1 policy_module(apache, 2.2.1)
5 # This policy will work with SUEXEC enabled as part of the Apache
6 # configuration. However, the user CGI scripts will run under the
7 # system_u:system_r:httpd_user_script_t.
9 # The user CGI scripts must be labeled with the httpd_user_script_exec_t
10 # type, and the directory containing the scripts should also be labeled
11 # with these types. This policy allows the user role to perform that
12 # relabeling. If it is desired that only admin role should be able to relabel
13 # the user CGI scripts, then relabel rule for user roles should be removed.
16 ########################################
21 selinux_genbool(httpd_bool_t)
25 ## Allow Apache to modify public files
26 ## used for public file transfer services. Directories/Files must
27 ## be labeled public_content_rw_t.
30 gen_tunable(allow_httpd_anon_write, false)
34 ## Allow Apache to use mod_auth_pam
37 gen_tunable(allow_httpd_mod_auth_pam, false)
41 ## Allow Apache to use mod_auth_ntlm_winbind
44 gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
48 ## Allow httpd scripts and modules execmem/execstack
51 gen_tunable(httpd_execmem, false)
55 ## Allow httpd daemon to change system limits
58 gen_tunable(httpd_setrlimit, false)
62 ## Allow httpd to use built in scripting (usually php)
65 gen_tunable(httpd_builtin_scripting, false)
69 ## Allow HTTPD scripts and modules to connect to the network using any TCP port.
72 gen_tunable(httpd_can_network_connect, false)
76 ## Allow HTTPD scripts and modules to connect to cobbler over the network.
79 gen_tunable(httpd_can_network_connect_cobbler, false)
83 ## Allow HTTPD scripts and modules to connect to databases over the network.
86 gen_tunable(httpd_can_network_connect_db, false)
90 ## Allow httpd to connect to memcache server
93 gen_tunable(httpd_can_network_memcache, false)
97 ## Allow httpd to act as a relay
100 gen_tunable(httpd_can_network_relay, false)
104 ## Allow http daemon to send mail
107 gen_tunable(httpd_can_sendmail, false)
111 ## Allow http daemon to check spam
114 gen_tunable(httpd_can_check_spam, false)
118 ## Allow Apache to communicate with avahi service via dbus
121 gen_tunable(httpd_dbus_avahi, false)
125 ## Allow httpd to execute cgi scripts
128 gen_tunable(httpd_enable_cgi, false)
132 ## Allow httpd to act as a FTP server by
133 ## listening on the ftp port.
136 gen_tunable(httpd_enable_ftp_server, false)
140 ## Allow httpd to read home directories
143 gen_tunable(httpd_enable_homedirs, false)
147 ## Allow httpd to read user content
150 gen_tunable(httpd_read_user_content, false)
154 ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
157 gen_tunable(httpd_ssi_exec, false)
161 ## Allow Apache to execute tmp content.
164 gen_tunable(httpd_tmp_exec, false)
168 ## Unify HTTPD to communicate with the terminal.
169 ## Needed for entering the passphrase for certificates at
173 gen_tunable(httpd_tty_comm, false)
177 ## Unify HTTPD handling of all content files.
