29af4c13 1policy_module(apache, 2.2.0)
2
3#
20fa7032 4# NOTES:
5# This policy will work with SUEXEC enabled as part of the Apache
6# configuration. However, the user CGI scripts will run under the
296273a7 7# system_u:system_r:httpd_user_script_t.
a996bdf4 8#
296273a7 9# The user CGI scripts must be labeled with the httpd_user_script_exec_t
a996bdf4 10# type, and the directory containing the scripts should also be labeled
20fa7032 11# with these types. This policy allows the user role to perform that
# relabeling. If it is desired that only the admin role should be able to relabel
# the user CGI scripts, then the relabel rule for user roles should be removed.
14#
15
16########################################
17#
18# Declarations
19#
20
21selinux_genbool(httpd_bool_t)
22
23## <desc>
24## <p>
25## Allow Apache to modify public files
26## used for public file transfer services. Directories/Files must
27## be labeled public_content_rw_t.
28## </p>
29## </desc>
0bfccda4 30gen_tunable(allow_httpd_anon_write, false)
31
32## <desc>
33## <p>
34## Allow Apache to use mod_auth_pam
35## </p>
36## </desc>
0bfccda4 37gen_tunable(allow_httpd_mod_auth_pam, false)
56e1b3d2 38
39## <desc>
40## <p>
## Allow httpd, its system CGI scripts and suexec to map memory that is both
## writable and executable (execmem/execstack). This disables the W^X
## protection for those domains; enable only for modules or runtimes (JITs)
## that genuinely require it.
42## </p>
43## </desc>
44gen_tunable(httpd_execmem, false)
45
46## <desc>
47## <p>
48## Allow httpd daemon to change system limits
49## </p>
50## </desc>
51gen_tunable(httpd_setrlimit, false)
52
53## <desc>
54## <p>
55## Allow httpd to use built in scripting (usually php)
56## </p>
57## </desc>
0bfccda4 58gen_tunable(httpd_builtin_scripting, false)
59
60## <desc>
61## <p>
dd9e1de3 62## Allow HTTPD scripts and modules to connect to the network using TCP.
63## </p>
64## </desc>
0bfccda4 65gen_tunable(httpd_can_network_connect, false)
56e1b3d2 66
67## <desc>
68## <p>
69## Allow HTTPD scripts and modules to connect to cobbler over the network.
70## </p>
71## </desc>
72gen_tunable(httpd_can_network_connect_cobbler, false)
73
74## <desc>
75## <p>
dd9e1de3 76## Allow HTTPD scripts and modules to connect to databases over the network.
77## </p>
78## </desc>
79gen_tunable(httpd_can_network_connect_db, false)
80
81## <desc>
82## <p>
83## Allow httpd to act as a relay
84## </p>
85## </desc>
86gen_tunable(httpd_can_network_relay, false)
87
88## <desc>
89## <p>
90## Allow http daemon to send mail
91## </p>
92## </desc>
93gen_tunable(httpd_can_sendmail, false)
94
95## <desc>
96## <p>
97## Allow http daemon to check spam
98## </p>
99## </desc>
100gen_tunable(httpd_can_check_spam, false)
101
102## <desc>
103## <p>
104## Allow Apache to communicate with avahi service via dbus
105## </p>
106## </desc>
107gen_tunable(httpd_dbus_avahi, false)
108
109## <desc>
110## <p>
111## Allow httpd cgi support
112## </p>
113## </desc>
0bfccda4 114gen_tunable(httpd_enable_cgi, false)
115
116## <desc>
117## <p>
118## Allow httpd to act as a FTP server by
119## listening on the ftp port.
120## </p>
121## </desc>
0bfccda4 122gen_tunable(httpd_enable_ftp_server, false)
123
124## <desc>
125## <p>
126## Allow httpd to read home directories
127## </p>
128## </desc>
0bfccda4 129gen_tunable(httpd_enable_homedirs, false)
56e1b3d2 130
131## <desc>
132## <p>
133## Allow httpd to read user content
134## </p>
135## </desc>
136gen_tunable(httpd_read_user_content, false)
137
138## <desc>
139## <p>
dd9e1de3 140## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
141## </p>
142## </desc>
0bfccda4 143gen_tunable(httpd_ssi_exec, false)
56e1b3d2 144
145## <desc>
146## <p>
147## Allow Apache to execute tmp content.
148## </p>
149## </desc>
150gen_tunable(httpd_tmp_exec, false)
151
152## <desc>
153## <p>
## Allow HTTPD to communicate with the terminal.
155## Needed for entering the passphrase for certificates at
156## the terminal.
157## </p>
158## </desc>
0bfccda4 159gen_tunable(httpd_tty_comm, false)
160
161## <desc>
162## <p>
## Unify HTTPD handling of all content files. With httpd_enable_cgi this also
## lets system CGI scripts create, write and use as entrypoints any httpdcontent
## type, erasing the distinction between read-only, writable and executable
## content. Leave this off unless web-writable content must also be executable.
164## </p>
165## </desc>
0bfccda4 166gen_tunable(httpd_unified, false)
56e1b3d2 167
168## <desc>
169## <p>
170## Allow httpd to access cifs file systems
171## </p>
172## </desc>
173gen_tunable(httpd_use_cifs, false)
174
175## <desc>
176## <p>
3eaa9939 177## Allow httpd to run gpg in gpg-web domain
178## </p>
179## </desc>
180gen_tunable(httpd_use_gpg, false)
181
182## <desc>
183## <p>
184## Allow httpd to access nfs file systems
185## </p>
186## </desc>
187gen_tunable(httpd_use_nfs, false)
188
189## <desc>
190## <p>
## Allow Apache system CGI scripts (httpd_sys_script_t) to write to public content. Directories/Files must be labeled public_content_rw_t.
192## </p>
193## </desc>
194gen_tunable(allow_httpd_sys_script_anon_write, false)
195
a996bdf4 196attribute httpdcontent;
a334d291 197attribute httpd_user_content_type;
a996bdf4 198
199# domains that can exec all users scripts
200attribute httpd_exec_scripts;
201
123a990b 202attribute httpd_script_exec_type;
a334d291 203attribute httpd_user_script_exec_type;
123a990b 204
205# user script domains
206attribute httpd_script_domains;
207
208type httpd_t;
209type httpd_exec_t;
0bfccda4 210init_daemon_domain(httpd_t, httpd_exec_t)
e749cd12 211role system_r types httpd_t;
212
213# httpd_cache_t is the type given to the /var/cache/httpd
214# directory and the files under that directory
215type httpd_cache_t;
216files_type(httpd_cache_t)
217
218# httpd_config_t is the type given to the configuration files
219type httpd_config_t;
220files_type(httpd_config_t)
221
222type httpd_helper_t;
a996bdf4 223type httpd_helper_exec_t;
e749cd12 224domain_type(httpd_helper_t)
0bfccda4 225domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
e749cd12 226role system_r types httpd_helper_t;
a996bdf4 227
228type httpd_initrc_exec_t;
229init_script_file(httpd_initrc_exec_t)
230
231type httpd_lock_t;
232files_lock_file(httpd_lock_t)
233
234type httpd_log_t;
235logging_log_file(httpd_log_t)
236
20fa7032 237# httpd_modules_t is the type given to module files (libraries)
238# that come with Apache /etc/httpd/modules and /usr/lib/apache
239type httpd_modules_t;
240files_type(httpd_modules_t)
241
242type httpd_php_t;
a996bdf4 243type httpd_php_exec_t;
e749cd12 244domain_type(httpd_php_t)
0bfccda4 245domain_entry_file(httpd_php_t, httpd_php_exec_t)
e749cd12 246role system_r types httpd_php_t;
247
248type httpd_php_tmp_t;
249files_tmp_file(httpd_php_tmp_t)
250
251type httpd_rotatelogs_t;
252type httpd_rotatelogs_exec_t;
253init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
254
255type httpd_squirrelmail_t;
256files_type(httpd_squirrelmail_t)
257
# SUEXEC runs user scripts as their own user ID
type httpd_suexec_t;
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
role system_r types httpd_suexec_t;
264
265type httpd_suexec_tmp_t;
266files_tmp_file(httpd_suexec_tmp_t)
267
268# setup the system domain for system CGI scripts
269apache_content_template(sys)
270
271typeattribute httpd_sys_content_t httpdcontent; # customizable
272typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
273typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
c2b18fa1 274
275type httpd_tmp_t;
276files_tmp_file(httpd_tmp_t)
277
278type httpd_tmpfs_t;
279files_tmpfs_file(httpd_tmpfs_t)
280
281apache_content_template(user)
282ubac_constrained(httpd_user_script_t)
283typeattribute httpd_user_content_t httpdcontent;
284typeattribute httpd_user_rw_content_t httpdcontent;
285typeattribute httpd_user_ra_content_t httpdcontent;
286
287userdom_user_home_content(httpd_user_content_t)
288userdom_user_home_content(httpd_user_htaccess_t)
289userdom_user_home_content(httpd_user_script_exec_t)
290userdom_user_home_content(httpd_user_ra_content_t)
291userdom_user_home_content(httpd_user_rw_content_t)
292typeattribute httpd_user_script_t httpd_script_domains;
293typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
3eaa9939 294typealias httpd_user_content_t alias httpd_unconfined_content_t;
296273a7 295typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
296typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
297typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
298typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
299typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
300typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
301typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
302typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
303typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
304typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
305typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
306typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
307typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
296273a7 308
309# for apache2 memory mapped files
310type httpd_var_lib_t;
311files_type(httpd_var_lib_t)
312
313type httpd_var_run_t;
314files_pid_file(httpd_var_run_t)
315
316# File Type of squirrelmail attachments
317type squirrelmail_spool_t;
318files_tmp_file(squirrelmail_spool_t)
319
bb7170f6 320optional_policy(`
321 prelink_object_file(httpd_modules_t)
322')
323
324########################################
325#
326# Apache server local policy
327#
328
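# Capabilities for the main daemon. dac_override bypasses DAC mode bits on
# every object httpd_t is otherwise allowed to reach, so the file-type rules
# below are the only thing limiting it; setuid/setgid/chown are presumably
# for dropping to the unprivileged apache user and handing files to it
# (confirm against the daemon's startup), kill covers signalling its
# workers, sys_nice priority changes.
allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
# sys_tty_config is allowed above, so dontauditing it had no effect; only
# net_admin is actually silenced here.
dontaudit httpd_t self:capability net_admin;
# Everything on itself except ptrace, the context-changing operations,
# setrlimit and the writable+executable memory permissions; setrlimit and
# execmem/execstack are re-enabled by the httpd_setrlimit and httpd_execmem
# tunables later in this file.
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };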
332allow httpd_t self:fd use;
333allow httpd_t self:sock_file read_sock_file_perms;
334allow httpd_t self:fifo_file rw_fifo_file_perms;
335allow httpd_t self:shm create_shm_perms;
336allow httpd_t self:sem create_sem_perms;
337allow httpd_t self:msgq create_msgq_perms;
338allow httpd_t self:msg { send receive };
339allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
340allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
33c7e6b4 341allow httpd_t self:tcp_socket create_stream_socket_perms;
e9a4084d 342allow httpd_t self:udp_socket create_socket_perms;
343
344# Allow httpd_t to put files in /var/cache/httpd etc
345manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
346manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
347manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
3eaa9939 348files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
349
350# Allow the httpd_t to read the web servers config files
c0868a7a 351allow httpd_t httpd_config_t:dir list_dir_perms;
352read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
353read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
354
355can_exec(httpd_t, httpd_exec_t)
356
c0868a7a 357allow httpd_t httpd_lock_t:file manage_file_perms;
0bfccda4 358files_lock_filetrans(httpd_t, httpd_lock_t, file)
a996bdf4 359
c0868a7a 360allow httpd_t httpd_log_t:dir setattr;
361create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
362append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
363read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
364read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
365# cjp: need to refine create interfaces to
366# cut this back to add_name only
0bfccda4 367logging_log_filetrans(httpd_t, httpd_log_t, file)
a996bdf4 368
c0868a7a 369allow httpd_t httpd_modules_t:dir list_dir_perms;
370mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
371read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
60def66b 372read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
a996bdf4 373
374apache_domtrans_rotatelogs(httpd_t)
375# Apache-httpd needs to be able to send signals to the log rotate procs.
376allow httpd_t httpd_rotatelogs_t:process signal_perms;
377
378manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
379manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
380manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
a996bdf4 381
0b36a214 382allow httpd_t httpd_suexec_exec_t:file read_file_perms;
725926c5 383
c0868a7a 384allow httpd_t httpd_sys_content_t:dir list_dir_perms;
385read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
386read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
3d37bca1 387
388allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
389
390manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
391manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
392manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
393files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
a996bdf4 394
395manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
396manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
397manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
398manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
399manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
20fa7032 400fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
a996bdf4 401
402manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
403files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
a996bdf4 404
405setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
406manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
407manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
408manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
60def66b 409files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
a996bdf4 410
411manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
412manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
413manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
a996bdf4 414
445522dc 415kernel_read_kernel_sysctls(httpd_t)
416# for modules that want to access /proc/meminfo
417kernel_read_system_state(httpd_t)
3eaa9939 418kernel_search_network_sysctl(httpd_t)
a996bdf4 419
420corenet_all_recvfrom_unlabeled(httpd_t)
421corenet_all_recvfrom_netlabel(httpd_t)
422corenet_tcp_sendrecv_generic_if(httpd_t)
423corenet_udp_sendrecv_generic_if(httpd_t)
424corenet_tcp_sendrecv_generic_node(httpd_t)
425corenet_udp_sendrecv_generic_node(httpd_t)
426corenet_tcp_sendrecv_all_ports(httpd_t)
427corenet_udp_sendrecv_all_ports(httpd_t)
c1262146 428corenet_tcp_bind_generic_node(httpd_t)
3eaa9939 429corenet_udp_bind_generic_node(httpd_t)
430corenet_tcp_bind_http_port(httpd_t)
431corenet_tcp_bind_http_cache_port(httpd_t)
3eaa9939 432corenet_tcp_bind_ntop_port(httpd_t)
968ace93 433corenet_sendrecv_http_server_packets(httpd_t)
434# Signal self for shutdown
435corenet_tcp_connect_http_port(httpd_t)
436
437dev_read_sysfs(httpd_t)
438dev_read_rand(httpd_t)
439dev_read_urand(httpd_t)
c2b18fa1 440dev_rw_crypto(httpd_t)
441
442fs_getattr_all_fs(httpd_t)
443fs_search_auto_mountpoints(httpd_t)
444fs_read_iso9660_files(httpd_t)
445fs_read_anon_inodefs_files(httpd_t)
a996bdf4 446
447auth_use_nsswitch(httpd_t)
448
3eaa9939 449application_exec_all(httpd_t)
a996bdf4 450
15722ec9 451domain_use_interactive_fds(httpd_t)
a996bdf4 452
60def66b 453files_dontaudit_getattr_all_pids(httpd_t)
454files_read_usr_files(httpd_t)
455files_list_mnt(httpd_t)
456files_search_spool(httpd_t)
457files_read_var_lib_files(httpd_t)
458files_search_home(httpd_t)
459files_getattr_home_dir(httpd_t)
460# for modules that want to access /etc/mtab
461files_read_etc_runtime_files(httpd_t)
462# Allow httpd_t to have access to files such as nisswitch.conf
463files_read_etc_files(httpd_t)
464# for tomcat
465files_read_var_lib_symlinks(httpd_t)
a996bdf4 466
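fs_search_auto_mountpoints(httpd_sys_script_t)
# php uploads a file to /tmp and then execs programs to act on them. New
# objects the script creates in /tmp must land in httpd_tmp_t: that is the
# type the manage rules here and the httpd_tmp_exec tunable below operate on.
# Labelling them httpd_sys_rw_content_t instead placed script-created temp
# files in the web-content class, which httpd_enable_cgi && httpd_unified
# turns into valid CGI entrypoints.
manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
files_tmp_filetrans(httpd_sys_script_t, httpd_tmp_t, { dir file lnk_file sock_file fifo_file })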
d6d16b97 472
1815bad1 473libs_read_lib_files(httpd_t)
474
475logging_send_syslog_msg(httpd_t)
476
477miscfiles_read_localization(httpd_t)
478miscfiles_read_fonts(httpd_t)
479miscfiles_read_public_files(httpd_t)
480miscfiles_read_certs(httpd_t)
481
482seutil_dontaudit_search_config(httpd_t)
483
103fe280 484userdom_use_unpriv_users_fds(httpd_t)
a996bdf4 485
486tunable_policy(`httpd_setrlimit',`
487 allow httpd_t self:process setrlimit;
488')
489
490tunable_policy(`allow_httpd_anon_write',`
491 miscfiles_manage_public_files(httpd_t)
20fa7032 492')
6e99a6cf 493
494#
495# We need optionals to be able to be within booleans to make this work
496#
497tunable_policy(`allow_httpd_mod_auth_pam',`
498 auth_domtrans_chkpwd(httpd_t)
499 logging_send_audit_msgs(httpd_t)
500')
501
502## <desc>
503## <p>
## Allow Apache to use mod_auth_ntlm_winbind (transition to the winbind helper)
505## </p>
506## </desc>
507gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
508optional_policy(`
509tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
510 samba_domtrans_winbind_helper(httpd_t)
511')
512')
513
6e99a6cf 514tunable_policy(`httpd_can_network_connect',`
6e99a6cf 515 corenet_tcp_connect_all_ports(httpd_t)
516')
517
518tunable_policy(`httpd_can_network_relay',`
519 # allow httpd to work as a relay
520 corenet_tcp_connect_gopher_port(httpd_t)
521 corenet_tcp_connect_ftp_port(httpd_t)
522 corenet_tcp_connect_http_port(httpd_t)
523 corenet_tcp_connect_http_cache_port(httpd_t)
3eaa9939 524 corenet_tcp_connect_squid_port(httpd_t)
60def66b 525 corenet_tcp_connect_memcache_port(httpd_t)
526 corenet_sendrecv_gopher_client_packets(httpd_t)
527 corenet_sendrecv_ftp_client_packets(httpd_t)
528 corenet_sendrecv_http_client_packets(httpd_t)
529 corenet_sendrecv_http_cache_client_packets(httpd_t)
530 corenet_sendrecv_squid_client_packets(httpd_t)
531')
532
# With both booleans on, every httpd_sys_content_t file becomes a valid CGI
# entrypoint and is executable by system scripts, and scripts may create
# httpd_sys_rw_content_t objects inside read-only content directories: the
# read-only/executable split is gone for the sys content type.
tunable_policy(`httpd_enable_cgi && httpd_unified',`
	allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
	filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
	can_exec(httpd_sys_script_t, httpd_sys_content_t)
')
538
539tunable_policy(`allow_httpd_sys_script_anon_write',`
540 miscfiles_manage_public_files(httpd_sys_script_t)
541')
542
543tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
544 fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
545')
546
547tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
548 fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
549')
550
6e99a6cf 551tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
c0868a7a 552 domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
553 filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
554 manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
555 manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
556 manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
6e99a6cf 557
558 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
559 manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
560 manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
561')
562
563tunable_policy(`httpd_enable_ftp_server',`
564 corenet_tcp_bind_ftp_port(httpd_t)
565')
566
e311e23a 567tunable_policy(`httpd_enable_homedirs',`
296273a7 568 userdom_read_user_home_content_files(httpd_t)
569')
570
571tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
572 can_exec(httpd_t, httpd_tmp_t)
573')
574
575tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
576 can_exec(httpd_sys_script_t, httpd_tmp_t)
577')
578
579tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
580 fs_read_nfs_files(httpd_t)
581 fs_read_nfs_symlinks(httpd_t)
582')
583
584tunable_policy(`httpd_use_nfs',`
585 fs_manage_nfs_dirs(httpd_t)
586 fs_manage_nfs_files(httpd_t)
587 fs_manage_nfs_symlinks(httpd_t)
588')
589
590tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
591 fs_read_cifs_files(httpd_t)
592 fs_read_cifs_symlinks(httpd_t)
593')
594
595tunable_policy(`httpd_can_sendmail',`
596 # allow httpd to connect to mail servers
597 corenet_tcp_connect_smtp_port(httpd_t)
598 corenet_sendrecv_smtp_client_packets(httpd_t)
599 corenet_tcp_connect_pop_port(httpd_t)
600 corenet_sendrecv_pop_client_packets(httpd_t)
60def66b 601 mta_send_mail(httpd_t)
602 mta_signal_system_mail(httpd_t)
603')
604
605tunable_policy(`httpd_use_cifs',`
606 fs_manage_cifs_dirs(httpd_t)
607 fs_manage_cifs_files(httpd_t)
608 fs_manage_cifs_symlinks(httpd_t)
609')
610
e749cd12 611tunable_policy(`httpd_ssi_exec',`
3f67f722 612 corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
613 allow httpd_sys_script_t httpd_t:fd use;
614 allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
615 allow httpd_sys_script_t httpd_t:process sigchld;
616')
617
# When the admin starts the server from a login session, the server tries to
# access the TTY or PTY associated with that session. httpd appears to run
# correctly without this permission, so it is dontaudited by default and only
# granted when the httpd_tty_comm boolean (needed for certificate passphrase
# prompts) is enabled.
6e99a6cf 622tunable_policy(`httpd_tty_comm',`
296273a7 623 userdom_use_user_terminals(httpd_t)
3eaa9939 624 userdom_use_user_terminals(httpd_suexec_t)
6e99a6cf 625',`
296273a7 626 userdom_dontaudit_use_user_terminals(httpd_t)
3eaa9939 627 userdom_dontaudit_use_user_terminals(httpd_suexec_t)
628')
629
bb7170f6 630optional_policy(`
631 calamaris_read_www_files(httpd_t)
632')
633
634optional_policy(`
635 ccs_read_config(httpd_t)
636')
637
1031ee6f 638optional_policy(`
639 cobbler_list_config(httpd_t)
640 cobbler_read_config(httpd_t)
2968e068 641 cobbler_read_lib_files(httpd_t)
642
643 tunable_policy(`httpd_can_network_connect_cobbler',`
644 corenet_tcp_connect_cobbler_port(httpd_t)
645 ')
646')
647
648optional_policy(`
649 cron_system_entry(httpd_t, httpd_exec_t)
650')
651
652optional_policy(`
653 cvs_read_data(httpd_t)
654')
655
bb7170f6 656optional_policy(`
657 daemontools_service_domain(httpd_t, httpd_exec_t)
658')
659
3eaa9939 660optional_policy(`
661 dbus_system_bus_client(httpd_t)
662
663 tunable_policy(`httpd_dbus_avahi',`
664 avahi_dbus_chat(httpd_t)
665 ')
666')
667
668optional_policy(`
669 gitosis_read_lib_files(httpd_t)
670')
671
672optional_policy(`
673 tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
3eaa9939 674 gpg_domtrans_web(httpd_t)
675 ')
676')
677
bb7170f6 678optional_policy(`
83caba3e 679 kerberos_keytab_template(httpd, httpd_t)
680')
681
bb7170f6 682optional_policy(`
683 mailman_signal_cgi(httpd_t)
684 mailman_domtrans_cgi(httpd_t)
60def66b 685 mailman_read_data_files(httpd_t)
799a0b43 686 # should have separate types for public and private archives
0500e01f 687 mailman_search_data(httpd_t)
688 mailman_read_archive(httpd_t)
689')
690
bb7170f6 691optional_policy(`
0b6acad1 692 # Allow httpd to work with mysql
3eaa9939 693 mysql_read_config(httpd_t)
a996bdf4 694 mysql_stream_connect(httpd_t)
1815bad1 695 mysql_rw_db_sockets(httpd_t)
696
697 tunable_policy(`httpd_can_network_connect_db',`
dc1920b2 698 mysql_tcp_connect(httpd_t)
0b6acad1 699 ')
700')
701
702optional_policy(`
703 nagios_read_config(httpd_t)
3eaa9939 704 nagios_read_log(httpd_t)
705')
706
707optional_policy(`
708 openca_domtrans(httpd_t)
709 openca_signal(httpd_t)
710 openca_sigstop(httpd_t)
711 openca_kill(httpd_t)
712')
713
714optional_policy(`
715 rpc_search_nfs_state_data(httpd_t)
716')
717
# Disables W^X for the daemon, the system CGI domain and suexec alike: each
# may map memory that is both writable and executable. Enable only for modules
# or runtimes that genuinely need it (JITs), since it removes a major
# code-injection mitigation in a network-facing process.
tunable_policy(`httpd_execmem',`
	allow httpd_t self:process { execmem execstack };
	allow httpd_sys_script_t self:process { execmem execstack };
	allow httpd_suexec_t self:process { execmem execstack };
')
723
bb7170f6 724optional_policy(`
725926c5 725 # Allow httpd to work with postgresql
1815bad1 726 postgresql_stream_connect(httpd_t)
e8cb08ae 727 postgresql_unpriv_client(httpd_t)
728
729 tunable_policy(`httpd_can_network_connect_db',`
730 postgresql_tcp_connect(httpd_t)
3eaa9939 731 postgresql_tcp_connect(httpd_sys_script_t)
0b6acad1 732 ')
733')
734
bb7170f6 735optional_policy(`
736 seutil_sigchld_newrole(httpd_t)
737')
738
6b19be33 739optional_policy(`
740 smokeping_getattr_lib_files(httpd_t)
741')
742
743optional_policy(`
744 files_dontaudit_rw_usr_dirs(httpd_t)
745 snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
746 snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
747')
748
bb7170f6 749optional_policy(`
750 udev_read_db(httpd_t)
751')
752
753optional_policy(`
754 yam_read_content(httpd_t)
755')
756
757optional_policy(`
758 zarafa_stream_connect_server(httpd_t)
759')
760
761########################################
762#
763# Apache helper local policy
764#
765
c0868a7a 766domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
a996bdf4 767
0b36a214 768allow httpd_helper_t httpd_config_t:file read_file_perms;
a996bdf4 769
0b36a214 770allow httpd_helper_t httpd_log_t:file append_file_perms;
a996bdf4 771
772logging_send_syslog_msg(httpd_helper_t)
773
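# Terminal access for the helper follows the httpd_tty_comm boolean, exactly
# as it does for httpd_t and httpd_suexec_t above; granting it unconditionally
# here made the tunable a no-op for this domain and left the helper with
# terminal access even when the boolean was off.
tunable_policy(`httpd_tty_comm',`
	userdom_use_user_terminals(httpd_helper_t)
',`
	userdom_dontaudit_use_user_terminals(httpd_helper_t)
')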
779
780########################################
781#
782# Apache PHP script local policy
783#
784
785allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
786allow httpd_php_t self:fd use;
787allow httpd_php_t self:fifo_file rw_fifo_file_perms;
788allow httpd_php_t self:sock_file read_sock_file_perms;
789allow httpd_php_t self:unix_dgram_socket create_socket_perms;
790allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
791allow httpd_php_t self:unix_dgram_socket sendto;
792allow httpd_php_t self:unix_stream_socket connectto;
793allow httpd_php_t self:shm create_shm_perms;
794allow httpd_php_t self:sem create_sem_perms;
795allow httpd_php_t self:msgq create_msgq_perms;
796allow httpd_php_t self:msg { send receive };
797
c0868a7a 798domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
799
800# allow php to read and append to apache logfiles
c0868a7a 801allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
a996bdf4 802
803manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
804manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
103fe280 805files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
806
807fs_search_auto_mountpoints(httpd_php_t)
808
809auth_use_nsswitch(httpd_php_t)
810
a996bdf4 811libs_exec_lib_files(httpd_php_t)
a996bdf4 812
103fe280 813userdom_use_unpriv_users_fds(httpd_php_t)
a996bdf4 814
# Note: although this sits in the PHP section, it grants network database
# access to httpd_t, the system CGI domain and suexec, not to httpd_php_t.
tunable_policy(`httpd_can_network_connect_db',`
	corenet_tcp_connect_mysqld_port(httpd_t)
	corenet_sendrecv_mysqld_client_packets(httpd_t)
	corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
	corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
	corenet_tcp_connect_mysqld_port(httpd_suexec_t)
	corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)

	corenet_tcp_connect_mssql_port(httpd_t)
	corenet_sendrecv_mssql_client_packets(httpd_t)
	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
	corenet_tcp_connect_mssql_port(httpd_suexec_t)
	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
')
830
bb7170f6 831optional_policy(`
832 mysql_stream_connect(httpd_php_t)
833 mysql_read_config(httpd_php_t)
834')
835
836optional_policy(`
837 postgresql_stream_connect(httpd_php_t)
838')
839
840########################################
841#
842# Apache suexec local policy
843#
844
845allow httpd_suexec_t self:capability { setuid setgid };
846allow httpd_suexec_t self:process signal_perms;
847allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
848
56e1b3d2 849domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
a996bdf4 850
851create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
852append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
853read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
c0868a7a 854
60def66b 855allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
a996bdf4 856
857manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
858manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
103fe280 859files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
a996bdf4 860
861can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
862
445522dc 863kernel_read_kernel_sysctls(httpd_suexec_t)
864kernel_list_proc(httpd_suexec_t)
865kernel_read_proc_symlinks(httpd_suexec_t)
866
867dev_read_urand(httpd_suexec_t)
868
3eaa9939 869fs_read_iso9660_files(httpd_suexec_t)
870fs_search_auto_mountpoints(httpd_suexec_t)
871
3eaa9939 872application_exec_all(httpd_suexec_t)
873
874files_read_etc_files(httpd_suexec_t)
875files_read_usr_files(httpd_suexec_t)
6e99a6cf 876files_dontaudit_search_pids(httpd_suexec_t)
725926c5 877files_search_home(httpd_suexec_t)
a996bdf4 878
879auth_use_nsswitch(httpd_suexec_t)
880
881logging_search_logs(httpd_suexec_t)
882logging_send_syslog_msg(httpd_suexec_t)
883
884miscfiles_read_localization(httpd_suexec_t)
60def66b 885miscfiles_read_public_files(httpd_suexec_t)
# Outbound network for suexec, gated on the same boolean as httpd itself.
# NOTE(review): this is connect to *all* ports on all interfaces/nodes; there
# is no narrower suexec-specific boolean, so enabling it for one client use
# (e.g. a database) opens everything.
tunable_policy(`httpd_can_network_connect',`
	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
	allow httpd_suexec_t self:udp_socket create_socket_perms;

	corenet_all_recvfrom_unlabeled(httpd_suexec_t)
	corenet_all_recvfrom_netlabel(httpd_suexec_t)
	corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
	corenet_udp_sendrecv_generic_if(httpd_suexec_t)
	corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
	corenet_udp_sendrecv_generic_node(httpd_suexec_t)
	corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
	corenet_tcp_connect_all_ports(httpd_suexec_t)
	corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
# suexec may read (never write) every flavour of per-user web content.
read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)

# NOTE(review): plain read-only httpd_sys_content_t is made an entry point
# for httpd_sys_script_t unconditionally -- not gated on httpd_enable_cgi and
# not limited to httpd_sys_script_exec_t.  Whether a caller can actually
# execute such files to trigger the transition is decided outside this
# chunk; confirm the entrypoint is meant to be this wide.
domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
# "unified" mode flattens the content types: system scripts may be entered
# from, and fully manage (create/unlink/rename), anything carrying the
# httpdcontent attribute -- this is the deliberate, coarse-grained setting.
tunable_policy(`httpd_enable_cgi && httpd_unified',`
	allow httpd_sys_script_t httpdcontent:file entrypoint;
	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
	manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
	manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
	manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
	manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
')
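# suexec -> user script transition.  domtrans_pattern's middle argument is
# the executable's file type: user CGI scripts are labeled
# httpd_user_script_exec_t (see the header notes), whereas
# httpd_user_script_t is the process domain, so the previous rule keyed the
# type_transition on a type no script file carries and could never fire.
# If the per-user content template already grants this transition elsewhere,
# this rule is merely redundant; either way it no longer names the domain as
# an entry file.
tunable_policy(`httpd_enable_cgi',`
	domtrans_pattern(httpd_suexec_t, httpd_user_script_exec_t, httpd_user_script_t)
')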
# Home directories on NFS / CIFS: suexec gets read + execute (no write), and
# only when both the httpd homedir boolean and the matching system-wide
# use_*_home_dirs boolean are on.
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_read_nfs_files(httpd_suexec_t)
	fs_read_nfs_symlinks(httpd_suexec_t)
	fs_exec_nfs_files(httpd_suexec_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_read_cifs_files(httpd_suexec_t)
	fs_read_cifs_symlinks(httpd_suexec_t)
	fs_exec_cifs_files(httpd_suexec_t)
')
# Hand the mailman CGI off to its own domain when that module is present.
optional_policy(`
	mailman_domtrans_cgi(httpd_suexec_t)
')

optional_policy(`
	mta_stub(httpd_suexec_t)

	# apache should set close-on-exec
	# (silences the inherited httpd socket rather than granting access to it)
	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')

# Local MySQL over its unix/db sockets plus the client config.
optional_policy(`
	mysql_stream_connect(httpd_suexec_t)
	mysql_rw_db_sockets(httpd_suexec_t)
	mysql_read_config(httpd_suexec_t)
')
949########################################
950#
951# Apache system script local policy
952#
allow httpd_sys_script_t self:process getsched;

# CGI I/O: the script reads/writes sockets it inherits from httpd (the
# client connection, presumably) rather than creating its own.
allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
allow httpd_sys_script_t httpd_t:tcp_socket { read write };

# Scripts that probe the httpd config dir are expected; suppress the noise
# without granting the search.
dontaudit httpd_sys_script_t httpd_config_t:dir search;

# squirrelmail: append + read on its files, read-only walk of its spool.
allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };

allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_sys_script_t)

files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)

# NOTE(review): append on *any* inherited log descriptor, not just
# httpd_log_t -- the effective scope is whatever log fds httpd leaves open
# across the exec.
logging_inherit_append_all_logs(httpd_sys_script_t)

# Should we add a boolean?
# (unconditional today: every system script may run rotatelogs in its domain)
apache_domtrans_rotatelogs(httpd_sys_script_t)

auth_use_nsswitch(httpd_sys_script_t)

ifdef(`distro_redhat',`
	# Red Hat layout: scripts append directly to the httpd logs.
	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')

# Outbound mail only when the administrator has opted in.
tunable_policy(`httpd_can_sendmail',`
	mta_send_mail(httpd_sys_script_t)
')
# NOTE(review): this sits in the system-script section but the transition
# is granted to httpd_t, not httpd_sys_script_t -- a script invoking spamc
# gets nothing from this rule.  Confirm which domain was intended.
optional_policy(`
	tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
		spamassassin_domtrans_client(httpd_t)
	')
')
# Scripts stored on CIFS / NFS mounts may serve as entry points for this
# domain (those filesystems carry a single label, so this is mount-wide).
fs_cifs_entry_type(httpd_sys_script_t)
fs_read_iso9660_files(httpd_sys_script_t)
fs_nfs_entry_type(httpd_sys_script_t)

# NOTE(review): httpd_use_nfs is not limited to home directories -- it gives
# both system scripts and suexec full manage + exec over every NFS mount on
# the host.  The read-only homedir variants are the separate tunables below.
tunable_policy(`httpd_use_nfs',`
	fs_manage_nfs_dirs(httpd_sys_script_t)
	fs_manage_nfs_files(httpd_sys_script_t)
	fs_manage_nfs_symlinks(httpd_sys_script_t)
	fs_exec_nfs_files(httpd_sys_script_t)

	fs_manage_nfs_dirs(httpd_suexec_t)
	fs_manage_nfs_files(httpd_suexec_t)
	fs_manage_nfs_symlinks(httpd_suexec_t)
	fs_exec_nfs_files(httpd_suexec_t)
')
# Network for system scripts: requires CGI to be on *and* the global
# httpd_can_network_connect opt-in.  NOTE(review): unlike the suexec block,
# this also grants bind on all nodes (corenet_*_bind_all_nodes), and connect
# is to all ports -- broader than a typical "call a backend" use.
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
	allow httpd_sys_script_t self:udp_socket create_socket_perms;

	corenet_tcp_bind_all_nodes(httpd_sys_script_t)
	corenet_udp_bind_all_nodes(httpd_sys_script_t)
	corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
	corenet_all_recvfrom_netlabel(httpd_sys_script_t)
	corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
	corenet_udp_sendrecv_all_if(httpd_sys_script_t)
	corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
	corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
	corenet_tcp_connect_all_ports(httpd_sys_script_t)
	corenet_sendrecv_all_client_packets(httpd_sys_script_t)
')
# Read-only access to user home content for system scripts, with the NFS /
# CIFS variants additionally keyed on the system-wide home-dir booleans.
tunable_policy(`httpd_enable_homedirs',`
	userdom_read_user_home_content_files(httpd_sys_script_t)
')

tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_read_nfs_files(httpd_sys_script_t)
	fs_read_nfs_symlinks(httpd_sys_script_t)
')

# NOTE(review): as with httpd_use_nfs above, httpd_use_cifs is mount-wide
# manage access (plus exec for suexec), not a home-directory grant; keep it
# distinct from the read-only use_samba_home_dirs case below.
tunable_policy(`httpd_use_cifs',`
	fs_manage_cifs_dirs(httpd_sys_script_t)
	fs_manage_cifs_files(httpd_sys_script_t)
	fs_manage_cifs_symlinks(httpd_sys_script_t)
	fs_manage_cifs_dirs(httpd_suexec_t)
	fs_manage_cifs_files(httpd_suexec_t)
	fs_manage_cifs_symlinks(httpd_suexec_t)
	fs_exec_cifs_files(httpd_suexec_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_read_cifs_files(httpd_sys_script_t)
	fs_read_cifs_symlinks(httpd_sys_script_t)
')
# Optional integrations, each present only when its module is loaded.

# Run clamscan in its own domain (scripts scanning uploads, presumably).
optional_policy(`
	clamav_domtrans_clamscan(httpd_sys_script_t)
')

# Local MySQL: socket connect, db sockets, client config.
optional_policy(`
	mysql_stream_connect(httpd_sys_script_t)
	mysql_rw_db_sockets(httpd_sys_script_t)
	mysql_read_config(httpd_sys_script_t)
')

# Local PostgreSQL over its unix socket.
optional_policy(`
	postgresql_stream_connect(httpd_sys_script_t)
')
1065########################################
1066#
1067# httpd_rotatelogs local policy
1068#
# NOTE(review): dac_override bypasses file-mode checks on every object this
# domain is otherwise allowed to touch, not only under the log directory.
# Presumably needed for logs owned by a different uid -- confirm it is still
# required, since the MAC side is already narrowed to httpd_log_t below.
allow httpd_rotatelogs_t self:capability dac_override;

# Full control of httpd log files (rotate = create new, rename/unlink old).
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)

kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)

files_read_etc_files(httpd_rotatelogs_t)

logging_search_logs(httpd_rotatelogs_t)

miscfiles_read_localization(httpd_rotatelogs_t)
1084########################################
1085#
1086# Unconfined script local policy
1087#
# Escape hatch: any file labeled httpd_unconfined_script_exec_t that httpd
# executes lands in a domain handed to unconfined_domain(), i.e. it leaves
# SELinux confinement entirely.  Exists only when the unconfined module is
# loaded.  NOTE(review): there is no boolean in front of this -- the label
# alone switches it on, so relabel rights on web content are effectively
# the gate.
optional_policy(`
	type httpd_unconfined_script_t;
	type httpd_unconfined_script_exec_t;
	domain_type(httpd_unconfined_script_t)
	domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
	domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
	unconfined_domain(httpd_unconfined_script_t)

	# scripts run in system_r; httpd may only signal them, not otherwise
	# interfere.
	role system_r types httpd_unconfined_script_t;
	allow httpd_t httpd_unconfined_script_t:process signal_perms;
')
1101########################################
1102#
1103# User content local policy
1104#
# "unified" mode for per-user content: user scripts may be entered from any
# httpdcontent file and get full manage on httpd_user_content_t *and*
# httpd_user_ra_content_t.  NOTE(review): the latter is presumably a
# read/append type elsewhere; full manage here is wider than its name.
tunable_policy(`httpd_enable_cgi && httpd_unified',`
	allow httpd_user_script_t httpdcontent:file entrypoint;
	manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
	manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
	manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
	manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
')
# allow accessing files/dirs below the users home dir
# (search only -- enough to traverse to content, not to read it)
tunable_policy(`httpd_enable_homedirs',`
	userdom_search_user_home_content(httpd_t)
	userdom_search_user_home_content(httpd_suexec_t)
	userdom_search_user_home_content(httpd_user_script_t)
')

# Reading user home files is a separate opt-in from traversing them.
tunable_policy(`httpd_read_user_content',`
	userdom_read_user_home_content_files(httpd_user_script_t)
	userdom_read_user_home_content_files(httpd_suexec_t)
')

# httpd itself only gets the read grant when built-in scripting (which runs
# in httpd_t) is also enabled.
tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',`
	userdom_read_user_home_content_files(httpd_t)
')
# Removal of fastcgi, will cause problems without the following
# (compatibility aliases so existing httpd_fastcgi_* labels on disk and in
# other modules keep resolving to the sys_* types)
typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;