1 policy_module(apache, 2.2.1)
5 # This policy will work with SUEXEC enabled as part of the Apache
6 # configuration. However, the user CGI scripts will run under the
7 # system_u:system_r:httpd_user_script_t.
9 # The user CGI scripts must be labeled with the httpd_user_script_exec_t
10 # type, and the directory containing the scripts should also be labeled
11 # with these types. This policy allows the user role to perform that
12 # relabeling. If it is desired that only admin role should be able to relabel
13 # the user CGI scripts, then relabel rule for user roles should be removed.
16 ########################################
21 selinux_genbool(httpd_bool_t)
25 ## Allow Apache to modify public files
26 ## used for public file transfer services. Directories/Files must
27 ## be labeled public_content_rw_t.
30 gen_tunable(allow_httpd_anon_write, false)
34 ## Allow Apache to use mod_auth_pam
37 gen_tunable(allow_httpd_mod_auth_pam, false)
41 ## Allow Apache to use mod_auth_ntlm_winbind
44 gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
48 ## Allow httpd scripts and modules execmem/execstack
51 gen_tunable(httpd_execmem, false)
55 ## Allow httpd daemon to change system limits
58 gen_tunable(httpd_setrlimit, false)
62 ## Allow httpd to use built in scripting (usually php)
65 gen_tunable(httpd_builtin_scripting, false)
69 ## Allow HTTPD scripts and modules to connect to the network using any TCP port.
72 gen_tunable(httpd_can_network_connect, false)
76 ## Allow HTTPD scripts and modules to connect to cobbler over the network.
79 gen_tunable(httpd_can_network_connect_cobbler, false)
83 ## Allow HTTPD scripts and modules to connect to databases over the network.
86 gen_tunable(httpd_can_network_connect_db, false)
90 ## Allow httpd to connect to memcache server
93 gen_tunable(httpd_can_network_memcache, false)
97 ## Allow httpd to act as a relay
100 gen_tunable(httpd_can_network_relay, false)
104 ## Allow http daemon to send mail
107 gen_tunable(httpd_can_sendmail, false)
111 ## Allow http daemon to check spam
114 gen_tunable(httpd_can_check_spam, false)
118 ## Allow Apache to communicate with avahi service via dbus
121 gen_tunable(httpd_dbus_avahi, false)
125 ## Allow httpd to execute cgi scripts
128 gen_tunable(httpd_enable_cgi, false)
132 ## Allow httpd to act as a FTP server by
133 ## listening on the ftp port.
136 gen_tunable(httpd_enable_ftp_server, false)
140 ## Allow httpd to act as a FTP client
141 ## connecting to the ftp port and ephemeral ports
144 gen_tunable(httpd_can_connect_ftp, false)
148 ## Allow httpd to read home directories
151 gen_tunable(httpd_enable_homedirs, false)
155 ## Allow httpd to read user content
158 gen_tunable(httpd_read_user_content, false)
162 ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
165 gen_tunable(httpd_ssi_exec, false)
169 ## Allow Apache to execute tmp content.
172 gen_tunable(httpd_tmp_exec, false)
176 ## Unify HTTPD to communicate with the terminal.
177 ## Needed for entering the passphrase for certificates at
181 gen_tunable(httpd_tty_comm, false)
185 ## Unify HTTPD handling of all content files.
188 gen_tunable(httpd_unified, false)
192 ## Allow httpd to access cifs file systems
195 gen_tunable(httpd_use_cifs, false)
199 ## Allow httpd to run gpg in gpg-web domain
202 gen_tunable(httpd_use_gpg, false)
206 ## Allow httpd to access nfs file systems
209 gen_tunable(httpd_use_nfs, false)
213 ## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
216 gen_tunable(allow_httpd_sys_script_anon_write, false)
218 attribute httpdcontent;
219 attribute httpd_user_content_type;
220 attribute httpd_content_type;
222 # domains that can exec all users scripts
223 attribute httpd_exec_scripts;
225 attribute httpd_script_type;
226 attribute httpd_script_exec_type;
227 attribute httpd_user_script_exec_type;
229 # user script domains
230 attribute httpd_script_domains;
234 init_daemon_domain(httpd_t, httpd_exec_t)
235 role system_r types httpd_t;
237 # httpd_cache_t is the type given to the /var/cache/httpd
238 # directory and the files under that directory
240 files_type(httpd_cache_t)
242 # httpd_config_t is the type given to the configuration files
244 files_config_file(httpd_config_t)
247 type httpd_helper_exec_t;
248 domain_type(httpd_helper_t)
249 domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
250 role system_r types httpd_helper_t;
252 type httpd_initrc_exec_t;
253 init_script_file(httpd_initrc_exec_t)
255 type httpd_unit_file_t;
256 systemd_unit_file(httpd_unit_file_t)
259 files_lock_file(httpd_lock_t)
262 logging_log_file(httpd_log_t)
264 # httpd_modules_t is the type given to module files (libraries)
265 # that come with Apache /etc/httpd/modules and /usr/lib/apache
266 type httpd_modules_t;
267 files_type(httpd_modules_t)
270 type httpd_php_exec_t;
271 domain_type(httpd_php_t)
272 domain_entry_file(httpd_php_t, httpd_php_exec_t)
273 role system_r types httpd_php_t;
275 type httpd_php_tmp_t;
276 files_tmp_file(httpd_php_tmp_t)
278 type httpd_rotatelogs_t;
279 type httpd_rotatelogs_exec_t;
280 init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
282 type httpd_squirrelmail_t;
283 files_type(httpd_squirrelmail_t)
285 # SUEXEC runs user scripts as their own user ID
286 type httpd_suexec_t; #, daemon;
287 type httpd_suexec_exec_t;
288 domain_type(httpd_suexec_t)
289 domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