180 gen_tunable(httpd_unified, false)
184 ## Allow httpd to access cifs file systems
187 gen_tunable(httpd_use_cifs, false)
191 ## Allow httpd to run gpg in gpg-web domain
194 gen_tunable(httpd_use_gpg, false)
198 ## Allow httpd to access nfs file systems
201 gen_tunable(httpd_use_nfs, false)
205 ## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
208 gen_tunable(allow_httpd_sys_script_anon_write, false)
210 attribute httpdcontent;
211 attribute httpd_user_content_type;
213 # domains that can exec all users scripts
214 attribute httpd_exec_scripts;
216 attribute httpd_script_exec_type;
217 attribute httpd_user_script_exec_type;
219 # user script domains
220 attribute httpd_script_domains;
224 init_daemon_domain(httpd_t, httpd_exec_t)
225 role system_r types httpd_t;
227 # httpd_cache_t is the type given to the /var/cache/httpd
228 # directory and the files under that directory
230 files_type(httpd_cache_t)
232 # httpd_config_t is the type given to the configuration files
234 files_config_file(httpd_config_t)
237 type httpd_helper_exec_t;
238 domain_type(httpd_helper_t)
239 domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
240 role system_r types httpd_helper_t;
242 type httpd_initrc_exec_t;
243 init_script_file(httpd_initrc_exec_t)
246 files_lock_file(httpd_lock_t)
249 logging_log_file(httpd_log_t)
251 # httpd_modules_t is the type given to module files (libraries)
252 # that come with Apache /etc/httpd/modules and /usr/lib/apache
253 type httpd_modules_t;
254 files_type(httpd_modules_t)
257 type httpd_php_exec_t;
258 domain_type(httpd_php_t)
259 domain_entry_file(httpd_php_t, httpd_php_exec_t)
260 role system_r types httpd_php_t;
262 type httpd_php_tmp_t;
263 files_tmp_file(httpd_php_tmp_t)
265 type httpd_rotatelogs_t;
266 type httpd_rotatelogs_exec_t;
267 init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
269 type httpd_squirrelmail_t;
270 files_type(httpd_squirrelmail_t)
272 # SUEXEC runs user scripts as their own user ID
273 type httpd_suexec_t; #, daemon;
274 type httpd_suexec_exec_t;
275 domain_type(httpd_suexec_t)
276 domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
277 role system_r types httpd_suexec_t;
279 type httpd_suexec_tmp_t;
280 files_tmp_file(httpd_suexec_tmp_t)
282 # setup the system domain for system CGI scripts
283 apache_content_template(sys)
285 typeattribute httpd_sys_content_t httpdcontent; # customizable
286 typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
287 typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
289 # Removal of fastcgi, will cause problems without the following
290 typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
291 typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
292 typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
293 typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
294 typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
297 files_tmp_file(httpd_tmp_t)
300 files_tmpfs_file(httpd_tmpfs_t)
302 apache_content_template(user)
303 ubac_constrained(httpd_user_script_t)
304 typeattribute httpd_user_content_t httpdcontent;
305 typeattribute httpd_user_rw_content_t httpdcontent;
306 typeattribute httpd_user_ra_content_t httpdcontent;
308 userdom_user_home_content(httpd_user_content_t)
309 userdom_user_home_content(httpd_user_htaccess_t)
310 userdom_user_home_content(httpd_user_script_exec_t)
311 userdom_user_home_content(httpd_user_ra_content_t)
312 userdom_user_home_content(httpd_user_rw_content_t)
313 typeattribute httpd_user_script_t httpd_script_domains;
314 typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
315 typealias httpd_user_content_t alias httpd_unconfined_content_t;
316 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
317 typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
318 typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
319 typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
320 typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
321 typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
322 typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
323 typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
324 typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
325 typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
326 typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
327 typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
328 typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
330 # for apache2 memory mapped files
331 type httpd_var_lib_t;
332 files_type(httpd_var_lib_t)
334 type httpd_var_run_t;
335 files_pid_file(httpd_var_run_t)
337 # Removal of fastcgi, will cause problems without the following
338 typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
340 # File Type of squirrelmail attachments
341 type squirrelmail_spool_t;
342 files_tmp_file(squirrelmail_spool_t)
345 prelink_object_file(httpd_modules_t)
348 ########################################
350 # Apache server local policy
353 allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
354 dontaudit httpd_t self:capability { net_admin sys_tty_config };
355 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
356 allow httpd_t self:fd use;
357 allow httpd_t self:sock_file read_sock_file_perms;
358 allow httpd_t self:fifo_file rw_fifo_file_perms;
359 allow httpd_t self:shm create_shm_perms;
360 allow httpd_t self:sem create_sem_perms;
361 allow httpd_t self:msgq create_msgq_perms;
362 allow httpd_t self:msg { send receive };
363 allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
364 allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
365 allow httpd_t self:tcp_socket create_stream_socket_perms;
366 allow httpd_t self:udp_socket create_socket_perms;
367 dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
369 # Allow httpd_t to put files in /var/cache/httpd etc
370 manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
371 manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
372 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
373 files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
375 # Allow the httpd_t to read the web servers config files
376 allow httpd_t httpd_config_t:dir list_dir_perms;
377 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
378 read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
380 can_exec(httpd_t, httpd_exec_t)
382 allow httpd_t httpd_lock_t:file manage_file_perms;
383 files_lock_filetrans(httpd_t, httpd_lock_t, file)
385 allow httpd_t httpd_log_t:dir setattr;
386 create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
387 append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
388 read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
389 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
390 # cjp: need to refine create interfaces to
391 # cut this back to add_name only
392 logging_log_filetrans(httpd_t, httpd_log_t, file)
394 allow httpd_t httpd_modules_t:dir list_dir_perms;
395 mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
396 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
397 read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
399 apache_domtrans_rotatelogs(httpd_t)
400 # Apache-httpd needs to be able to send signals to the log rotate procs.
