## <summary>Apache web server</summary>

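########################################
## <summary>
##	Create a set of derived types for apache
##	web content.
## </summary>
## <desc>
##	<p>
##	Derives one set of content, htaccess, script and
##	script-content types from the prefix, and the rules
##	connecting them to httpd_t and httpd_suexec_t.  Most of
##	the script domain's access is gated by the httpd_enable_cgi,
##	httpd_unified, httpd_builtin_scripting and
##	httpd_can_network_connect* tunables.
##	</p>
## </desc>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving type names.
##	</summary>
## </param>
#
template(`apache_content_template',`
	gen_require(`
		attribute httpdcontent;
		attribute httpd_exec_scripts;
		attribute httpd_script_exec_type;
		type httpd_t, httpd_suexec_t, httpd_log_t;
	')

	# allow write access to public file transfer
	# services files.
	gen_tunable(allow_httpd_$1_script_anon_write,false)

	# This type is for webpages
	type httpd_$1_content_t, httpdcontent; # customizable
	files_type(httpd_$1_content_t)

	# This type is used for .htaccess files
	type httpd_$1_htaccess_t; # customizable
	files_type(httpd_$1_htaccess_t)

	# Type that CGI scripts run as
	type httpd_$1_script_t;
	domain_type(httpd_$1_script_t)
	role system_r types httpd_$1_script_t;

	# This type is used for executable scripts files
	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable
	corecmd_shell_entry_type(httpd_$1_script_t)
	domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)

	# The following three are the only areas that
	# scripts can read, read/write, or append to
	type httpd_$1_script_ro_t, httpdcontent; # customizable
	files_type(httpd_$1_script_ro_t)

	type httpd_$1_script_rw_t, httpdcontent; # customizable
	files_type(httpd_$1_script_rw_t)

	type httpd_$1_script_ra_t, httpdcontent; # customizable
	files_type(httpd_$1_script_ra_t)

	allow httpd_t httpd_$1_htaccess_t:file r_file_perms;

	# suexec may enter the script domain unconditionally; the
	# transitions from httpd_t and httpd_exec_scripts further
	# down are gated by httpd_enable_cgi.
	domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
	allow httpd_suexec_t httpd_$1_script_t:fd use;
	allow httpd_$1_script_t httpd_suexec_t:fd use;
	allow httpd_$1_script_t httpd_suexec_t:fifo_file rw_file_perms;
	allow httpd_$1_script_t httpd_suexec_t:process sigchld;

	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };

	allow httpd_$1_script_t self:fifo_file rw_file_perms;
	allow httpd_$1_script_t self:unix_stream_socket connectto;

	allow httpd_$1_script_t httpd_t:fifo_file write;
	# apache should set close-on-exec
	dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };

	# Allow the script process to search the cgi directory, and users directory
	allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };

	# Scripts may append to, but not read or truncate, the server logs.
	allow httpd_$1_script_t httpd_log_t:file { getattr append };
	allow httpd_$1_script_t httpd_log_t:dir search;
	logging_search_logs(httpd_$1_script_t)

	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
	allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };

	# ra: read + append only.
	allow httpd_$1_script_t httpd_$1_script_ra_t:dir ra_dir_perms;
	allow httpd_$1_script_t httpd_$1_script_ra_t:file ra_file_perms;
	allow httpd_$1_script_t httpd_$1_script_ra_t:lnk_file { getattr read };

	# ro: read only.
	allow httpd_$1_script_t httpd_$1_script_ro_t:dir { getattr read search };
	allow httpd_$1_script_t httpd_$1_script_ro_t:file { read getattr };
	allow httpd_$1_script_t httpd_$1_script_ro_t:lnk_file { getattr read };

	# rw: full create/write access, and the label new temp files get.
	allow httpd_$1_script_t httpd_$1_script_rw_t:dir create_dir_perms;
	allow httpd_$1_script_t httpd_$1_script_rw_t:file create_file_perms;
	allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
	allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms;
	allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
	files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })

	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)

	dev_read_rand(httpd_$1_script_t)
	dev_read_urand(httpd_$1_script_t)

	# Not gated by any tunable: the script domain may execute every
	# system executable.  This is the largest single grant in the
	# template; review whether your deployment needs it.
	corecmd_exec_all_executables(httpd_$1_script_t)

	files_exec_etc_files(httpd_$1_script_t)
	files_read_etc_files(httpd_$1_script_t)
	files_search_home(httpd_$1_script_t)

	libs_use_ld_so(httpd_$1_script_t)
	libs_use_shared_libs(httpd_$1_script_t)
	libs_exec_ld_so(httpd_$1_script_t)
	libs_exec_lib_files(httpd_$1_script_t)

	miscfiles_read_fonts(httpd_$1_script_t)
	miscfiles_read_public_files(httpd_$1_script_t)

	seutil_dontaudit_search_config(httpd_$1_script_t)

	# httpd_unified collapses the ro/rw/ra split above: the script
	# domain may write, and use as an entrypoint, any httpdcontent
	# file, so a script able to write content can also create new
	# executable content.
	tunable_policy(`httpd_enable_cgi && httpd_unified',`
		allow httpd_$1_script_t httpdcontent:file entrypoint;
		allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
		allow httpd_$1_script_t httpdcontent:file create_file_perms;
		allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
		can_exec(httpd_$1_script_t, httpdcontent)
	')

	tunable_policy(`allow_httpd_$1_script_anon_write',`
		miscfiles_manage_public_files(httpd_$1_script_t)
	')

	# Allow the web server to run scripts and serve pages
	tunable_policy(`httpd_builtin_scripting',`
		allow httpd_t httpd_$1_script_rw_t:dir create_dir_perms;
		allow httpd_t httpd_$1_script_rw_t:file create_file_perms;
		allow httpd_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
		allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;

		allow httpd_t httpd_$1_script_ra_t:dir ra_dir_perms;
		allow httpd_t httpd_$1_script_ra_t:file ra_file_perms;
		allow httpd_t httpd_$1_script_ra_t:lnk_file { getattr read };

		allow httpd_t httpd_$1_script_ro_t:dir r_dir_perms;
		allow httpd_t httpd_$1_script_ro_t:file r_file_perms;
		allow httpd_t httpd_$1_script_ro_t:lnk_file { getattr read };

		allow httpd_t httpd_$1_content_t:dir r_dir_perms;
		allow httpd_t httpd_$1_content_t:file r_file_perms;
		allow httpd_t httpd_$1_content_t:lnk_file { getattr read };
	')

	tunable_policy(`httpd_enable_cgi',`
		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;

		# privileged users run the script:
		domain_auto_trans(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
		allow httpd_exec_scripts httpd_$1_script_t:fd use;
		allow httpd_$1_script_t httpd_exec_scripts:fd use;
		allow httpd_$1_script_t httpd_exec_scripts:fifo_file rw_file_perms;
		allow httpd_$1_script_t httpd_exec_scripts:process sigchld;

		# apache runs the script:
		domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
		allow httpd_t httpd_$1_script_t:fd use;
		allow httpd_$1_script_t httpd_t:fd use;
		allow httpd_$1_script_t httpd_t:fifo_file rw_file_perms;
		allow httpd_$1_script_t httpd_t:process sigchld;

		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
		allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
		allow httpd_t httpd_$1_script_exec_t:file r_file_perms;

		allow httpd_$1_script_t self:process signal_perms;
		allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;

		# The former duplicate fd-use / sigchld rules for httpd_t and
		# the conditional dev_read_urand() were dropped here: they
		# restated rules already granted above (unconditionally for
		# urandom), so the resulting policy is unchanged.
		kernel_read_system_state(httpd_$1_script_t)

		fs_getattr_xattr_fs(httpd_$1_script_t)

		files_read_etc_runtime_files(httpd_$1_script_t)
		files_read_usr_files(httpd_$1_script_t)

		libs_read_lib_files(httpd_$1_script_t)

		miscfiles_read_localization(httpd_$1_script_t)
	')

	# Narrow network access: only the postgresql and mysqld ports.
	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
		allow httpd_$1_script_t self:udp_socket create_socket_perms;

		corenet_non_ipsec_sendrecv(httpd_$1_script_t)
		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
		corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
		corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
		corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t)
		corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t)

		sysnet_read_config(httpd_$1_script_t)
	')

	# Broad network access: outbound TCP to every port.  Prefer the
	# _db tunable above when only database connectivity is needed.
	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
		allow httpd_$1_script_t self:udp_socket create_socket_perms;

		corenet_non_ipsec_sendrecv(httpd_$1_script_t)
		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
		corenet_tcp_connect_all_ports(httpd_$1_script_t)
		corenet_sendrecv_all_client_packets(httpd_$1_script_t)

		sysnet_read_config(httpd_$1_script_t)
	')

	optional_policy(`
		mta_send_mail(httpd_$1_script_t)
	')

	optional_policy(`
		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
			nis_use_ypbind_uncond(httpd_$1_script_t)
		')
	')

	optional_policy(`
		nscd_socket_use(httpd_$1_script_t)
	')
')
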
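#######################################
## <summary>
##	The per role template for the apache module.
## </summary>
## <desc>
##	<p>
##	This template creates types used for web pages
##	and web cgi to be used from the user home directory.
##	</p>
##	<p>
##	This template is invoked automatically for each user, and
##	generally does not need to be invoked directly
##	by policy writers.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
#
template(`apache_per_role_template', `
	gen_require(`
		attribute httpdcontent, httpd_script_domains;
		attribute httpd_exec_scripts;
		type httpd_t, httpd_suexec_t, httpd_log_t;
	')

	# Derive the httpd_$1_* types and their base rules.
	apache_content_template($1)

	# NOTE(review): httpd_script_domains is attached to the user's
	# content *type* here, not to httpd_$1_script_t; confirm this is
	# the intended use of that attribute.
	typeattribute httpd_$1_content_t httpd_script_domains;
	userdom_user_home_content($1,httpd_$1_content_t)

	role $3 types httpd_$1_script_t;

	# The user domain may relabel its own web content between the
	# content/htaccess/ro/rw/ra/exec types, so the ro/rw/exec split
	# protects against the script domain, not against the user.
	allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom };

	allow $2 httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };

	allow $2 httpd_$1_script_ra_t:lnk_file { create_lnk_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_ra_t:dir { create_dir_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_ra_t:file { create_file_perms relabelto relabelfrom };

	allow $2 httpd_$1_script_ro_t:lnk_file { create_lnk_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_ro_t:dir { create_dir_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_ro_t:file { create_file_perms relabelto relabelfrom };

	allow $2 httpd_$1_script_rw_t:lnk_file { create_lnk_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_rw_t:dir { create_dir_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_rw_t:file { create_file_perms relabelto relabelfrom };

	# The earlier plain create_*_perms rules on httpd_$1_script_exec_t
	# were subsets of these three and have been folded into them.
	allow $2 httpd_$1_script_exec_t:dir { create_dir_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_exec_t:file { create_file_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_exec_t:lnk_file { create_lnk_perms relabelto relabelfrom };

	tunable_policy(`httpd_enable_cgi',`
		# If a user starts a script by hand it gets the proper context
		domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
		allow $2 httpd_$1_script_t:fd use;
		allow httpd_$1_script_t $2:fd use;
		allow httpd_$1_script_t $2:fifo_file rw_file_perms;
		allow httpd_$1_script_t $2:process sigchld;
	')

	# With httpd_unified any httpdcontent file is a valid entrypoint,
	# so the by-hand transition is widened from the exec type to all
	# of httpdcontent.
	tunable_policy(`httpd_enable_cgi && httpd_unified',`
		allow httpd_$1_script_t httpdcontent:file entrypoint;

		domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
		allow $2 httpd_$1_script_t:fd use;
		allow httpd_$1_script_t $2:fd use;
		allow httpd_$1_script_t $2:fifo_file rw_file_perms;
		allow httpd_$1_script_t $2:process sigchld;
	')

	# allow accessing files/dirs below the users home dir
	tunable_policy(`httpd_enable_homedirs',`
		userdom_search_user_home_dirs($1,httpd_t)
		userdom_search_user_home_dirs($1,httpd_suexec_t)
		userdom_search_user_home_dirs($1,httpd_$1_script_t)
	')
')
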
########################################
## <summary>
##	Read httpd user scripts executables.
## </summary>
## <param name="domain_prefix">
##	<summary>
##	Prefix of the domain. Example, user would be
##	the prefix for the user_t domain.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
template(`apache_read_user_scripts',`
	gen_require(`
		type httpd_$1_script_exec_t;
	')

	# Read access only; running the scripts in their own domain is
	# handled by the transitions in apache_per_role_template.
	allow $2 httpd_$1_script_exec_t:dir r_dir_perms;
	allow $2 httpd_$1_script_exec_t:file r_file_perms;
	allow $2 httpd_$1_script_exec_t:lnk_file { getattr read };
')

########################################
## <summary>
##	Read user web content.
## </summary>
## <param name="domain_prefix">
##	<summary>
##	Prefix of the domain. Example, user would be
##	the prefix for the user_t domain.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
template(`apache_read_user_content',`
	gen_require(`
		type httpd_$1_content_t;
	')

	# Only the plain content type is covered; the script_ro/rw/ra
	# and script_exec types need their own interfaces.
	allow $2 httpd_$1_content_t:dir r_dir_perms;
	allow $2 httpd_$1_content_t:file r_file_perms;
	allow $2 httpd_$1_content_t:lnk_file { getattr read };
')

########################################
## <summary>
##	Transition to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_domtrans',`
	gen_require(`
		type httpd_t, httpd_exec_t;
	')

	corecmd_search_sbin($1)
	domain_auto_trans($1,httpd_exec_t,httpd_t)

	# Parent/child plumbing across the transition: inherited
	# descriptors and pipes stay usable, and the parent gets SIGCHLD.
	allow $1 httpd_t:fd use;
	allow httpd_t $1:fd use;
	allow httpd_t $1:fifo_file rw_file_perms;
	allow httpd_t $1:process sigchld;
')

########################################
## <summary>
##	Send a null signal to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_signull',`
	gen_require(`
		type httpd_t;
	')

	# signull only checks for process existence; it carries no
	# ability to stop or kill httpd_t.
	allow $1 httpd_t:process signull;
')

########################################
## <summary>
##	Send a SIGCHLD signal to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_sigchld',`
	gen_require(`
		type httpd_t;
	')

	# Needed by domains that httpd_t spawns and waits on.
	allow $1 httpd_t:process sigchld;
')

########################################
## <summary>
##	Inherit and use file descriptors from Apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_use_fds',`
	gen_require(`
		type httpd_t;
	')

	# fd:use governs descriptors created by httpd_t; what can be done
	# with the underlying object is still checked against its own type.
	allow $1 httpd_t:fd use;
')

########################################
## <summary>
##	Do not audit attempts to read and write Apache
##	unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_stream_sockets',`
	gen_require(`
		type httpd_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 httpd_t:unix_stream_socket { read write };
')

########################################
## <summary>
##	Do not audit attempts to read and write Apache
##	TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_tcp_sockets',`
	gen_require(`
		type httpd_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 httpd_t:tcp_socket { read write };
')

########################################
## <summary>
##	Create, read, write, and delete all web content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_manage_all_content',`
	gen_require(`
		attribute httpdcontent, httpd_script_exec_type;
	')

	allow $1 httpdcontent:dir manage_dir_perms;
	allow $1 httpdcontent:file manage_file_perms;
	allow $1 httpdcontent:lnk_file create_lnk_perms;

	# httpd_script_exec_type is the set of CGI executables that the
	# script domains enter through; write access to it lets the
	# caller decide what runs in those domains, so this interface
	# should stay limited to administrative roles.
	allow $1 httpd_script_exec_type:dir manage_dir_perms;
	allow $1 httpd_script_exec_type:file manage_file_perms;
	allow $1 httpd_script_exec_type:lnk_file create_lnk_perms;
')

########################################
## <summary>
##	Allow the specified domain to read
##	and write Apache cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_rw_cache_files',`
	gen_require(`
		type httpd_cache_t;
	')

	# Files only: no directory search/list access is granted here,
	# so callers need a path to the cache from elsewhere.
	allow $1 httpd_cache_t:file rw_file_perms;
')

########################################
## <summary>
##	Allow the specified domain to read
##	apache configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_read_config',`
	gen_require(`
		type httpd_config_t;
	')

	# Search /etc so the configuration directory is reachable.
	files_search_etc($1)
	allow $1 httpd_config_t:dir r_dir_perms;
	allow $1 httpd_config_t:file r_file_perms;
	allow $1 httpd_config_t:lnk_file { getattr read };
')

########################################
## <summary>
##	Allow the specified domain to manage
##	apache configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_manage_config',`
	gen_require(`
		type httpd_config_t;
	')

	# Write access to httpd configuration controls how the server
	# runs; keep callers to administrative domains.
	files_search_etc($1)
	allow $1 httpd_config_t:dir manage_dir_perms;
	allow $1 httpd_config_t:file manage_file_perms;
	allow $1 httpd_config_t:lnk_file { getattr read };
')

########################################
## <summary>
##	Execute the Apache helper program with
##	a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_domtrans_helper',`
	gen_require(`
		type httpd_helper_t, httpd_helper_exec_t;
	')

	corecmd_search_sbin($1)
	domain_auto_trans($1,httpd_helper_exec_t,httpd_helper_t)

	# Same parent/child plumbing as apache_domtrans.
	allow $1 httpd_helper_t:fd use;
	allow httpd_helper_t $1:fd use;
	allow httpd_helper_t $1:fifo_file rw_file_perms;
	allow httpd_helper_t $1:process sigchld;
')

########################################
## <summary>
##	Execute the Apache helper program with
##	a domain transition, and allow the
##	specified role the Apache helper domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the Apache helper domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the Apache helper domain to use.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_run_helper',`
	gen_require(`
		type httpd_helper_t;
	')

	# Transition rules come from apache_domtrans_helper; this adds
	# the role authorisation and terminal access for interactive use.
	apache_domtrans_helper($1)
	role $2 types httpd_helper_t;
	allow httpd_helper_t $3:chr_file rw_term_perms;
')

########################################
## <summary>
##	Allow the specified domain to read
##	apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_read_log',`
	gen_require(`
		type httpd_log_t;
	')

	logging_search_logs($1)
	allow $1 httpd_log_t:dir r_dir_perms;
	allow $1 httpd_log_t:file r_file_perms;
	allow $1 httpd_log_t:lnk_file { getattr read };
')

########################################
## <summary>
##	Allow the specified domain to append
##	to apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_append_log',`
	gen_require(`
		type httpd_log_t;
	')

	# Append-only on the files: the caller can add log entries but
	# not read or truncate existing ones.
	logging_search_logs($1)
	allow $1 httpd_log_t:dir r_dir_perms;
	allow $1 httpd_log_t:file append;
')

########################################
## <summary>
##	Do not audit attempts to append to the
##	Apache logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_append_log',`
	gen_require(`
		type httpd_log_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 httpd_log_t:file { getattr append };
')

########################################
## <summary>
##	Allow the specified domain to manage
##	apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_manage_log',`
	gen_require(`
		type httpd_log_t;
	')

	# Full write access to the logs allows tampering with audit
	# trails; reserve for log management and administrative domains.
	logging_search_logs($1)
	allow $1 httpd_log_t:dir manage_dir_perms;
	allow $1 httpd_log_t:file manage_file_perms;
	allow $1 httpd_log_t:lnk_file { getattr read };
')

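########################################
## <summary>
##	Do not audit attempts to search Apache
##	module directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_search_modules',`
	gen_require(`
		type httpd_modules_t;
	')

	# A dontaudit interface must silence the denial, not grant access.
	# The previous body was "allow $1 httpd_modules_t:dir r_dir_perms;",
	# which quietly gave every caller the same access as
	# apache_list_modules().  Callers that genuinely need to read the
	# directory should call apache_list_modules() instead.
	dontaudit $1 httpd_modules_t:dir search;
')
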
########################################
## <summary>
##	Allow the specified domain to list
##	the contents of the apache modules
##	directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_list_modules',`
	gen_require(`
		type httpd_modules_t;
	')

	# Directory access only; reading or executing the modules
	# themselves is apache_exec_modules.
	allow $1 httpd_modules_t:dir r_dir_perms;
')

########################################
## <summary>
##	Allow the specified domain to execute
##	apache modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_exec_modules',`
	gen_require(`
		type httpd_modules_t;
	')

	# Modules run in the caller's own domain (can_exec, no transition).
	# NOTE(review): the other interfaces in this file use
	# { getattr read } for lnk_file; r_file_perms here is the outlier.
	allow $1 httpd_modules_t:dir r_dir_perms;
	allow $1 httpd_modules_t:lnk_file r_file_perms;
	can_exec($1,httpd_modules_t)
')

########################################
## <summary>
##	Execute a domain transition to run httpd_rotatelogs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_domtrans_rotatelogs',`
	gen_require(`
		type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
	')

	domain_auto_trans($1,httpd_rotatelogs_exec_t,httpd_rotatelogs_t)

	# NOTE(review): unlike apache_domtrans and apache_domtrans_helper,
	# no "allow $1 httpd_rotatelogs_t:fd use;" is granted here; confirm
	# callers never need descriptors the child creates.
	allow httpd_rotatelogs_t $1:fd use;
	allow httpd_rotatelogs_t $1:fifo_file rw_file_perms;
	allow httpd_rotatelogs_t $1:process sigchld;
')

########################################
## <summary>
##	Allow the specified domain to manage
##	apache system content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
interface(`apache_manage_sys_content',`
	gen_require(`
		type httpd_sys_content_t;
	')

	# Only /var is searched here; callers that reach the content
	# under /etc, /srv or /usr need the corresponding search access
	# from elsewhere.
	files_search_var($1)
	allow $1 httpd_sys_content_t:dir create_dir_perms;
	allow $1 httpd_sys_content_t:file create_file_perms;
	allow $1 httpd_sys_content_t:lnk_file create_lnk_perms;
')

c2b18fa1 CP |
########################################
## <summary>
##	Execute all web scripts in the system
##	script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: this interface specifically added to allow
# sysadm_t to run scripts
#
# NOTE(review): the entrypoint used here is the whole httpdcontent
# attribute, i.e. every apache content type, not only the
# *_script_exec_t types.  httpdcontent also carries the writable
# script content types, so once this is enabled anything able to write
# such content can have code run as httpd_sys_script_t by $1.  Nothing
# at all is granted unless both httpd_enable_cgi and httpd_unified are
# turned on.
interface(`apache_domtrans_sys_script',`
	gen_require(`
		attribute httpdcontent;
		type httpd_sys_script_t;
	')

	tunable_policy(`httpd_enable_cgi && httpd_unified',`
		# Any httpdcontent file is an entrypoint into httpd_sys_script_t.
		domain_auto_trans($1, httpdcontent, httpd_sys_script_t)

		# Descriptors may be used in both directions across the
		# transition; the script may also use $1's pipes and report
		# its exit status back to $1.
		allow httpd_sys_script_t $1:process sigchld;
		allow httpd_sys_script_t $1:fifo_file rw_file_perms;
		allow httpd_sys_script_t $1:fd use;
		allow $1 httpd_sys_script_t:fd use;
	')
')

########################################
## <summary>
##	Do not audit attempts to read and write Apache
##	system script unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
	gen_require(`
		type httpd_sys_script_t;
	')

	# Silence denials only; no access is granted.  Typically used for
	# descriptors leaked across a fork/exec rather than deliberate use.
	dontaudit $1 httpd_sys_script_t:unix_stream_socket { write read };
')

########################################
## <summary>
##	Execute all user scripts in the user
##	script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_domtrans_all_scripts',`
	gen_require(`
		attribute httpd_exec_scripts;
	')

	# This interface carries no rules of its own: $1 receives exactly
	# whatever the httpd_exec_scripts attribute is granted elsewhere in
	# this module (the per-content-type script transitions).
	typeattribute $1 httpd_exec_scripts;
')

########################################
## <summary>
##	Execute all user scripts in the user
##	script domain, and add every script domain
##	to the specified role.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the script domains.
##	</summary>
## </param>
#
# cjp: this is missing the terminal since scripts
# do not output to the terminal
interface(`apache_run_all_scripts',`
	gen_require(`
		attribute httpd_exec_scripts, httpd_script_domains;
	')

	# Transition part: $1 joins httpd_exec_scripts.
	apache_domtrans_all_scripts($1)

	# Role part: without this the transition would be refused by the
	# role check even though the type rules allow it.
	role $2 types httpd_script_domains;
')

########################################
## <summary>
##	Allow the specified domain to read
##	apache squirrelmail data files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_squirrelmail_data',`
	gen_require(`
		type httpd_squirrelmail_t;
	')

	# file class only: no directory search on httpd_squirrelmail_t is
	# granted here, so the caller needs that from elsewhere.
	allow $1 httpd_squirrelmail_t:file { read getattr };
')

########################################
## <summary>
##	Allow the specified domain to append to
##	apache squirrelmail data files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_append_squirrelmail_data',`
	gen_require(`
		type httpd_squirrelmail_t;
	')

	# append, not write: existing data cannot be overwritten through
	# this interface.  file class only; directory search must come from
	# elsewhere.
	allow $1 httpd_squirrelmail_t:file { append getattr };
')

########################################
## <summary>
##	Search apache system content directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_search_sys_content',`
	gen_require(`
		type httpd_sys_content_t;
	')

	# Directory search only (needed to traverse into the content tree);
	# no listing and nothing on files.
	allow $1 httpd_sys_content_t:dir search_dir_perms;
')

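########################################
## <summary>
##	Read apache system content: list its
##	directories and read its files and symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): unlike apache_manage_sys_content, no path search
# (e.g. files_search_var) is granted here; the caller must be able to
# reach the content directories on its own.
interface(`apache_read_sys_content',`
	gen_require(`
		type httpd_sys_content_t;
	')

	# Read-only on all three classes; no write, no execute.
	allow $1 httpd_sys_content_t:dir r_dir_perms;
	allow $1 httpd_sys_content_t:file { getattr read };
	allow $1 httpd_sys_content_t:lnk_file { getattr read };
')
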
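########################################
## <summary>
##	Search the system script domain's process
##	state directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_search_sys_script_state',`
	gen_require(`
		type httpd_sys_script_t;
	')

	# httpd_sys_script_t is a process domain, so a dir rule against it
	# covers the process's /proc/<pid> directory, which is labeled with
	# the process domain.  Only search is granted: no listing, and
	# nothing on the files inside.
	allow $1 httpd_sys_script_t:dir search;
')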