1 ## <summary>Apache web server</summary>
3 ########################################
5 ## Create a set of derived types for apache
8 ## <param name="prefix">
10 ## The prefix to be used for deriving type names.
14 template(`apache_content_template',`
# Derives the per-prefix web content types for $1 (read-only content,
# .htaccess, rw and ra content, script executables) and the CGI domain
# httpd_$1_script_t, together with the rules that let httpd_t,
# httpd_suexec_t and the script domain itself use them.
16 attribute httpd_exec_scripts;
17 attribute httpd_script_exec_type;
18 type httpd_t, httpd_suexec_t, httpd_log_t;
19 type httpd_sys_content_t;
22 #This type is for webpages
23 type httpd_$1_content_t; # customizable;
24 typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
25 files_type(httpd_$1_content_t)
27 # This type is used for .htaccess files
28 type httpd_$1_htaccess_t; # customizable;
29 files_type(httpd_$1_htaccess_t)
31 # Type that CGI scripts run as
32 type httpd_$1_script_t;
33 domain_type(httpd_$1_script_t)
# The script domain is always placed in system_r, whichever role the
# web server or the invoking user runs under.
34 role system_r types httpd_$1_script_t;
36 search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)
38 # This type is used for executable scripts files
39 type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
# Shells are entry points into the script domain as well, not only
# files of type httpd_$1_script_exec_t.
40 corecmd_shell_entry_type(httpd_$1_script_t)
41 domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
# rw content: fully managed by the script domain (see the manage_* calls below).
43 type httpd_$1_rw_content_t; # customizable
44 typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
45 files_type(httpd_$1_rw_content_t)
# ra content: the script domain may read and append but not overwrite or delete.
47 type httpd_$1_ra_content_t; # customizable
48 typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
49 files_type(httpd_$1_ra_content_t)
51 read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
# suexec transitions into the script domain unconditionally; the same
# transition for httpd_t itself appears under the httpd_enable_cgi tunable below.
53 domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
55 allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
56 allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
58 allow httpd_$1_script_t self:fifo_file rw_file_perms;
59 allow httpd_$1_script_t self:unix_stream_socket connectto;
# The script may only write to pipes inherited from httpd_t, not read them.
61 allow httpd_$1_script_t httpd_t:fifo_file write;
62 # apache should set close-on-exec
63 dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
65 # Allow the script process to search the cgi directory, and users directory
66 allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
# Scripts may append to, but not read or truncate, the web server logs.
68 append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
69 logging_search_logs(httpd_$1_script_t)
71 can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
72 allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
# ra content: list and add directory entries, read and append files.
74 allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
75 read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
76 append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
77 read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
# Plain content is read-only for the script domain.
79 allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
80 read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
81 read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
# rw content: full management including fifos and sockets.
83 manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
84 manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
85 manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
86 manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
87 manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
89 kernel_dontaudit_search_sysctl(httpd_$1_script_t)
90 kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
92 dev_read_rand(httpd_$1_script_t)
93 dev_read_urand(httpd_$1_script_t)
# NOTE(review): the script domain may execute every system executable and
# application; its confinement therefore rests on the file, socket and
# network rules rather than on limiting what it can run.
95 corecmd_exec_all_executables(httpd_$1_script_t)
96 application_exec_all(httpd_$1_script_t)
98 files_exec_etc_files(httpd_$1_script_t)
99 files_read_etc_files(httpd_$1_script_t)
100 files_search_home(httpd_$1_script_t)
102 libs_exec_ld_so(httpd_$1_script_t)
103 libs_exec_lib_files(httpd_$1_script_t)
105 miscfiles_read_fonts(httpd_$1_script_t)
106 miscfiles_read_public_files(httpd_$1_script_t)
108 seutil_dontaudit_search_config(httpd_$1_script_t)
110 # Allow the web server to run scripts and serve pages
# With httpd_builtin_scripting enabled, httpd_t itself receives the same
# rw/ra/read-only content access that the script domain has above.
111 tunable_policy(`httpd_builtin_scripting',`
112 manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
113 manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
114 manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
115 rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
117 allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
118 read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
119 append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
120 read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
122 allow httpd_t httpd_$1_content_t:dir list_dir_perms;