290 role system_r types httpd_suexec_t;
292 type httpd_suexec_tmp_t;
293 files_tmp_file(httpd_suexec_tmp_t)
295 # setup the system domain for system CGI scripts
296 apache_content_template(sys)
299 postgresql_unpriv_client(httpd_sys_script_t)
302 typeattribute httpd_sys_content_t httpdcontent; # customizable
303 typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
304 typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
306 # Removal of fastcgi, will cause problems without the following
307 typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
308 typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
309 typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
310 typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
311 typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
314 files_tmp_file(httpd_tmp_t)
317 files_tmpfs_file(httpd_tmpfs_t)
319 apache_content_template(user)
320 ubac_constrained(httpd_user_script_t)
321 typeattribute httpd_user_content_t httpdcontent;
322 typeattribute httpd_user_rw_content_t httpdcontent;
323 typeattribute httpd_user_ra_content_t httpdcontent;
325 userdom_user_home_content(httpd_user_content_t)
326 userdom_user_home_content(httpd_user_htaccess_t)
327 userdom_user_home_content(httpd_user_script_exec_t)
328 userdom_user_home_content(httpd_user_ra_content_t)
329 userdom_user_home_content(httpd_user_rw_content_t)
330 typeattribute httpd_user_script_t httpd_script_domains;
331 typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
332 typealias httpd_user_content_t alias httpd_unconfined_content_t;
333 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
334 typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
335 typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
336 typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
337 typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
338 typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
339 typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
340 typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
341 typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
342 typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
343 typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
344 typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
345 typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
347 # for apache2 memory mapped files
348 type httpd_var_lib_t;
349 files_type(httpd_var_lib_t)
351 type httpd_var_run_t;
352 files_pid_file(httpd_var_run_t)
354 # Removal of fastcgi, will cause problems without the following
355 typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
357 # File Type of squirrelmail attachments
358 type squirrelmail_spool_t;
359 files_tmp_file(squirrelmail_spool_t)
360 files_spool_file(squirrelmail_spool_t)
363 prelink_object_file(httpd_modules_t)
367 type httpd_passwd_exec_t;
368 application_domain(httpd_passwd_t, httpd_passwd_exec_t)
369 role system_r types httpd_passwd_t;
371 ########################################
373 # Apache server local policy
376 allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
377 dontaudit httpd_t self:capability { net_admin sys_tty_config };
378 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
379 allow httpd_t self:fd use;
380 allow httpd_t self:sock_file read_sock_file_perms;
381 allow httpd_t self:fifo_file rw_fifo_file_perms;
382 allow httpd_t self:shm create_shm_perms;
383 allow httpd_t self:sem create_sem_perms;
384 allow httpd_t self:msgq create_msgq_perms;
385 allow httpd_t self:msg { send receive };
386 allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
387 allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
388 allow httpd_t self:tcp_socket create_stream_socket_perms;
389 allow httpd_t self:udp_socket create_socket_perms;
390 dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
392 # Allow httpd_t to put files in /var/cache/httpd etc
393 manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
394 manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
395 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
396 files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
398 # Allow the httpd_t to read the web servers config files
399 allow httpd_t httpd_config_t:dir list_dir_perms;
400 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
401 read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
403 can_exec(httpd_t, httpd_exec_t)
405 allow httpd_t httpd_lock_t:file manage_file_perms;
406 files_lock_filetrans(httpd_t, httpd_lock_t, file)
408 allow httpd_t httpd_log_t:dir setattr;
409 create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
410 append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
411 read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
412 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
413 # cjp: need to refine create interfaces to
414 # cut this back to add_name only
415 logging_log_filetrans(httpd_t, httpd_log_t, file)
417 allow httpd_t httpd_modules_t:dir list_dir_perms;
418 mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
419 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
420 read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
422 apache_domtrans_rotatelogs(httpd_t)
423 # Apache-httpd needs to be able to send signals to the log rotate procs.