401 allow httpd_t httpd_rotatelogs_t:process signal_perms;
403 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
404 manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
405 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
407 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
409 allow httpd_t httpd_sys_content_t:dir list_dir_perms;
410 read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
411 read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
413 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
415 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
416 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
417 manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
418 files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
420 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
421 manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
422 manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
423 manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
424 manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
425 fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
427 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
428 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
430 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
431 manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
432 manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
433 manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
434 files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
436 manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
437 manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
438 manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
440 kernel_read_kernel_sysctls(httpd_t)
441 # for modules that want to access /proc/meminfo
442 kernel_read_system_state(httpd_t)
443 kernel_search_network_sysctl(httpd_t)
445 corenet_all_recvfrom_unlabeled(httpd_t)
446 corenet_all_recvfrom_netlabel(httpd_t)
447 corenet_tcp_sendrecv_generic_if(httpd_t)
448 corenet_udp_sendrecv_generic_if(httpd_t)
449 corenet_tcp_sendrecv_generic_node(httpd_t)
450 corenet_udp_sendrecv_generic_node(httpd_t)
451 corenet_tcp_sendrecv_all_ports(httpd_t)
452 corenet_udp_sendrecv_all_ports(httpd_t)
453 corenet_tcp_bind_generic_node(httpd_t)
454 corenet_udp_bind_generic_node(httpd_t)
455 corenet_tcp_bind_http_port(httpd_t)
456 corenet_tcp_bind_http_cache_port(httpd_t)
457 corenet_tcp_bind_ntop_port(httpd_t)
458 corenet_sendrecv_http_server_packets(httpd_t)
459 # Signal self for shutdown
460 corenet_tcp_connect_http_port(httpd_t)
462 dev_read_sysfs(httpd_t)
463 dev_read_rand(httpd_t)
464 dev_read_urand(httpd_t)
465 dev_rw_crypto(httpd_t)
467 fs_getattr_all_fs(httpd_t)
468 fs_search_auto_mountpoints(httpd_t)
469 fs_read_iso9660_files(httpd_t)
470 fs_read_anon_inodefs_files(httpd_t)
472 auth_use_nsswitch(httpd_t)
474 application_exec_all(httpd_t)
476 domain_use_interactive_fds(httpd_t)
478 files_dontaudit_getattr_all_pids(httpd_t)
479 files_read_usr_files(httpd_t)
480 files_list_mnt(httpd_t)
481 files_search_spool(httpd_t)
482 files_read_var_symlinks(httpd_t)
483 files_read_var_lib_files(httpd_t)
484 files_search_home(httpd_t)
485 files_getattr_home_dir(httpd_t)
486 # for modules that want to access /etc/mtab
487 files_read_etc_runtime_files(httpd_t)
488 # Allow httpd_t to have access to files such as nisswitch.conf
489 files_read_etc_files(httpd_t)
491 files_read_var_lib_symlinks(httpd_t)
493 fs_search_auto_mountpoints(httpd_sys_script_t)
494 # php uploads a file to /tmp and then execs programs to acton them
495 manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
496 manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
497 files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
499 libs_read_lib_files(httpd_t)
501 logging_send_syslog_msg(httpd_t)
503 miscfiles_read_localization(httpd_t)
504 miscfiles_read_fonts(httpd_t)
505 miscfiles_read_public_files(httpd_t)
506 miscfiles_read_generic_certs(httpd_t)
508 seutil_dontaudit_search_config(httpd_t)
510 userdom_use_unpriv_users_fds(httpd_t)
512 tunable_policy(`httpd_setrlimit',`
513 allow httpd_t self:process setrlimit;
514 allow httpd_t self:capability sys_resource;
517 tunable_policy(`allow_httpd_anon_write',`
518 miscfiles_manage_public_files(httpd_t)
522 # We need optionals to be able to be within booleans to make this work