123 read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
124 read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
# NOTE(review): the next three rules repeat the three immediately above.
126 allow httpd_t httpd_$1_content_t:dir list_dir_perms;
127 read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
128 read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
129 allow httpd_t httpd_$1_script_t:unix_stream_socket connectto;
# CGI execution proper: the entry point, the transitions into the script
# domain, and the process/fd rules that let httpd_t supervise the script.
132 tunable_policy(`httpd_enable_cgi',`
133 allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
135 # privileged users run the script:
136 domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
138 allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
140 # apache runs the script:
141 domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
143 allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
# httpd_t can stop or kill scripts; scripts can only send sigchld back.
145 allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
146 allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
148 allow httpd_$1_script_t self:process { setsched signal_perms };
149 allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
150 allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms;
152 allow httpd_$1_script_t httpd_t:fd use;
153 allow httpd_$1_script_t httpd_t:process sigchld;
155 kernel_read_system_state(httpd_$1_script_t)
# NOTE(review): dev_read_urand is already granted unconditionally above.
157 dev_read_urand(httpd_$1_script_t)
159 fs_getattr_xattr_fs(httpd_$1_script_t)
161 files_read_etc_runtime_files(httpd_$1_script_t)
162 files_read_usr_files(httpd_$1_script_t)
164 libs_read_lib_files(httpd_$1_script_t)
166 miscfiles_read_localization(httpd_$1_script_t)
167 allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
# NIS lookups only when CGI and allow_ypbind are both enabled.
171 tunable_policy(`httpd_enable_cgi && allow_ypbind',`
172 nis_use_ypbind_uncond(httpd_$1_script_t)
# NOTE(review): the postgresql and nscd calls are presumably inside
# optional_policy blocks whose lines are not shown here - confirm in the full file.
177 postgresql_unpriv_client(httpd_$1_script_t)
181 nscd_socket_use(httpd_$1_script_t)
# TCP sockets leaked by httpd_t across the exec are denied silently.
184 dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
187 ########################################
189 ## Role access for apache
191 ## <param name="role">
193 ## Role allowed access
196 ## <param name="domain">
198 ## User domain for the role
202 interface(`apache_role',`
# Gives role $1 the user script domain and lets the user domain $2
# create, relabel and (under the CGI tunables) execute its own web content.
204 attribute httpdcontent;
205 type httpd_user_content_t, httpd_user_htaccess_t;
206 type httpd_user_script_t, httpd_user_script_exec_t;
207 type httpd_user_ra_content_t, httpd_user_rw_content_t;
210 role $1 types httpd_user_script_t;
# Relabel rights on plain content; manage rights follow from the
# manage_*_pattern calls below.
212 allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
214 allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
216 manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
217 manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
218 manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
219 relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
220 relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
221 relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
223 manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
224 manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
225 manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
226 relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
227 relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
228 relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
230 manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
231 manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
232 manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
233 relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
234 relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
235 relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
# $2 may also write and relabel script executables, so it fully controls
# which code runs in httpd_user_script_t.
237 manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
238 manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
239 manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
240 relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
241 relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
242 relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
244 apache_exec_modules($2)
246 tunable_policy(`httpd_enable_cgi',`
247 # If a user starts a script by hand it gets the proper context
248 domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
# With httpd_unified, every httpdcontent file becomes an entry point into
# the user script domain; the content/script distinction disappears.
251 tunable_policy(`httpd_enable_cgi && httpd_unified',`
252 domtrans_pattern($2, httpdcontent, httpd_user_script_t)
256 ########################################
258 ## Read httpd user scripts executables.
260 ## <param name="domain">
262 ## Domain allowed access.
266 interface(`apache_read_user_scripts',`
# Read-only access to user CGI executables: list, read and follow symlinks.
268 type httpd_user_script_exec_t;
271 allow $1 httpd_user_script_exec_t:dir list_dir_perms;
272 read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
273 read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
276 ########################################
278 ## Read user web content.
280 ## <param name="domain">
282 ## Domain allowed access.
286 interface(`apache_read_user_content',`
# Read-only access to user web content: list, read and follow symlinks.
288 type httpd_user_content_t;
291 allow $1 httpd_user_content_t:dir list_dir_perms;
292 read_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
293 read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
296 ########################################
298 ## Transition to apache.
300 ## <param name="domain">
302 ## Domain allowed to transition.
