1 policy_module(apache, 2.2.1)
# Type enforcement rules for the Apache httpd daemon (httpd_t) and the helper,
# PHP, suexec and CGI script domains declared below.
2
3 #
4 # NOTES:
5 # This policy will work with SUEXEC enabled as part of the Apache
6 # configuration. However, the user CGI scripts will run under the
7 # system_u:system_r:httpd_user_script_t.
8 #
9 # The user CGI scripts must be labeled with the httpd_user_script_exec_t
10 # type, and the directory containing the scripts should also be labeled
11 # with these types. This policy allows the user role to perform that
12 # relabeling. If it is desired that only the admin role should be able to relabel
13 # the user CGI scripts, then the relabel rule for user roles should be removed.
14 #
15
16 ########################################
17 #
18 # Declarations
19 #
20
21 selinux_genbool(httpd_bool_t)
22
# Tunables: every boolean below defaults to off. The ones that widen the
# daemon's reach the most are marked with a note in front of their description.
23 ## <desc>
24 ## <p>
25 ## Allow Apache to modify public files
26 ## used for public file transfer services. Directories/Files must
27 ## be labeled public_content_rw_t.
28 ## </p>
29 ## </desc>
30 gen_tunable(allow_httpd_anon_write, false)
31
32 ## <desc>
33 ## <p>
34 ## Allow Apache to use mod_auth_pam
35 ## </p>
36 ## </desc>
37 gen_tunable(allow_httpd_mod_auth_pam, false)
38
39 ## <desc>
40 ## <p>
41 ## Allow Apache to use mod_auth_ntlm_winbind
42 ## </p>
43 ## </desc>
44 gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
45
# NOTE: lifts the executable-memory restriction for httpd_t, httpd_sys_script_t
# and httpd_suexec_t at once (see the httpd_execmem rules further down).
46 ## <desc>
47 ## <p>
48 ## Allow httpd scripts and modules execmem/execstack
49 ## </p>
50 ## </desc>
51 gen_tunable(httpd_execmem, false)
52
53 ## <desc>
54 ## <p>
55 ## Allow httpd daemon to change system limits
56 ## </p>
57 ## </desc>
58 gen_tunable(httpd_setrlimit, false)
59
60 ## <desc>
61 ## <p>
62 ## Allow httpd to use built in scripting (usually php)
63 ## </p>
64 ## </desc>
65 gen_tunable(httpd_builtin_scripting, false)
66
# NOTE: broadest egress boolean -- TCP connect to every port. The narrower
# _db, _memcache, _relay and _cobbler booleans below should be preferred
# whenever they cover the need.
67 ## <desc>
68 ## <p>
69 ## Allow HTTPD scripts and modules to connect to the network using any TCP port.
70 ## </p>
71 ## </desc>
72 gen_tunable(httpd_can_network_connect, false)
73
74 ## <desc>
75 ## <p>
76 ## Allow HTTPD scripts and modules to connect to cobbler over the network.
77 ## </p>
78 ## </desc>
79 gen_tunable(httpd_can_network_connect_cobbler, false)
80
81 ## <desc>
82 ## <p>
83 ## Allow HTTPD scripts and modules to connect to databases over the network.
84 ## </p>
85 ## </desc>
86 gen_tunable(httpd_can_network_connect_db, false)
87
88 ## <desc>
89 ## <p>
90 ## Allow httpd to connect to memcache server
91 ## </p>
92 ## </desc>
93 gen_tunable(httpd_can_network_memcache, false)
94
95 ## <desc>
96 ## <p>
97 ## Allow httpd to act as a relay
98 ## </p>
99 ## </desc>
100 gen_tunable(httpd_can_network_relay, false)
101
102 ## <desc>
103 ## <p>
104 ## Allow http daemon to send mail
105 ## </p>
106 ## </desc>
107 gen_tunable(httpd_can_sendmail, false)
108
109 ## <desc>
110 ## <p>
111 ## Allow http daemon to check spam
112 ## </p>
113 ## </desc>
114 gen_tunable(httpd_can_check_spam, false)
115
116 ## <desc>
117 ## <p>
118 ## Allow Apache to communicate with avahi service via dbus
119 ## </p>
120 ## </desc>
121 gen_tunable(httpd_dbus_avahi, false)
122
123 ## <desc>
124 ## <p>
125 ## Allow httpd to execute cgi scripts
126 ## </p>
127 ## </desc>
128 gen_tunable(httpd_enable_cgi, false)
129
130 ## <desc>
131 ## <p>
132 ## Allow httpd to act as a FTP server by
133 ## listening on the ftp port.
134 ## </p>
135 ## </desc>
136 gen_tunable(httpd_enable_ftp_server, false)
137
138 ## <desc>
139 ## <p>
140 ## Allow httpd to act as a FTP client
141 ## connecting to the ftp port and ephemeral ports
142 ## </p>
143 ## </desc>
144 gen_tunable(httpd_can_connect_ftp, false)
145
146 ## <desc>
147 ## <p>
148 ## Allow httpd to read home directories
149 ## </p>
150 ## </desc>
151 gen_tunable(httpd_enable_homedirs, false)
152
153 ## <desc>
154 ## <p>
155 ## Allow httpd to read user content
156 ## </p>
157 ## </desc>
158 gen_tunable(httpd_read_user_content, false)
159
160 ## <desc>
161 ## <p>
162 ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
163 ## </p>
164 ## </desc>
165 gen_tunable(httpd_ssi_exec, false)
166
# NOTE: lets code be executed out of httpd_tmp_t (see the httpd_tmp_exec
# rules further down); uploads that land in /tmp become runnable.
167 ## <desc>
168 ## <p>
169 ## Allow Apache to execute tmp content.
170 ## </p>
171 ## </desc>
172 gen_tunable(httpd_tmp_exec, false)
173
174 ## <desc>
175 ## <p>
176 ## Allow HTTPD to communicate with the terminal.
177 ## Needed for entering the passphrase for certificates at
178 ## the terminal.
179 ## </p>
180 ## </desc>
181 gen_tunable(httpd_tty_comm, false)
182
# NOTE: collapses the read-only / read-write / executable split between the
# httpdcontent types (see the httpd_unified rules further down).
183 ## <desc>
184 ## <p>
185 ## Unify HTTPD handling of all content files.
186 ## </p>
187 ## </desc>
188 gen_tunable(httpd_unified, false)
189
190 ## <desc>
191 ## <p>
192 ## Allow httpd to access cifs file systems
193 ## </p>
194 ## </desc>
195 gen_tunable(httpd_use_cifs, false)
196
197 ## <desc>
198 ## <p>
199 ## Allow httpd to run gpg in gpg-web domain
200 ## </p>
201 ## </desc>
202 gen_tunable(httpd_use_gpg, false)
203
204 ## <desc>
205 ## <p>
206 ## Allow httpd to access nfs file systems
207 ## </p>
208 ## </desc>
209 gen_tunable(httpd_use_nfs, false)
210
211 ## <desc>
212 ## <p>
213 ## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t.
214 ## </p>
215 ## </desc>
216 gen_tunable(allow_httpd_sys_script_anon_write, false)
217
# httpdcontent collects every web content type, system and user alike (see
# the typeattribute lines below); the httpd_unified rules act on the whole set.
218 attribute httpdcontent;
219 attribute httpd_user_content_type;
220 attribute httpd_content_type;
221
222 # domains that can exec all users scripts
223 attribute httpd_exec_scripts;
224
225 attribute httpd_script_type;
226 attribute httpd_script_exec_type;
227 attribute httpd_user_script_exec_type;
228
229 # user script domains
230 attribute httpd_script_domains;
231
# The daemon domain itself.
232 type httpd_t;
233 type httpd_exec_t;
234 init_daemon_domain(httpd_t, httpd_exec_t)
235 role system_r types httpd_t;
236
237 # httpd_cache_t is the type given to the /var/cache/httpd
238 # directory and the files under that directory
239 type httpd_cache_t;
240 files_type(httpd_cache_t)
241
242 # httpd_config_t is the type given to the configuration files
243 type httpd_config_t;
244 files_config_file(httpd_config_t)
245
# Helper domain entered from httpd_t (see "Apache helper local policy").
246 type httpd_helper_t;
247 type httpd_helper_exec_t;
248 domain_type(httpd_helper_t)
249 domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
250 role system_r types httpd_helper_t;
251
252 type httpd_initrc_exec_t;
253 init_script_file(httpd_initrc_exec_t)
254
255 type httpd_unit_file_t;
256 systemd_unit_file(httpd_unit_file_t)
257
258 type httpd_lock_t;
259 files_lock_file(httpd_lock_t)
260
261 type httpd_log_t;
262 logging_log_file(httpd_log_t)
263
264 # httpd_modules_t is the type given to module files (libraries)
265 # that come with Apache /etc/httpd/modules and /usr/lib/apache
266 type httpd_modules_t;
267 files_type(httpd_modules_t)
268
# Separate domain for PHP run as an external program (see "Apache PHP script
# local policy"); built-in scripting stays in httpd_t.
269 type httpd_php_t;
270 type httpd_php_exec_t;
271 domain_type(httpd_php_t)
272 domain_entry_file(httpd_php_t, httpd_php_exec_t)
273 role system_r types httpd_php_t;
274
275 type httpd_php_tmp_t;
276 files_tmp_file(httpd_php_tmp_t)
277
278 type httpd_rotatelogs_t;
279 type httpd_rotatelogs_exec_t;
280 init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
281
282 type httpd_squirrelmail_t;
283 files_type(httpd_squirrelmail_t)
284
285 # SUEXEC runs user scripts as their own user ID
286 type httpd_suexec_t; # (stale ", daemon" remnant removed from the comment; it had no effect)
287 type httpd_suexec_exec_t;
288 domain_type(httpd_suexec_t)
289 domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
290 role system_r types httpd_suexec_t;
291
292 type httpd_suexec_tmp_t;
293 files_tmp_file(httpd_suexec_tmp_t)
294
295 # setup the system domain for system CGI scripts
# The template instantiates the httpd_sys_*_t content, script and exec types
# that the rules below refer to.
296 apache_content_template(sys)
297
298 optional_policy(`
299 postgresql_unpriv_client(httpd_sys_script_t)
300 ')
301
302 typeattribute httpd_sys_content_t httpdcontent; # customizable
303 typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
304 typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
305
306 # Removal of fastcgi, will cause problems without the following
307 typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
308 typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
309 typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
310 typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
311 typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
312
313 type httpd_tmp_t;
314 files_tmp_file(httpd_tmp_t)
315
316 type httpd_tmpfs_t;
317 files_tmpfs_file(httpd_tmpfs_t)
318
# Per-user content and script domain; the user content types are also
# members of httpdcontent, so httpd_unified rules reach home-directory content.
319 apache_content_template(user)
320 ubac_constrained(httpd_user_script_t)
321 typeattribute httpd_user_content_t httpdcontent;
322 typeattribute httpd_user_rw_content_t httpdcontent;
323 typeattribute httpd_user_ra_content_t httpdcontent;
324
325 userdom_user_home_content(httpd_user_content_t)
326 userdom_user_home_content(httpd_user_htaccess_t)
327 userdom_user_home_content(httpd_user_script_exec_t)
328 userdom_user_home_content(httpd_user_ra_content_t)
329 userdom_user_home_content(httpd_user_rw_content_t)
330 typeattribute httpd_user_script_t httpd_script_domains;
# Legacy per-role names (staff, sysadm, auditadm, secadm, unconfined) are kept
# as aliases of the single set of user content/script types.
331 typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
332 typealias httpd_user_content_t alias httpd_unconfined_content_t;
333 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
334 typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
335 typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
336 typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
337 typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
338 typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
339 typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
340 typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
341 typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
342 typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
343 typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
344 typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
345 typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
346
347 # for apache2 memory mapped files
348 type httpd_var_lib_t;
349 files_type(httpd_var_lib_t)
350
351 type httpd_var_run_t;
352 files_pid_file(httpd_var_run_t)
353
354 # Removal of fastcgi, will cause problems without the following
355 typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
356
357 # File Type of squirrelmail attachments
358 type squirrelmail_spool_t;
359 files_tmp_file(squirrelmail_spool_t)
360 files_spool_file(squirrelmail_spool_t)
361
362 optional_policy(`
363 prelink_object_file(httpd_modules_t)
364 ')
365
366 type httpd_passwd_t;
367 type httpd_passwd_exec_t;
368 application_domain(httpd_passwd_t, httpd_passwd_exec_t)
369 role system_r types httpd_passwd_t;
370
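371 ########################################
372 #
373 # Apache server local policy
374 #
375

# dac_override together with chown lets the daemon bypass DAC permission
# checks on any file type it can otherwise reach; keep this set minimal,
# since every module loaded into the server shares httpd_t.
376 allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
# sys_tty_config is allowed just above, so dontauditing it was a no-op;
# only net_admin needs its denials silenced.
377 dontaudit httpd_t self:capability net_admin;
# Complement set: every process permission except those listed. execmem and
# execstack (httpd_execmem) and setrlimit (httpd_setrlimit) are re-granted
# by tunables below; ptrace, setcurrent, setexec, setfscreate and execheap
# are not re-granted anywhere in this section.
378 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
379 allow httpd_t self:fd use;
380 allow httpd_t self:sock_file read_sock_file_perms;
381 allow httpd_t self:fifo_file rw_fifo_file_perms;
382 allow httpd_t self:shm create_shm_perms;
383 allow httpd_t self:sem create_sem_perms;
384 allow httpd_t self:msgq create_msgq_perms;
385 allow httpd_t self:msg { send receive };
386 allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
387 allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
388 allow httpd_t self:tcp_socket create_stream_socket_perms;
389 allow httpd_t self:udp_socket create_socket_perms;
390 dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
391
392 # Allow httpd_t to put files in /var/cache/httpd etc
393 manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
394 manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
395 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
396 files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
397
398 # Allow the httpd_t to read the web servers config files
399 allow httpd_t httpd_config_t:dir list_dir_perms;
400 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
401 read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
402
403 can_exec(httpd_t, httpd_exec_t)
404
405 allow httpd_t httpd_lock_t:file manage_file_perms;
406 files_lock_filetrans(httpd_t, httpd_lock_t, file)
407
# Logs are created, appended and read only -- no manage_* pattern -- so the
# daemon cannot truncate or rewrite its own log files.
408 allow httpd_t httpd_log_t:dir setattr;
409 create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
410 append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
411 read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
412 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
413 # cjp: need to refine create interfaces to
414 # cut this back to add_name only
415 logging_log_filetrans(httpd_t, httpd_log_t, file)
416
# Modules are read/mmap only; nothing in this section lets httpd_t write them.
417 allow httpd_t httpd_modules_t:dir list_dir_perms;
418 mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
419 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
420 read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
421
422 apache_domtrans_rotatelogs(httpd_t)
423 # Apache-httpd needs to be able to send signals to the log rotate procs.
424 allow httpd_t httpd_rotatelogs_t:process signal_perms;
425
426 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
427 manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
428 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
429
430 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
431
# httpd_sys_content_t is read-only for the daemon here; write and exec on it
# only appear under the httpd_unified tunables further down.
432 allow httpd_t httpd_sys_content_t:dir list_dir_perms;
433 read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
434 read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
435
436 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
437
438 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
439 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
440 manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
441 manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
442 files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
443
444 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
445 manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
446 manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
447 manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
448 manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
449 fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
450
451 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
452 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
453
454 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
455 manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
456 manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
457 manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
458 files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
459
460 manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
461 manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
462 manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
463
464 kernel_read_kernel_sysctls(httpd_t)
465 # for modules that want to access /proc/meminfo
466 kernel_read_system_state(httpd_t)
# (the duplicate kernel_read_network_state call that followed has been dropped)
467 kernel_read_network_state(httpd_t)
469 kernel_search_network_sysctl(httpd_t)
470
# Listening side: bind to the http/http_cache/ntop/jboss/puppet ports; no
# unconditional connect rule is granted here, outbound access is all behind
# tunables further down.
471 corenet_all_recvfrom_unlabeled(httpd_t)
472 corenet_all_recvfrom_netlabel(httpd_t)
473 corenet_tcp_sendrecv_generic_if(httpd_t)
474 corenet_udp_sendrecv_generic_if(httpd_t)
475 corenet_tcp_sendrecv_generic_node(httpd_t)
476 corenet_udp_sendrecv_generic_node(httpd_t)
477 corenet_tcp_sendrecv_all_ports(httpd_t)
478 corenet_udp_sendrecv_all_ports(httpd_t)
479 corenet_tcp_bind_generic_node(httpd_t)
480 corenet_udp_bind_generic_node(httpd_t)
481 corenet_tcp_bind_http_port(httpd_t)
482 corenet_tcp_bind_http_cache_port(httpd_t)
483 corenet_tcp_bind_ntop_port(httpd_t)
484 corenet_tcp_bind_jboss_management_port(httpd_t)
485 corenet_sendrecv_http_server_packets(httpd_t)
486 corenet_tcp_bind_puppet_port(httpd_t)
487 # Signal self for shutdown -- kept disabled; the http port connect is
# granted under httpd_can_network_relay further down when it is needed.
488 #corenet_tcp_connect_http_port(httpd_t)
489
490 dev_read_sysfs(httpd_t)
491 dev_read_rand(httpd_t)
492 dev_read_urand(httpd_t)
493 dev_rw_crypto(httpd_t)
494
495 fs_getattr_all_fs(httpd_t)
496 fs_search_auto_mountpoints(httpd_t)
497 fs_read_iso9660_files(httpd_t)
498 fs_read_anon_inodefs_files(httpd_t)
499
500 auth_use_nsswitch(httpd_t)
501
# NOTE(review): broad -- the daemon may execute every application_exec_type.
# Together with httpd_tmp_exec below this is the main code-execution surface
# of httpd_t; worth confirming it is still needed by the modules in use.
502 application_exec_all(httpd_t)
503
504 domain_use_interactive_fds(httpd_t)
505
506 files_dontaudit_getattr_all_pids(httpd_t)
507 files_read_usr_files(httpd_t)
508 files_list_mnt(httpd_t)
509 files_search_spool(httpd_t)
510 files_read_var_symlinks(httpd_t)
511 files_read_var_lib_files(httpd_t)
512 files_search_home(httpd_t)
513 files_getattr_home_dir(httpd_t)
514 # for modules that want to access /etc/mtab
515 files_read_etc_runtime_files(httpd_t)
516 # Allow httpd_t to have access to files such as nisswitch.conf
517 files_read_etc_files(httpd_t)
518 # for tomcat
519 files_read_var_lib_symlinks(httpd_t)
520
521 fs_search_auto_mountpoints(httpd_sys_script_t)
522 # php uploads a file to /tmp and then execs programs to act on them
523 manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
524 manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
525 manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
526 manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
527 manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
# NOTE(review): new objects the script domain creates in /tmp are labeled
# httpd_sys_rw_content_t, not the httpd_tmp_t the manage_* rules above cover;
# confirm that is intended, since it turns /tmp output into web content.
528 files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
529
530 libs_read_lib_files(httpd_t)
531
532 ifdef(`hide_broken_symptoms',`
533 libs_exec_lib_files(httpd_t)
534 ')
535
536 logging_send_syslog_msg(httpd_t)
537
538 miscfiles_read_localization(httpd_t)
539 miscfiles_read_fonts(httpd_t)
540 miscfiles_read_public_files(httpd_t)
541 miscfiles_read_generic_certs(httpd_t)
542 miscfiles_read_tetex_data(httpd_t)
543
544 seutil_dontaudit_search_config(httpd_t)
545
546 userdom_use_unpriv_users_fds(httpd_t)
547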
548 tunable_policy(`httpd_setrlimit',`
549 allow httpd_t self:process setrlimit;
550 allow httpd_t self:capability sys_resource;
551 ')
552
553 tunable_policy(`allow_httpd_anon_write',`
554 miscfiles_manage_public_files(httpd_t)
555 ')
556
557 #
558 # We need optionals to be able to be within booleans to make this work
559 #
560 tunable_policy(`allow_httpd_mod_auth_pam',`
561 auth_domtrans_chkpwd(httpd_t)
562 logging_send_audit_msgs(httpd_t)
563 ')
564
565 optional_policy(`
566 tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
567 samba_domtrans_winbind_helper(httpd_t)
568 ')
569 ')
570
# Broadest egress boolean: every TCP port. The _db, _memcache and _relay
# blocks below are the narrower alternatives.
571 tunable_policy(`httpd_can_network_connect',`
572 corenet_tcp_connect_all_ports(httpd_t)
573 ')
574
# Firebird/MSSQL/Oracle only; the mysql and postgresql TCP rules live in
# their optional_policy blocks further down, gated by the same boolean.
575 tunable_policy(`httpd_can_network_connect_db',`
576 corenet_tcp_connect_firebird_port(httpd_t)
577 corenet_tcp_connect_mssql_port(httpd_t)
578 corenet_sendrecv_mssql_client_packets(httpd_t)
579 corenet_tcp_connect_oracle_port(httpd_t)
580 corenet_sendrecv_oracle_client_packets(httpd_t)
581 ')
582
583 tunable_policy(`httpd_can_network_memcache',`
584 corenet_tcp_connect_memcache_port(httpd_t)
585 ')
586
587 tunable_policy(`httpd_can_network_relay',`
588 # allow httpd to work as a relay
589 corenet_tcp_connect_gopher_port(httpd_t)
590 corenet_tcp_connect_ftp_port(httpd_t)
591 corenet_tcp_connect_http_port(httpd_t)
592 corenet_tcp_connect_http_cache_port(httpd_t)
593 corenet_tcp_connect_squid_port(httpd_t)
594 corenet_tcp_connect_memcache_port(httpd_t)
595 corenet_sendrecv_gopher_client_packets(httpd_t)
596 corenet_sendrecv_ftp_client_packets(httpd_t)
597 corenet_sendrecv_http_client_packets(httpd_t)
598 corenet_sendrecv_http_cache_client_packets(httpd_t)
599 corenet_sendrecv_squid_client_packets(httpd_t)
# Ephemeral-port connect makes the relay boolean reach well beyond the named
# proxy ports above.
600 corenet_tcp_connect_all_ephemeral_ports(httpd_t)
601 ')
602
# Security note: one boolean removes the executable-memory restriction for
# the daemon, the system script domain and suexec at once. httpd_php_t is
# not covered (its process rule in the PHP section keeps execmem excluded).
603 tunable_policy(`httpd_execmem',`
604 allow httpd_t self:process { execmem execstack };
605 allow httpd_sys_script_t self:process { execmem execstack };
606 allow httpd_suexec_t self:process { execmem execstack };
607 ')
608
# With httpd_unified, any file labeled httpd_sys_content_t becomes an
# entrypoint for, and executable by, httpd_sys_script_t: the read-only vs.
# executable distinction the content types otherwise provide is lost.
609 tunable_policy(`httpd_enable_cgi && httpd_unified',`
610 allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
611 filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
612 can_exec(httpd_sys_script_t, httpd_sys_content_t)
613 ')
614
615 tunable_policy(`allow_httpd_sys_script_anon_write',`
616 miscfiles_manage_public_files(httpd_sys_script_t)
617 ')
618
# Scripts stored on NFS/CIFS shares may be entered as httpd_sys_script_t;
# the share then decides what runs in that domain.
619 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
620 fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
621 ')
622
623 tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
624 fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
625 ')
626
# httpdcontent also includes the user content types (see the typeattribute
# lines in Declarations), so this makes home-directory web content
# writable by, and a transition source for, the daemon itself.
627 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
628 domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
629 filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
630 manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
631 manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
632 manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
633
634 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
635 manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
636 manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
637 ')
638
639 tunable_policy(`httpd_can_connect_ftp',`
640 corenet_tcp_connect_ftp_port(httpd_t)
641 corenet_tcp_connect_all_ephemeral_ports(httpd_t)
642 ')
643
644 tunable_policy(`httpd_enable_ftp_server',`
645 corenet_tcp_bind_ftp_port(httpd_t)
646 corenet_tcp_bind_all_ephemeral_ports(httpd_t)
647 ')
648
# Executing out of httpd_tmp_t: anything the daemon or a script can drop in
# /tmp (uploads included, see the php comment in the server section) becomes
# runnable in that domain.
649 tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
650 can_exec(httpd_t, httpd_tmp_t)
651 ')
652
653 tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
654 can_exec(httpd_sys_script_t, httpd_tmp_t)
655 ')
656
# Home directories on NFS/CIFS: read-only (list/read), as opposed to the
# httpd_use_nfs / httpd_use_cifs blocks which grant manage.
657 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
658 fs_list_auto_mountpoints(httpd_t)
659 fs_read_nfs_files(httpd_t)
660 fs_read_nfs_symlinks(httpd_t)
661 ')
662
663 tunable_policy(`httpd_use_nfs',`
664 fs_list_auto_mountpoints(httpd_t)
665 fs_manage_nfs_dirs(httpd_t)
666 fs_manage_nfs_files(httpd_t)
667 fs_manage_nfs_symlinks(httpd_t)
668 ')
669
670 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
671 fs_read_cifs_files(httpd_t)
672 fs_read_cifs_symlinks(httpd_t)
673 ')
674
675 tunable_policy(`httpd_can_sendmail',`
676 # allow httpd to connect to mail servers
677 corenet_tcp_connect_smtp_port(httpd_t)
678 corenet_sendrecv_smtp_client_packets(httpd_t)
679 corenet_tcp_connect_pop_port(httpd_t)
680 corenet_sendrecv_pop_client_packets(httpd_t)
681 mta_send_mail(httpd_t)
682 mta_signal_system_mail(httpd_t)
683 ')
684
685 tunable_policy(`httpd_use_cifs',`
686 fs_manage_cifs_dirs(httpd_t)
687 fs_manage_cifs_files(httpd_t)
688 fs_manage_cifs_symlinks(httpd_t)
689 ')
690
# SSI exec runs a shell in the system script domain, sharing the daemon's
# fds and pipes.
691 tunable_policy(`httpd_ssi_exec',`
692 corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
693 allow httpd_sys_script_t httpd_t:fd use;
694 allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
695 allow httpd_sys_script_t httpd_t:process sigchld;
696 ')
697
698 # When the admin starts the server, the server wants to access
699 # the TTY or PTY associated with the session. The httpd appears
700 # to run correctly without this permission, so when httpd_tty_comm
701 # is off the permissions are dontaudited here instead of allowed.
702 tunable_policy(`httpd_tty_comm',`
703 userdom_use_inherited_user_terminals(httpd_t)
704 userdom_use_inherited_user_terminals(httpd_suexec_t)
705 ',`
706 userdom_dontaudit_use_user_terminals(httpd_t)
707 userdom_dontaudit_use_user_terminals(httpd_suexec_t)
708 ')
709
# Integrations with other modules; each block only applies when that module
# is loaded.
710 optional_policy(`
711 # Support for ABRT retrace server
712 # mod_wsgi
713 abrt_manage_spool_retrace(httpd_t)
714 abrt_domtrans_retrace_worker(httpd_t)
715 abrt_read_config(httpd_t)
716 ')
717
718 optional_policy(`
719 calamaris_read_www_files(httpd_t)
720 ')
721
722 optional_policy(`
723 ccs_read_config(httpd_t)
724 ')
725
726 optional_policy(`
727 cobbler_list_config(httpd_t)
728 cobbler_read_config(httpd_t)
729 cobbler_read_lib_files(httpd_t)
730
731 tunable_policy(`httpd_can_network_connect_cobbler',`
732 corenet_tcp_connect_cobbler_port(httpd_t)
733 ')
734 ')
735
736 optional_policy(`
737 cron_system_entry(httpd_t, httpd_exec_t)
738 ')
739
740 optional_policy(`
741 cvs_read_data(httpd_t)
742 ')
743
744 optional_policy(`
745 daemontools_service_domain(httpd_t, httpd_exec_t)
746 ')
747
748 optional_policy(`
749 dirsrv_manage_config(httpd_t)
750 dirsrv_manage_log(httpd_t)
751 dirsrv_manage_var_run(httpd_t)
752 dirsrv_read_share(httpd_t)
753 dirsrv_signal(httpd_t)
754 dirsrv_signull(httpd_t)
755 dirsrvadmin_manage_config(httpd_t)
756 dirsrvadmin_manage_tmp(httpd_t)
# NOTE(review): going by its name this transition puts the web server into an
# unconfined script domain -- the widest step out of httpd_t in this file.
# Confirm the directory-server admin console still needs it.
757 dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
758 ')
759
760 optional_policy(`
761 dbus_system_bus_client(httpd_t)
762
763 tunable_policy(`httpd_dbus_avahi',`
764 avahi_dbus_chat(httpd_t)
765 ')
766 ')
767
768 optional_policy(`
769 git_read_generic_system_content_files(httpd_t)
770 gitosis_read_lib_files(httpd_t)
771 ')
772
773 optional_policy(`
774 tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
775 gpg_domtrans_web(httpd_t)
776 ')
777 ')
778
779 optional_policy(`
780 kerberos_keytab_template(httpd, httpd_t)
781 ')
782
783 optional_policy(`
784 mailman_signal_cgi(httpd_t)
785 mailman_domtrans_cgi(httpd_t)
786 mailman_read_data_files(httpd_t)
787 # should have separate types for public and private archives
788 mailman_search_data(httpd_t)
789 mailman_read_archive(httpd_t)
790 ')
791
792 optional_policy(`
793 mediawiki_read_tmp_files(httpd_t)
794 mediawiki_delete_tmp_files(httpd_t)
795 ')
796
# Local socket access to mysql is unconditional; TCP access stays behind
# httpd_can_network_connect_db.
797 optional_policy(`
798 # Allow httpd to work with mysql
799 mysql_read_config(httpd_t)
800 mysql_stream_connect(httpd_t)
801 mysql_rw_db_sockets(httpd_t)
802
803 tunable_policy(`httpd_can_network_connect_db',`
804 mysql_tcp_connect(httpd_t)
805 ')
806 ')
807
808 optional_policy(`
809 nagios_read_config(httpd_t)
810 nagios_read_log(httpd_t)
811 ')
812
813 optional_policy(`
814 openca_domtrans(httpd_t)
815 openca_signal(httpd_t)
816 openca_sigstop(httpd_t)
817 openca_kill(httpd_t)
818 ')
819
820 optional_policy(`
821 passenger_domtrans(httpd_t)
822 passenger_manage_pid_content(httpd_t)
823 passenger_read_lib_files(httpd_t)
824 ')
825
826 optional_policy(`
827 puppet_read_lib(httpd_t)
828 ')
829
830 optional_policy(`
831 rpc_search_nfs_state_data(httpd_t)
832 ')
833
# Same split as mysql: socket access always, TCP only with the db boolean.
834 optional_policy(`
835 # Allow httpd to work with postgresql
836 postgresql_stream_connect(httpd_t)
837 postgresql_unpriv_client(httpd_t)
838
839 tunable_policy(`httpd_can_network_connect_db',`
840 postgresql_tcp_connect(httpd_t)
841 ')
842 ')
843
844 optional_policy(`
845 seutil_sigchld_newrole(httpd_t)
846 ')
847
848 optional_policy(`
849 smokeping_read_lib_files(httpd_t)
850 ')
851
852 optional_policy(`
# NOTE(review): files_dontaudit_rw_usr_dirs is a generic rule, yet it only
# takes effect when the snmp module is present; probably belongs outside
# this optional block.
853 files_dontaudit_rw_usr_dirs(httpd_t)
854 snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
855 snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
856 ')
857
858 optional_policy(`
859 udev_read_db(httpd_t)
860 ')
861
862 optional_policy(`
863 yam_read_content(httpd_t)
864 ')
865
866 optional_policy(`
867 zarafa_manage_lib_files(httpd_t)
868 zarafa_stream_connect_server(httpd_t)
869 zarafa_search_config(httpd_t)
870 ')
871
872 ########################################
873 #
874 # Apache helper local policy
875 #
876
# The helper is entered from httpd_t and gets read access to the config and
# append access to the logs; nothing else is granted to it here.
877 domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
878
879 allow httpd_helper_t httpd_config_t:file read_file_perms;
880
881 allow httpd_helper_t httpd_log_t:file append_file_perms;
882
883 logging_send_syslog_msg(httpd_helper_t)
884
# NOTE(review): this unconditional grant makes the httpd_tty_comm block just
# below a no-op for the helper, and unlike the httpd_t handling in the
# tunables section there is no dontaudit branch for the boolean-off case.
# Confirm whether terminal access for the helper is meant to be gated by the
# boolean, as its description says, or always on.
885 userdom_use_inherited_user_terminals(httpd_helper_t)
886
887 tunable_policy(`httpd_tty_comm',`
888 userdom_use_inherited_user_terminals(httpd_helper_t)
889 ')
890
891 ########################################
892 #
893 # Apache PHP script local policy
894 #
895
# Same complement set as httpd_t, but execmem/execstack are never re-granted
# for this domain: the httpd_execmem tunable does not list httpd_php_t.
896 allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
897 allow httpd_php_t self:fd use;
898 allow httpd_php_t self:fifo_file rw_fifo_file_perms;
899 allow httpd_php_t self:sock_file read_sock_file_perms;
900 allow httpd_php_t self:unix_dgram_socket create_socket_perms;
901 allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
902 allow httpd_php_t self:unix_dgram_socket sendto;
903 allow httpd_php_t self:unix_stream_socket connectto;
904 allow httpd_php_t self:shm create_shm_perms;
905 allow httpd_php_t self:sem create_sem_perms;
906 allow httpd_php_t self:msgq create_msgq_perms;
907 allow httpd_php_t self:msg { send receive };
908
909 domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
910
911 # allow php to read and append to apache logfiles
912 allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
913
# PHP gets its own tmp type rather than sharing httpd_tmp_t with the daemon.
914 manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
915 manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
916 files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
917
918 fs_search_auto_mountpoints(httpd_php_t)
919
920 auth_use_nsswitch(httpd_php_t)
921
# NOTE(review): unconditional here, whereas the same grant for httpd_t is
# only made under ifdef(hide_broken_symptoms) in the server section.
922 libs_exec_lib_files(httpd_php_t)
923
924 userdom_use_unpriv_users_fds(httpd_php_t)
925
# NOTE(review): no self:tcp_socket rule is visible for httpd_php_t in this
# section, so these port rules only take effect if socket creation is
# granted elsewhere -- verify before relying on the boolean.
926 tunable_policy(`httpd_can_network_connect_db',`
927 corenet_tcp_connect_firebird_port(httpd_php_t)
928 corenet_tcp_connect_mssql_port(httpd_php_t)
929 corenet_sendrecv_mssql_client_packets(httpd_php_t)
930 corenet_tcp_connect_oracle_port(httpd_php_t)
931 corenet_sendrecv_oracle_client_packets(httpd_php_t)
932 ')
933
934 optional_policy(`
935 mysql_stream_connect(httpd_php_t)
936 mysql_rw_db_sockets(httpd_php_t)
937 mysql_read_config(httpd_php_t)
938
939 tunable_policy(`httpd_can_network_connect_db',`
940 mysql_tcp_connect(httpd_php_t)
941 ')
942 ')
943
944 optional_policy(`
945 postgresql_stream_connect(httpd_php_t)
946 postgresql_unpriv_client(httpd_php_t)
947
948 tunable_policy(`httpd_can_network_connect_db',`
949 postgresql_tcp_connect(httpd_php_t)
950 ')
951 ')
952
953 ########################################
954 #
955 # Apache suexec local policy
956 #
# httpd_suexec_t is the domain of the suexec helper that httpd_t spawns to
# run CGI scripts as the target user.  Because it changes uid/gid it carries
# setuid/setgid, so every other rule in this section should stay as narrow
# as the wrapper needs.
957
958 allow httpd_suexec_t self:capability { setuid setgid };
959 allow httpd_suexec_t self:process signal_perms;
960
961 allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
962 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
963
# Only httpd_t enters this domain, and only through httpd_suexec_exec_t.
964 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
965
# suexec keeps its own log under httpd_log_t (create/append/read, no unlink).
966 create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
967 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
968 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
969
970 allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
971
972 manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
973 manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
974 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
975
# System scripts are executed without a domain transition here; the
# transition into httpd_sys_script_t is only added under httpd_unified below.
976 can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
977
978 read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
979 read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
980 read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
981
982 kernel_read_kernel_sysctls(httpd_suexec_t)
983 kernel_list_proc(httpd_suexec_t)
984 kernel_read_proc_symlinks(httpd_suexec_t)
985
986 dev_read_urand(httpd_suexec_t)
987
988 fs_read_iso9660_files(httpd_suexec_t)
989 fs_search_auto_mountpoints(httpd_suexec_t)
990
# Broad: suexec may execute any application entry type, not just CGI labels.
991 application_exec_all(httpd_suexec_t)
992
993 files_read_etc_files(httpd_suexec_t)
994 files_read_usr_files(httpd_suexec_t)
995 files_dontaudit_search_pids(httpd_suexec_t)
996 files_search_home(httpd_suexec_t)
997
998 auth_use_nsswitch(httpd_suexec_t)
999
1000 logging_search_logs(httpd_suexec_t)
1001 logging_send_syslog_msg(httpd_suexec_t)
1002
1003 miscfiles_read_localization(httpd_suexec_t)
1004 miscfiles_read_public_files(httpd_suexec_t)
1005
# httpd_can_network_connect opens outbound TCP to every port (and UDP
# send/recv) for the wrapper itself, not only for the scripts it launches.
1006 tunable_policy(`httpd_can_network_connect',`
1007 allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
1008 allow httpd_suexec_t self:udp_socket create_socket_perms;
1009
1010 corenet_all_recvfrom_unlabeled(httpd_suexec_t)
1011 corenet_all_recvfrom_netlabel(httpd_suexec_t)
1012 corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
1013 corenet_udp_sendrecv_generic_if(httpd_suexec_t)
1014 corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
1015 corenet_udp_sendrecv_generic_node(httpd_suexec_t)
1016 corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
1017 corenet_udp_sendrecv_all_ports(httpd_suexec_t)
1018 corenet_tcp_connect_all_ports(httpd_suexec_t)
1019 corenet_sendrecv_all_client_packets(httpd_suexec_t)
1020 ')
1021
1022 tunable_policy(`httpd_can_network_connect_db',`
1023 corenet_tcp_connect_firebird_port(httpd_suexec_t)
1024 corenet_tcp_connect_mssql_port(httpd_suexec_t)
1025 corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
1026 corenet_tcp_connect_oracle_port(httpd_suexec_t)
1027 corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
1028 ')
1029
# NOTE(review): this makes plain httpd_sys_content_t files valid entry points
# for httpd_sys_script_t (in addition to httpd_sys_script_exec_t), and it is
# unconditional and placed in the suexec section rather than the system
# script section.  Confirm it is intended, since it widens which files can be
# executed as a system script.
1030 domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
1031
1032 tunable_policy(`httpd_can_sendmail',`
1033 mta_send_mail(httpd_suexec_t)
1034 ')
1035
# httpd_unified collapses the content type split: any httpdcontent file
# becomes an entry point and the system script domain gets full manage
# (create/write/unlink) on everything carrying the httpdcontent attribute,
# so the read-only vs rw content distinction no longer applies.
1036 tunable_policy(`httpd_enable_cgi && httpd_unified',`
1037 allow httpd_sys_script_t httpdcontent:file entrypoint;
1038 domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
1039 manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1040 manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1041 manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1042 manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1043 ')
1044
# Home directories on NFS/CIFS: read plus execute for the wrapper (needed to
# launch per-user CGI scripts that live on a network home).
1045 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
1046 fs_list_auto_mountpoints(httpd_suexec_t)
1047 fs_read_nfs_files(httpd_suexec_t)
1048 fs_read_nfs_symlinks(httpd_suexec_t)
1049 fs_exec_nfs_files(httpd_suexec_t)
1050 ')
1051
1052 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
1053 fs_read_cifs_files(httpd_suexec_t)
1054 fs_read_cifs_symlinks(httpd_suexec_t)
1055 fs_exec_cifs_files(httpd_suexec_t)
1056 ')
1057
1058 optional_policy(`
1059 mailman_domtrans_cgi(httpd_suexec_t)
1060 ')
1061
1062 optional_policy(`
1063 mta_stub(httpd_suexec_t)
1064
1065 # apache should set close-on-exec
1066 dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
1067 ')
1068
# Database clients: local socket access whenever the module is loaded,
# TCP only behind httpd_can_network_connect_db (same pattern as for PHP).
1069 optional_policy(`
1070 mysql_stream_connect(httpd_suexec_t)
1071 mysql_rw_db_sockets(httpd_suexec_t)
1072 mysql_read_config(httpd_suexec_t)
1073
1074 tunable_policy(`httpd_can_network_connect_db',`
1075 mysql_tcp_connect(httpd_suexec_t)
1076 ')
1077 ')
1078
1079 optional_policy(`
1080 postgresql_stream_connect(httpd_suexec_t)
1081 postgresql_unpriv_client(httpd_suexec_t)
1082
1083 tunable_policy(`httpd_can_network_connect_db',`
1084 postgresql_tcp_connect(httpd_suexec_t)
1085 ')
1086 ')
1087
1088 ########################################
1089 #
1090 # Apache system script local policy
1091 #
# httpd_sys_script_t is the domain for CGI scripts shipped with the system
# (as opposed to per-user scripts).  Rules shared with the other script
# domains are attached to the httpd_script_type attribute further below.
1092
1093 allow httpd_sys_script_t self:process getsched;
1094
# The script inherits the client connection from httpd_t: full rw on the
# unix stream socket and explicit read/write on the inherited tcp socket
# (other script types only get a dontaudit for the latter).
1095 allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
1096 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
1097
1098 dontaudit httpd_sys_script_t httpd_config_t:dir search;
1099
# SquirrelMail data and spool: read/append only, no create or unlink.
1100 allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
1101
1102 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
1103 read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
1104 read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
1105
1106 kernel_read_kernel_sysctls(httpd_sys_script_t)
1107
1108 files_read_var_symlinks(httpd_sys_script_t)
1109 files_search_var_lib(httpd_sys_script_t)
1110 files_search_spool(httpd_sys_script_t)
1111
1112 logging_inherit_append_all_logs(httpd_sys_script_t)
1113
1114 # Should we add a boolean?
1115 apache_domtrans_rotatelogs(httpd_sys_script_t)
1116
1117 auth_use_nsswitch(httpd_sys_script_t)
1118
1119 ifdef(`distro_redhat',`
1120 allow httpd_sys_script_t httpd_log_t:file append_file_perms;
1121 ')
1122
1123 tunable_policy(`httpd_can_sendmail',`
1124 mta_send_mail(httpd_sys_script_t)
1125 ')
1126
# NOTE(review): every other rule in this section names httpd_sys_script_t,
# but the spam check transition below is granted to httpd_t.  Confirm which
# domain is meant to invoke the spamassassin client.
1127 optional_policy(`
1128 tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
1129 spamassassin_domtrans_client(httpd_t)
1130 ')
1131 ')
1132
1133 tunable_policy(`httpd_can_network_connect_db',`
1134 corenet_tcp_connect_firebird_port(httpd_sys_script_t)
1135 corenet_tcp_connect_mssql_port(httpd_sys_script_t)
1136 corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
1137 corenet_tcp_connect_oracle_port(httpd_sys_script_t)
1138 corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
1139 ')
1140
# Files on CIFS/NFS mounts are accepted as entry points for this domain, so
# system scripts may live on network filesystems (these are unconditional;
# only the accompanying read/manage rules are gated by tunables below).
1141 fs_cifs_entry_type(httpd_sys_script_t)
1142 fs_read_iso9660_files(httpd_sys_script_t)
1143 fs_nfs_entry_type(httpd_sys_script_t)
1144
# httpd_use_nfs is the wide variant: manage (create/write/unlink) plus exec
# on NFS for both the script domain and suexec.  The homedir variant further
# down (httpd_enable_homedirs && use_nfs_home_dirs) is read-only; prefer it
# when scripts only need to read NFS-backed content.
1145 tunable_policy(`httpd_use_nfs',`
1146 fs_list_auto_mountpoints(httpd_sys_script_t)
1147 fs_manage_nfs_dirs(httpd_sys_script_t)
1148 fs_manage_nfs_files(httpd_sys_script_t)
1149 fs_manage_nfs_symlinks(httpd_sys_script_t)
1150 fs_exec_nfs_files(httpd_sys_script_t)
1151
1152 fs_list_auto_mountpoints(httpd_suexec_t)
1153 fs_manage_nfs_dirs(httpd_suexec_t)
1154 fs_manage_nfs_files(httpd_suexec_t)
1155 fs_manage_nfs_symlinks(httpd_suexec_t)
1156 fs_exec_nfs_files(httpd_suexec_t)
1157 ')
1158
# Unlike the suexec variant, scripts can also bind to generic nodes here,
# i.e. they may act as network servers as well as clients once this is on.
1159 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
1160 allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
1161 allow httpd_sys_script_t self:udp_socket create_socket_perms;
1162
1163 corenet_tcp_bind_generic_node(httpd_sys_script_t)
1164 corenet_udp_bind_generic_node(httpd_sys_script_t)
1165 corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
1166 corenet_all_recvfrom_netlabel(httpd_sys_script_t)
1167 corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
1168 corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
1169 corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
1170 corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
1171 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
1172 corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
1173 corenet_tcp_connect_all_ports(httpd_sys_script_t)
1174 corenet_sendrecv_all_client_packets(httpd_sys_script_t)
1175 ')
1176
1177 tunable_policy(`httpd_enable_homedirs',`
1178 userdom_search_user_home_dirs(httpd_sys_script_t)
1179 ')
1180
1181 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
1182 fs_list_auto_mountpoints(httpd_sys_script_t)
1183 fs_read_nfs_files(httpd_sys_script_t)
1184 fs_read_nfs_symlinks(httpd_sys_script_t)
1185 ')
1186
1187 tunable_policy(`httpd_read_user_content',`
1188 userdom_read_user_home_content_files(httpd_sys_script_t)
1189 ')
1190
# CIFS counterpart of httpd_use_nfs.  Note the asymmetry: exec on CIFS is
# granted to suexec only, whereas the NFS block above grants it to both
# domains -- presumably deliberate, but worth confirming.
1191 tunable_policy(`httpd_use_cifs',`
1192 fs_manage_cifs_dirs(httpd_sys_script_t)
1193 fs_manage_cifs_files(httpd_sys_script_t)
1194 fs_manage_cifs_symlinks(httpd_sys_script_t)
1195 fs_manage_cifs_dirs(httpd_suexec_t)
1196 fs_manage_cifs_files(httpd_suexec_t)
1197 fs_manage_cifs_symlinks(httpd_suexec_t)
1198 fs_exec_cifs_files(httpd_suexec_t)
1199 ')
1200
1201 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
1202 fs_read_cifs_files(httpd_sys_script_t)
1203 fs_read_cifs_symlinks(httpd_sys_script_t)
1204 ')
1205
1206 optional_policy(`
1207 clamav_domtrans_clamscan(httpd_sys_script_t)
1208 ')
1209
# Database clients: socket access when the module is loaded, TCP only
# behind httpd_can_network_connect_db (same pattern as PHP and suexec).
1210 optional_policy(`
1211 mysql_stream_connect(httpd_sys_script_t)
1212 mysql_rw_db_sockets(httpd_sys_script_t)
1213 mysql_read_config(httpd_sys_script_t)
1214
1215 tunable_policy(`httpd_can_network_connect_db',`
1216 mysql_tcp_connect(httpd_sys_script_t)
1217 ')
1218 ')
1219
1220 optional_policy(`
1221 postgresql_stream_connect(httpd_sys_script_t)
1222 postgresql_unpriv_client(httpd_sys_script_t)
1223
1224 tunable_policy(`httpd_can_network_connect_db',`
1225 postgresql_tcp_connect(httpd_sys_script_t)
1226 ')
1227 ')
1228
1229 ########################################
1230 #
1231 # httpd_rotatelogs local policy
1232 #
# Log rotation helper.  Its write access is confined to httpd_log_t; the
# dac_override capability lets it open log files regardless of their Unix
# mode/ownership, which is the only privileged capability it holds.
1233
1234 allow httpd_rotatelogs_t self:capability dac_override;
1235
1236 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
1237
1238 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
1239 kernel_dontaudit_list_proc(httpd_rotatelogs_t)
1240 kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
1241
1242 files_read_etc_files(httpd_rotatelogs_t)
1243
1244 logging_search_logs(httpd_rotatelogs_t)
1245
1246 miscfiles_read_localization(httpd_rotatelogs_t)
1247
1248 ########################################
1249 #
1250 # Unconfined script local policy
1251 #
# Escape hatch: a script labeled httpd_unconfined_script_exec_t is run by
# httpd_t in httpd_unconfined_script_t, which unconfined_domain() exempts
# from SELinux confinement entirely.  Only compiled in when the unconfined
# module is available.  Anything given this label is effectively trusted as
# much as an unconfined process, so the label should be applied sparingly
# and audited.
1252
1253 optional_policy(`
1254 type httpd_unconfined_script_t;
1255 type httpd_unconfined_script_exec_t;
1256 domain_type(httpd_unconfined_script_t)
1257 domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
1258 domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
1259 unconfined_domain(httpd_unconfined_script_t)
1260
# httpd_t may only signal the unconfined script, not otherwise control it.
1261 role system_r types httpd_unconfined_script_t;
1262 allow httpd_t httpd_unconfined_script_t:process signal_perms;
1263 ')
1264
1265 ########################################
1266 #
1267 # User content local policy
1268 #
# Per-user CGI (httpd_user_script_t) and the home directory access shared by
# httpd_t, suexec and the user script domain.
1269
# Under httpd_unified any httpdcontent file can be an entry point and the
# user script domain may create/modify/delete user content, including the
# normally append-only httpd_user_ra_content_t.
1270 tunable_policy(`httpd_enable_cgi && httpd_unified',`
1271 allow httpd_user_script_t httpdcontent:file entrypoint;
1272 manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
1273 manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
1274 manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
1275 manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
1276 ')
1277
1278 # allow accessing files/dirs below the users home dir
# httpd_enable_homedirs only grants directory search (path traversal);
# reading the files themselves additionally requires httpd_read_user_content.
1279 tunable_policy(`httpd_enable_homedirs',`
1280 userdom_search_user_home_content(httpd_t)
1281 userdom_search_user_home_content(httpd_suexec_t)
1282 userdom_search_user_home_content(httpd_user_script_t)
1283 ')
1284
1285 tunable_policy(`httpd_read_user_content',`
1286 userdom_read_user_home_content_files(httpd_t)
1287 userdom_read_user_home_content_files(httpd_suexec_t)
1288 userdom_read_user_home_content_files(httpd_user_script_t)
1289 ')
1290
1291 ########################################
1292 #
1293 # httpd_passwd local policy
1294 #
# Domain for the helper httpd_t runs to obtain passphrases (e.g. for TLS
# keys) interactively at startup.
1295
1296 allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
1297 allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
1298 allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
1299
# Needed to prompt on the admin's terminal that started the daemon.
1300 domain_use_interactive_fds(httpd_passwd_t)
1301
1302 files_read_etc_files(httpd_passwd_t)
1303
1304 miscfiles_read_localization(httpd_passwd_t)
1305
1306 corecmd_exec_bin(httpd_passwd_t)
1307
1308 kernel_read_system_state(httpd_passwd_t)
1309
1310 dev_read_urand(httpd_passwd_t)
1311
# Granted to httpd_t (not httpd_passwd_t): presumably so the daemon can set
# up the systemd password-agent runtime directory before it transitions into
# the helper -- confirm against the systemd module interface.
1312 systemd_manage_passwd_run(httpd_t)
1313 #systemd_passwd_agent_dev_template(httpd)
1314
1315 domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
# The helper has no business reading the server configuration; silence it.
1316 dontaudit httpd_passwd_t httpd_config_t:file read;
1317
1318
########################################
#
# Rules common to every script domain
#
# Everything below is granted via the httpd_script_type /
# httpd_script_exec_type attributes (presumably declared earlier in this
# module), so it applies to system, user and any other script domain alike.
# Keep this set minimal: a permission added here is inherited by all of them.
1319 search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
# Shell binaries are accepted as entry points, which is what lets
# "#!/bin/sh"-style CGI scripts enter a script domain.
1320 corecmd_shell_entry_type(httpd_script_type)
1321
# NOTE(review): uses rw_file_perms on a fifo_file, whereas the suexec section
# uses rw_fifo_file_perms for the same purpose; the permission sets match,
# so this is a consistency nit only.
1322 allow httpd_script_type self:fifo_file rw_file_perms;
1323 allow httpd_script_type self:unix_stream_socket connectto;
1324
1325 allow httpd_script_type httpd_t:fifo_file write;
1326 # apache should set close-on-exec
1327 apache_dontaudit_leaks(httpd_script_type)
1328
1329 append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
1330 logging_search_logs(httpd_script_type)
1331
1332 kernel_dontaudit_search_sysctl(httpd_script_type)
1333 kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
1334
1335 dev_read_rand(httpd_script_type)
1336 dev_read_urand(httpd_script_type)
1337
# Broad by design: CGI scripts may exec any system executable and any
# application entry type.  This is the main reason script domains should
# not be given write access to executable locations elsewhere.
1338 corecmd_exec_all_executables(httpd_script_type)
1339 application_exec_all(httpd_script_type)
1340
1341 files_exec_etc_files(httpd_script_type)
1342 files_read_etc_files(httpd_script_type)
1343 files_search_home(httpd_script_type)
1344
1345 libs_exec_ld_so(httpd_script_type)
1346 libs_exec_lib_files(httpd_script_type)
1347
1348 miscfiles_read_fonts(httpd_script_type)
1349 miscfiles_read_public_files(httpd_script_type)
1350
1351 seutil_dontaudit_search_config(httpd_script_type)
# What httpd_t itself may do to script domains and their executables:
# connect to their sockets, read/list the script files, and signal/kill.
1352 allow httpd_t httpd_script_type:unix_stream_socket connectto;
1353
1354 allow httpd_t httpd_script_exec_type:file read_file_perms;
1355 allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
1356 allow httpd_t httpd_script_type:process { signal sigkill sigstop };
1357 allow httpd_t httpd_script_exec_type:dir list_dir_perms;
1358
1359 allow httpd_script_type self:process { setsched signal_perms };
1360 allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
1361 allow httpd_script_type self:unix_dgram_socket create_socket_perms;
1362
1363 allow httpd_script_type httpd_t:fd use;
1364 allow httpd_script_type httpd_t:process sigchld;
1365
# Inherited client tcp socket: generic script domains only get a dontaudit
# here; httpd_sys_script_t carries an explicit allow in its own section.
1366 dontaudit httpd_script_type httpd_t:tcp_socket { read write };
1367
1368 kernel_read_system_state(httpd_script_type)
1369
# Duplicate of the dev_read_urand() call earlier in this section (harmless).
1370 dev_read_urand(httpd_script_type)
1371
1372 fs_getattr_xattr_fs(httpd_script_type)
1373
1374 files_read_etc_runtime_files(httpd_script_type)
1375 files_read_usr_files(httpd_script_type)
1376
1377 libs_read_lib_files(httpd_script_type)
1378
1379 miscfiles_read_localization(httpd_script_type)
1380 allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
1381
1382 tunable_policy(`httpd_enable_cgi && allow_ypbind',`
1383 nis_use_ypbind_uncond(httpd_script_type)
1384 ')
1385
1386 optional_policy(`
1387 nscd_socket_use(httpd_script_type)
1388 ')
1389
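# httpd_t may read every file carrying the httpd_content_type attribute
# regardless of tunables.
1390 read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
1391
# httpd_builtin_scripting: in-process interpreters (usually PHP) run inside
# httpd_t itself, so the daemon additionally needs to list content
# directories and follow symlinks under them, and suexec needs to search
# them.  The file read is already unconditional above, so this block only
# widens dir/lnk_file access.
#
# Cleaned up: the previous version repeated the three httpd_t rules twice
# and also carried an httpd_t dir search_dir_perms rule that list_dir_perms
# already subsumes.  The granted permission set is unchanged.
1392 tunable_policy(`httpd_builtin_scripting',`
1394 allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
1395
1396 allow httpd_t httpd_content_type:dir list_dir_perms;
1397 read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
1398 read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
1403 ')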