424 allow httpd_t httpd_rotatelogs_t:process signal_perms;
426 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
427 manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
428 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
430 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
432 allow httpd_t httpd_sys_content_t:dir list_dir_perms;
433 read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
434 read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
436 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
438 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
439 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
440 manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
441 manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
442 files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
444 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
445 manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
446 manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
447 manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
448 manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
449 fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
451 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
452 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
454 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
455 manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
456 manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
457 manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
458 files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
460 manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
461 manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
462 manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
464 kernel_read_kernel_sysctls(httpd_t)
465 # for modules that want to access /proc/meminfo
466 kernel_read_system_state(httpd_t)
467 kernel_read_network_state(httpd_t)
468 kernel_read_network_state(httpd_t)
469 kernel_search_network_sysctl(httpd_t)
471 corenet_all_recvfrom_unlabeled(httpd_t)
472 corenet_all_recvfrom_netlabel(httpd_t)
473 corenet_tcp_sendrecv_generic_if(httpd_t)
474 corenet_udp_sendrecv_generic_if(httpd_t)
475 corenet_tcp_sendrecv_generic_node(httpd_t)
476 corenet_udp_sendrecv_generic_node(httpd_t)
477 corenet_tcp_sendrecv_all_ports(httpd_t)
478 corenet_udp_sendrecv_all_ports(httpd_t)
479 corenet_tcp_bind_generic_node(httpd_t)
480 corenet_udp_bind_generic_node(httpd_t)
481 corenet_tcp_bind_http_port(httpd_t)
482 corenet_tcp_bind_http_cache_port(httpd_t)
483 corenet_tcp_bind_ntop_port(httpd_t)
484 corenet_tcp_bind_jboss_management_port(httpd_t)
485 corenet_sendrecv_http_server_packets(httpd_t)
486 corenet_tcp_bind_puppet_port(httpd_t)
487 # Signal self for shutdown
488 #corenet_tcp_connect_http_port(httpd_t)
490 dev_read_sysfs(httpd_t)
491 dev_read_rand(httpd_t)
492 dev_read_urand(httpd_t)
493 dev_rw_crypto(httpd_t)
495 fs_getattr_all_fs(httpd_t)
496 fs_search_auto_mountpoints(httpd_t)
497 fs_read_iso9660_files(httpd_t)
498 fs_read_anon_inodefs_files(httpd_t)
500 auth_use_nsswitch(httpd_t)
502 application_exec_all(httpd_t)
504 domain_use_interactive_fds(httpd_t)
506 files_dontaudit_getattr_all_pids(httpd_t)
507 files_read_usr_files(httpd_t)
508 files_list_mnt(httpd_t)
509 files_search_spool(httpd_t)
510 files_read_var_symlinks(httpd_t)
511 files_read_var_lib_files(httpd_t)
512 files_search_home(httpd_t)
513 files_getattr_home_dir(httpd_t)
514 # for modules that want to access /etc/mtab
515 files_read_etc_runtime_files(httpd_t)
516 # Allow httpd_t to have access to files such as nisswitch.conf
517 files_read_etc_files(httpd_t)
519 files_read_var_lib_symlinks(httpd_t)
521 fs_search_auto_mountpoints(httpd_sys_script_t)
522 # php uploads a file to /tmp and then execs programs to acton them
523 manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
524 manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
525 manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
526 manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
527 manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
528 files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
530 libs_read_lib_files(httpd_t)
532 ifdef(`hide_broken_symptoms',`
533 libs_exec_lib_files(httpd_t)
536 logging_send_syslog_msg(httpd_t)
538 miscfiles_read_localization(httpd_t)
539 miscfiles_read_fonts(httpd_t)
540 miscfiles_read_public_files(httpd_t)
541 miscfiles_read_generic_certs(httpd_t)
542 miscfiles_read_tetex_data(httpd_t)
544 seutil_dontaudit_search_config(httpd_t)
546 userdom_use_unpriv_users_fds(httpd_t)
548 tunable_policy(`httpd_setrlimit',`
549 allow httpd_t self:process setrlimit;
550 allow httpd_t self:capability sys_resource;