524 tunable_policy(`allow_httpd_mod_auth_pam',`
525 auth_domtrans_chkpwd(httpd_t)
526 logging_send_audit_msgs(httpd_t)
530 tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
531 samba_domtrans_winbind_helper(httpd_t)
535 tunable_policy(`httpd_can_network_connect',`
536 corenet_tcp_connect_all_ports(httpd_t)
539 tunable_policy(`httpd_can_network_connect_db',`
540 corenet_tcp_connect_mssql_port(httpd_t)
541 corenet_sendrecv_mssql_client_packets(httpd_t)
542 corenet_tcp_connect_oracledb_port(httpd_t)
543 corenet_sendrecv_oracledb_client_packets(httpd_t)
546 tunable_policy(`httpd_can_network_memcache',`
547 corenet_tcp_connect_memcache_port(httpd_t)
550 tunable_policy(`httpd_can_network_relay',`
551 # allow httpd to work as a relay
552 corenet_tcp_connect_gopher_port(httpd_t)
553 corenet_tcp_connect_ftp_port(httpd_t)
554 corenet_tcp_connect_http_port(httpd_t)
555 corenet_tcp_connect_http_cache_port(httpd_t)
556 corenet_tcp_connect_squid_port(httpd_t)
557 corenet_tcp_connect_memcache_port(httpd_t)
558 corenet_sendrecv_gopher_client_packets(httpd_t)
559 corenet_sendrecv_ftp_client_packets(httpd_t)
560 corenet_sendrecv_http_client_packets(httpd_t)
561 corenet_sendrecv_http_cache_client_packets(httpd_t)
562 corenet_sendrecv_squid_client_packets(httpd_t)
565 tunable_policy(`httpd_execmem',`
566 allow httpd_t self:process { execmem execstack };
567 allow httpd_sys_script_t self:process { execmem execstack };
568 allow httpd_suexec_t self:process { execmem execstack };
571 tunable_policy(`httpd_enable_cgi && httpd_unified',`
572 allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
573 filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
574 can_exec(httpd_sys_script_t, httpd_sys_content_t)
577 tunable_policy(`allow_httpd_sys_script_anon_write',`
578 miscfiles_manage_public_files(httpd_sys_script_t)
581 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
582 fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
585 tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
586 fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
589 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
590 domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
591 filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
592 manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
593 manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
594 manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
596 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
597 manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
598 manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
601 tunable_policy(`httpd_enable_ftp_server',`
602 corenet_tcp_bind_ftp_port(httpd_t)
605 tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
606 can_exec(httpd_t, httpd_tmp_t)
609 tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
610 can_exec(httpd_sys_script_t, httpd_tmp_t)
613 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
614 fs_list_auto_mountpoints(httpd_t)
615 fs_read_nfs_files(httpd_t)
616 fs_read_nfs_symlinks(httpd_t)
619 tunable_policy(`httpd_use_nfs',`
620 fs_list_auto_mountpoints(httpd_t)
621 fs_manage_nfs_dirs(httpd_t)
622 fs_manage_nfs_files(httpd_t)
623 fs_manage_nfs_symlinks(httpd_t)
626 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
627 fs_read_cifs_files(httpd_t)
628 fs_read_cifs_symlinks(httpd_t)
631 tunable_policy(`httpd_can_sendmail',`
632 # allow httpd to connect to mail servers
633 corenet_tcp_connect_smtp_port(httpd_t)
634 corenet_sendrecv_smtp_client_packets(httpd_t)
635 corenet_tcp_connect_pop_port(httpd_t)
636 corenet_sendrecv_pop_client_packets(httpd_t)
637 mta_send_mail(httpd_t)
638 mta_signal_system_mail(httpd_t)
641 tunable_policy(`httpd_use_cifs',`
642 fs_manage_cifs_dirs(httpd_t)
643 fs_manage_cifs_files(httpd_t)
644 fs_manage_cifs_symlinks(httpd_t)
647 tunable_policy(`httpd_ssi_exec',`
648 corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
649 allow httpd_sys_script_t httpd_t:fd use;
650 allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
651 allow httpd_sys_script_t httpd_t:process sigchld;
654 # When the admin starts the server, the server wants to access
655 # the TTY or PTY associated with the session. The httpd appears
656 # to run correctly without this permission, so the permission
657 # are dontaudited here.