306 interface(`apache_domtrans',`
# Executing httpd_exec_t from $1 lands in httpd_t; bin directory search
# is included so the path to the binary can be traversed.
308 type httpd_t, httpd_exec_t;
311 corecmd_search_bin($1)
312 domtrans_pattern($1, httpd_exec_t, httpd_t)
315 ######################################
317 ## Allow the specified domain to execute apache
318 ## in the caller domain.
320 ## <param name="domain">
322 ## Domain allowed access.
326 interface(`apache_exec',`
# Runs the httpd binary inside $1 itself - no domain transition, unlike apache_domtrans.
331 can_exec($1, httpd_exec_t)
334 #######################################
336 ## Send a generic signal to apache.
338 ## <param name="domain">
340 ## Domain allowed access.
344 interface(`apache_signal',`
# Generic signal only; sigkill/sigstop are not included.
349 allow $1 httpd_t:process signal;
352 ########################################
354 ## Send a null signal to apache.
356 ## <param name="domain">
358 ## Domain allowed access.
362 interface(`apache_signull',`
# Null signal (existence check) to the web server process.
367 allow $1 httpd_t:process signull;
370 ########################################
372 ## Send a SIGCHLD signal to apache.
374 ## <param name="domain">
376 ## Domain allowed access.
380 interface(`apache_sigchld',`
# Lets a child of httpd_t report its exit via sigchld.
385 allow $1 httpd_t:process sigchld;
388 ########################################
390 ## Inherit and use file descriptors from Apache.
392 ## <param name="domain">
394 ## Domain allowed access.
398 interface(`apache_use_fds',`
# Use of file descriptors inherited from httpd_t; access to the objects
# behind them is still governed by their own object rules.
403 allow $1 httpd_t:fd use;
406 ########################################
408 ## Do not audit attempts to read and write Apache
411 ## <param name="domain">
413 ## Domain to not audit.
417 interface(`apache_dontaudit_rw_fifo_file',`
# Silences denials on pipes inherited from httpd_t; grants nothing.
422 dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
425 ########################################
427 ## Do not audit attempts to read and write Apache
428 ## unix domain stream sockets.
430 ## <param name="domain">
432 ## Domain to not audit.
436 interface(`apache_dontaudit_rw_stream_sockets',`
# Silences read/write denials on httpd_t unix stream sockets; grants nothing.
441 dontaudit $1 httpd_t:unix_stream_socket { read write };
444 ########################################
446 ## Do not audit attempts to read and write Apache
449 ## <param name="domain">
451 ## Domain to not audit.
455 interface(`apache_dontaudit_rw_tcp_sockets',`
# Silences read/write denials on httpd_t TCP sockets; grants nothing.
460 dontaudit $1 httpd_t:tcp_socket { read write };
463 ########################################
465 ## Create, read, write, and delete all web content.
467 ## <param name="domain">
469 ## Domain allowed access.
474 interface(`apache_manage_all_content',`
# Full control over every httpdcontent type and every script executable
# type; since script executable types are entry points into the script
# domains, a caller can place code that will run in those domains.
476 attribute httpdcontent, httpd_script_exec_type;
479 manage_dirs_pattern($1, httpdcontent, httpdcontent)
480 manage_files_pattern($1, httpdcontent, httpdcontent)
481 manage_lnk_files_pattern($1, httpdcontent, httpdcontent)
483 manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
484 manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
485 manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
488 ########################################
490 ## Allow domain to set the attributes
491 ## of the APACHE cache directory.
493 ## <param name="domain">
495 ## Domain allowed access.
499 interface(`apache_setattr_cache_dirs',`
# setattr on cache directories only; no search, list or file access.
504 allow $1 httpd_cache_t:dir setattr;
507 ########################################
509 ## Allow the specified domain to list
512 ## <param name="domain">
514 ## Domain allowed access.
518 interface(`apache_list_cache',`
# Directory listing of the cache tree; file contents stay unreadable.
523 list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
526 ########################################
528 ## Allow the specified domain to read
529 ## and write Apache cache files.
531 ## <param name="domain">
533 ## Domain allowed access.
537 interface(`apache_rw_cache_files',`
# Read/write on existing cache files; creating or deleting them is not included.
542 allow $1 httpd_cache_t:file rw_file_perms;
545 ########################################
547 ## Allow the specified domain to delete
548 ## Apache cache dirs.
550 ## <param name="domain">
552 ## Domain allowed access.
556 interface(`apache_delete_cache_dirs',`
# Removal of cache directories only.
561 delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
564 ########################################
566 ## Allow the specified domain to delete
569 ## <param name="domain">
571 ## Domain allowed access.