553 tunable_policy(`allow_httpd_anon_write',`
554 miscfiles_manage_public_files(httpd_t)
558 # We need optionals to be able to be within booleans to make this work
560 tunable_policy(`allow_httpd_mod_auth_pam',`
561 auth_domtrans_chkpwd(httpd_t)
562 logging_send_audit_msgs(httpd_t)
566 tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
567 samba_domtrans_winbind_helper(httpd_t)
571 tunable_policy(`httpd_can_network_connect',`
572 corenet_tcp_connect_all_ports(httpd_t)
575 tunable_policy(`httpd_can_network_connect_db',`
576 corenet_tcp_connect_firebird_port(httpd_t)
577 corenet_tcp_connect_mssql_port(httpd_t)
578 corenet_sendrecv_mssql_client_packets(httpd_t)
579 corenet_tcp_connect_oracle_port(httpd_t)
580 corenet_sendrecv_oracle_client_packets(httpd_t)
583 tunable_policy(`httpd_can_network_memcache',`
584 corenet_tcp_connect_memcache_port(httpd_t)
587 tunable_policy(`httpd_can_network_relay',`
588 # allow httpd to work as a relay
589 corenet_tcp_connect_gopher_port(httpd_t)
590 corenet_tcp_connect_ftp_port(httpd_t)
591 corenet_tcp_connect_http_port(httpd_t)
592 corenet_tcp_connect_http_cache_port(httpd_t)
593 corenet_tcp_connect_squid_port(httpd_t)
594 corenet_tcp_connect_memcache_port(httpd_t)
595 corenet_sendrecv_gopher_client_packets(httpd_t)
596 corenet_sendrecv_ftp_client_packets(httpd_t)
597 corenet_sendrecv_http_client_packets(httpd_t)
598 corenet_sendrecv_http_cache_client_packets(httpd_t)
599 corenet_sendrecv_squid_client_packets(httpd_t)
600 corenet_tcp_connect_all_ephemeral_ports(httpd_t)
603 tunable_policy(`httpd_execmem',`
604 allow httpd_t self:process { execmem execstack };
605 allow httpd_sys_script_t self:process { execmem execstack };
606 allow httpd_suexec_t self:process { execmem execstack };
609 tunable_policy(`httpd_enable_cgi && httpd_unified',`
610 allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
611 filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
612 can_exec(httpd_sys_script_t, httpd_sys_content_t)
615 tunable_policy(`allow_httpd_sys_script_anon_write',`
616 miscfiles_manage_public_files(httpd_sys_script_t)
619 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
620 fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
623 tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
624 fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
627 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
628 domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
629 filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
630 manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
631 manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
632 manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
634 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
635 manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
636 manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
639 tunable_policy(`httpd_can_connect_ftp',`
640 corenet_tcp_connect_ftp_port(httpd_t)
641 corenet_tcp_connect_all_ephemeral_ports(httpd_t)
644 tunable_policy(`httpd_enable_ftp_server',`
645 corenet_tcp_bind_ftp_port(httpd_t)
646 corenet_tcp_bind_all_ephemeral_ports(httpd_t)
649 tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
650 can_exec(httpd_t, httpd_tmp_t)
653 tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
654 can_exec(httpd_sys_script_t, httpd_tmp_t)
657 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
658 fs_list_auto_mountpoints(httpd_t)
659 fs_read_nfs_files(httpd_t)
660 fs_read_nfs_symlinks(httpd_t)
663 tunable_policy(`httpd_use_nfs',`
664 fs_list_auto_mountpoints(httpd_t)
665 fs_manage_nfs_dirs(httpd_t)
666 fs_manage_nfs_files(httpd_t)
667 fs_manage_nfs_symlinks(httpd_t)
670 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
671 fs_read_cifs_files(httpd_t)
672 fs_read_cifs_symlinks(httpd_t)
675 tunable_policy(`httpd_can_sendmail',`
676 # allow httpd to connect to mail servers
677 corenet_tcp_connect_smtp_port(httpd_t)
678 corenet_sendrecv_smtp_client_packets(httpd_t)
679 corenet_tcp_connect_pop_port(httpd_t)
680 corenet_sendrecv_pop_client_packets(httpd_t)
681 mta_send_mail(httpd_t)
682 mta_signal_system_mail(httpd_t)
685 tunable_policy(`httpd_use_cifs',`
686 fs_manage_cifs_dirs(httpd_t)
687 fs_manage_cifs_files(httpd_t)
688 fs_manage_cifs_symlinks(httpd_t)
691 tunable_policy(`httpd_ssi_exec',`
692 corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
693 allow httpd_sys_script_t httpd_t:fd use;
694 allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
695 allow httpd_sys_script_t httpd_t:process sigchld;
698 # When the admin starts the server, the server wants to access
699 # the TTY or PTY associated with the session. The httpd appears
700 # to run correctly without this permission, so the permission
701 # are dontaudited here.