658 tunable_policy(`httpd_tty_comm',`
659 userdom_use_user_terminals(httpd_t)
660 userdom_use_user_terminals(httpd_suexec_t)
662 userdom_dontaudit_use_user_terminals(httpd_t)
663 userdom_dontaudit_use_user_terminals(httpd_suexec_t)
667 calamaris_read_www_files(httpd_t)
671 ccs_read_config(httpd_t)
675 cobbler_list_config(httpd_t)
676 cobbler_read_config(httpd_t)
677 cobbler_read_lib_files(httpd_t)
679 tunable_policy(`httpd_can_network_connect_cobbler',`
680 corenet_tcp_connect_cobbler_port(httpd_t)
685 cron_system_entry(httpd_t, httpd_exec_t)
689 cvs_read_data(httpd_t)
693 daemontools_service_domain(httpd_t, httpd_exec_t)
697 dirsrv_manage_config(httpd_t)
698 dirsrv_manage_log(httpd_t)
699 dirsrv_manage_var_run(httpd_t)
700 dirsrv_read_share(httpd_t)
701 dirsrv_signal(httpd_t)
702 dirsrv_signull(httpd_t)
703 dirsrvadmin_manage_config(httpd_t)
704 dirsrvadmin_manage_tmp(httpd_t)
708 dbus_system_bus_client(httpd_t)
710 tunable_policy(`httpd_dbus_avahi',`
711 avahi_dbus_chat(httpd_t)
716 git_read_generic_system_content_files(httpd_t)
717 gitosis_read_lib_files(httpd_t)
721 tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
722 gpg_domtrans_web(httpd_t)
727 kerberos_keytab_template(httpd, httpd_t)
731 mailman_signal_cgi(httpd_t)
732 mailman_domtrans_cgi(httpd_t)
733 mailman_read_data_files(httpd_t)
734 # should have separate types for public and private archives
735 mailman_search_data(httpd_t)
736 mailman_read_archive(httpd_t)
740 mediawiki_read_tmp_files(httpd_t)
741 mediawiki_delete_tmp_files(httpd_t)
745 # Allow httpd to work with mysql
746 mysql_read_config(httpd_t)
747 mysql_stream_connect(httpd_t)
748 mysql_rw_db_sockets(httpd_t)
750 tunable_policy(`httpd_can_network_connect_db',`
751 mysql_tcp_connect(httpd_t)
756 nagios_read_config(httpd_t)
757 nagios_read_log(httpd_t)
761 openca_domtrans(httpd_t)
762 openca_signal(httpd_t)
763 openca_sigstop(httpd_t)
768 passenger_domtrans(httpd_t)
769 passenger_manage_pid_content(httpd_t)
770 passenger_read_lib_files(httpd_t)
774 rpc_search_nfs_state_data(httpd_t)
778 # Allow httpd to work with postgresql
779 postgresql_stream_connect(httpd_t)
780 postgresql_unpriv_client(httpd_t)
782 tunable_policy(`httpd_can_network_connect_db',`
783 postgresql_tcp_connect(httpd_t)
788 seutil_sigchld_newrole(httpd_t)
792 smokeping_read_lib_files(httpd_t)
796 files_dontaudit_rw_usr_dirs(httpd_t)
797 snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
798 snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
802 udev_read_db(httpd_t)
806 yam_read_content(httpd_t)
810 zarafa_stream_connect_server(httpd_t)
811 zarafa_search_config(httpd_t)
814 ########################################
816 # Apache helper local policy
819 domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
821 allow httpd_helper_t httpd_config_t:file read_file_perms;
823 allow httpd_helper_t httpd_log_t:file append_file_perms;
825 logging_send_syslog_msg(httpd_helper_t)
827 userdom_use_user_terminals(httpd_helper_t)
829 tunable_policy(`httpd_tty_comm',`
830 userdom_use_user_terminals(httpd_helper_t)
833 ########################################
835 # Apache PHP script local policy
838 allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
839 allow httpd_php_t self:fd use;
840 allow httpd_php_t self:fifo_file rw_fifo_file_perms;
841 allow httpd_php_t self:sock_file read_sock_file_perms;
842 allow httpd_php_t self:unix_dgram_socket create_socket_perms;
843 allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
844 allow httpd_php_t self:unix_dgram_socket sendto;
845 allow httpd_php_t self:unix_stream_socket connectto;
846 allow httpd_php_t self:shm create_shm_perms;
847 allow httpd_php_t self:sem create_sem_perms;
848 allow httpd_php_t self:msgq create_msgq_perms;
849 allow httpd_php_t self:msg { send receive };
851 domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