575 interface(`apache_delete_cache_files',`
# Removal of cache files only.
580 delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
583 ########################################
585 ## Allow the specified domain to read
586 ## apache configuration files.
588 ## <param name="domain">
590 ## Domain allowed access.
595 interface(`apache_read_config',`
# Read-only access to the configuration tree. Configuration can contain
# credentials, so this is narrower than apache_manage_config on purpose.
601 allow $1 httpd_config_t:dir list_dir_perms;
602 read_files_pattern($1, httpd_config_t, httpd_config_t)
603 read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
606 ########################################
608 ## Allow the specified domain to manage
609 ## apache configuration files.
611 ## <param name="domain">
613 ## Domain allowed access.
617 interface(`apache_manage_config',`
# Full management of configuration dirs and files; symlinks are only read,
# not created or removed.
623 manage_dirs_pattern($1, httpd_config_t, httpd_config_t)
624 manage_files_pattern($1, httpd_config_t, httpd_config_t)
625 read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
628 ########################################
630 ## Execute the Apache helper program with
631 ## a domain transition.
633 ## <param name="domain">
635 ## Domain allowed access.
639 interface(`apache_domtrans_helper',`
# Executing httpd_helper_exec_t from $1 lands in httpd_helper_t.
641 type httpd_helper_t, httpd_helper_exec_t;
644 corecmd_search_bin($1)
645 domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t)
648 ########################################
650 ## Execute the Apache helper program with
651 ## a domain transition, and allow the
652 ## specified role the Apache helper domain.
654 ## <param name="domain">
656 ## Domain allowed to transition.
659 ## <param name="role">
661 ## Role allowed access.
666 interface(`apache_run_helper',`
# apache_domtrans_helper plus authorising role $2 for the helper domain.
671 apache_domtrans_helper($1)
672 role $2 types httpd_helper_t;
675 ########################################
677 ## Allow the specified domain to read
680 ## <param name="domain">
682 ## Domain allowed access.
687 interface(`apache_read_log',`
# Read-only access to the web server logs, including search of the
# parent log directory.
692 logging_search_logs($1)
693 allow $1 httpd_log_t:dir list_dir_perms;
694 read_files_pattern($1, httpd_log_t, httpd_log_t)
695 read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
698 ########################################
700 ## Allow the specified domain to append
701 ## to apache log files.
703 ## <param name="domain">
705 ## Domain allowed access.
709 interface(`apache_append_log',`
# Append-only access to the logs: existing entries cannot be read or truncated.
714 logging_search_logs($1)
715 allow $1 httpd_log_t:dir list_dir_perms;
716 append_files_pattern($1, httpd_log_t, httpd_log_t)
719 ########################################
721 ## Do not audit attempts to append to the
724 ## <param name="domain">
726 ## Domain to not audit.
730 interface(`apache_dontaudit_append_log',`
# Silences getattr/append denials on log files; grants nothing.
735 dontaudit $1 httpd_log_t:file { getattr append };
738 ########################################
740 ## Allow the specified domain to manage
741 ## apache log files.
743 ## <param name="domain">
745 ## Domain allowed access.
749 interface(`apache_manage_log',`
# Full management of log dirs and files, which includes the ability to
# truncate or delete audit trails; symlinks are only read.
754 logging_search_logs($1)
755 manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
756 manage_files_pattern($1, httpd_log_t, httpd_log_t)
757 read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
760 ########################################
762 ## Do not audit attempts to search Apache
763 ## module directories.
765 ## <param name="domain">
767 ## Domain to not audit.
771 interface(`apache_dontaudit_search_modules',`
# Silences search denials on the module directories; grants nothing.
773 type httpd_modules_t;
776 dontaudit $1 httpd_modules_t:dir search_dir_perms;
779 ########################################
781 ## Allow the specified domain to read
782 ## the apache module directories.
784 ## <param name="domain">
786 ## Domain allowed access.
790 interface(`apache_read_modules',`
# Read module files; directory listing is provided separately by apache_list_modules.
792 type httpd_modules_t;
795 read_files_pattern($1, httpd_modules_t, httpd_modules_t)
798 ########################################
800 ## Allow the specified domain to list
801 ## the contents of the apache modules
804 ## <param name="domain">
806 ## Domain allowed access.