702 tunable_policy(`httpd_tty_comm',`
703 userdom_use_inherited_user_terminals(httpd_t)
704 userdom_use_inherited_user_terminals(httpd_suexec_t)
706 userdom_dontaudit_use_user_terminals(httpd_t)
707 userdom_dontaudit_use_user_terminals(httpd_suexec_t)
711 # Support for ABRT retrace server
713 abrt_manage_spool_retrace(httpd_t)
714 abrt_domtrans_retrace_worker(httpd_t)
715 abrt_read_config(httpd_t)
719 calamaris_read_www_files(httpd_t)
723 ccs_read_config(httpd_t)
727 cobbler_list_config(httpd_t)
728 cobbler_read_config(httpd_t)
729 cobbler_read_lib_files(httpd_t)
731 tunable_policy(`httpd_can_network_connect_cobbler',`
732 corenet_tcp_connect_cobbler_port(httpd_t)
737 cron_system_entry(httpd_t, httpd_exec_t)
741 cvs_read_data(httpd_t)
745 daemontools_service_domain(httpd_t, httpd_exec_t)
749 dirsrv_manage_config(httpd_t)
750 dirsrv_manage_log(httpd_t)
751 dirsrv_manage_var_run(httpd_t)
752 dirsrv_read_share(httpd_t)
753 dirsrv_signal(httpd_t)
754 dirsrv_signull(httpd_t)
755 dirsrvadmin_manage_config(httpd_t)
756 dirsrvadmin_manage_tmp(httpd_t)
757 dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
761 dbus_system_bus_client(httpd_t)
763 tunable_policy(`httpd_dbus_avahi',`
764 avahi_dbus_chat(httpd_t)
769 git_read_generic_system_content_files(httpd_t)
770 gitosis_read_lib_files(httpd_t)
774 tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
775 gpg_domtrans_web(httpd_t)
780 kerberos_keytab_template(httpd, httpd_t)
784 mailman_signal_cgi(httpd_t)
785 mailman_domtrans_cgi(httpd_t)
786 mailman_read_data_files(httpd_t)
787 # should have separate types for public and private archives
788 mailman_search_data(httpd_t)
789 mailman_read_archive(httpd_t)
793 mediawiki_read_tmp_files(httpd_t)
794 mediawiki_delete_tmp_files(httpd_t)
798 # Allow httpd to work with mysql
799 mysql_read_config(httpd_t)
800 mysql_stream_connect(httpd_t)
801 mysql_rw_db_sockets(httpd_t)
803 tunable_policy(`httpd_can_network_connect_db',`
804 mysql_tcp_connect(httpd_t)
809 nagios_read_config(httpd_t)
810 nagios_read_log(httpd_t)
814 openca_domtrans(httpd_t)
815 openca_signal(httpd_t)
816 openca_sigstop(httpd_t)
821 passenger_domtrans(httpd_t)
822 passenger_manage_pid_content(httpd_t)
823 passenger_read_lib_files(httpd_t)
827 puppet_read_lib(httpd_t)
831 rpc_search_nfs_state_data(httpd_t)
835 # Allow httpd to work with postgresql
836 postgresql_stream_connect(httpd_t)
837 postgresql_unpriv_client(httpd_t)
839 tunable_policy(`httpd_can_network_connect_db',`
840 postgresql_tcp_connect(httpd_t)
845 seutil_sigchld_newrole(httpd_t)
849 smokeping_read_lib_files(httpd_t)
853 files_dontaudit_rw_usr_dirs(httpd_t)
854 snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
855 snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
859 udev_read_db(httpd_t)
863 yam_read_content(httpd_t)
867 zarafa_manage_lib_files(httpd_t)
868 zarafa_stream_connect_server(httpd_t)
869 zarafa_search_config(httpd_t)
872 ########################################
874 # Apache helper local policy
877 domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
879 allow httpd_helper_t httpd_config_t:file read_file_perms;
881 allow httpd_helper_t httpd_log_t:file append_file_perms;
883 logging_send_syslog_msg(httpd_helper_t)
885 userdom_use_inherited_user_terminals(httpd_helper_t)
887 tunable_policy(`httpd_tty_comm',`
888 userdom_use_inherited_user_terminals(httpd_helper_t)
891 ########################################
893 # Apache PHP script local policy
896 allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
897 allow httpd_php_t self:fd use;
898 allow httpd_php_t self:fifo_file rw_fifo_file_perms;
899 allow httpd_php_t self:sock_file read_sock_file_perms;
900 allow httpd_php_t self:unix_dgram_socket create_socket_perms;
901 allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
902 allow httpd_php_t self:unix_dgram_socket sendto;
903 allow httpd_php_t self:unix_stream_socket connectto;
904 allow httpd_php_t self:shm create_shm_perms;
905 allow httpd_php_t self:sem create_sem_perms;
906 allow httpd_php_t self:msgq create_msgq_perms;
907 allow httpd_php_t self:msg { send receive };
909 domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
911 # allow php to read and append to apache logfiles
912 allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
914 manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
915 manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
916 files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
918 fs_search_auto_mountpoints(httpd_php_t)
920 auth_use_nsswitch(httpd_php_t)
922 libs_exec_lib_files(httpd_php_t)
924 userdom_use_unpriv_users_fds(httpd_php_t)
926 tunable_policy(`httpd_can_network_connect_db',`
927 corenet_tcp_connect_firebird_port(httpd_php_t)
928 corenet_tcp_connect_mssql_port(httpd_php_t)
929 corenet_sendrecv_mssql_client_packets(httpd_php_t)
930 corenet_tcp_connect_oracle_port(httpd_php_t)
931 corenet_sendrecv_oracle_client_packets(httpd_php_t)
935 mysql_stream_connect(httpd_php_t)
936 mysql_rw_db_sockets(httpd_php_t)
937 mysql_read_config(httpd_php_t)
939 tunable_policy(`httpd_can_network_connect_db',`
940 mysql_tcp_connect(httpd_php_t)
945 postgresql_stream_connect(httpd_php_t)
946 postgresql_unpriv_client(httpd_php_t)
948 tunable_policy(`httpd_can_network_connect_db',`