853 # allow php to read and append to apache logfiles
854 allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
856 manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
857 manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
858 files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
860 fs_search_auto_mountpoints(httpd_php_t)
862 auth_use_nsswitch(httpd_php_t)
864 libs_exec_lib_files(httpd_php_t)
866 userdom_use_unpriv_users_fds(httpd_php_t)
868 tunable_policy(`httpd_can_network_connect_db',`
869 corenet_tcp_connect_mssql_port(httpd_php_t)
870 corenet_sendrecv_mssql_client_packets(httpd_php_t)
871 corenet_tcp_connect_oracledb_port(httpd_php_t)
872 corenet_sendrecv_oracledb_client_packets(httpd_php_t)
876 mysql_stream_connect(httpd_php_t)
877 mysql_rw_db_sockets(httpd_php_t)
878 mysql_read_config(httpd_php_t)
880 tunable_policy(`httpd_can_network_connect_db',`
881 mysql_tcp_connect(httpd_php_t)
886 postgresql_stream_connect(httpd_php_t)
887 postgresql_unpriv_client(httpd_php_t)
889 tunable_policy(`httpd_can_network_connect_db',`
890 postgresql_tcp_connect(httpd_php_t)
894 ########################################
896 # Apache suexec local policy
899 allow httpd_suexec_t self:capability { setuid setgid };
900 allow httpd_suexec_t self:process signal_perms;
901 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
903 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
905 create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
906 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
907 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
909 allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
911 manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
912 manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
913 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
915 can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
917 read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
918 read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
919 read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
921 kernel_read_kernel_sysctls(httpd_suexec_t)
922 kernel_list_proc(httpd_suexec_t)
923 kernel_read_proc_symlinks(httpd_suexec_t)
925 dev_read_urand(httpd_suexec_t)
927 fs_read_iso9660_files(httpd_suexec_t)
928 fs_search_auto_mountpoints(httpd_suexec_t)
930 application_exec_all(httpd_suexec_t)
932 files_read_etc_files(httpd_suexec_t)
933 files_read_usr_files(httpd_suexec_t)
934 files_dontaudit_search_pids(httpd_suexec_t)
935 files_search_home(httpd_suexec_t)
937 auth_use_nsswitch(httpd_suexec_t)
939 logging_search_logs(httpd_suexec_t)
940 logging_send_syslog_msg(httpd_suexec_t)
942 miscfiles_read_localization(httpd_suexec_t)
943 miscfiles_read_public_files(httpd_suexec_t)
945 tunable_policy(`httpd_can_network_connect',`
946 allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
947 allow httpd_suexec_t self:udp_socket create_socket_perms;
949 corenet_all_recvfrom_unlabeled(httpd_suexec_t)
950 corenet_all_recvfrom_netlabel(httpd_suexec_t)
951 corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
952 corenet_udp_sendrecv_generic_if(httpd_suexec_t)
953 corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
954 corenet_udp_sendrecv_generic_node(httpd_suexec_t)
955 corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
956 corenet_udp_sendrecv_all_ports(httpd_suexec_t)
957 corenet_tcp_connect_all_ports(httpd_suexec_t)
958 corenet_sendrecv_all_client_packets(httpd_suexec_t)
961 tunable_policy(`httpd_can_network_connect_db',`
962 corenet_tcp_connect_mssql_port(httpd_suexec_t)
963 corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
964 corenet_tcp_connect_oracledb_port(httpd_suexec_t)
965 corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
968 domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
970 tunable_policy(`httpd_enable_cgi && httpd_unified',`