810 interface(`apache_list_modules',`
# List the module directory and follow its symlinks; no file contents.
812 type httpd_modules_t;
815 allow $1 httpd_modules_t:dir list_dir_perms;
816 read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
819 ########################################
821 ## Allow the specified domain to execute
824 ## <param name="domain">
826 ## Domain allowed access.
830 interface(`apache_exec_modules',`
# Execute module files in the caller domain $1 itself (can_exec, no
# transition); apache_role hands this to user domains as well.
832 type httpd_modules_t;
835 allow $1 httpd_modules_t:dir list_dir_perms;
836 allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
837 can_exec($1, httpd_modules_t)
840 ########################################
842 ## Execute a domain transition to run httpd_rotatelogs.
844 ## <param name="domain">
846 ## Domain allowed to transition.
850 interface(`apache_domtrans_rotatelogs',`
# NOTE(review): unlike apache_domtrans and apache_domtrans_helper this
# does not call corecmd_search_bin; callers are presumably expected to
# already have bin directory search.
852 type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
855 domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
858 ########################################
860 ## Allow the specified domain to list
861 ## apache system content files.
863 ## <param name="domain">
865 ## Domain allowed access.
869 interface(`apache_list_sys_content',`
# Directory listing and symlink following on system content; no file reads.
871 type httpd_sys_content_t;
874 list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
875 read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
879 ########################################
881 ## Allow the specified domain to manage
882 ## apache system content files.
884 ## <param name="domain">
886 ## Domain allowed access.
891 # Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
892 interface(`apache_manage_sys_content',`
# Full management of system web content (dirs, files, symlinks), with
# search of the content tree granted through apache_search_sys_content.
894 type httpd_sys_content_t;
898 apache_search_sys_content($1)
899 manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
900 manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
901 manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
904 ######################################
906 ## Allow the specified domain to read
907 ## apache system content rw files.
909 ## <param name="domain">
911 ## Domain allowed access.
916 interface(`apache_read_sys_content_rw_files',`
# Read files of the system rw content type; no directory listing is granted here.
918 type httpd_sys_rw_content_t;
921 read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
924 ######################################
926 ## Allow the specified domain to manage
927 ## apache system content rw files.
929 ## <param name="domain">
931 ## Domain allowed access.
936 interface(`apache_manage_sys_content_rw',`
# Full management of system rw content dirs, files and symlinks.
938 type httpd_sys_rw_content_t;
942 manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
943 manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
944 manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
947 ########################################
949 ## Allow the specified domain to delete
950 ## apache system content rw files.
952 ## <param name="domain">
954 ## Domain allowed access.
959 interface(`apache_delete_sys_content_rw',`
# Delete-only access to system rw content, covering every object class
# the script domain may create there (dirs, files, symlinks, fifos, sockets).
961 type httpd_sys_rw_content_t;
965 delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
966 delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
967 delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
968 delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
969 delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
972 ########################################
974 ## Execute all web scripts in the system
977 ## <param name="domain">
979 ## Domain allowed to transition.
983 # cjp: this interface specifically added to allow
984 # sysadm_t to run scripts
985 interface(`apache_domtrans_sys_script',`
# Transition into httpd_sys_script_t when $1 executes a system CGI file;
# with httpd_unified every httpdcontent file is an entry point as well.
987 attribute httpdcontent;
988 type httpd_sys_script_t;
989 type httpd_sys_content_t;
# NOTE(review): httpd_sys_script_exec_t is used below but does not appear
# in the visible require lines, and httpd_sys_content_t is required but
# unused here - confirm against the full file.
992 tunable_policy(`httpd_enable_cgi',`
993 domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
996 tunable_policy(`httpd_enable_cgi && httpd_unified',`
997 domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
1001 ########################################
1003 ## Do not audit attempts to read and write Apache
1004 ## system script unix domain stream sockets.
1006 ## <param name="domain">
1008 ## Domain to not audit.
1012 interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
# Silences read/write denials on sockets inherited from system scripts; grants nothing.
1014 type httpd_sys_script_t;
1017 dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
1020 ########################################
1022 ## Execute all user scripts in the user
1025 ## <param name="domain">
1027 ## Domain allowed to transition.
1031 interface(`apache_domtrans_all_scripts',`
# Adds $1 to httpd_exec_scripts, so it inherits the transition into every
# httpd_PREFIX_script_t that apache_content_template grants to that
# attribute under httpd_enable_cgi.
1033 attribute httpd_exec_scripts;
1036 typeattribute $1 httpd_exec_scripts;
1039 ########################################
1041 ## Execute all user scripts in the user
1042 ## script domain. Add user script domains
1043 ## to the specified role.