949 postgresql_tcp_connect(httpd_php_t)
953 ########################################
955 # Apache suexec local policy
958 allow httpd_suexec_t self:capability { setuid setgid };
959 allow httpd_suexec_t self:process signal_perms;
961 allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
962 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
964 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
966 create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
967 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
968 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
970 allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
972 manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
973 manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
974 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
976 can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
978 read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
979 read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
980 read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
982 kernel_read_kernel_sysctls(httpd_suexec_t)
983 kernel_list_proc(httpd_suexec_t)
984 kernel_read_proc_symlinks(httpd_suexec_t)
986 dev_read_urand(httpd_suexec_t)
988 fs_read_iso9660_files(httpd_suexec_t)
989 fs_search_auto_mountpoints(httpd_suexec_t)
991 application_exec_all(httpd_suexec_t)
993 files_read_etc_files(httpd_suexec_t)
994 files_read_usr_files(httpd_suexec_t)
995 files_dontaudit_search_pids(httpd_suexec_t)
996 files_search_home(httpd_suexec_t)
998 auth_use_nsswitch(httpd_suexec_t)
1000 logging_search_logs(httpd_suexec_t)
1001 logging_send_syslog_msg(httpd_suexec_t)
1003 miscfiles_read_localization(httpd_suexec_t)
1004 miscfiles_read_public_files(httpd_suexec_t)
1006 tunable_policy(`httpd_can_network_connect',`
1007 allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
1008 allow httpd_suexec_t self:udp_socket create_socket_perms;
1010 corenet_all_recvfrom_unlabeled(httpd_suexec_t)
1011 corenet_all_recvfrom_netlabel(httpd_suexec_t)
1012 corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
1013 corenet_udp_sendrecv_generic_if(httpd_suexec_t)
1014 corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
1015 corenet_udp_sendrecv_generic_node(httpd_suexec_t)
1016 corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
1017 corenet_udp_sendrecv_all_ports(httpd_suexec_t)
1018 corenet_tcp_connect_all_ports(httpd_suexec_t)
1019 corenet_sendrecv_all_client_packets(httpd_suexec_t)
1022 tunable_policy(`httpd_can_network_connect_db',`
1023 corenet_tcp_connect_firebird_port(httpd_suexec_t)
1024 corenet_tcp_connect_mssql_port(httpd_suexec_t)
1025 corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
1026 corenet_tcp_connect_oracle_port(httpd_suexec_t)
1027 corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
1030 domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
1032 tunable_policy(`httpd_can_sendmail',`
1033 mta_send_mail(httpd_suexec_t)
1036 tunable_policy(`httpd_enable_cgi && httpd_unified',`
1037 allow httpd_sys_script_t httpdcontent:file entrypoint;
1038 domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
1039 manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1040 manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1041 manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1042 manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1045 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
1046 fs_list_auto_mountpoints(httpd_suexec_t)
1047 fs_read_nfs_files(httpd_suexec_t)
1048 fs_read_nfs_symlinks(httpd_suexec_t)
1049 fs_exec_nfs_files(httpd_suexec_t)
1052 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
1053 fs_read_cifs_files(httpd_suexec_t)
1054 fs_read_cifs_symlinks(httpd_suexec_t)
1055 fs_exec_cifs_files(httpd_suexec_t)
1059 mailman_domtrans_cgi(httpd_suexec_t)
1063 mta_stub(httpd_suexec_t)
1065 # apache should set close-on-exec
1066 dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
1070 mysql_stream_connect(httpd_suexec_t)
1071 mysql_rw_db_sockets(httpd_suexec_t)
1072 mysql_read_config(httpd_suexec_t)
1074 tunable_policy(`httpd_can_network_connect_db',`
1075 mysql_tcp_connect(httpd_suexec_t)
1080 postgresql_stream_connect(httpd_suexec_t)
1081 postgresql_unpriv_client(httpd_suexec_t)
1083 tunable_policy(`httpd_can_network_connect_db',`
1084 postgresql_tcp_connect(httpd_suexec_t)
1088 ########################################
1090 # Apache system script local policy
1093 allow httpd_sys_script_t self:process getsched;
1095 allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
1096 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
1098 dontaudit httpd_sys_script_t httpd_config_t:dir search;
1100 allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
1102 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
1103 read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
1104 read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
1106 kernel_read_kernel_sysctls(httpd_sys_script_t)
1108 files_read_var_symlinks(httpd_sys_script_t)
1109 files_search_var_lib(httpd_sys_script_t)
1110 files_search_spool(httpd_sys_script_t)
1112 logging_inherit_append_all_logs(httpd_sys_script_t)
1114 # Should we add a boolean?
