policy_module(apache, 1.10.0)

#
# NOTES:
# This policy will work with SUEXEC enabled as part of the Apache
# configuration. However, the user CGI scripts will run under the
# system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
# creating user.
#
# The user CGI scripts must be labeled with the httpd_$1_script_exec_t
# type, and the directory containing the scripts should also be labeled
# with these types. This policy allows the user_r role to perform that
# relabeling. If it is desired that only sysadm_r should be able to relabel
# the user CGI scripts, then the relabel rule for user_r should be removed.
# (The per-user script domains and the relabel rule live in the
# apache_content_template / apache.if interfaces, not in this file.)
#

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow Apache to modify public files
## used for public file transfer services. Directories/Files must
## be labeled public_content_rw_t.
## </p>
## </desc>
gen_tunable(allow_httpd_anon_write,false)

## <desc>
## <p>
## Allow Apache to use mod_auth_pam
## </p>
## </desc>
gen_tunable(allow_httpd_mod_auth_pam,false)
# NOTE(review): within this file the only reference to this tunable is
# inside an ifdef(`TODO') block in the httpd_t policy, so unless TODO is
# defined at build time the boolean has no effect here.

## <desc>
## <p>
## Allow httpd to use built in scripting (usually php)
## </p>
## </desc>
gen_tunable(httpd_builtin_scripting,false)
# In this file this tunable is only consulted together with
# httpd_enable_cgi and httpd_unified (see the httpd_t tunable blocks).

## <desc>
## <p>
## Allow HTTPD scripts and modules to connect to the network using TCP.
## </p>
## </desc>
gen_tunable(httpd_can_network_connect,false)
# Grants corenet_tcp_connect_all_ports to httpd_t and httpd_suexec_t:
# outbound TCP to any port, not to a particular service.

## <desc>
## <p>
## Allow HTTPD scripts and modules to connect to databases over the network.
## </p>
## </desc>
gen_tunable(httpd_can_network_connect_db, false)
# Narrower than httpd_can_network_connect: only the mysqld port and the
# postgresql TCP interface, inside the respective optional_policy blocks.

## <desc>
## <p>
## Allow httpd to act as a relay
## </p>
## </desc>
gen_tunable(httpd_can_network_relay, false)
# Outbound connect to the gopher, ftp, http and http_cache ports only.

## <desc>
## <p>
## Allow httpd cgi support
## </p>
## </desc>
gen_tunable(httpd_enable_cgi,false)

## <desc>
## <p>
## Allow httpd to act as a FTP server by
## listening on the ftp port.
## </p>
## </desc>
gen_tunable(httpd_enable_ftp_server,false)

## <desc>
## <p>
## Allow httpd to read home directories
## </p>
## </desc>
gen_tunable(httpd_enable_homedirs,false)
# Read-only access to unprivileged users' home content for httpd_t,
# httpd_suexec_t and httpd_sys_script_t; homes on NFS/CIFS additionally
# require use_nfs_home_dirs / use_samba_home_dirs.

## <desc>
## <p>
## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
## </p>
## </desc>
gen_tunable(httpd_ssi_exec,false)

## <desc>
## <p>
## Allow HTTPD to communicate with the terminal.
## Needed for entering the passphrase for certificates at
## the terminal.
## </p>
## </desc>
gen_tunable(httpd_tty_comm,false)

## <desc>
## <p>
## Unify HTTPD handling of all content files.
## When set together with httpd_enable_cgi (and, for httpd_t itself,
## httpd_builtin_scripting), the server and suexec may execute any
## httpdcontent file as a system CGI script, and httpd_t additionally
## gets full manage access to all httpdcontent.
## </p>
## </desc>
gen_tunable(httpd_unified,false)

# All web content types (system and per-user) carry this attribute; the
# httpd_unified tunable blocks below grant access to the attribute as a whole.
attribute httpdcontent;
attribute httpd_user_content_type;

# domains that can exec all users scripts
attribute httpd_exec_scripts;

attribute httpd_script_exec_type;
attribute httpd_user_script_exec_type;

# user script domains
attribute httpd_script_domains;

# Main server domain, entered from init via httpd_exec_t.
type httpd_t;
type httpd_exec_t;
init_daemon_domain(httpd_t,httpd_exec_t)
role system_r types httpd_t;

# httpd_cache_t is the type given to the /var/cache/httpd
# directory and the files under that directory
type httpd_cache_t;
files_type(httpd_cache_t)

# httpd_config_t is the type given to the configuration files
type httpd_config_t;
files_type(httpd_config_t)

# Helper domain; httpd_t transitions into it through httpd_helper_exec_t
# (domtrans_pattern in the helper section), so it is a plain domain_type
# rather than an init daemon domain.
type httpd_helper_t;
type httpd_helper_exec_t;
domain_type(httpd_helper_t)
domain_entry_file(httpd_helper_t,httpd_helper_exec_t)
role system_r types httpd_helper_t;

type httpd_lock_t;
files_lock_file(httpd_lock_t)

type httpd_log_t;
logging_log_file(httpd_log_t)

# httpd_modules_t is the type given to module files (libraries)
# that come with Apache /etc/httpd/modules and /usr/lib/apache
type httpd_modules_t;
files_type(httpd_modules_t)

# PHP domain, entered from httpd_t via httpd_php_exec_t (see PHP section).
type httpd_php_t;
type httpd_php_exec_t;
domain_type(httpd_php_t)
domain_entry_file(httpd_php_t,httpd_php_exec_t)
role system_r types httpd_php_t;

type httpd_php_tmp_t;
files_tmp_file(httpd_php_tmp_t)

# Log rotation helper.  Unlike the other helper domains it is declared as an
# init daemon domain; httpd_t and httpd_sys_script_t also transition to it
# through apache_domtrans_rotatelogs.
type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)

type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)

# SUEXEC runs user scripts as their own user ID
type httpd_suexec_t;
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t,httpd_suexec_exec_t)
role system_r types httpd_suexec_t;

type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)

# setup the system domain for system CGI scripts
# (the template is defined in apache.if; it presumably declares the
# httpd_sys_content_t, httpd_sys_script_t and httpd_sys_script_exec_t
# types that are used further down in this file)
apache_content_template(sys)

type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)

type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)

# for apache2 memory mapped files
type httpd_var_lib_t;
files_type(httpd_var_lib_t)

type httpd_var_run_t;
files_pid_file(httpd_var_run_t)

# File Type of squirrelmail attachments
type squirrelmail_spool_t;
files_tmp_file(squirrelmail_spool_t)

# Let prelink rewrite the module libraries when the prelink module is present.
optional_policy(`
	prelink_object_file(httpd_modules_t)
')

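########################################
#
# Apache server local policy
#

# Capabilities for the server process.  CAP_DAC_OVERRIDE bypasses file mode
# bits on any file type httpd_t is otherwise allowed to reach, and
# setuid/setgid let the process change credentials; do not extend this set
# without a specific need.
allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
# sys_tty_config is already granted above, so dontauditing it was dead;
# only net_admin denials are silenced here.
dontaudit httpd_t self:capability net_admin;
# Complement set: every process permission except the listed ones, i.e. no
# ptrace, no changing its own security context (setcurrent/setexec/
# setfscreate), no setrlimit and no writable+executable memory
# (execmem/execstack/execheap).
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
allow httpd_t self:fifo_file rw_fifo_file_perms;
# SysV IPC between server processes (presumably scoreboard/mutexes).
allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
# Socket creation is unconditional for httpd_t; which ports it may bind or
# connect to is decided by the corenet_* rules and tunables below.  (By
# contrast httpd_suexec_t only gets tcp/udp sockets under
# httpd_can_network_connect.)
allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;
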
# Allow httpd_t to put files in /var/cache/httpd etc
manage_dirs_pattern(httpd_t,httpd_cache_t,httpd_cache_t)
manage_files_pattern(httpd_t,httpd_cache_t,httpd_cache_t)
manage_lnk_files_pattern(httpd_t,httpd_cache_t,httpd_cache_t)

# Allow the httpd_t to read the web servers config files.
# Read-only: nothing in this section grants write on httpd_config_t.
allow httpd_t httpd_config_t:dir list_dir_perms;
read_files_pattern(httpd_t,httpd_config_t,httpd_config_t)
read_lnk_files_pattern(httpd_t,httpd_config_t,httpd_config_t)

# Re-execute the server binary without a domain transition
# (presumably for restart).
can_exec(httpd_t, httpd_exec_t)

allow httpd_t httpd_lock_t:file manage_file_perms;
files_lock_filetrans(httpd_t,httpd_lock_t,file)

# Log files: only create/append/read patterns are used for httpd_t, so
# (assuming the *_files_pattern macros grant what their names say) the
# server cannot rewrite, rename or unlink existing logs.  Full manage
# access over httpd_log_t is reserved to httpd_rotatelogs_t, see below.
allow httpd_t httpd_log_t:dir setattr;
create_files_pattern(httpd_t,httpd_log_t,httpd_log_t)
append_files_pattern(httpd_t,httpd_log_t,httpd_log_t)
read_files_pattern(httpd_t,httpd_log_t,httpd_log_t)
read_lnk_files_pattern(httpd_t,httpd_log_t,httpd_log_t)
# cjp: need to refine create interfaces to
# cut this back to add_name only
logging_log_filetrans(httpd_t,httpd_log_t,file)

# Modules: read and map (shared-object loading); no write on
# httpd_modules_t is granted to httpd_t, so it cannot replace its own modules.
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)

apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
allow httpd_t httpd_rotatelogs_t:process signal_perms;

manage_dirs_pattern(httpd_t,httpd_squirrelmail_t,httpd_squirrelmail_t)
manage_files_pattern(httpd_t,httpd_squirrelmail_t,httpd_squirrelmail_t)
manage_lnk_files_pattern(httpd_t,httpd_squirrelmail_t,httpd_squirrelmail_t)

# Only getattr/read on the suexec binary here; the actual execution and
# transition is the domtrans_pattern in the suexec section.
allow httpd_t httpd_suexec_exec_t:file { getattr read };

# System web content is read-only for httpd_t; write access to content
# exists only under the httpd_unified tunable block below.
allow httpd_t httpd_sys_content_t:dir list_dir_perms;
read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)

manage_dirs_pattern(httpd_t,httpd_tmp_t,httpd_tmp_t)
manage_files_pattern(httpd_t,httpd_tmp_t,httpd_tmp_t)
files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir })

manage_dirs_pattern(httpd_t,httpd_tmpfs_t,httpd_tmpfs_t)
manage_files_pattern(httpd_t,httpd_tmpfs_t,httpd_tmpfs_t)
manage_lnk_files_pattern(httpd_t,httpd_tmpfs_t,httpd_tmpfs_t)
manage_fifo_files_pattern(httpd_t,httpd_tmpfs_t,httpd_tmpfs_t)
manage_sock_files_pattern(httpd_t,httpd_tmpfs_t,httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })

manage_files_pattern(httpd_t,httpd_var_lib_t,httpd_var_lib_t)
files_var_lib_filetrans(httpd_t,httpd_var_lib_t,file)

# PID file and local sockets under /var/run.
manage_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
manage_sock_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
files_pid_filetrans(httpd_t,httpd_var_run_t, { file sock_file })

manage_dirs_pattern(httpd_t,squirrelmail_spool_t,squirrelmail_spool_t)
manage_files_pattern(httpd_t,squirrelmail_spool_t,squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t,squirrelmail_spool_t,squirrelmail_spool_t)

kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)

# Networking.  Send/receive is allowed on all interfaces, nodes and ports,
# but the only listeners granted unconditionally are the http and
# http_cache ports (ftp is behind httpd_enable_ftp_server), and the only
# unconditional outbound connect is to the http port; everything else is
# gated by httpd_can_network_connect / httpd_can_network_relay below.
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
corenet_tcp_sendrecv_all_if(httpd_t)
corenet_udp_sendrecv_all_if(httpd_t)
corenet_tcp_sendrecv_all_nodes(httpd_t)
corenet_udp_sendrecv_all_nodes(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_all_nodes(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
# Signal self for shutdown
# (original comment; presumably the server connecting to its own HTTP
# listener during shutdown/restart - verify before removing)
corenet_tcp_connect_http_port(httpd_t)

dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
dev_read_urand(httpd_t)
dev_rw_crypto(httpd_t)

fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)

auth_use_nsswitch(httpd_t)

# execute perl
# NOTE(review): these run generic bin_t/shell binaries inside httpd_t
# itself (no transition), so anything launched this way keeps the full
# server privilege set.
corecmd_exec_bin(httpd_t)
corecmd_exec_shell(httpd_t)

domain_use_interactive_fds(httpd_t)

files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
# for modules that want to access /etc/mtab
files_read_etc_runtime_files(httpd_t)
# Allow httpd_t to have access to files such as nsswitch.conf
files_read_etc_files(httpd_t)
# for tomcat
files_read_var_lib_symlinks(httpd_t)

# NOTE(review): this rule targets httpd_sys_script_t, not httpd_t; it sits
# in the server section but belongs with the system script policy below.
fs_search_auto_mountpoints(httpd_sys_script_t)

libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
libs_read_lib_files(httpd_t)

logging_send_syslog_msg(httpd_t)

miscfiles_read_localization(httpd_t)
miscfiles_read_fonts(httpd_t)
miscfiles_read_public_files(httpd_t)
# Read-only access to certificates (private keys included, if they are
# labeled as cert files) - needed for TLS.
miscfiles_read_certs(httpd_t)

seutil_dontaudit_search_config(httpd_t)

userdom_use_unpriv_users_fds(httpd_t)

mta_send_mail(httpd_t)

# Write access to public_content_rw_t (see tunable description).
tunable_policy(`allow_httpd_anon_write',`
	miscfiles_manage_public_files(httpd_t)
')

# NOTE(review): unless TODO is defined at build time this whole block is
# dropped by m4, so allow_httpd_mod_auth_pam currently does nothing here.
ifdef(`TODO', `
#
# We need optionals to be able to be within booleans to make this work
#
tunable_policy(`allow_httpd_mod_auth_pam',`
	auth_domtrans_chk_passwd(httpd_t)
')
')

# Outbound TCP to any port - the broadest network tunable in this file.
tunable_policy(`httpd_can_network_connect',`
	corenet_tcp_connect_all_ports(httpd_t)
')

tunable_policy(`httpd_can_network_relay',`
	# allow httpd to work as a relay
	# (outbound to gopher/ftp/http/http_cache ports only)
	corenet_tcp_connect_gopher_port(httpd_t)
	corenet_tcp_connect_ftp_port(httpd_t)
	corenet_tcp_connect_http_port(httpd_t)
	corenet_tcp_connect_http_cache_port(httpd_t)
	corenet_sendrecv_gopher_client_packets(httpd_t)
	corenet_sendrecv_ftp_client_packets(httpd_t)
	corenet_sendrecv_http_client_packets(httpd_t)
	corenet_sendrecv_http_cache_client_packets(httpd_t)
')

# "Unified" mode.  With all three booleans on, httpd_t can both write any
# httpdcontent file and execute it as httpd_sys_script_t, so the
# write/execute separation between content and scripts is gone: a
# compromised server process or module can drop a script and run it.
# Keep this off unless that trade-off is understood.
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)

	manage_dirs_pattern(httpd_t,httpdcontent,httpdcontent)
	manage_files_pattern(httpd_t,httpdcontent,httpdcontent)
	manage_lnk_files_pattern(httpd_t,httpdcontent,httpdcontent)
')

tunable_policy(`httpd_enable_ftp_server',`
	corenet_tcp_bind_ftp_port(httpd_t)
')

# Home directory access is read-only in all three variants.
tunable_policy(`httpd_enable_homedirs',`
	userdom_read_unpriv_users_home_content_files(httpd_t)
')

tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_read_nfs_files(httpd_t)
	fs_read_nfs_symlinks(httpd_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_read_cifs_files(httpd_t)
	fs_read_cifs_symlinks(httpd_t)
')

# Shells spawned by httpd_t transition to httpd_sys_script_t (per the
# tunable description, for SSI exec) instead of staying in httpd_t; the
# allow rules let the child use the server's fds and pipes and report exit.
tunable_policy(`httpd_ssi_exec',`
	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
	allow httpd_sys_script_t httpd_t:fd use;
	# NOTE(review): the rest of this file uses rw_fifo_file_perms for
	# fifo_file (e.g. the httpd_t and httpd_php_t self rules); confirm the
	# two sets are equivalent in this policy version before unifying.
	allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
	allow httpd_sys_script_t httpd_t:process sigchld;
')

# When the admin starts the server, the server wants to access
# the TTY or PTY associated with the session. The httpd appears
# to run correctly without this permission, so when the tunable is
# off the denial is dontaudited in the else branch instead.
tunable_policy(`httpd_tty_comm',`
	# cjp: this is redundant:
	term_use_controlling_term(httpd_t)

	sysadm_use_terms(httpd_t)
',`
	sysadm_dontaudit_use_terms(httpd_t)
')

optional_policy(`
	calamaris_read_www_files(httpd_t)
')

# Let a system cron job start the server binary and land in httpd_t
# (per the interface name).
optional_policy(`
	cron_system_entry(httpd_t, httpd_exec_t)
')

optional_policy(`
	daemontools_service_domain(httpd_t, httpd_exec_t)
')

optional_policy(`
	kerberos_use(httpd_t)
	kerberos_read_kdc_config(httpd_t)
')

# Mailman CGIs run in their own domain; httpd_t may start and signal them.
optional_policy(`
	mailman_signal_cgi(httpd_t)
	mailman_domtrans_cgi(httpd_t)
	# should have separate types for public and private archives
	mailman_search_data(httpd_t)
	mailman_read_archive(httpd_t)
')

optional_policy(`
	# Allow httpd to work with mysql
	# Unix-socket access is unconditional; TCP to mysqld only with
	# httpd_can_network_connect_db.
	mysql_stream_connect(httpd_t)
	mysql_rw_db_sockets(httpd_t)

	tunable_policy(`httpd_can_network_connect_db',`
		corenet_tcp_connect_mysqld_port(httpd_t)
		corenet_sendrecv_mysqld_client_packets(httpd_t)
	')
')

optional_policy(`
	nagios_read_config(httpd_t)
	nagios_domtrans_cgi(httpd_t)
')

# openca: start its domain and send it signal/sigstop/kill.
optional_policy(`
	openca_domtrans(httpd_t)
	openca_signal(httpd_t)
	openca_sigstop(httpd_t)
	openca_kill(httpd_t)
')

optional_policy(`
	# Allow httpd to work with postgresql
	# Same split as mysql: local socket always, TCP behind the db tunable.
	postgresql_stream_connect(httpd_t)
	postgresql_unpriv_client(httpd_t)

	tunable_policy(`httpd_can_network_connect_db',`
		postgresql_tcp_connect(httpd_t)
	')
')

optional_policy(`
	seutil_sigchld_newrole(httpd_t)
')

# Silence snmp var_lib accesses rather than grant them.
optional_policy(`
	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')

optional_policy(`
	udev_read_db(httpd_t)
')

optional_policy(`
	yam_read_content(httpd_t)
')

########################################
#
# Apache helper local policy
#

domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)

# Read the server configuration.  NOTE(review): unlike httpd_t above, no
# search/list on httpd_config_t directories is granted here, so the helper
# can only reach config files through paths it can otherwise traverse
# (or inherited fds) - confirm this is intended.
allow httpd_helper_t httpd_config_t:file { getattr read };

# Append-only on the log files; no create, read or write.
allow httpd_helper_t httpd_log_t:file append;

libs_use_ld_so(httpd_helper_t)
libs_use_shared_libs(httpd_helper_t)

logging_send_syslog_msg(httpd_helper_t)

# Terminal access follows the same tunable as the server (passphrase entry).
tunable_policy(`httpd_tty_comm',`
	sysadm_use_terms(httpd_helper_t)
')

########################################
#
# Apache PHP script local policy
#

# Same complement set as httpd_t: no ptrace, no context changes, no
# setrlimit, no writable+executable memory.
allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_php_t self:fd use;
allow httpd_php_t self:fifo_file rw_fifo_file_perms;
allow httpd_php_t self:sock_file read_sock_file_perms;
# Local sockets only: no tcp_socket/udp_socket rule and no corenet_* call
# appears in this section, so httpd_php_t gets no network access from this
# file (database access below is via unix sockets).
allow httpd_php_t self:unix_dgram_socket create_socket_perms;
allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_php_t self:unix_dgram_socket sendto;
allow httpd_php_t self:unix_stream_socket connectto;
allow httpd_php_t self:shm create_shm_perms;
allow httpd_php_t self:sem create_sem_perms;
allow httpd_php_t self:msgq create_msgq_perms;
allow httpd_php_t self:msg { send receive };

domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)

# allow php to read and append to apache logfiles
allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };

manage_dirs_pattern(httpd_php_t,httpd_php_tmp_t,httpd_php_tmp_t)
manage_files_pattern(httpd_php_t,httpd_php_tmp_t,httpd_php_tmp_t)
files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })

fs_search_auto_mountpoints(httpd_php_t)

# Execute files of the library types in httpd_php_t itself (per the
# interface name, no transition) - presumably for PHP extensions.
libs_exec_lib_files(httpd_php_t)
libs_use_ld_so(httpd_php_t)
libs_use_shared_libs(httpd_php_t)

userdom_use_unpriv_users_fds(httpd_php_t)

optional_policy(`
	mysql_stream_connect(httpd_php_t)
')

optional_policy(`
	nis_use_ypbind(httpd_php_t)
')

optional_policy(`
	postgresql_stream_connect(httpd_php_t)
')

########################################
#
# Apache suexec local policy
#

# Only the two capabilities needed to switch to the target user; notably
# no dac_override, so DAC mode bits still apply to the scripts it runs.
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;

domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)

# Log access mirrors httpd_t: create/append/read, no write or unlink.
create_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)
append_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)
read_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)

# Pipes inherited from the server: getattr only.
allow httpd_suexec_t httpd_t:fifo_file getattr;

manage_dirs_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })

kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)

dev_read_urand(httpd_suexec_t)

fs_search_auto_mountpoints(httpd_suexec_t)

# for shell scripts
# (executed in httpd_suexec_t itself; only httpdcontent under
# httpd_unified below transitions to httpd_sys_script_t)
corecmd_exec_bin(httpd_suexec_t)
corecmd_exec_shell(httpd_suexec_t)

files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)

auth_use_nsswitch(httpd_suexec_t)

libs_use_ld_so(httpd_suexec_t)
libs_use_shared_libs(httpd_suexec_t)

logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)

miscfiles_read_localization(httpd_suexec_t)

# Unlike httpd_t, suexec gets no network sockets at all unless this
# tunable is on; then it gets the full sendrecv set plus connect to any port.
tunable_policy(`httpd_can_network_connect',`
	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
	allow httpd_suexec_t self:udp_socket create_socket_perms;

	corenet_all_recvfrom_unlabeled(httpd_suexec_t)
	corenet_all_recvfrom_netlabel(httpd_suexec_t)
	corenet_tcp_sendrecv_all_if(httpd_suexec_t)
	corenet_udp_sendrecv_all_if(httpd_suexec_t)
	corenet_tcp_sendrecv_all_nodes(httpd_suexec_t)
	corenet_udp_sendrecv_all_nodes(httpd_suexec_t)
	corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
	corenet_tcp_connect_all_ports(httpd_suexec_t)
	corenet_sendrecv_all_client_packets(httpd_suexec_t)
')

# Unified mode for suexec: any httpdcontent file becomes an entry point
# into httpd_sys_script_t, not just httpd_sys_script_exec_t.
tunable_policy(`httpd_enable_cgi && httpd_unified',`
	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')

tunable_policy(`httpd_enable_homedirs',`
	userdom_read_unpriv_users_home_content_files(httpd_suexec_t)
')

# On NFS/CIFS homes suexec may also execute files (in its own domain, per
# the interface names), which httpd_t and httpd_sys_script_t do not get.
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_read_nfs_files(httpd_suexec_t)
	fs_read_nfs_symlinks(httpd_suexec_t)
	fs_exec_nfs_files(httpd_suexec_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_read_cifs_files(httpd_suexec_t)
	fs_read_cifs_symlinks(httpd_suexec_t)
	fs_exec_cifs_files(httpd_suexec_t)
')

optional_policy(`
	mailman_domtrans_cgi(httpd_suexec_t)
')

optional_policy(`
	mta_stub(httpd_suexec_t)

	# apache should set close-on-exec
	# NOTE(review): this dontaudit concerns the server's own socket, not
	# the MTA; it is only in effect when the mta module is present.
	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')

optional_policy(`
	nagios_domtrans_cgi(httpd_suexec_t)
')

########################################
#
# Apache system script local policy
#
# The bulk of httpd_sys_script_t's rules come from apache_content_template(sys)
# in apache.if; only the additions specific to the system domain are here.
#

# Read/write on the server's TCP socket (presumably the inherited client
# connection used as the CGI's stdin/stdout).
allow httpd_sys_script_t httpd_t:tcp_socket { read write };

# Scripts are not meant to read the server configuration; silence the denial.
dontaudit httpd_sys_script_t httpd_config_t:dir search;

allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };

allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
read_lnk_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)

kernel_read_kernel_sysctls(httpd_sys_script_t)

files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)

# Should we add a boolean?
# NOTE(review): httpd_rotatelogs_t has full manage access to httpd_log_t
# (see its section), so this gives a system CGI script an indirect path to
# the log files; the boolean question above still stands.
apache_domtrans_rotatelogs(httpd_sys_script_t)

ifdef(`distro_redhat',`
	allow httpd_sys_script_t httpd_log_t:file { getattr append };
')

tunable_policy(`httpd_enable_homedirs',`
	userdom_read_unpriv_users_home_content_files(httpd_sys_script_t)
')

tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_read_nfs_files(httpd_sys_script_t)
	fs_read_nfs_symlinks(httpd_sys_script_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_read_cifs_files(httpd_sys_script_t)
	fs_read_cifs_symlinks(httpd_sys_script_t)
')

optional_policy(`
	clamav_domtrans_clamscan(httpd_sys_script_t)
')

# Database access from system scripts is unix-socket only; there is no
# httpd_can_network_connect_db block for this domain.
optional_policy(`
	mysql_stream_connect(httpd_sys_script_t)
	mysql_rw_db_sockets(httpd_sys_script_t)
')

optional_policy(`
	postgresql_stream_connect(httpd_sys_script_t)
')

########################################
#
# httpd_rotatelogs local policy
#

# This is the only domain in this file with full manage access over
# httpd_log_t (httpd_t, httpd_suexec_t and httpd_helper_t are limited to
# create/append/read).  Log integrity therefore depends on keeping the set
# of domains that may enter httpd_rotatelogs_t small.
manage_files_pattern(httpd_rotatelogs_t,httpd_log_t,httpd_log_t)

kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)

files_read_etc_files(httpd_rotatelogs_t)

libs_use_ld_so(httpd_rotatelogs_t)
libs_use_shared_libs(httpd_rotatelogs_t)

logging_search_logs(httpd_rotatelogs_t)

miscfiles_read_localization(httpd_rotatelogs_t)