1 ## <summary>Apache web server</summary>
2
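########################################
## <summary>
##	Create a set of derived types for apache
##	web content.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving type names.
##	</summary>
## </param>
#
# For a prefix P this declares the content types httpd_P_content_t,
# httpd_P_htaccess_t, httpd_P_rw_content_t and httpd_P_ra_content_t, the
# script entry type httpd_P_script_exec_t and the script domain
# httpd_P_script_t, then wires them to httpd_t and httpd_suexec_t.
# Rules outside the tunable_policy() blocks apply regardless of the
# httpd_builtin_scripting / httpd_enable_cgi booleans.
#
template(`apache_content_template',`
	gen_require(`
		attribute httpd_exec_scripts;
		attribute httpd_script_exec_type;
		type httpd_t, httpd_suexec_t, httpd_log_t;
		type httpd_sys_content_t;
	')

	# Read-only web pages.
	type httpd_$1_content_t; # customizable;
	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
	files_type(httpd_$1_content_t)

	# This type is used for .htaccess files
	type httpd_$1_htaccess_t; # customizable;
	files_type(httpd_$1_htaccess_t)

	# Type that CGI scripts run as
	type httpd_$1_script_t;
	domain_type(httpd_$1_script_t)
	role system_r types httpd_$1_script_t;

	search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)

	# This type is used for executable scripts files
	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
	corecmd_shell_entry_type(httpd_$1_script_t)
	domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)

	# Content the script domain may create, modify and delete.
	type httpd_$1_rw_content_t; # customizable
	typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
	files_type(httpd_$1_rw_content_t)

	# Content the script domain may read and append to.
	type httpd_$1_ra_content_t; # customizable
	typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
	files_type(httpd_$1_ra_content_t)

	read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)

	# Not wrapped in httpd_enable_cgi: the suexec -> script transition
	# stays available when that boolean is off.
	domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)

	allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;

	allow httpd_$1_script_t self:fifo_file rw_file_perms;
	allow httpd_$1_script_t self:unix_stream_socket connectto;

	allow httpd_$1_script_t httpd_t:fifo_file write;
	# apache should set close-on-exec
	# The denial is silenced, not fixed: descriptors inherited from
	# httpd_t will not show up in the audit log. Rebuild the policy with
	# dontaudit rules disabled (semodule -DB) when investigating.
	dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };

	# Allow the script process to search the cgi directory, and users directory
	allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;

	append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
	logging_search_logs(httpd_$1_script_t)

	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
	allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;

	allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
	read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
	append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)

	allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
	read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)

	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
	manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)

	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)

	dev_read_rand(httpd_$1_script_t)
	dev_read_urand(httpd_$1_script_t)

	# Broad by design: the script domain may run every executable type
	# without a transition, so those programs run with this domain's
	# permissions. Keep that in mind when granting the script domain
	# anything further.
	corecmd_exec_all_executables(httpd_$1_script_t)
	application_exec_all(httpd_$1_script_t)

	files_exec_etc_files(httpd_$1_script_t)
	files_read_etc_files(httpd_$1_script_t)
	files_search_home(httpd_$1_script_t)

	libs_exec_ld_so(httpd_$1_script_t)
	libs_exec_lib_files(httpd_$1_script_t)

	miscfiles_read_fonts(httpd_$1_script_t)
	miscfiles_read_public_files(httpd_$1_script_t)

	seutil_dontaudit_search_config(httpd_$1_script_t)

	# Allow the web server to run scripts and serve pages
	# With httpd_builtin_scripting on, httpd_t itself (not only the
	# script domain) can modify rw content and append to ra content.
	tunable_policy(`httpd_builtin_scripting',`
		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
		manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
		manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
		rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)

		allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
		read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
		append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)

		# The original repeated these three read rules twice in a row;
		# the exact duplicate is dropped, the resulting policy is the same.
		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
		allow httpd_t httpd_$1_script_t:unix_stream_socket connectto;
	')

	tunable_policy(`httpd_enable_cgi',`
		# NOTE(review): domain_entry_file() above normally already grants
		# entrypoint unconditionally; if so, this boolean gates the
		# transitions below but not the entrypoint itself. Confirm.
		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;

		# privileged users run the script:
		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)

		allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;

		# apache runs the script:
		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)

		allow httpd_t httpd_$1_script_exec_t:file read_file_perms;

		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
		allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;

		allow httpd_$1_script_t self:process { setsched signal_perms };
		allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
		allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms;

		allow httpd_$1_script_t httpd_t:fd use;
		allow httpd_$1_script_t httpd_t:process sigchld;

		kernel_read_system_state(httpd_$1_script_t)

		# Already granted unconditionally above; kept as in the original.
		dev_read_urand(httpd_$1_script_t)

		fs_getattr_xattr_fs(httpd_$1_script_t)

		files_read_etc_runtime_files(httpd_$1_script_t)
		files_read_usr_files(httpd_$1_script_t)

		libs_read_lib_files(httpd_$1_script_t)

		miscfiles_read_localization(httpd_$1_script_t)
		allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
	')

	optional_policy(`
		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
			nis_use_ypbind_uncond(httpd_$1_script_t)
		')
	')

	optional_policy(`
		postgresql_unpriv_client(httpd_$1_script_t)
	')

	optional_policy(`
		nscd_socket_use(httpd_$1_script_t)
	')

	# Same descriptor-inheritance case as the unix_stream_socket
	# dontaudit above, for httpd_t TCP sockets.
	dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
')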
186
########################################
## <summary>
##	Role access for apache
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
# Gives the user domain ($2) full management and relabeling of the
# httpd_user_* content and script types, and authorizes the role ($1)
# for the user script domain.
#
interface(`apache_role',`
	gen_require(`
		attribute httpdcontent;
		type httpd_user_content_t, httpd_user_htaccess_t;
		type httpd_user_script_t, httpd_user_script_exec_t;
		type httpd_user_ra_content_t, httpd_user_rw_content_t;
	')

	# Authorize the role for the user script domain.
	role $1 types httpd_user_script_t;

	allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };

	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };

	manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)

	manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
	manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
	manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
	relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
	relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
	relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)

	manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)

	# The user domain can both write and relabel script entry files, so
	# the user decides what code runs in httpd_user_script_t once the
	# transition below is enabled.
	manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)

	apache_exec_modules($2)

	tunable_policy(`httpd_enable_cgi',`
		# If a user starts a script by hand it gets the proper context
		domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
	')

	# With httpd_unified also on, any file whose type carries the
	# httpdcontent attribute triggers the transition, not only files
	# labeled as script executables.
	# NOTE(review): httpdcontent membership is assigned outside this
	# file section; check which types carry it before enabling.
	tunable_policy(`httpd_enable_cgi && httpd_unified',`
		domtrans_pattern($2, httpdcontent, httpd_user_script_t)
	')
')
255
256 ########################################
257 ## <summary>
258 ## Read httpd user scripts executables.
259 ## </summary>
260 ## <param name="domain">
261 ## <summary>
262 ## Domain allowed access.
263 ## </summary>
264 ## </param>
265 #
266 interface(`apache_read_user_scripts',`
267 gen_require(`
268 type httpd_user_script_exec_t;
269 ')
270
271 allow $1 httpd_user_script_exec_t:dir list_dir_perms;
272 read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
273 read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
274 ')
275
276 ########################################
277 ## <summary>
278 ## Read user web content.
279 ## </summary>
280 ## <param name="domain">
281 ## <summary>
282 ## Domain allowed access.
283 ## </summary>
284 ## </param>
285 #
286 interface(`apache_read_user_content',`
287 gen_require(`
288 type httpd_user_content_t;
289 ')
290
291 allow $1 httpd_user_content_t:dir list_dir_perms;
292 read_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
293 read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
294 ')
295
296 ########################################
297 ## <summary>
298 ## Transition to apache.
299 ## </summary>
300 ## <param name="domain">
301 ## <summary>
302 ## Domain allowed to transition.
303 ## </summary>
304 ## </param>
305 #
306 interface(`apache_domtrans',`
307 gen_require(`
308 type httpd_t, httpd_exec_t;
309 ')
310
311 corecmd_search_bin($1)
312 domtrans_pattern($1, httpd_exec_t, httpd_t)
313 ')
314
315 ######################################
316 ## <summary>
317 ## Allow the specified domain to execute apache
318 ## in the caller domain.
319 ## </summary>
320 ## <param name="domain">
321 ## <summary>
322 ## Domain allowed access.
323 ## </summary>
324 ## </param>
325 #
326 interface(`apache_exec',`
327 gen_require(`
328 type httpd_exec_t;
329 ')
330
331 can_exec($1, httpd_exec_t)
332 ')
333
334 #######################################
335 ## <summary>
336 ## Send a generic signal to apache.
337 ## </summary>
338 ## <param name="domain">
339 ## <summary>
340 ## Domain allowed access.
341 ## </summary>
342 ## </param>
343 #
344 interface(`apache_signal',`
345 gen_require(`
346 type httpd_t;
347 ')
348
349 allow $1 httpd_t:process signal;
350 ')
351
352 ########################################
353 ## <summary>
354 ## Send a null signal to apache.
355 ## </summary>
356 ## <param name="domain">
357 ## <summary>
358 ## Domain allowed access.
359 ## </summary>
360 ## </param>
361 #
362 interface(`apache_signull',`
363 gen_require(`
364 type httpd_t;
365 ')
366
367 allow $1 httpd_t:process signull;
368 ')
369
370 ########################################
371 ## <summary>
372 ## Send a SIGCHLD signal to apache.
373 ## </summary>
374 ## <param name="domain">
375 ## <summary>
376 ## Domain allowed access.
377 ## </summary>
378 ## </param>
379 #
380 interface(`apache_sigchld',`
381 gen_require(`
382 type httpd_t;
383 ')
384
385 allow $1 httpd_t:process sigchld;
386 ')
387
388 ########################################
389 ## <summary>
390 ## Inherit and use file descriptors from Apache.
391 ## </summary>
392 ## <param name="domain">
393 ## <summary>
394 ## Domain allowed access.
395 ## </summary>
396 ## </param>
397 #
398 interface(`apache_use_fds',`
399 gen_require(`
400 type httpd_t;
401 ')
402
403 allow $1 httpd_t:fd use;
404 ')
405
406 ########################################
407 ## <summary>
408 ## Do not audit attempts to read and write Apache
409 ## unnamed pipes.
410 ## </summary>
411 ## <param name="domain">
412 ## <summary>
413 ## Domain to not audit.
414 ## </summary>
415 ## </param>
416 #
417 interface(`apache_dontaudit_rw_fifo_file',`
418 gen_require(`
419 type httpd_t;
420 ')
421
422 dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
423 ')
424
425 ########################################
426 ## <summary>
427 ## Do not audit attempts to read and write Apache
428 ## unix domain stream sockets.
429 ## </summary>
430 ## <param name="domain">
431 ## <summary>
432 ## Domain to not audit.
433 ## </summary>
434 ## </param>
435 #
436 interface(`apache_dontaudit_rw_stream_sockets',`
437 gen_require(`
438 type httpd_t;
439 ')
440
441 dontaudit $1 httpd_t:unix_stream_socket { read write };
442 ')
443
444 ########################################
445 ## <summary>
446 ## Do not audit attempts to read and write Apache
447 ## TCP sockets.
448 ## </summary>
449 ## <param name="domain">
450 ## <summary>
451 ## Domain to not audit.
452 ## </summary>
453 ## </param>
454 #
455 interface(`apache_dontaudit_rw_tcp_sockets',`
456 gen_require(`
457 type httpd_t;
458 ')
459
460 dontaudit $1 httpd_t:tcp_socket { read write };
461 ')
462
########################################
## <summary>
##	Create, read, write, and delete all web content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# Covers two attributes: httpdcontent and httpd_script_exec_type.
# The second one is attached to every httpd_*_script_exec_t type by
# apache_content_template, so a caller of this interface can replace
# the files that script domains are entered through. Grant it only to
# domains trusted to that degree.
#
interface(`apache_manage_all_content',`
	gen_require(`
		attribute httpdcontent, httpd_script_exec_type;
	')

	manage_dirs_pattern($1, httpdcontent, httpdcontent)
	manage_files_pattern($1, httpdcontent, httpdcontent)
	manage_lnk_files_pattern($1, httpdcontent, httpdcontent)

	# Write access to script entry files of every script domain.
	manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
	manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
	manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
')
487
488 ########################################
489 ## <summary>
490 ## Allow domain to set the attributes
491 ## of the APACHE cache directory.
492 ## </summary>
493 ## <param name="domain">
494 ## <summary>
495 ## Domain allowed access.
496 ## </summary>
497 ## </param>
498 #
499 interface(`apache_setattr_cache_dirs',`
500 gen_require(`
501 type httpd_cache_t;
502 ')
503
504 allow $1 httpd_cache_t:dir setattr;
505 ')
506
507 ########################################
508 ## <summary>
509 ## Allow the specified domain to list
510 ## Apache cache.
511 ## </summary>
512 ## <param name="domain">
513 ## <summary>
514 ## Domain allowed access.
515 ## </summary>
516 ## </param>
517 #
518 interface(`apache_list_cache',`
519 gen_require(`
520 type httpd_cache_t;
521 ')
522
523 list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
524 ')
525
526 ########################################
527 ## <summary>
528 ## Allow the specified domain to read
529 ## and write Apache cache files.
530 ## </summary>
531 ## <param name="domain">
532 ## <summary>
533 ## Domain allowed access.
534 ## </summary>
535 ## </param>
536 #
537 interface(`apache_rw_cache_files',`
538 gen_require(`
539 type httpd_cache_t;
540 ')
541
542 allow $1 httpd_cache_t:file rw_file_perms;
543 ')
544
545 ########################################
546 ## <summary>
547 ## Allow the specified domain to delete
548 ## Apache cache dirs.
549 ## </summary>
550 ## <param name="domain">
551 ## <summary>
552 ## Domain allowed access.
553 ## </summary>
554 ## </param>
555 #
556 interface(`apache_delete_cache_dirs',`
557 gen_require(`
558 type httpd_cache_t;
559 ')
560
561 delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
562 ')
563
564 ########################################
565 ## <summary>
566 ## Allow the specified domain to delete
567 ## Apache cache.
568 ## </summary>
569 ## <param name="domain">
570 ## <summary>
571 ## Domain allowed access.
572 ## </summary>
573 ## </param>
574 #
575 interface(`apache_delete_cache_files',`
576 gen_require(`
577 type httpd_cache_t;
578 ')
579
580 delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
581 ')
582
583 ########################################
584 ## <summary>
585 ## Allow the specified domain to read
586 ## apache configuration files.
587 ## </summary>
588 ## <param name="domain">
589 ## <summary>
590 ## Domain allowed access.
591 ## </summary>
592 ## </param>
593 ## <rolecap/>
594 #
595 interface(`apache_read_config',`
596 gen_require(`
597 type httpd_config_t;
598 ')
599
600 files_search_etc($1)
601 allow $1 httpd_config_t:dir list_dir_perms;
602 read_files_pattern($1, httpd_config_t, httpd_config_t)
603 read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
604 ')
605
606 ########################################
607 ## <summary>
608 ## Allow the specified domain to manage
609 ## apache configuration files.
610 ## </summary>
611 ## <param name="domain">
612 ## <summary>
613 ## Domain allowed access.
614 ## </summary>
615 ## </param>
616 #
617 interface(`apache_manage_config',`
618 gen_require(`
619 type httpd_config_t;
620 ')
621
622 files_search_etc($1)
623 manage_dirs_pattern($1, httpd_config_t, httpd_config_t)
624 manage_files_pattern($1, httpd_config_t, httpd_config_t)
625 read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
626 ')
627
628 ########################################
629 ## <summary>
630 ## Execute the Apache helper program with
631 ## a domain transition.
632 ## </summary>
633 ## <param name="domain">
634 ## <summary>
635 ## Domain allowed access.
636 ## </summary>
637 ## </param>
638 #
639 interface(`apache_domtrans_helper',`
640 gen_require(`
641 type httpd_helper_t, httpd_helper_exec_t;
642 ')
643
644 corecmd_search_bin($1)
645 domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t)
646 ')
647
648 ########################################
649 ## <summary>
650 ## Execute the Apache helper program with
651 ## a domain transition, and allow the
652 ## specified role the Apache helper domain.
653 ## </summary>
654 ## <param name="domain">
655 ## <summary>
656 ## Domain allowed to transition.
657 ## </summary>
658 ## </param>
659 ## <param name="role">
660 ## <summary>
661 ## Role allowed access.
662 ## </summary>
663 ## </param>
664 ## <rolecap/>
665 #
666 interface(`apache_run_helper',`
667 gen_require(`
668 type httpd_helper_t;
669 ')
670
671 apache_domtrans_helper($1)
672 role $2 types httpd_helper_t;
673 ')
674
675 ########################################
676 ## <summary>
677 ## Allow the specified domain to read
678 ## apache log files.
679 ## </summary>
680 ## <param name="domain">
681 ## <summary>
682 ## Domain allowed access.
683 ## </summary>
684 ## </param>
685 ## <rolecap/>
686 #
687 interface(`apache_read_log',`
688 gen_require(`
689 type httpd_log_t;
690 ')
691
692 logging_search_logs($1)
693 allow $1 httpd_log_t:dir list_dir_perms;
694 read_files_pattern($1, httpd_log_t, httpd_log_t)
695 read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
696 ')
697
698 ########################################
699 ## <summary>
700 ## Allow the specified domain to append
701 ## to apache log files.
702 ## </summary>
703 ## <param name="domain">
704 ## <summary>
705 ## Domain allowed access.
706 ## </summary>
707 ## </param>
708 #
709 interface(`apache_append_log',`
710 gen_require(`
711 type httpd_log_t;
712 ')
713
714 logging_search_logs($1)
715 allow $1 httpd_log_t:dir list_dir_perms;
716 append_files_pattern($1, httpd_log_t, httpd_log_t)
717 ')
718
719 ########################################
720 ## <summary>
721 ## Do not audit attempts to append to the
722 ## Apache logs.
723 ## </summary>
724 ## <param name="domain">
725 ## <summary>
726 ## Domain to not audit.
727 ## </summary>
728 ## </param>
729 #
730 interface(`apache_dontaudit_append_log',`
731 gen_require(`
732 type httpd_log_t;
733 ')
734
735 dontaudit $1 httpd_log_t:file { getattr append };
736 ')
737
########################################
## <summary>
##	Allow the specified domain to manage
##	apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# The manage_* patterns go beyond appending: the caller can also
# create, overwrite and delete log files and directories, which
# matters when the logs serve as an audit trail. Callers that only
# write new entries or only read can use apache_append_log or
# apache_read_log from this file instead.
#
interface(`apache_manage_log',`
	gen_require(`
		type httpd_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
	manage_files_pattern($1, httpd_log_t, httpd_log_t)
	# Symlinks are read-only here, unlike files and directories.
	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
')
759
760 ########################################
761 ## <summary>
762 ## Do not audit attempts to search Apache
763 ## module directories.
764 ## </summary>
765 ## <param name="domain">
766 ## <summary>
767 ## Domain to not audit.
768 ## </summary>
769 ## </param>
770 #
771 interface(`apache_dontaudit_search_modules',`
772 gen_require(`
773 type httpd_modules_t;
774 ')
775
776 dontaudit $1 httpd_modules_t:dir search_dir_perms;
777 ')
778
779 ########################################
780 ## <summary>
781 ## Allow the specified domain to read
782 ## the apache module directories.
783 ## </summary>
784 ## <param name="domain">
785 ## <summary>
786 ## Domain allowed access.
787 ## </summary>
788 ## </param>
789 #
790 interface(`apache_read_modules',`
791 gen_require(`
792 type httpd_modules_t;
793 ')
794
795 read_files_pattern($1, httpd_modules_t, httpd_modules_t)
796 ')
797
798 ########################################
799 ## <summary>
800 ## Allow the specified domain to list
801 ## the contents of the apache modules
802 ## directory.
803 ## </summary>
804 ## <param name="domain">
805 ## <summary>
806 ## Domain allowed access.
807 ## </summary>
808 ## </param>
809 #
810 interface(`apache_list_modules',`
811 gen_require(`
812 type httpd_modules_t;
813 ')
814
815 allow $1 httpd_modules_t:dir list_dir_perms;
816 read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
817 ')
818
819 ########################################
820 ## <summary>
821 ## Allow the specified domain to execute
822 ## apache modules.
823 ## </summary>
824 ## <param name="domain">
825 ## <summary>
826 ## Domain allowed access.
827 ## </summary>
828 ## </param>
829 #
830 interface(`apache_exec_modules',`
831 gen_require(`
832 type httpd_modules_t;
833 ')
834
835 allow $1 httpd_modules_t:dir list_dir_perms;
836 allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
837 can_exec($1, httpd_modules_t)
838 ')
839
840 ########################################
841 ## <summary>
842 ## Execute a domain transition to run httpd_rotatelogs.
843 ## </summary>
844 ## <param name="domain">
845 ## <summary>
846 ## Domain allowed to transition.
847 ## </summary>
848 ## </param>
849 #
850 interface(`apache_domtrans_rotatelogs',`
851 gen_require(`
852 type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
853 ')
854
855 domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
856 ')
857
858 ########################################
859 ## <summary>
860 ## Allow the specified domain to list
861 ## apache system content files.
862 ## </summary>
863 ## <param name="domain">
864 ## <summary>
865 ## Domain allowed access.
866 ## </summary>
867 ## </param>
868 #
869 interface(`apache_list_sys_content',`
870 gen_require(`
871 type httpd_sys_content_t;
872 ')
873
874 list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
875 read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
876 files_search_var($1)
877 ')
878
879 ########################################
880 ## <summary>
881 ## Allow the specified domain to manage
882 ## apache system content files.
883 ## </summary>
884 ## <param name="domain">
885 ## <summary>
886 ## Domain allowed access.
887 ## </summary>
888 ## </param>
889 ## <rolecap/>
890 #
891 # Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
892 interface(`apache_manage_sys_content',`
893 gen_require(`
894 type httpd_sys_content_t;
895 ')
896
897 files_search_var($1)
898 apache_search_sys_content($1)
899 manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
900 manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
901 manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
902 ')
903
904 ######################################
905 ## <summary>
906 ## Allow the specified domain to read
907 ## apache system content rw files.
908 ## </summary>
909 ## <param name="domain">
910 ## <summary>
911 ## Domain allowed access.
912 ## </summary>
913 ## </param>
914 ## <rolecap/>
915 #
916 interface(`apache_read_sys_content_rw_files',`
917 gen_require(`
918 type httpd_sys_rw_content_t;
919 ')
920
921 read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
922 ')
923
924 ######################################
925 ## <summary>
926 ## Allow the specified domain to manage
927 ## apache system content rw files.
928 ## </summary>
929 ## <param name="domain">
930 ## <summary>
931 ## Domain allowed access.
932 ## </summary>
933 ## </param>
934 ## <rolecap/>
935 #
936 interface(`apache_manage_sys_content_rw',`
937 gen_require(`
938 type httpd_sys_rw_content_t;
939 ')
940
941 files_search_var($1)
942 manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
943 manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
944 manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
945 ')
946
########################################
## <summary>
##	Allow the specified domain to delete
##	apache system content rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_delete_sys_content_rw',`
	gen_require(`
		type httpd_sys_rw_content_t;
	')

	# NOTE(review): the sibling apache_manage_sys_content_rw uses
	# files_search_var() for the same type; files_search_tmp() here
	# looks like a leftover from a tmp-cleanup interface. Confirm where
	# httpd_sys_rw_content_t is expected to live before relying on it.
	files_search_tmp($1)
	# Deletion only: no read, write or create on the content.
	delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
')
971
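########################################
## <summary>
##	Execute all web scripts in the system
##	script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
# cjp: this interface specifically added to allow
# sysadm_t to run scripts
interface(`apache_domtrans_sys_script',`
	gen_require(`
		attribute httpdcontent;
		# httpd_sys_script_exec_t is used below and was missing from the
		# require block, leaving the interface dependent on the caller
		# happening to have the type in scope.
		type httpd_sys_script_t, httpd_sys_script_exec_t;
		type httpd_sys_content_t;
	')

	# Both transitions exist only while httpd_enable_cgi is on.
	tunable_policy(`httpd_enable_cgi',`
		domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
	')

	# With httpd_unified also on, any file whose type carries the
	# httpdcontent attribute triggers the transition, not only files
	# labeled httpd_sys_script_exec_t.
	tunable_policy(`httpd_enable_cgi && httpd_unified',`
		domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
	')
')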
1000
1001 ########################################
1002 ## <summary>
1003 ## Do not audit attempts to read and write Apache
1004 ## system script unix domain stream sockets.
1005 ## </summary>
1006 ## <param name="domain">
1007 ## <summary>
1008 ## Domain to not audit.
1009 ## </summary>
1010 ## </param>
1011 #
1012 interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
1013 gen_require(`
1014 type httpd_sys_script_t;
1015 ')
1016
1017 dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
1018 ')
1019
########################################
## <summary>
##	Execute all web scripts with a transition
##	to the matching script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
# No allow rule is written here. The caller is added to the
# httpd_exec_scripts attribute, and apache_content_template grants
# that attribute a transition into each httpd_*_script_t it creates
# (inside its httpd_enable_cgi block). The effect therefore covers
# every instantiation of the template, not only user scripts.
#
interface(`apache_domtrans_all_scripts',`
	gen_require(`
		attribute httpd_exec_scripts;
	')

	typeattribute $1 httpd_exec_scripts;
')
1038
########################################
## <summary>
##	Execute all web scripts with a transition
##	to the matching script domain. Add the
##	script domains to the specified role.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`apache_run_all_scripts',`
	gen_require(`
		attribute httpd_exec_scripts, httpd_script_domains;
	')

	# Authorizes the role for every type carrying httpd_script_domains.
	# NOTE(review): the attribute's members are assigned outside this
	# file section; verify the set before granting this to a role.
	role $2 types httpd_script_domains;
	apache_domtrans_all_scripts($1)
')
1064
1065 ########################################
1066 ## <summary>
1067 ## Allow the specified domain to read
1068 ## apache squirrelmail data.
1069 ## </summary>
1070 ## <param name="domain">
1071 ## <summary>
1072 ## Domain allowed access.
1073 ## </summary>
1074 ## </param>
1075 #
1076 interface(`apache_read_squirrelmail_data',`
1077 gen_require(`
1078 type httpd_squirrelmail_t;
1079 ')
1080
1081 read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
1082 ')
1083
1084 ########################################
1085 ## <summary>
1086 ## Allow the specified domain to append
1087 ## apache squirrelmail data.
1088 ## </summary>
1089 ## <param name="domain">
1090 ## <summary>
1091 ## Domain allowed access.
1092 ## </summary>
1093 ## </param>
1094 #
1095 interface(`apache_append_squirrelmail_data',`
1096 gen_require(`
1097 type httpd_squirrelmail_t;
1098 ')
1099
1100 allow $1 httpd_squirrelmail_t:file append_file_perms;
1101 ')
1102
1103 ########################################
1104 ## <summary>
1105 ## Search apache system content.
1106 ## </summary>
1107 ## <param name="domain">
1108 ## <summary>
1109 ## Domain allowed access.
1110 ## </summary>
1111 ## </param>
1112 #
1113 interface(`apache_search_sys_content',`
# Grants directory search on httpd_sys_content_t and nothing else.
1114 gen_require(`
1115 type httpd_sys_content_t;
1116 ')
1117
# Search only: this body adds no rule for listing directories or reading files.
1118 allow $1 httpd_sys_content_t:dir search_dir_perms;
1119 ')
1120
1121 ########################################
1122 ## <summary>
1123 ## Read apache system content.
1124 ## </summary>
1125 ## <param name="domain">
1126 ## <summary>
1127 ## Domain allowed access.
1128 ## </summary>
1129 ## </param>
1130 #
1131 interface(`apache_read_sys_content',`
# Grants read-only access to system web content: directory listing plus
# reading of regular files and symbolic links labeled httpd_sys_content_t.
1132 gen_require(`
1133 type httpd_sys_content_t;
1134 ')
1135
1136 allow $1 httpd_sys_content_t:dir list_dir_perms;
1137 read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
1138 read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
1139 ')
1140
1141 ########################################
1142 ## <summary>
1143 ## Search apache system CGI directories.
1144 ## </summary>
1145 ## <param name="domain">
1146 ## <summary>
1147 ## Domain allowed access.
1148 ## </summary>
1149 ## </param>
1150 #
1151 interface(`apache_search_sys_scripts',`
# Grants directory search through system content directories into the
# directories labeled httpd_sys_script_exec_t.
1152 gen_require(`
1153 type httpd_sys_content_t, httpd_sys_script_exec_t;
1154 ')
1155
# Search only: no rule here reads or executes the scripts themselves.
1156 search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
1157 ')
1158
1159 ########################################
1160 ## <summary>
1161 ## Create, read, write, and delete all user web content.
1162 ## </summary>
1163 ## <param name="domain">
1164 ## <summary>
1165 ## Domain allowed access.
1166 ## </summary>
1167 ## </param>
1168 ## <rolecap/>
1169 #
1170 interface(`apache_manage_all_user_content',`
# Grants manage access (directories, files, symlinks) over two attribute
# sets: all user web content types and all user script executable types.
1171 gen_require(`
1172 attribute httpd_user_content_type, httpd_user_script_exec_type;
1173 ')
1174
# Static user content.
1175 manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
1176 manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
1177 manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
1178
# Script executables: the caller can create and replace scripts, not only
# static pages.
# NOTE(review): presumably these files are entry points into a script domain,
# so this is effectively control over code that runs there - confirm, and
# grant this interface sparingly.
1179 manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
1180 manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
1181 manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
1182 ')
1183
1184 ########################################
1185 ## <summary>
1186 ## Search system script state directory.
1187 ## </summary>
1188 ## <param name="domain">
1189 ## <summary>
1190 ## Domain allowed access.
1191 ## </summary>
1192 ## </param>
1193 #
1194 interface(`apache_search_sys_script_state',`
# Grants directory search on objects labeled with the httpd_sys_script_t
# domain type.
1195 gen_require(`
1196 type httpd_sys_script_t;
1197 ')
1198
# NOTE(review): the target is a domain type used with the dir class;
# presumably this covers the per-process directories under /proc - confirm.
1199 allow $1 httpd_sys_script_t:dir search_dir_perms;
1200 ')
1201
1202 ########################################
1203 ## <summary>
1204 ## Allow the specified domain to read
1205 ## apache tmp files.
1206 ## </summary>
1207 ## <param name="domain">
1208 ## <summary>
1209 ## Domain allowed access.
1210 ## </summary>
1211 ## </param>
1212 #
1213 interface(`apache_read_tmp_files',`
# Grants read access to apache temporary files labeled httpd_tmp_t.
1214 gen_require(`
1215 type httpd_tmp_t;
1216 ')
1217
# Search of the generic tmp directory is granted first so the files can be
# reached, then read access to the httpd_tmp_t files themselves.
1218 files_search_tmp($1)
1219 read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
1220 ')
1221
1222 ######################################
1223 ## <summary>
1224 ## Dontaudit attempts to read and write
1225 ## apache tmp files.
1226 ## </summary>
1227 ## <param name="domain">
1228 ## <summary>
1229 ## Domain to not audit.
1230 ## </summary>
1231 ## </param>
1232 #
1233 interface(`apache_dontaudit_rw_tmp_files',`
# Suppresses audit records for denied read and write attempts on
# httpd_tmp_t files. Nothing is granted.
1234 gen_require(`
1235 type httpd_tmp_t;
1236 ')
1237
# A dontaudit rule hides the denial from the audit log; the access is still
# refused. When investigating a domain that uses this interface, these
# denials stay invisible until dontaudit rules are disabled (for example
# with semodule -DB).
1238 dontaudit $1 httpd_tmp_t:file { read write };
1239 ')
1240
1241 ########################################
1242 ## <summary>
1243 ## Dontaudit attempts to write
1244 ## apache tmp files.
1245 ## </summary>
1246 ## <param name="domain">
1247 ## <summary>
1248 ## Domain to not audit.
1249 ## </summary>
1250 ## </param>
1251 #
1252 interface(`apache_dontaudit_write_tmp_files',`
# Suppresses audit records for denied write attempts on httpd_tmp_t files.
# Nothing is granted.
1253 gen_require(`
1254 type httpd_tmp_t;
1255 ')
1256
# The write is still refused; only the audit record is dropped, so the
# attempt will not show up in the audit log while dontaudit rules are active.
1257 dontaudit $1 httpd_tmp_t:file write;
1258 ')
1259
1260 ########################################
1261 ## <summary>
1262 ## Execute CGI in the specified domain.
1263 ## </summary>
1264 ## <desc>
1265 ## <p>
1266 ## Execute CGI in the specified domain.
1267 ## </p>
1268 ## <p>
1269 ## This is an interface to support third party modules
1270 ## and its use is not allowed in upstream reference
1271 ## policy.
1272 ## </p>
1273 ## </desc>
1274 ## <param name="domain">
1275 ## <summary>
1276 ## Domain to run the CGI script in.
1277 ## </summary>
1278 ## </param>
1279 ## <param name="entrypoint">
1280 ## <summary>
1281 ## Type of the executable to enter the cgi domain.
1282 ## </summary>
1283 ## </param>
1284 #
1285 interface(`apache_cgi_domain',`
# Wires a caller-supplied domain into apache as a CGI domain: the first
# argument is the domain to run in, the second is the entry point file type.
# NOTE(review): httpd_sys_script_exec_t is required below but is not
# referenced directly in this body.
1286 gen_require(`
1287 type httpd_t, httpd_sys_script_exec_t;
1288 ')
1289
# httpd_t transitions into the given domain when it executes a file of the
# given entry point type. Both are chosen by the calling module, so how well
# the resulting CGI domain is confined depends entirely on that module.
1290 domtrans_pattern(httpd_t, $2, $1)
# The new domain may search the system script directories.
1291 apache_search_sys_scripts($1)
1292
# The web server may send signal to processes in the CGI domain.
1293 allow httpd_t $1:process signal;
1294 ')
1295
1296 ########################################
1297 ## <summary>
1298 ## All of the rules required to administrate an apache environment
1299 ## </summary>
1300 ## <param name="prefix">
1301 ## <summary>
1302 ## Prefix of the domain. For example, user would be
1303 ## the prefix for the user_t domain.
1304 ## </summary>
1305 ## </param>
1306 ## <param name="domain">
1307 ## <summary>
1308 ## Domain allowed access.
1309 ## </summary>
1310 ## </param>
1311 ## <param name="role">
1312 ## <summary>
1313 ## Role allowed access.
1314 ## </summary>
1315 ## </param>
1316 ## <rolecap/>
1317 #
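interface(`apache_admin',`
	# Grants an administrative domain and role the rules needed to manage an
	# apache installation: process control, init script use, and management
	# of configuration, logs, modules, lock, pid, content and tmp files.
	#
	# NOTE(review): the header documents three parameters (prefix, domain,
	# role), but the active rules below use the first argument as a domain
	# and the second as a role. The third argument appears only inside the
	# TODO block at the end. Confirm the intended signature with callers.
	gen_require(`
		attribute httpdcontent;
		attribute httpd_script_exec_type;

		type httpd_t, httpd_config_t, httpd_log_t;
		type httpd_modules_t, httpd_lock_t;
		type httpd_var_run_t, httpd_php_tmp_t;
		type httpd_suexec_tmp_t, httpd_tmp_t;
		type httpd_initrc_exec_t, httpd_bool_t;
	')

	# NOTE(review): ptrace on httpd_t lets the admin domain read and alter
	# the memory of the running server, which can include key material and
	# request data. Confirm this is intended for every caller; signal and
	# getattr alone are enough to stop, reload and inspect the service.
	allow $1 httpd_t:process { getattr ptrace signal_perms };
	ps_process_pattern($1, httpd_t)

	# Start and stop the service through its labeled init script, and let
	# the role change into system_r while doing so.
	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 httpd_initrc_exec_t system_r;
	allow $2 system_r;

	apache_manage_all_content($1)
	miscfiles_manage_public_files($1)

	files_search_etc($1)
	admin_pattern($1, httpd_config_t)

	logging_search_logs($1)
	admin_pattern($1, httpd_log_t)

	admin_pattern($1, httpd_modules_t)

	admin_pattern($1, httpd_lock_t)
	files_lock_filetrans($1, httpd_lock_t, file)

	admin_pattern($1, httpd_var_run_t)
	files_pid_filetrans($1, httpd_var_run_t, file)

	# Process state of httpd_t. The original repeated the ps_process_pattern
	# call from the top of the body here; the duplicate is dropped because
	# it added no rules.
	kernel_search_proc($1)
	allow $1 httpd_t:dir list_dir_perms;
	read_lnk_files_pattern($1, httpd_t, httpd_t)

	# Full administration of all web content and of all script executables.
	admin_pattern($1, httpdcontent)
	admin_pattern($1, httpd_script_exec_type)

	# Lets the admin domain transition to setfiles.
	seutil_domtrans_setfiles($1)

	admin_pattern($1, httpd_tmp_t)
	admin_pattern($1, httpd_php_tmp_t)
	admin_pattern($1, httpd_suexec_tmp_t)

	# Compiled only when TODO is defined.
	# NOTE(review): this block uses a third argument and httpd_setsebool_t,
	# which is not listed in gen_require above; it would need both resolved
	# before being enabled.
	ifdef(`TODO',`
		apache_set_booleans($1, $2, $3, httpd_bool_t )
		seutil_setsebool_role_template($1, $3, $2)
		allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
		allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
	')
')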
1376
1377 ########################################
1378 ## <summary>
1379 ## Do not audit attempts to read and write leaked file descriptors.
1380 ## </summary>
1381 ## <param name="domain">
1382 ## <summary>
1383 ## Domain to not audit.
1384 ## </summary>
1385 ## </param>
1386 #
1387 interface(`apache_dontaudit_leaks',`
# Suppresses audit records when the given domain is denied read or write on
# fifo files and sockets labeled httpd_t. Nothing is granted.
1388 gen_require(`
1389 type httpd_t;
1390 ')
1391
# The accesses stay denied; only the audit records are dropped. A process
# that inherited descriptors from the web server will therefore fail
# silently from the point of view of the audit log.
# NOTE(review): rw_inherited_fifo_file_perms is defined outside this file;
# presumably it covers use of an already open fifo without open - confirm.
1392 dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
1393 dontaudit $1 httpd_t:tcp_socket { read write };
1394 dontaudit $1 httpd_t:unix_dgram_socket { read write };
1395 dontaudit $1 httpd_t:unix_stream_socket { read write };
1396 ')