1115 apache_domtrans_rotatelogs(httpd_sys_script_t)
1117 auth_use_nsswitch(httpd_sys_script_t)
1119 ifdef(`distro_redhat',`
1120 allow httpd_sys_script_t httpd_log_t:file append_file_perms;
1123 tunable_policy(`httpd_can_sendmail',`
1124 mta_send_mail(httpd_sys_script_t)
1128 tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
1129 spamassassin_domtrans_client(httpd_t)
1133 tunable_policy(`httpd_can_network_connect_db',`
1134 corenet_tcp_connect_firebird_port(httpd_sys_script_t)
1135 corenet_tcp_connect_mssql_port(httpd_sys_script_t)
1136 corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
1137 corenet_tcp_connect_oracle_port(httpd_sys_script_t)
1138 corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
1141 fs_cifs_entry_type(httpd_sys_script_t)
1142 fs_read_iso9660_files(httpd_sys_script_t)
1143 fs_nfs_entry_type(httpd_sys_script_t)
1145 tunable_policy(`httpd_use_nfs',`
1146 fs_list_auto_mountpoints(httpd_sys_script_t)
1147 fs_manage_nfs_dirs(httpd_sys_script_t)
1148 fs_manage_nfs_files(httpd_sys_script_t)
1149 fs_manage_nfs_symlinks(httpd_sys_script_t)
1150 fs_exec_nfs_files(httpd_sys_script_t)
1152 fs_list_auto_mountpoints(httpd_suexec_t)
1153 fs_manage_nfs_dirs(httpd_suexec_t)
1154 fs_manage_nfs_files(httpd_suexec_t)
1155 fs_manage_nfs_symlinks(httpd_suexec_t)
1156 fs_exec_nfs_files(httpd_suexec_t)
1159 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
1160 allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
1161 allow httpd_sys_script_t self:udp_socket create_socket_perms;
1163 corenet_tcp_bind_generic_node(httpd_sys_script_t)
1164 corenet_udp_bind_generic_node(httpd_sys_script_t)
1165 corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
1166 corenet_all_recvfrom_netlabel(httpd_sys_script_t)
1167 corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
1168 corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
1169 corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
1170 corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
1171 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
1172 corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
1173 corenet_tcp_connect_all_ports(httpd_sys_script_t)
1174 corenet_sendrecv_all_client_packets(httpd_sys_script_t)
1177 tunable_policy(`httpd_enable_homedirs',`
1178 userdom_search_user_home_dirs(httpd_sys_script_t)
1181 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
1182 fs_list_auto_mountpoints(httpd_sys_script_t)
1183 fs_read_nfs_files(httpd_sys_script_t)
1184 fs_read_nfs_symlinks(httpd_sys_script_t)
1187 tunable_policy(`httpd_read_user_content',`
1188 userdom_read_user_home_content_files(httpd_sys_script_t)
1191 tunable_policy(`httpd_use_cifs',`
1192 fs_manage_cifs_dirs(httpd_sys_script_t)
1193 fs_manage_cifs_files(httpd_sys_script_t)
1194 fs_manage_cifs_symlinks(httpd_sys_script_t)
1195 fs_manage_cifs_dirs(httpd_suexec_t)
1196 fs_manage_cifs_files(httpd_suexec_t)
1197 fs_manage_cifs_symlinks(httpd_suexec_t)
1198 fs_exec_cifs_files(httpd_suexec_t)
1201 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
1202 fs_read_cifs_files(httpd_sys_script_t)
1203 fs_read_cifs_symlinks(httpd_sys_script_t)
1207 clamav_domtrans_clamscan(httpd_sys_script_t)
1211 mysql_stream_connect(httpd_sys_script_t)
1212 mysql_rw_db_sockets(httpd_sys_script_t)
1213 mysql_read_config(httpd_sys_script_t)
1215 tunable_policy(`httpd_can_network_connect_db',`
1216 mysql_tcp_connect(httpd_sys_script_t)
1221 postgresql_stream_connect(httpd_sys_script_t)
1222 postgresql_unpriv_client(httpd_sys_script_t)
1224 tunable_policy(`httpd_can_network_connect_db',`
1225 postgresql_tcp_connect(httpd_sys_script_t)
1229 ########################################
1231 # httpd_rotatelogs local policy
1234 allow httpd_rotatelogs_t self:capability dac_override;
1236 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
1238 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
1239 kernel_dontaudit_list_proc(httpd_rotatelogs_t)
1240 kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
1242 files_read_etc_files(httpd_rotatelogs_t)
1244 logging_search_logs(httpd_rotatelogs_t)
1246 miscfiles_read_localization(httpd_rotatelogs_t)
1248 ########################################
1250 # Unconfined script local policy
1254 type httpd_unconfined_script_t;
1255 type httpd_unconfined_script_exec_t;
1256 domain_type(httpd_unconfined_script_t)
1257 domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
1258 domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
1259 unconfined_domain(httpd_unconfined_script_t)
1261 role system_r types httpd_unconfined_script_t;
1262 allow httpd_t httpd_unconfined_script_t:process signal_perms;