971 allow httpd_sys_script_t httpdcontent:file entrypoint;
972 domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
973 manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
974 manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
975 manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
976 manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
979 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
980 fs_list_auto_mountpoints(httpd_suexec_t)
981 fs_read_nfs_files(httpd_suexec_t)
982 fs_read_nfs_symlinks(httpd_suexec_t)
983 fs_exec_nfs_files(httpd_suexec_t)
986 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
987 fs_read_cifs_files(httpd_suexec_t)
988 fs_read_cifs_symlinks(httpd_suexec_t)
989 fs_exec_cifs_files(httpd_suexec_t)
993 mailman_domtrans_cgi(httpd_suexec_t)
997 mta_stub(httpd_suexec_t)
999 # apache should set close-on-exec
1000 dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
1004 mysql_stream_connect(httpd_suexec_t)
1005 mysql_rw_db_sockets(httpd_suexec_t)
1006 mysql_read_config(httpd_suexec_t)
1008 tunable_policy(`httpd_can_network_connect_db',`
1009 mysql_tcp_connect(httpd_suexec_t)
1014 postgresql_stream_connect(httpd_suexec_t)
1015 postgresql_unpriv_client(httpd_suexec_t)
1017 tunable_policy(`httpd_can_network_connect_db',`
1018 postgresql_tcp_connect(httpd_suexec_t)
1022 ########################################
1024 # Apache system script local policy
1027 allow httpd_sys_script_t self:process getsched;
1029 allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
1030 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
1032 dontaudit httpd_sys_script_t httpd_config_t:dir search;
1034 allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
1036 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
1037 read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
1038 read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
1040 kernel_read_kernel_sysctls(httpd_sys_script_t)
1042 files_read_var_symlinks(httpd_sys_script_t)
1043 files_search_var_lib(httpd_sys_script_t)
1044 files_search_spool(httpd_sys_script_t)
1046 logging_inherit_append_all_logs(httpd_sys_script_t)
1048 # Should we add a boolean?
1049 apache_domtrans_rotatelogs(httpd_sys_script_t)
1051 auth_use_nsswitch(httpd_sys_script_t)
1053 ifdef(`distro_redhat',`
1054 allow httpd_sys_script_t httpd_log_t:file append_file_perms;
1057 tunable_policy(`httpd_can_sendmail',`
1058 mta_send_mail(httpd_sys_script_t)
1062 tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
1063 spamassassin_domtrans_client(httpd_t)
1067 tunable_policy(`httpd_can_network_connect_db',`
1068 corenet_tcp_connect_mssql_port(httpd_sys_script_t)
1069 corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
1070 corenet_tcp_connect_oracledb_port(httpd_sys_script_t)
1071 corenet_sendrecv_oracledb_client_packets(httpd_sys_script_t)
1074 fs_cifs_entry_type(httpd_sys_script_t)
1075 fs_read_iso9660_files(httpd_sys_script_t)
1076 fs_nfs_entry_type(httpd_sys_script_t)
1078 tunable_policy(`httpd_use_nfs',`
1079 fs_list_auto_mountpoints(httpd_sys_script_t)
1080 fs_manage_nfs_dirs(httpd_sys_script_t)
1081 fs_manage_nfs_files(httpd_sys_script_t)
1082 fs_manage_nfs_symlinks(httpd_sys_script_t)
1083 fs_exec_nfs_files(httpd_sys_script_t)
1085 fs_list_auto_mountpoints(httpd_suexec_t)
1086 fs_manage_nfs_dirs(httpd_suexec_t)
1087 fs_manage_nfs_files(httpd_suexec_t)
1088 fs_manage_nfs_symlinks(httpd_suexec_t)
1089 fs_exec_nfs_files(httpd_suexec_t)
1092 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
1093 allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
1094 allow httpd_sys_script_t self:udp_socket create_socket_perms;
1096 corenet_tcp_bind_generic_node(httpd_sys_script_t)
1097 corenet_udp_bind_generice_node(httpd_sys_script_t)
1098 corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
