $1 httpd_squirrelmail_t:file { getattr append };
')

########################################
## <summary>
##	Search apache system content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_search_sys_content',`
	gen_require(`
		type httpd_sys_content_t;
	')

	# path traversal only; listing and reading are separate interfaces
	allow $1 httpd_sys_content_t:dir search_dir_perms;
')

########################################
## <summary>
##	Read apache system content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_sys_content',`
	gen_require(`
		type httpd_sys_content_t;
	')

	# read-only; note this grants allow rules, not dontaudit
	allow $1 httpd_sys_content_t:dir r_dir_perms;
	allow $1 httpd_sys_content_t:file { getattr read };
	allow $1 httpd_sys_content_t:lnk_file { getattr read };
')

########################################
## <summary>
##	Search system script state directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_search_sys_script_state',`
	gen_require(`
		type httpd_sys_script_t;
	')

	# dir search on a process type - presumably the script's
	# /proc/<pid> entry; confirm against the callers
	allow $1 httpd_sys_script_t:dir search;
')