1265 ########################################
1267 # User content local policy
1270 tunable_policy(`httpd_enable_cgi && httpd_unified',`
1271 allow httpd_user_script_t httpdcontent:file entrypoint;
1272 manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
1273 manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
1274 manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
1275 manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
1278 # allow accessing files/dirs below the users home dir
1279 tunable_policy(`httpd_enable_homedirs',`
1280 userdom_search_user_home_content(httpd_t)
1281 userdom_search_user_home_content(httpd_suexec_t)
1282 userdom_search_user_home_content(httpd_user_script_t)
1285 tunable_policy(`httpd_read_user_content',`
1286 userdom_read_user_home_content_files(httpd_t)
1287 userdom_read_user_home_content_files(httpd_suexec_t)
1288 userdom_read_user_home_content_files(httpd_user_script_t)
1291 ########################################
1293 # httpd_passwd local policy
1296 allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
1297 allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
1298 allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
1300 domain_use_interactive_fds(httpd_passwd_t)
1302 files_read_etc_files(httpd_passwd_t)
1304 miscfiles_read_localization(httpd_passwd_t)
1306 corecmd_exec_bin(httpd_passwd_t)
1308 kernel_read_system_state(httpd_passwd_t)
1310 dev_read_urand(httpd_passwd_t)
1312 systemd_manage_passwd_run(httpd_t)
1313 #systemd_passwd_agent_dev_template(httpd)
1315 domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
1316 dontaudit httpd_passwd_t httpd_config_t:file read;
1319 search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
1320 corecmd_shell_entry_type(httpd_script_type)
1322 allow httpd_script_type self:fifo_file rw_file_perms;
1323 allow httpd_script_type self:unix_stream_socket connectto;
1325 allow httpd_script_type httpd_t:fifo_file write;
1326 # apache should set close-on-exec
1327 apache_dontaudit_leaks(httpd_script_type)
1329 append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
1330 logging_search_logs(httpd_script_type)
1332 kernel_dontaudit_search_sysctl(httpd_script_type)
1333 kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
1335 dev_read_rand(httpd_script_type)
1336 dev_read_urand(httpd_script_type)
1338 corecmd_exec_all_executables(httpd_script_type)
1339 application_exec_all(httpd_script_type)
1341 files_exec_etc_files(httpd_script_type)
1342 files_read_etc_files(httpd_script_type)
1343 files_search_home(httpd_script_type)
1345 libs_exec_ld_so(httpd_script_type)
1346 libs_exec_lib_files(httpd_script_type)
1348 miscfiles_read_fonts(httpd_script_type)
1349 miscfiles_read_public_files(httpd_script_type)
1351 seutil_dontaudit_search_config(httpd_script_type)
1352 allow httpd_t httpd_script_type:unix_stream_socket connectto;
1354 allow httpd_t httpd_script_exec_type:file read_file_perms;
1355 allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
1356 allow httpd_t httpd_script_type:process { signal sigkill sigstop };
1357 allow httpd_t httpd_script_exec_type:dir list_dir_perms;
1359 allow httpd_script_type self:process { setsched signal_perms };
1360 allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
1361 allow httpd_script_type self:unix_dgram_socket create_socket_perms;
1363 allow httpd_script_type httpd_t:fd use;
1364 allow httpd_script_type httpd_t:process sigchld;
1366 dontaudit httpd_script_type httpd_t:tcp_socket { read write };
1368 kernel_read_system_state(httpd_script_type)
1370 dev_read_urand(httpd_script_type)
1372 fs_getattr_xattr_fs(httpd_script_type)
1374 files_read_etc_runtime_files(httpd_script_type)
1375 files_read_usr_files(httpd_script_type)
1377 libs_read_lib_files(httpd_script_type)
1379 miscfiles_read_localization(httpd_script_type)
1380 allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
1382 tunable_policy(`httpd_enable_cgi && allow_ypbind',`
1383 nis_use_ypbind_uncond(httpd_script_type)
1387 nscd_socket_use(httpd_script_type)
1390 read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
1392 tunable_policy(`httpd_builtin_scripting',`
1393 allow httpd_t httpd_content_type:dir search_dir_perms;
1394 allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
1396 allow httpd_t httpd_content_type:dir list_dir_perms;
1397 read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
1398 read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
1400 allow httpd_t httpd_content_type:dir list_dir_perms;
1401 read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
1402 read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)