1045 ## <param name="domain">
1047 ## Domain allowed to transition.
1050 ## <param name="role">
1052 ## Role allowed access.
1056 interface(`apache_run_all_scripts',`
# apache_domtrans_all_scripts plus authorising role $2 for every script domain.
1058 attribute httpd_exec_scripts, httpd_script_domains;
1061 role $2 types httpd_script_domains;
1062 apache_domtrans_all_scripts($1)
1065 ########################################
1067 ## Allow the specified domain to read
1068 ## apache squirrelmail data.
1070 ## <param name="domain">
1072 ## Domain allowed access.
1076 interface(`apache_read_squirrelmail_data',`
# Read squirrelmail data files; no directory listing is granted here.
1078 type httpd_squirrelmail_t;
1081 read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
1084 ########################################
1086 ## Allow the specified domain to append
1087 ## apache squirrelmail data.
1089 ## <param name="domain">
1091 ## Domain allowed access.
1095 interface(`apache_append_squirrelmail_data',`
# Append-only on squirrelmail data files.
1097 type httpd_squirrelmail_t;
1100 allow $1 httpd_squirrelmail_t:file append_file_perms;
1103 ########################################
1105 ## Search apache system content.
1107 ## <param name="domain">
1109 ## Domain allowed access.
1113 interface(`apache_search_sys_content',`
# Search (traverse) system content directories only; no listing or reads.
1115 type httpd_sys_content_t;
1118 allow $1 httpd_sys_content_t:dir search_dir_perms;
1121 ########################################
1123 ## Read apache system content.
1125 ## <param name="domain">
1127 ## Domain allowed access.
1131 interface(`apache_read_sys_content',`
# Read-only access to system content: list, read and follow symlinks.
1133 type httpd_sys_content_t;
1136 allow $1 httpd_sys_content_t:dir list_dir_perms;
1137 read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
1138 read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
1141 ########################################
1143 ## Search apache system CGI directories.
1145 ## <param name="domain">
1147 ## Domain allowed access.
1151 interface(`apache_search_sys_scripts',`
# Traverse system content directories down to the system CGI directories.
1153 type httpd_sys_content_t, httpd_sys_script_exec_t;
1156 search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
1159 ########################################
1161 ## Create, read, write, and delete all user web content.
1163 ## <param name="domain">
1165 ## Domain allowed access.
1170 interface(`apache_manage_all_user_content',`
# Full control over all user content and user script executable types;
# managing script executables means controlling the code that runs in
# the user script domains.
1172 attribute httpd_user_content_type, httpd_user_script_exec_type;
1175 manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
1176 manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
1177 manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
1179 manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
1180 manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
1181 manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
1184 ########################################
1186 ## Search system script state directory.
1188 ## <param name="domain">
1190 ## Domain allowed access.
1194 interface(`apache_search_sys_script_state',`
# The target is a process domain used as a dir type - presumably the
# /proc entries of script processes, which carry the domain label.
1196 type httpd_sys_script_t;
1199 allow $1 httpd_sys_script_t:dir search_dir_perms;
1202 ########################################
1204 ## Allow the specified domain to read
1205 ## apache tmp files.
1207 ## <param name="domain">
1209 ## Domain allowed access.
1213 interface(`apache_read_tmp_files',`
# Read web server temp files; tmp directory search is included.
1218 files_search_tmp($1)
1219 read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
1222 ######################################
1224 ## Dontaudit attempts to read and write
1225 ## apache tmp files.
1227 ## <param name="domain">
1229 ## Domain to not audit.
1233 interface(`apache_dontaudit_rw_tmp_files',`
# Silences read/write denials on web server temp files; grants nothing.
1238 dontaudit $1 httpd_tmp_t:file { read write };
1241 ########################################
1243 ## Dontaudit attempts to write
1244 ## apache tmp files.
1246 ## <param name="domain">
1248 ## Domain to not audit.
1252 interface(`apache_dontaudit_write_tmp_files',`
# Silences write denials on web server temp files; grants nothing.
1257 dontaudit $1 httpd_tmp_t:file write;
1260 ########################################
1262 ## Execute CGI in the specified domain.
1266 ## Execute CGI in the specified domain.