1099 corenet_all_recvfrom_netlabel(httpd_sys_script_t)
1100 corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
1101 corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
1102 corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
1103 corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
1104 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
1105 corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
1106 corenet_tcp_connect_all_ports(httpd_sys_script_t)
1107 corenet_sendrecv_all_client_packets(httpd_sys_script_t)
1110 tunable_policy(`httpd_enable_homedirs',`
1111 userdom_search_user_home_dirs(httpd_sys_script_t)
1114 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
1115 fs_list_auto_mountpoints(httpd_sys_script_t)
1116 fs_read_nfs_files(httpd_sys_script_t)
1117 fs_read_nfs_symlinks(httpd_sys_script_t)
1120 tunable_policy(`httpd_read_user_content',`
1121 userdom_read_user_home_content_files(httpd_sys_script_t)
1124 tunable_policy(`httpd_use_cifs',`
1125 fs_manage_cifs_dirs(httpd_sys_script_t)
1126 fs_manage_cifs_files(httpd_sys_script_t)
1127 fs_manage_cifs_symlinks(httpd_sys_script_t)
1128 fs_manage_cifs_dirs(httpd_suexec_t)
1129 fs_manage_cifs_files(httpd_suexec_t)
1130 fs_manage_cifs_symlinks(httpd_suexec_t)
1131 fs_exec_cifs_files(httpd_suexec_t)
1134 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
1135 fs_read_cifs_files(httpd_sys_script_t)
1136 fs_read_cifs_symlinks(httpd_sys_script_t)
1140 clamav_domtrans_clamscan(httpd_sys_script_t)
1144 mysql_stream_connect(httpd_sys_script_t)
1145 mysql_rw_db_sockets(httpd_sys_script_t)
1146 mysql_read_config(httpd_sys_script_t)
1148 tunable_policy(`httpd_can_network_connect_db',`
1149 mysql_tcp_connect(httpd_sys_script_t)
1154 postgresql_stream_connect(httpd_sys_script_t)
1155 postgresql_unpriv_client(httpd_sys_script_t)
1157 tunable_policy(`httpd_can_network_connect_db',`
1158 postgresql_tcp_connect(httpd_sys_script_t)
1162 ########################################
1164 # httpd_rotatelogs local policy
1167 allow httpd_rotatelogs_t self:capability dac_override;
1169 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
1171 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
1172 kernel_dontaudit_list_proc(httpd_rotatelogs_t)
1173 kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
1175 files_read_etc_files(httpd_rotatelogs_t)
1177 logging_search_logs(httpd_rotatelogs_t)
1179 miscfiles_read_localization(httpd_rotatelogs_t)
1181 ########################################
1183 # Unconfined script local policy
1187 type httpd_unconfined_script_t;
1188 type httpd_unconfined_script_exec_t;
1189 domain_type(httpd_unconfined_script_t)
1190 domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
1191 domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
1192 unconfined_domain(httpd_unconfined_script_t)
1194 role system_r types httpd_unconfined_script_t;
1195 allow httpd_t httpd_unconfined_script_t:process signal_perms;
1198 ########################################
1200 # User content local policy
1203 tunable_policy(`httpd_enable_cgi && httpd_unified',`
1204 allow httpd_user_script_t httpdcontent:file entrypoint;
1205 manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
1206 manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
1207 manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
1208 manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
1211 # allow accessing files/dirs below the users home dir
1212 tunable_policy(`httpd_enable_homedirs',`
1213 userdom_search_user_home_content(httpd_t)
1214 userdom_search_user_home_content(httpd_suexec_t)
1215 userdom_search_user_home_content(httpd_user_script_t)
1218 tunable_policy(`httpd_read_user_content',`
1219 userdom_read_user_home_content_files(httpd_t)
1220 userdom_read_user_home_content_files(httpd_suexec_t)
1221 userdom_read_user_home_content_files(httpd_user_script_t)