29af4c13 | 1 | policy_module(apache, 2.2.0) |
2 | |
3 | # | |
20fa7032 | 4 | # NOTES: |
5 | # This policy will work with SUEXEC enabled as part of the Apache |
6 | # configuration. However, the user CGI scripts will run under the | |
296273a7 | 7 | # system_u:system_r:httpd_user_script_t. |
a996bdf4 | 8 | # |
296273a7 | 9 | # The user CGI scripts must be labeled with the httpd_user_script_exec_t |
a996bdf4 | 10 | # type, and the directory containing the scripts should also be labeled |
20fa7032 | 11 | # with these types. This policy allows the user role to perform that |
12 | # relabeling. If only the admin role should be able to relabel |
13 | # the user CGI scripts, then the relabel rule for user roles should be removed. | |
14 | # |
15 | ||
16 | ######################################## | |
17 | # | |
18 | # Declarations | |
19 | # | |
20 | ||
21 | selinux_genbool(httpd_bool_t) |
22 | ||
23 | ## <desc> |
24 | ## <p> | |
25 | ## Allow Apache to modify public files | |
26 | ## used for public file transfer services. Directories/Files must |
27 | ## be labeled public_content_rw_t. | |
28 | ## </p> |
29 | ## </desc> | |
0bfccda4 | 30 | gen_tunable(allow_httpd_anon_write, false) |
31 | |
32 | ## <desc> | |
33 | ## <p> | |
34 | ## Allow Apache to use mod_auth_pam | |
35 | ## </p> | |
36 | ## </desc> | |
0bfccda4 | 37 | gen_tunable(allow_httpd_mod_auth_pam, false) |
56e1b3d2 | 38 | |
39 | ## <desc> |
40 | ## <p> | |
41 | ## Allow httpd scripts and modules execmem/execstack | |
42 | ## </p> | |
43 | ## </desc> | |
44 | gen_tunable(httpd_execmem, false) | |
45 | ||
46 | ## <desc> | |
47 | ## <p> | |
48 | ## Allow httpd daemon to change system limits | |
49 | ## </p> | |
50 | ## </desc> | |
51 | gen_tunable(httpd_setrlimit, false) | |
52 | ||
53 | ## <desc> |
54 | ## <p> | |
55 | ## Allow httpd to use built in scripting (usually php) | |
56 | ## </p> | |
57 | ## </desc> | |
0bfccda4 | 58 | gen_tunable(httpd_builtin_scripting, false) |
59 | |
60 | ## <desc> | |
61 | ## <p> | |
dd9e1de3 | 62 | ## Allow HTTPD scripts and modules to connect to the network using TCP. |
63 | ## </p> |
64 | ## </desc> | |
0bfccda4 | 65 | gen_tunable(httpd_can_network_connect, false) |
56e1b3d2 | 66 | |
67 | ## <desc> |
68 | ## <p> | |
69 | ## Allow HTTPD scripts and modules to connect to cobbler over the network. | |
70 | ## </p> | |
71 | ## </desc> | |
72 | gen_tunable(httpd_can_network_connect_cobbler, false) | |
73 | ||
74 | ## <desc> |
75 | ## <p> | |
dd9e1de3 | 76 | ## Allow HTTPD scripts and modules to connect to databases over the network. |
77 | ## </p> |
78 | ## </desc> | |
79 | gen_tunable(httpd_can_network_connect_db, false) | |
80 | ||
81 | ## <desc> | |
82 | ## <p> | |
83 | ## Allow httpd to act as a relay | |
84 | ## </p> | |
85 | ## </desc> | |
86 | gen_tunable(httpd_can_network_relay, false) | |
87 | ||
88 | ## <desc> |
89 | ## <p> | |
90 | ## Allow http daemon to send mail | |
91 | ## </p> | |
92 | ## </desc> | |
93 | gen_tunable(httpd_can_sendmail, false) | |
94 | ||
95 | ## <desc> |
96 | ## <p> | |
97 | ## Allow http daemon to check spam | |
98 | ## </p> | |
99 | ## </desc> | |
100 | gen_tunable(httpd_can_check_spam, false) | |
101 | ||
102 | ## <desc> |
103 | ## <p> | |
104 | ## Allow Apache to communicate with avahi service via dbus | |
105 | ## </p> | |
106 | ## </desc> | |
107 | gen_tunable(httpd_dbus_avahi, false) | |
108 | ||
109 | ## <desc> |
110 | ## <p> | |
111 | ## Allow httpd cgi support | |
112 | ## </p> | |
113 | ## </desc> | |
0bfccda4 | 114 | gen_tunable(httpd_enable_cgi, false) |
115 | |
116 | ## <desc> | |
117 | ## <p> | |
118 | ## Allow httpd to act as a FTP server by | |
119 | ## listening on the ftp port. | |
120 | ## </p> | |
121 | ## </desc> | |
0bfccda4 | 122 | gen_tunable(httpd_enable_ftp_server, false) |
123 | |
124 | ## <desc> | |
125 | ## <p> | |
126 | ## Allow httpd to read home directories | |
127 | ## </p> | |
128 | ## </desc> | |
0bfccda4 | 129 | gen_tunable(httpd_enable_homedirs, false) |
56e1b3d2 | 130 | |
131 | ## <desc> |
132 | ## <p> | |
133 | ## Allow httpd to read user content | |
134 | ## </p> | |
135 | ## </desc> | |
136 | gen_tunable(httpd_read_user_content, false) | |
137 | ||
138 | ## <desc> |
139 | ## <p> | |
dd9e1de3 | 140 | ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. |
141 | ## </p> |
142 | ## </desc> | |
0bfccda4 | 143 | gen_tunable(httpd_ssi_exec, false) |
56e1b3d2 | 144 | |
145 | ## <desc> |
146 | ## <p> | |
147 | ## Allow Apache to execute tmp content. | |
148 | ## </p> | |
149 | ## </desc> | |
150 | gen_tunable(httpd_tmp_exec, false) | |
151 | ||
152 | ## <desc> |
153 | ## <p> | |
154 | ## Allow HTTPD to communicate with the terminal. |
155 | ## Needed for entering the passphrase for certificates at | |
156 | ## the terminal. | |
157 | ## </p> |
158 | ## </desc> | |
0bfccda4 | 159 | gen_tunable(httpd_tty_comm, false) |
160 | |
161 | ## <desc> | |
162 | ## <p> | |
dd9e1de3 | 163 | ## Unify HTTPD handling of all content files. |
164 | ## </p> |
165 | ## </desc> | |
0bfccda4 | 166 | gen_tunable(httpd_unified, false) |
56e1b3d2 | 167 | |
168 | ## <desc> |
169 | ## <p> | |
170 | ## Allow httpd to access cifs file systems | |
171 | ## </p> | |
172 | ## </desc> | |
173 | gen_tunable(httpd_use_cifs, false) | |
174 | ||
175 | ## <desc> | |
176 | ## <p> | |
3eaa9939 | 177 | ## Allow httpd to run gpg in gpg-web domain |
178 | ## </p> |
179 | ## </desc> | |
180 | gen_tunable(httpd_use_gpg, false) | |
181 | ||
182 | ## <desc> | |
183 | ## <p> | |
184 | ## Allow httpd to access nfs file systems | |
185 | ## </p> | |
186 | ## </desc> | |
187 | gen_tunable(httpd_use_nfs, false) | |
188 | ||
189 | ## <desc> |
190 | ## <p> | |
191 | ## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t. |
192 | ## </p> | |
193 | ## </desc> | |
194 | gen_tunable(allow_httpd_sys_script_anon_write, false) | |
195 | ||
a996bdf4 | 196 | attribute httpdcontent; |
a334d291 | 197 | attribute httpd_user_content_type; |
a996bdf4 | 198 | |
199 | # domains that can exec all users scripts |
200 | attribute httpd_exec_scripts; | |
201 | ||
123a990b | 202 | attribute httpd_script_exec_type; |
a334d291 | 203 | attribute httpd_user_script_exec_type; |
123a990b | 204 | |
205 | # user script domains |
206 | attribute httpd_script_domains; | |
207 | ||
208 | type httpd_t; |
209 | type httpd_exec_t; | |
0bfccda4 | 210 | init_daemon_domain(httpd_t, httpd_exec_t) |
e749cd12 | 211 | role system_r types httpd_t; |
212 | |
213 | # httpd_cache_t is the type given to the /var/cache/httpd | |
214 | # directory and the files under that directory | |
215 | type httpd_cache_t; | |
216 | files_type(httpd_cache_t) | |
217 | ||
218 | # httpd_config_t is the type given to the configuration files | |
219 | type httpd_config_t; | |
220 | files_type(httpd_config_t) | |
221 | ||
222 | type httpd_helper_t; | |
a996bdf4 | 223 | type httpd_helper_exec_t; |
e749cd12 | 224 | domain_type(httpd_helper_t) |
0bfccda4 | 225 | domain_entry_file(httpd_helper_t, httpd_helper_exec_t) |
e749cd12 | 226 | role system_r types httpd_helper_t; |
a996bdf4 | 227 | |
228 | type httpd_initrc_exec_t; |
229 | init_script_file(httpd_initrc_exec_t) | |
230 | ||
231 | type httpd_lock_t; |
232 | files_lock_file(httpd_lock_t) | |
233 | ||
234 | type httpd_log_t; | |
235 | logging_log_file(httpd_log_t) | |
236 | ||
20fa7032 | 237 | # httpd_modules_t is the type given to module files (libraries) |
238 | # that come with Apache /etc/httpd/modules and /usr/lib/apache |
239 | type httpd_modules_t; | |
240 | files_type(httpd_modules_t) | |
241 | ||
242 | type httpd_php_t; | |
a996bdf4 | 243 | type httpd_php_exec_t; |
e749cd12 | 244 | domain_type(httpd_php_t) |
0bfccda4 | 245 | domain_entry_file(httpd_php_t, httpd_php_exec_t) |
e749cd12 | 246 | role system_r types httpd_php_t; |
247 | |
248 | type httpd_php_tmp_t; | |
249 | files_tmp_file(httpd_php_tmp_t) | |
250 | ||
251 | type httpd_rotatelogs_t; |
252 | type httpd_rotatelogs_exec_t; | |
253 | init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) | |
254 | ||
255 | type httpd_squirrelmail_t; |
256 | files_type(httpd_squirrelmail_t) | |
257 | ||
258 | # SUEXEC runs user scripts as their own user ID | |
259 | type httpd_suexec_t; #, daemon; | |
a996bdf4 | 260 | type httpd_suexec_exec_t; |
e749cd12 | 261 | domain_type(httpd_suexec_t) |
0bfccda4 | 262 | domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) |
e749cd12 | 263 | role system_r types httpd_suexec_t; |
264 | |
265 | type httpd_suexec_tmp_t; | |
266 | files_tmp_file(httpd_suexec_tmp_t) | |
267 | ||
268 | # setup the system domain for system CGI scripts |
269 | apache_content_template(sys) | |
270 | |
271 | typeattribute httpd_sys_content_t httpdcontent; # customizable | |
272 | typeattribute httpd_sys_rw_content_t httpdcontent; # customizable | |
273 | typeattribute httpd_sys_ra_content_t httpdcontent; # customizable | |
c2b18fa1 | 274 | |
275 | type httpd_tmp_t; |
276 | files_tmp_file(httpd_tmp_t) | |
277 | ||
278 | type httpd_tmpfs_t; | |
279 | files_tmpfs_file(httpd_tmpfs_t) | |
280 | ||
281 | apache_content_template(user) |
282 | ubac_constrained(httpd_user_script_t) | |
283 | typeattribute httpd_user_content_t httpdcontent; |
284 | typeattribute httpd_user_rw_content_t httpdcontent; | |
285 | typeattribute httpd_user_ra_content_t httpdcontent; | |
286 | ||
287 | userdom_user_home_content(httpd_user_content_t) |
288 | userdom_user_home_content(httpd_user_htaccess_t) | |
289 | userdom_user_home_content(httpd_user_script_exec_t) | |
290 | userdom_user_home_content(httpd_user_ra_content_t) |
291 | userdom_user_home_content(httpd_user_rw_content_t) | |
292 | typeattribute httpd_user_script_t httpd_script_domains; |
293 | typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; | |
3eaa9939 | 294 | typealias httpd_user_content_t alias httpd_unconfined_content_t; |
296273a7 | 295 | typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; |
296 | typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; |
297 | typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; | |
298 | typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t }; |
299 | typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t }; | |
300 | typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t }; | |
301 | typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t }; | |
302 | typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t }; | |
303 | typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t }; | |
304 | typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t }; |
305 | typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t }; | |
306 | typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; | |
307 | typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; | |
296273a7 | 308 | |
309 | # for apache2 memory mapped files |
310 | type httpd_var_lib_t; | |
311 | files_type(httpd_var_lib_t) | |
312 | ||
313 | type httpd_var_run_t; | |
314 | files_pid_file(httpd_var_run_t) | |
315 | ||
316 | # File Type of squirrelmail attachments | |
317 | type squirrelmail_spool_t; | |
318 | files_tmp_file(squirrelmail_spool_t) | |
319 | ||
bb7170f6 | 320 | optional_policy(` |
321 | prelink_object_file(httpd_modules_t) |
322 | ') | |
323 | ||
324 | ######################################## |
325 | # | |
326 | # Apache server local policy | |
327 | # | |
328 | ||
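# Self rules for the main server domain.
#
# Capabilities: chown/setuid/setgid/kill/sys_nice are presumably what the
# root-started master needs to manage its workers and hand off to the web
# user -- confirm against actual AVC usage. dac_override lets the domain
# bypass DAC ownership checks, so file labelling rather than file ownership
# is the effective boundary for httpd_t; review periodically whether it is
# still required.
allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
# net_admin is probed but not needed, so keep it quiet. sys_tty_config used
# to be listed here as well, which was dead: it is already allowed above and
# a dontaudit only has an effect on a permission that is denied.
dontaudit httpd_t self:capability net_admin;

# Complement set: every self:process permission EXCEPT the ones listed.
# setrlimit and execmem/execstack are excluded here on purpose; they are
# granted only through the httpd_setrlimit and httpd_execmem tunables.
# ptrace, setcurrent/setexec/setfscreate and execheap are not granted here.
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
allow httpd_t self:fifo_file rw_fifo_file_perms;

# SysV IPC between the master and its workers (presumably scoreboard and
# mutexes -- confirm).
allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };

# Sockets: local IPC plus TCP/UDP endpoints. Which ports may be bound or
# connected to is decided by the corenet_* rules further down, several of
# them behind tunables.
allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;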
343 | |
344 | # Allow httpd_t to put files in /var/cache/httpd etc | |
345 | manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) |
346 | manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) | |
347 | manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) | |
3eaa9939 | 348 | files_var_filetrans(httpd_t, httpd_cache_t, { file dir }) |
349 | |
350 | # Allow the httpd_t to read the web servers config files | |
c0868a7a | 351 | allow httpd_t httpd_config_t:dir list_dir_perms; |
352 | read_files_pattern(httpd_t, httpd_config_t, httpd_config_t) |
353 | read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t) | |
354 | |
355 | can_exec(httpd_t, httpd_exec_t) | |
356 | ||
c0868a7a | 357 | allow httpd_t httpd_lock_t:file manage_file_perms; |
0bfccda4 | 358 | files_lock_filetrans(httpd_t, httpd_lock_t, file) |
a996bdf4 | 359 | |
c0868a7a | 360 | allow httpd_t httpd_log_t:dir setattr; |
361 | create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) |
362 | append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | |
363 | read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | |
364 | read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | |
365 | # cjp: need to refine create interfaces to |
366 | # cut this back to add_name only | |
0bfccda4 | 367 | logging_log_filetrans(httpd_t, httpd_log_t, file) |
a996bdf4 | 368 | |
c0868a7a | 369 | allow httpd_t httpd_modules_t:dir list_dir_perms; |
370 | mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) |
371 | read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) | |
60def66b | 372 | read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) |
a996bdf4 | 373 | |
374 | apache_domtrans_rotatelogs(httpd_t) |
375 | # Apache-httpd needs to be able to send signals to the log rotate procs. | |
376 | allow httpd_t httpd_rotatelogs_t:process signal_perms; | |
377 | ||
378 | manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) |
379 | manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) | |
380 | manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) | |
a996bdf4 | 381 | |
0b36a214 | 382 | allow httpd_t httpd_suexec_exec_t:file read_file_perms; |
725926c5 | 383 | |
c0868a7a | 384 | allow httpd_t httpd_sys_content_t:dir list_dir_perms; |
385 | read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) |
386 | read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) | |
3d37bca1 | 387 | |
388 | allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; |
389 | ||
390 | manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) |
391 | manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) | |
392 | manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) |
393 | files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file }) | |
a996bdf4 | 394 | |
395 | manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) |
396 | manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) | |
397 | manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) | |
398 | manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) | |
399 | manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) | |
20fa7032 | 400 | fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) |
a996bdf4 | 401 | |
402 | manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) |
403 | files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) | |
a996bdf4 | 404 | |
405 | setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) |
406 | manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) | |
407 | manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) |
408 | manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) | |
60def66b | 409 | files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir }) |
a996bdf4 | 410 | |
411 | manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) |
412 | manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) | |
413 | manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) | |
a996bdf4 | 414 | |
445522dc | 415 | kernel_read_kernel_sysctls(httpd_t) |
416 | # for modules that want to access /proc/meminfo |
417 | kernel_read_system_state(httpd_t) | |
3eaa9939 | 418 | kernel_search_network_sysctl(httpd_t) |
a996bdf4 | 419 | |
420 | corenet_all_recvfrom_unlabeled(httpd_t) |
421 | corenet_all_recvfrom_netlabel(httpd_t) | |
422 | corenet_tcp_sendrecv_generic_if(httpd_t) |
423 | corenet_udp_sendrecv_generic_if(httpd_t) | |
424 | corenet_tcp_sendrecv_generic_node(httpd_t) |
425 | corenet_udp_sendrecv_generic_node(httpd_t) | |
426 | corenet_tcp_sendrecv_all_ports(httpd_t) |
427 | corenet_udp_sendrecv_all_ports(httpd_t) | |
c1262146 | 428 | corenet_tcp_bind_generic_node(httpd_t) |
3eaa9939 | 429 | corenet_udp_bind_generic_node(httpd_t) |
430 | corenet_tcp_bind_http_port(httpd_t) |
431 | corenet_tcp_bind_http_cache_port(httpd_t) | |
3eaa9939 | 432 | corenet_tcp_bind_ntop_port(httpd_t) |
968ace93 | 433 | corenet_sendrecv_http_server_packets(httpd_t) |
434 | # Signal self for shutdown |
435 | corenet_tcp_connect_http_port(httpd_t) | |
436 | |
437 | dev_read_sysfs(httpd_t) | |
438 | dev_read_rand(httpd_t) | |
439 | dev_read_urand(httpd_t) | |
c2b18fa1 | 440 | dev_rw_crypto(httpd_t) |
441 | |
442 | fs_getattr_all_fs(httpd_t) | |
443 | fs_search_auto_mountpoints(httpd_t) | |
444 | fs_read_iso9660_files(httpd_t) |
445 | fs_read_anon_inodefs_files(httpd_t) | |
a996bdf4 | 446 | |
447 | auth_use_nsswitch(httpd_t) |
448 | ||
3eaa9939 | 449 | application_exec_all(httpd_t) |
a996bdf4 | 450 | |
15722ec9 | 451 | domain_use_interactive_fds(httpd_t) |
a996bdf4 | 452 | |
60def66b | 453 | files_dontaudit_getattr_all_pids(httpd_t) |
454 | files_read_usr_files(httpd_t) |
455 | files_list_mnt(httpd_t) | |
456 | files_search_spool(httpd_t) | |
457 | files_read_var_lib_files(httpd_t) | |
458 | files_search_home(httpd_t) | |
459 | files_getattr_home_dir(httpd_t) | |
460 | # for modules that want to access /etc/mtab | |
461 | files_read_etc_runtime_files(httpd_t) | |
462 | # Allow httpd_t to have access to files such as nsswitch.conf |
463 | files_read_etc_files(httpd_t) | |
464 | # for tomcat |
465 | files_read_var_lib_symlinks(httpd_t) | |
a996bdf4 | 466 | |
d6d16b97 | 467 | fs_search_auto_mountpoints(httpd_sys_script_t) |
468 | # php uploads a file to /tmp and then execs programs to act on them. Note: the filetrans below labels what the script creates in /tmp httpd_sys_rw_content_t, not httpd_tmp_t -- confirm that is intended. |
469 | manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) | |
470 | manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) | |
471 | files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file }) | |
d6d16b97 | 472 | |
1815bad1 | 473 | libs_read_lib_files(httpd_t) |
474 | |
475 | logging_send_syslog_msg(httpd_t) | |
476 | ||
477 | miscfiles_read_localization(httpd_t) | |
478 | miscfiles_read_fonts(httpd_t) | |
479 | miscfiles_read_public_files(httpd_t) |
480 | miscfiles_read_certs(httpd_t) | |
481 | |
482 | seutil_dontaudit_search_config(httpd_t) | |
483 | ||
103fe280 | 484 | userdom_use_unpriv_users_fds(httpd_t) |
a996bdf4 | 485 | |
486 | tunable_policy(`httpd_setrlimit',` |
487 | allow httpd_t self:process setrlimit; | |
488 | ') | |
489 | ||
490 | tunable_policy(`allow_httpd_anon_write',` |
491 | miscfiles_manage_public_files(httpd_t) | |
20fa7032 | 492 | ') |
6e99a6cf | 493 | |
494 | # |
495 | # We need optionals to be able to be within booleans to make this work | |
496 | # | |
497 | tunable_policy(`allow_httpd_mod_auth_pam',` | |
498 | auth_domtrans_chkpwd(httpd_t) |
499 | logging_send_audit_msgs(httpd_t) | |
500 | ') | |
501 | ||
502 | ## <desc> | |
503 | ## <p> | |
504 | ## Allow Apache to use mod_auth_ntlm_winbind (transition to the samba winbind helper) |
505 | ## </p> | |
506 | ## </desc> | |
507 | gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) | |
508 | optional_policy(` | |
509 | tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',` | |
510 | samba_domtrans_winbind_helper(httpd_t) | |
511 | ') |
512 | ') | |
513 | ||
6e99a6cf | 514 | tunable_policy(`httpd_can_network_connect',` |
6e99a6cf | 515 | corenet_tcp_connect_all_ports(httpd_t) |
516 | ') |
517 | ||
518 | tunable_policy(`httpd_can_network_relay',` |
519 | # allow httpd to work as a relay | |
520 | corenet_tcp_connect_gopher_port(httpd_t) | |
521 | corenet_tcp_connect_ftp_port(httpd_t) | |
522 | corenet_tcp_connect_http_port(httpd_t) | |
523 | corenet_tcp_connect_http_cache_port(httpd_t) | |
3eaa9939 | 524 | corenet_tcp_connect_squid_port(httpd_t) |
60def66b | 525 | corenet_tcp_connect_memcache_port(httpd_t) |
526 | corenet_sendrecv_gopher_client_packets(httpd_t) |
527 | corenet_sendrecv_ftp_client_packets(httpd_t) | |
528 | corenet_sendrecv_http_client_packets(httpd_t) | |
529 | corenet_sendrecv_http_cache_client_packets(httpd_t) | |
530 | corenet_sendrecv_squid_client_packets(httpd_t) |
531 | ') | |
532 | ||
533 | tunable_policy(`httpd_enable_cgi && httpd_unified',` | |
534 | allow httpd_sys_script_t httpd_sys_content_t:file entrypoint; | |
535 | filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) | |
536 | can_exec(httpd_sys_script_t, httpd_sys_content_t) | |
537 | ') |
538 | ||
539 | tunable_policy(`allow_httpd_sys_script_anon_write',` |
540 | miscfiles_manage_public_files(httpd_sys_script_t) | |
541 | ') | |
542 | ||
543 | tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` |
544 | fs_nfs_domtrans(httpd_t, httpd_sys_script_t) | |
545 | ') | |
546 | ||
547 | tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` | |
548 | fs_cifs_domtrans(httpd_t, httpd_sys_script_t) | |
549 | ') | |
550 | ||
6e99a6cf | 551 | tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` |
c0868a7a | 552 | domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) |
553 | filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) |
554 | manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) | |
555 | manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) | |
556 | manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) | |
6e99a6cf | 557 | |
558 | manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) |
559 | manage_files_pattern(httpd_t, httpdcontent, httpdcontent) | |
560 | manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent) | |
561 | ') |
562 | ||
563 | tunable_policy(`httpd_enable_ftp_server',` |
564 | corenet_tcp_bind_ftp_port(httpd_t) | |
565 | ') | |
566 | ||
e311e23a | 567 | tunable_policy(`httpd_enable_homedirs',` |
296273a7 | 568 | userdom_read_user_home_content_files(httpd_t) |
569 | ') |
570 | ||
571 | tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',` |
572 | can_exec(httpd_t, httpd_tmp_t) | |
573 | ') | |
574 | ||
575 | tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',` | |
576 | can_exec(httpd_sys_script_t, httpd_tmp_t) | |
577 | ') | |
578 | ||
579 | tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` |
580 | fs_read_nfs_files(httpd_t) | |
581 | fs_read_nfs_symlinks(httpd_t) | |
582 | ') | |
583 | ||
584 | tunable_policy(`httpd_use_nfs',` |
585 | fs_manage_nfs_dirs(httpd_t) | |
586 | fs_manage_nfs_files(httpd_t) | |
587 | fs_manage_nfs_symlinks(httpd_t) | |
588 | ') | |
589 | ||
590 | tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` |
591 | fs_read_cifs_files(httpd_t) | |
592 | fs_read_cifs_symlinks(httpd_t) | |
593 | ') | |
594 | ||
595 | tunable_policy(`httpd_can_sendmail',` |
596 | # allow httpd to connect to mail servers | |
597 | corenet_tcp_connect_smtp_port(httpd_t) | |
598 | corenet_sendrecv_smtp_client_packets(httpd_t) | |
599 | corenet_tcp_connect_pop_port(httpd_t) |
600 | corenet_sendrecv_pop_client_packets(httpd_t) | |
60def66b | 601 | mta_send_mail(httpd_t) |
602 | mta_signal_system_mail(httpd_t) |
603 | ') | |
604 | ||
605 | tunable_policy(`httpd_use_cifs',` | |
606 | fs_manage_cifs_dirs(httpd_t) | |
607 | fs_manage_cifs_files(httpd_t) | |
608 | fs_manage_cifs_symlinks(httpd_t) | |
609 | ') |
610 | ||
e749cd12 | 611 | tunable_policy(`httpd_ssi_exec',` |
3f67f722 | 612 | corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) |
613 | allow httpd_sys_script_t httpd_t:fd use; |
614 | allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms; | |
615 | allow httpd_sys_script_t httpd_t:process sigchld; | |
616 | ') | |
617 | ||
618 | # When the admin starts the server, the server wants to access |
619 | # the TTY or PTY associated with the session. The httpd appears | |
620 | # to run correctly without this permission, so unless the | |
20fa7032 | 621 | # httpd_tty_comm boolean is enabled the permissions are dontaudited here. |
6e99a6cf | 622 | tunable_policy(`httpd_tty_comm',` |
296273a7 | 623 | userdom_use_user_terminals(httpd_t) |
3eaa9939 | 624 | userdom_use_user_terminals(httpd_suexec_t) |
6e99a6cf | 625 | ',` |
296273a7 | 626 | userdom_dontaudit_use_user_terminals(httpd_t) |
3eaa9939 | 627 | userdom_dontaudit_use_user_terminals(httpd_suexec_t) |
628 | ') |
629 | ||
bb7170f6 | 630 | optional_policy(` |
631 | calamaris_read_www_files(httpd_t) |
632 | ') | |
633 | ||
634 | optional_policy(` |
635 | ccs_read_config(httpd_t) | |
636 | ') | |
637 | ||
1031ee6f | 638 | optional_policy(` |
639 | cobbler_list_config(httpd_t) |
640 | cobbler_read_config(httpd_t) | |
2968e068 | 641 | cobbler_read_lib_files(httpd_t) |
642 | |
643 | tunable_policy(`httpd_can_network_connect_cobbler',` | |
644 | corenet_tcp_connect_cobbler_port(httpd_t) | |
645 | ') | |
646 | ') |
647 | ||
648 | optional_policy(` |
649 | cron_system_entry(httpd_t, httpd_exec_t) | |
650 | ') | |
651 | ||
652 | optional_policy(` |
653 | cvs_read_data(httpd_t) | |
654 | ') | |
655 | ||
bb7170f6 | 656 | optional_policy(` |
657 | daemontools_service_domain(httpd_t, httpd_exec_t) |
658 | ') | |
659 | ||
3eaa9939 | 660 | optional_policy(` |
661 | dbus_system_bus_client(httpd_t) |
662 | ||
663 | tunable_policy(`httpd_dbus_avahi',` | |
664 | avahi_dbus_chat(httpd_t) | |
665 | ') | |
666 | ') | |
667 | ||
668 | optional_policy(` |
669 | gitosis_read_lib_files(httpd_t) | |
670 | ') | |
671 | ||
672 | optional_policy(` |
673 | tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` | |
3eaa9939 | 674 | gpg_domtrans_web(httpd_t) |
675 | ') |
676 | ') | |
677 | ||
bb7170f6 | 678 | optional_policy(` |
83caba3e | 679 | kerberos_keytab_template(httpd, httpd_t) |
680 | ') |
681 | ||
bb7170f6 | 682 | optional_policy(` |
683 | mailman_signal_cgi(httpd_t) |
684 | mailman_domtrans_cgi(httpd_t) | |
60def66b | 685 | mailman_read_data_files(httpd_t) |
799a0b43 | 686 | # should have separate types for public and private archives |
0500e01f | 687 | mailman_search_data(httpd_t) |
688 | mailman_read_archive(httpd_t) |
689 | ') | |
690 | ||
bb7170f6 | 691 | optional_policy(` |
0b6acad1 | 692 | # Allow httpd to work with mysql |
3eaa9939 | 693 | mysql_read_config(httpd_t) |
a996bdf4 | 694 | mysql_stream_connect(httpd_t) |
1815bad1 | 695 | mysql_rw_db_sockets(httpd_t) |
696 | |
697 | tunable_policy(`httpd_can_network_connect_db',` | |
dc1920b2 | 698 | mysql_tcp_connect(httpd_t) |
0b6acad1 | 699 | ') |
700 | ') |
701 | ||
702 | optional_policy(` |
703 | nagios_read_config(httpd_t) | |
3eaa9939 | 704 | nagios_read_log(httpd_t) |
705 | ') |
706 | ||
707 | optional_policy(` |
708 | openca_domtrans(httpd_t) | |
709 | openca_signal(httpd_t) | |
710 | openca_sigstop(httpd_t) | |
711 | openca_kill(httpd_t) | |
712 | ') | |
713 | ||
714 | optional_policy(` |
715 | rpc_search_nfs_state_data(httpd_t) | |
716 | ') | |
717 | ||
718 | tunable_policy(`httpd_execmem',` | |
719 | allow httpd_t self:process { execmem execstack }; | |
720 | allow httpd_sys_script_t self:process { execmem execstack }; | |
721 | allow httpd_suexec_t self:process { execmem execstack }; | |
722 | ') | |
723 | ||
bb7170f6 | 724 | optional_policy(` |
725926c5 | 725 | # Allow httpd to work with postgresql |
1815bad1 | 726 | postgresql_stream_connect(httpd_t) |
e8cb08ae | 727 | postgresql_unpriv_client(httpd_t) |
728 | |
729 | tunable_policy(`httpd_can_network_connect_db',` | |
730 | postgresql_tcp_connect(httpd_t) | |
3eaa9939 | 731 | postgresql_tcp_connect(httpd_sys_script_t) |
0b6acad1 | 732 | ') |
733 | ') |
734 | ||
bb7170f6 | 735 | optional_policy(` |
736 | seutil_sigchld_newrole(httpd_t) |
737 | ') | |
738 | ||
6b19be33 | 739 | optional_policy(` |
740 | smokeping_getattr_lib_files(httpd_t) |
741 | ') | |
742 | ||
743 | optional_policy(` | |
744 | files_dontaudit_rw_usr_dirs(httpd_t) | |
745 | snmp_dontaudit_read_snmp_var_lib_files(httpd_t) |
746 | snmp_dontaudit_write_snmp_var_lib_files(httpd_t) | |
747 | ') | |
748 | ||
bb7170f6 | 749 | optional_policy(` |
750 | udev_read_db(httpd_t) |
751 | ') | |
752 | ||
753 | optional_policy(` |
754 | yam_read_content(httpd_t) | |
755 | ') | |
756 | ||
757 | optional_policy(` |
758 | zarafa_stream_connect_server(httpd_t) | |
759 | ') | |
760 | ||
761 | ######################################## |
762 | # | |
763 | # Apache helper local policy | |
764 | # | |
765 | ||
c0868a7a | 766 | domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t) |
a996bdf4 | 767 | |
0b36a214 | 768 | allow httpd_helper_t httpd_config_t:file read_file_perms; |
a996bdf4 | 769 | |
0b36a214 | 770 | allow httpd_helper_t httpd_log_t:file append_file_perms; |
a996bdf4 | 771 | |
e749cd12 CP |
772 | logging_send_syslog_msg(httpd_helper_t) |
773 | ||
296273a7 | 774 | userdom_use_user_terminals(httpd_helper_t) |
aba9c7a3 | 775 | |
3eaa9939 DW |
776 | tunable_policy(`httpd_tty_comm',` |
777 | userdom_use_user_terminals(httpd_helper_t) | |
778 | ') | |
779 | ||
########################################
#
# Apache PHP script local policy
#
# httpd_php_t is entered from httpd_t via httpd_php_exec_t.
#

# NOTE(review): the complement form grants every process permission
# except those listed, so any permission added to the process class in
# future is granted here by default. The exclusions keep W^X intact
# (execmem/execstack/execheap), forbid debugging other processes
# (ptrace), raising limits (setrlimit) and changing security context
# (setcurrent/setexec/setfscreate). An explicit allow-list would be the
# more conservative choice.
allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_php_t self:fd use;
allow httpd_php_t self:fifo_file rw_fifo_file_perms;
allow httpd_php_t self:sock_file read_sock_file_perms;
allow httpd_php_t self:unix_dgram_socket create_socket_perms;
allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_php_t self:unix_dgram_socket sendto;
allow httpd_php_t self:unix_stream_socket connectto;
# SysV IPC with itself (shared memory, semaphores, message queues).
allow httpd_php_t self:shm create_shm_perms;
allow httpd_php_t self:sem create_sem_perms;
allow httpd_php_t self:msgq create_msgq_perms;
allow httpd_php_t self:msg { send receive };

domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)

# allow php to read and append to apache logfiles
# (append only: PHP cannot truncate or rewrite existing log content)
allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };

# Private temp files: new files/dirs created in /tmp get the
# httpd_php_tmp_t label so other httpd domains cannot reach them.
manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })

fs_search_auto_mountpoints(httpd_php_t)

auth_use_nsswitch(httpd_php_t)

# Allows executing files labeled as libraries; presumably needed for
# loadable extensions -- confirm it is still required.
libs_exec_lib_files(httpd_php_t)

userdom_use_unpriv_users_fds(httpd_php_t)

# NOTE(review): although placed in the PHP section, this block grants
# TCP database access to httpd_t, httpd_sys_script_t and httpd_suexec_t
# only; httpd_php_t is not included and reaches databases solely via
# the unix-socket rules below. Either move this block or add httpd_php_t
# if TCP access for it is intended.
tunable_policy(`httpd_can_network_connect_db',`
	corenet_tcp_connect_mysqld_port(httpd_t)
	corenet_sendrecv_mysqld_client_packets(httpd_t)
	corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
	corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
	corenet_tcp_connect_mysqld_port(httpd_suexec_t)
	corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)

	corenet_tcp_connect_mssql_port(httpd_t)
	corenet_sendrecv_mssql_client_packets(httpd_t)
	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
	corenet_tcp_connect_mssql_port(httpd_suexec_t)
	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
')

# Local database access over unix sockets is unconditional.
optional_policy(`
	mysql_stream_connect(httpd_php_t)
	mysql_read_config(httpd_php_t)
')

optional_policy(`
	postgresql_stream_connect(httpd_php_t)
')
839 | ||
########################################
#
# Apache suexec local policy
#
# httpd_suexec_t is the domain of the suexec wrapper, entered from
# httpd_t. It is privileged (setuid/setgid) and is the launch point for
# CGI scripts that run as a different user.
#

# Needed so suexec can switch to the target uid/gid before executing
# the CGI program.
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;

# Note: this transition is unconditional, not gated by httpd_enable_cgi.
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)

# suexec may create and append to httpd logs but never overwrite or
# truncate existing log content.
create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)

allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;

manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })

# Security note: can_exec() is execute *without* a domain transition. A
# system script launched this way keeps running in httpd_suexec_t (and
# so keeps this domain's permissions) instead of entering
# httpd_sys_script_t; the transitioning variant only exists in the
# httpd_unified block at the end of this section.
can_exec(httpd_suexec_t, httpd_sys_script_exec_t)

kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)

dev_read_urand(httpd_suexec_t)

fs_read_iso9660_files(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)

# suexec may run any application binary (interpreters for CGI); this is
# a broad grant -- confirm a narrower exec set is not sufficient.
application_exec_all(httpd_suexec_t)

files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)

auth_use_nsswitch(httpd_suexec_t)

logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)

miscfiles_read_localization(httpd_suexec_t)
miscfiles_read_public_files(httpd_suexec_t)

# With httpd_can_network_connect, suexec gets outbound TCP to *all*
# ports plus UDP, and accepts unlabeled traffic -- effectively
# unrestricted egress. Keep the boolean off unless CGI needs it.
tunable_policy(`httpd_can_network_connect',`
	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
	allow httpd_suexec_t self:udp_socket create_socket_perms;

	corenet_all_recvfrom_unlabeled(httpd_suexec_t)
	corenet_all_recvfrom_netlabel(httpd_suexec_t)
	corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
	corenet_udp_sendrecv_generic_if(httpd_suexec_t)
	corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
	corenet_udp_sendrecv_generic_node(httpd_suexec_t)
	corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
	corenet_tcp_connect_all_ports(httpd_suexec_t)
	corenet_sendrecv_all_client_packets(httpd_suexec_t)
')

# Read-only access to all three classes of user web content.
read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)

# Any httpd_sys_content_t file can serve as an entrypoint for the system
# script domain; this is unconditional (not gated by httpd_enable_cgi).
domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
# Security note: httpd_unified collapses the content/script separation.
# System scripts may then be entered from, and fully manage, every file
# in the httpdcontent attribute -- including their own entrypoints --
# so the integrity of the web root cannot be relied on while this
# boolean is enabled.
tunable_policy(`httpd_enable_cgi && httpd_unified',`
	allow httpd_sys_script_t httpdcontent:file entrypoint;
	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
	manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
	manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
	manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
	manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
')
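# Without httpd_unified, suexec may only enter the user script domain by
# executing files carrying that domain's entrypoint type.
# domtrans_pattern() takes (source domain, entrypoint file type, target
# domain); the file type is httpd_user_script_exec_t (see the header
# notes at the top of this file). The previous rule named the
# httpd_user_script_t domain itself as the file type, which labels no
# files, so the intended transition could never fire.
tunable_policy(`httpd_enable_cgi',`
	domtrans_pattern(httpd_suexec_t, httpd_user_script_exec_t, httpd_user_script_t)
')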
919 | ||
# Home directories on NFS/CIFS: because such mounts carry a single
# mount-wide label, these rules make *every* file on the mount readable
# and executable by suexec once both booleans are on.
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_read_nfs_files(httpd_suexec_t)
	fs_read_nfs_symlinks(httpd_suexec_t)
	fs_exec_nfs_files(httpd_suexec_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_read_cifs_files(httpd_suexec_t)
	fs_read_cifs_symlinks(httpd_suexec_t)
	fs_exec_cifs_files(httpd_suexec_t)
')

optional_policy(`
	mailman_domtrans_cgi(httpd_suexec_t)
')

optional_policy(`
	mta_stub(httpd_suexec_t)

	# apache should set close-on-exec
	# (the leaked socket is silenced rather than allowed, so suexec
	# still cannot use httpd's connection)
	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')

# Local MySQL access over unix sockets; TCP access is handled by the
# httpd_can_network_connect_db block in the PHP section.
optional_policy(`
	mysql_stream_connect(httpd_suexec_t)
	mysql_rw_db_sockets(httpd_suexec_t)
	mysql_read_config(httpd_suexec_t)
')
948 | ||
########################################
#
# Apache system script local policy
#
# httpd_sys_script_t is the domain for system (non-user) CGI scripts.
#

allow httpd_sys_script_t self:process getsched;

# Scripts inherit httpd's sockets (presumably the client connection)
# and may read/write them, but cannot create new ones here.
allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
allow httpd_sys_script_t httpd_t:tcp_socket { read write };

dontaudit httpd_sys_script_t httpd_config_t:dir search;

# SquirrelMail: append/read its data file, read-only access to its spool.
allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };

allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)

kernel_read_kernel_sysctls(httpd_sys_script_t)

files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)

# Append-only to any log descriptor inherited from httpd.
logging_inherit_append_all_logs(httpd_sys_script_t)

# Should we add a boolean?
# NOTE(review): yes. This is an unconditional transition into
# httpd_rotatelogs_t, which (see its section below) holds dac_override
# and full manage rights over httpd_log_t. A compromised system CGI can
# therefore rewrite or truncate the server's logs via rotatelogs;
# gating this behind a default-off boolean would be the safer default.
apache_domtrans_rotatelogs(httpd_sys_script_t)

auth_use_nsswitch(httpd_sys_script_t)

ifdef(`distro_redhat',`
	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')

tunable_policy(`httpd_can_sendmail',`
	mta_send_mail(httpd_sys_script_t)
')
986 | ||
# NOTE(review): this grants httpd_t, not httpd_sys_script_t, although it
# sits in the system-script section; either the domain or the placement
# looks off -- confirm which was intended.
optional_policy(`
	tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
		spamassassin_domtrans_client(httpd_t)
	')
')

# Security note: unconditionally makes every file on CIFS and NFS mounts
# a valid entrypoint for httpd_sys_script_t (these filesystems carry a
# single mount-wide label).
fs_cifs_entry_type(httpd_sys_script_t)
fs_read_iso9660_files(httpd_sys_script_t)
fs_nfs_entry_type(httpd_sys_script_t)

tunable_policy(`httpd_use_nfs',`
	fs_manage_nfs_dirs(httpd_sys_script_t)
	fs_manage_nfs_files(httpd_sys_script_t)
	fs_manage_nfs_symlinks(httpd_sys_script_t)
	fs_exec_nfs_files(httpd_sys_script_t)

	fs_manage_nfs_dirs(httpd_suexec_t)
	fs_manage_nfs_files(httpd_suexec_t)
	fs_manage_nfs_symlinks(httpd_suexec_t)
	fs_exec_nfs_files(httpd_suexec_t)
')

# Full network access for system CGI. Outbound: connect to all TCP ports
# and send/receive on all ports, plus acceptance of unlabeled traffic.
# NOTE(review): bind is granted on all nodes but no port name_bind is
# granted here, so listening presumably depends on rules elsewhere.
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
	allow httpd_sys_script_t self:udp_socket create_socket_perms;

	corenet_tcp_bind_all_nodes(httpd_sys_script_t)
	corenet_udp_bind_all_nodes(httpd_sys_script_t)
	corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
	corenet_all_recvfrom_netlabel(httpd_sys_script_t)
	corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
	corenet_udp_sendrecv_all_if(httpd_sys_script_t)
	corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
	corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
	corenet_tcp_connect_all_ports(httpd_sys_script_t)
	corenet_sendrecv_all_client_packets(httpd_sys_script_t)
')

tunable_policy(`httpd_enable_homedirs',`
	userdom_read_user_home_content_files(httpd_sys_script_t)
')

tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_read_nfs_files(httpd_sys_script_t)
	fs_read_nfs_symlinks(httpd_sys_script_t)
')

# NOTE(review): asymmetric with the httpd_use_nfs block above -- there
# httpd_sys_script_t also gets fs_exec_nfs_files, whereas here only
# httpd_suexec_t gets fs_exec_cifs_files. Confirm whether that is
# deliberate.
tunable_policy(`httpd_use_cifs',`
	fs_manage_cifs_dirs(httpd_sys_script_t)
	fs_manage_cifs_files(httpd_sys_script_t)
	fs_manage_cifs_symlinks(httpd_sys_script_t)
	fs_manage_cifs_dirs(httpd_suexec_t)
	fs_manage_cifs_files(httpd_suexec_t)
	fs_manage_cifs_symlinks(httpd_suexec_t)
	fs_exec_cifs_files(httpd_suexec_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_read_cifs_files(httpd_sys_script_t)
	fs_read_cifs_symlinks(httpd_sys_script_t)
')

optional_policy(`
	clamav_domtrans_clamscan(httpd_sys_script_t)
')

# Local database access over unix sockets (TCP is gated separately by
# httpd_can_network_connect_db).
optional_policy(`
	mysql_stream_connect(httpd_sys_script_t)
	mysql_rw_db_sockets(httpd_sys_script_t)
	mysql_read_config(httpd_sys_script_t)
')

optional_policy(`
	postgresql_stream_connect(httpd_sys_script_t)
')
1064 | ||
########################################
#
# httpd_rotatelogs local policy
#
# Domain for the rotatelogs helper. Reachable from httpd_sys_script_t
# via apache_domtrans_rotatelogs() in the system-script section.
#

# Security note: dac_override bypasses every DAC permission check on
# files, so this domain can touch httpd_log_t files regardless of
# owner/mode. Confirm it is really needed; dac_read_search or fixing
# log directory ownership may suffice.
allow httpd_rotatelogs_t self:capability dac_override;

# Full manage (create, write, rename, unlink) over httpd logs -- this is
# the domain that can legitimately rotate and remove log files.
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)

kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)

files_read_etc_files(httpd_rotatelogs_t)

logging_search_logs(httpd_rotatelogs_t)

miscfiles_read_localization(httpd_rotatelogs_t)
########################################
#
# Unconfined script local policy
#
# Security note: this is a deliberate escape hatch. Any file labeled
# httpd_unconfined_script_exec_t that httpd_t executes runs as an
# unconfined SELinux domain, and the transition is unconditional (not
# gated by httpd_enable_cgi or any other boolean). Relabel rights to
# httpd_unconfined_script_exec_t are therefore equivalent to an
# unconfined execution path from the web server; keep such relabeling
# restricted to administrators. Only compiled in when the unconfined
# module is present.
#

optional_policy(`
	type httpd_unconfined_script_t;
	type httpd_unconfined_script_exec_t;
	domain_type(httpd_unconfined_script_t)
	domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
	domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
	unconfined_domain(httpd_unconfined_script_t)

	role system_r types httpd_unconfined_script_t;
	# httpd may only signal the unconfined script, not otherwise control it.
	allow httpd_t httpd_unconfined_script_t:process signal_perms;
')
1100 | ||
########################################
#
# User content local policy
#

# Security note: with httpd_unified, user scripts may be entered from
# *any* httpdcontent file (system content included) and may fully
# manage user content and user ra-content. httpd_user_rw_content_t is
# not listed here; presumably its write access is granted elsewhere.
tunable_policy(`httpd_enable_cgi && httpd_unified',`
	allow httpd_user_script_t httpdcontent:file entrypoint;
	manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
	manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
	manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
	manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
')

# allow accessing files/dirs below the users home dir
# (search only: traversal to web content under ~, not read access)
tunable_policy(`httpd_enable_homedirs',`
	userdom_search_user_home_content(httpd_t)
	userdom_search_user_home_content(httpd_suexec_t)
	userdom_search_user_home_content(httpd_user_script_t)
')

# Reading arbitrary (non-web-labeled) home content is a separate,
# broader grant controlled by httpd_read_user_content.
tunable_policy(`httpd_read_user_content',`
	userdom_read_user_home_content_files(httpd_user_script_t)
	userdom_read_user_home_content_files(httpd_suexec_t)
')

# httpd_t itself only gets that access when built-in scripting (mod_php
# and friends running inside httpd_t) is also enabled.
tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',`
	userdom_read_user_home_content_files(httpd_t)
')

# Removal of fastcgi, will cause problems without the following
# Compatibility aliases: files still labeled with the old fastcgi types
# are treated as the corresponding system (sys) types.
typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;