1269 ## This is an interface to support third party modules
1270 ## and its use is not allowed in upstream reference
1274 ## <param name="domain">
1276 ## Domain run the cgi script in.
1279 ## <param name="entrypoint">
1281 ## Type of the executable to enter the cgi domain.
1285 interface(`apache_cgi_domain',`
# Lets httpd_t spawn the caller-chosen domain $1 by executing a file of
# type $2; domtrans_pattern also declares $2 an entry point of $1, so the
# web server ends up able to start whatever $1 is allowed to do.
1287 type httpd_t, httpd_sys_script_exec_t;
# NOTE(review): httpd_sys_script_exec_t is not used by the visible rules;
# it may back apache_search_sys_scripts - confirm.
1290 domtrans_pattern(httpd_t, $2, $1)
1291 apache_search_sys_scripts($1)
# httpd_t keeps the ability to signal the spawned domain.
1293 allow httpd_t $1:process signal;
1296 ########################################
1298 ## All of the rules required to administrate an apache environment
1300 ## <param name="prefix">
1302 ## Prefix of the domain. Example, user would be
1303 ## the prefix for the user_t domain.
1306 ## <param name="domain">
1308 ## Domain allowed access.
1311 ## <param name="role">
1313 ## Role allowed access.
1318 interface(`apache_admin',`
# NOTE(review): the doc block lists the parameters as (prefix, domain,
# role), but the rules below use $1 as the administrating domain and $2
# as the role, with $3 only passed through to the boolean helpers -
# confirm the intended order against the callers.
1320 attribute httpdcontent;
1321 attribute httpd_script_exec_type;
1323 type httpd_t, httpd_config_t, httpd_log_t;
1324 type httpd_modules_t, httpd_lock_t;
1325 type httpd_var_run_t, httpd_php_tmp_t;
1326 type httpd_suexec_tmp_t, httpd_tmp_t;
1327 type httpd_initrc_exec_t, httpd_bool_t;
# ptrace is granted, so the admin domain can inspect httpd_t memory,
# not merely signal it.
1330 allow $1 httpd_t:process { getattr ptrace signal_perms };
1331 ps_process_pattern($1, httpd_t)
# Init script execution and the role transition to system_r are what
# make starting and stopping the service possible from the admin role.
1333 init_labeled_script_domtrans($1, httpd_initrc_exec_t)
1334 domain_system_change_exemption($1)
1335 role_transition $2 httpd_initrc_exec_t system_r;
1338 apache_manage_all_content($1)
1339 miscfiles_manage_public_files($1)
1341 files_search_etc($1)
1342 admin_pattern($1, httpd_config_t)
1344 logging_search_logs($1)
1345 admin_pattern($1, httpd_log_t)
1347 admin_pattern($1, httpd_modules_t)
1349 admin_pattern($1, httpd_lock_t)
1350 files_lock_filetrans($1, httpd_lock_t, file)
1352 admin_pattern($1, httpd_var_run_t)
1353 files_pid_filetrans($1, httpd_var_run_t, file)
1355 kernel_search_proc($1)
1356 allow $1 httpd_t:dir list_dir_perms;
# NOTE(review): ps_process_pattern($1, httpd_t) was already applied above.
1357 ps_process_pattern($1, httpd_t)
1358 read_lnk_files_pattern($1, httpd_t, httpd_t)
1360 admin_pattern($1, httpdcontent)
1361 admin_pattern($1, httpd_script_exec_type)
1363 seutil_domtrans_setfiles($1)
1365 admin_pattern($1, httpd_tmp_t)
1366 admin_pattern($1, httpd_php_tmp_t)
1367 admin_pattern($1, httpd_suexec_tmp_t)
# Boolean management. httpd_setsebool_t is not in the require list
# above, so it is presumably created by seutil_setsebool_role_template - confirm.
1370 apache_set_booleans($1, $2, $3, httpd_bool_t )
1371 seutil_setsebool_role_template($1, $3, $2)
1372 allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
1373 allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
1377 ########################################
1379 ## Do not audit reads and writes of leaked file descriptors
1381 ## <param name="domain">
1383 ## Domain to not audit.
1387 interface(`apache_dontaudit_leaks',`
1392 dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
1393 dontaudit $1 httpd_t:tcp_socket { read write };
1394 dontaudit $1 httpd_t:unix_dgram_socket { read write };
1395 dontaudit $1 httpd_t:unix_stream_socket { read write };