policy_module(apache, 2.2.1)

#
# NOTES:
# This policy will work with SUEXEC enabled as part of the Apache
# configuration. However, the user CGI scripts will run under the
# system_u:system_r:httpd_user_script_t context: suexec switches the
# Unix uid the script runs as, but that does not by itself change the
# SELinux domain, so do not rely on suexec alone to separate one
# user's scripts from another's.
#
# The user CGI scripts must be labeled with the httpd_user_script_exec_t
# type, and the directory containing the scripts should also be labeled
# with these types. This policy allows the user role to perform that
# relabeling (that relabel rule is not among the rules in this file; it
# is presumably provided by the apache interfaces). If it is desired that
# only the admin role should be able to relabel the user CGI scripts,
# then the relabel rule for user roles should be removed.
#
15
16 ########################################
17 #
18 # Declarations
19 #
20
selinux_genbool(httpd_bool_t)

## <desc>
## <p>
## Allow Apache to modify public files
## used for public file transfer services. Directories/Files must
## be labeled public_content_rw_t.
## </p>
## </desc>
gen_tunable(allow_httpd_anon_write, false)

## <desc>
## <p>
## Allow Apache to use mod_auth_pam
## </p>
## </desc>
gen_tunable(allow_httpd_mod_auth_pam, false)

## <desc>
## <p>
## Allow Apache to use mod_auth_ntlm_winbind
## </p>
## </desc>
gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)

## <desc>
## <p>
## Allow httpd scripts and modules execmem/execstack.
## This relaxes the executable-memory restriction for httpd_t,
## httpd_sys_script_t and httpd_suexec_t alike; enable it only for
## modules that genuinely need it (e.g. JIT engines).
## </p>
## </desc>
gen_tunable(httpd_execmem, false)

## <desc>
## <p>
## Allow httpd daemon to change system limits
## </p>
## </desc>
gen_tunable(httpd_setrlimit, false)

## <desc>
## <p>
## Allow httpd to use built in scripting (usually php)
## </p>
## </desc>
gen_tunable(httpd_builtin_scripting, false)

## <desc>
## <p>
## Allow HTTPD scripts and modules to connect to the network using any TCP port.
## This is far broader than httpd_can_network_connect_db,
## httpd_can_network_memcache and httpd_can_network_relay; prefer one of
## those when it covers the need.
## </p>
## </desc>
gen_tunable(httpd_can_network_connect, false)

## <desc>
## <p>
## Allow HTTPD scripts and modules to connect to cobbler over the network.
## </p>
## </desc>
gen_tunable(httpd_can_network_connect_cobbler, false)

## <desc>
## <p>
## Allow HTTPD scripts and modules to connect to databases over the network.
## </p>
## </desc>
gen_tunable(httpd_can_network_connect_db, false)

## <desc>
## <p>
## Allow httpd to connect to memcache server
## </p>
## </desc>
gen_tunable(httpd_can_network_memcache, false)

## <desc>
## <p>
## Allow httpd to act as a relay (connect out to gopher, ftp, http,
## http_cache, squid and memcache ports).
## </p>
## </desc>
gen_tunable(httpd_can_network_relay, false)

## <desc>
## <p>
## Allow http daemon to send mail
## </p>
## </desc>
gen_tunable(httpd_can_sendmail, false)

## <desc>
## <p>
## Allow http daemon to check spam
## </p>
## </desc>
gen_tunable(httpd_can_check_spam, false)

## <desc>
## <p>
## Allow Apache to communicate with avahi service via dbus
## </p>
## </desc>
gen_tunable(httpd_dbus_avahi, false)

## <desc>
## <p>
## Allow httpd to execute cgi scripts
## </p>
## </desc>
gen_tunable(httpd_enable_cgi, false)

## <desc>
## <p>
## Allow httpd to act as a FTP server by
## listening on the ftp port.
## </p>
## </desc>
gen_tunable(httpd_enable_ftp_server, false)

## <desc>
## <p>
## Allow httpd to read home directories
## </p>
## </desc>
gen_tunable(httpd_enable_homedirs, false)

## <desc>
## <p>
## Allow httpd to read user content
## </p>
## </desc>
gen_tunable(httpd_read_user_content, false)

## <desc>
## <p>
## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
## </p>
## </desc>
gen_tunable(httpd_ssi_exec, false)

## <desc>
## <p>
## Allow Apache to execute tmp content.
## </p>
## </desc>
gen_tunable(httpd_tmp_exec, false)

## <desc>
## <p>
## Allow HTTPD to communicate with the terminal.
## Needed for entering the passphrase for certificates at
## the terminal.
## </p>
## </desc>
gen_tunable(httpd_tty_comm, false)

## <desc>
## <p>
## Unify HTTPD handling of all content files.
## When enabled together with httpd_enable_cgi, the split between
## read-only, read/write and append-only content is dropped: scripts may
## write to and execute any httpd content type, and with
## httpd_builtin_scripting the daemon itself may too. Leave it disabled
## where content and scripts are meant to stay separate.
## </p>
## </desc>
gen_tunable(httpd_unified, false)

## <desc>
## <p>
## Allow httpd to access cifs file systems
## </p>
## </desc>
gen_tunable(httpd_use_cifs, false)

## <desc>
## <p>
## Allow httpd to run gpg in gpg-web domain
## </p>
## </desc>
gen_tunable(httpd_use_gpg, false)

## <desc>
## <p>
## Allow httpd to access nfs file systems
## </p>
## </desc>
gen_tunable(httpd_use_nfs, false)

## <desc>
## <p>
## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t.
## </p>
## </desc>
gen_tunable(allow_httpd_sys_script_anon_write, false)
209
# All content types (read-only, read/write, append-only) for every content
# class; the httpd_unified tunables grant access on this attribute as a whole.
attribute httpdcontent;
attribute httpd_user_content_type;

# domains that can exec all users scripts
attribute httpd_exec_scripts;

attribute httpd_script_exec_type;
attribute httpd_user_script_exec_type;

# user script domains
attribute httpd_script_domains;

type httpd_t;
type httpd_exec_t;
init_daemon_domain(httpd_t, httpd_exec_t)
role system_r types httpd_t;

# httpd_cache_t is the type given to the /var/cache/httpd
# directory and the files under that directory
type httpd_cache_t;
files_type(httpd_cache_t)

# httpd_config_t is the type given to the configuration files
type httpd_config_t;
files_config_file(httpd_config_t)

# Helper programs spawned by httpd_t (see "Apache helper local policy").
type httpd_helper_t;
type httpd_helper_exec_t;
domain_type(httpd_helper_t)
domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
role system_r types httpd_helper_t;

type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)

type httpd_lock_t;
files_lock_file(httpd_lock_t)

type httpd_log_t;
logging_log_file(httpd_log_t)

# httpd_modules_t is the type given to module files (libraries)
# that come with Apache /etc/httpd/modules and /usr/lib/apache
type httpd_modules_t;
files_type(httpd_modules_t)

# Separate domain for a PHP interpreter executed by httpd_t
# (see "Apache PHP script local policy").
type httpd_php_t;
type httpd_php_exec_t;
domain_type(httpd_php_t)
domain_entry_file(httpd_php_t, httpd_php_exec_t)
role system_r types httpd_php_t;

type httpd_php_tmp_t;
files_tmp_file(httpd_php_tmp_t)

type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)

type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)

# SUEXEC runs user scripts as their own user ID
type httpd_suexec_t;
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
role system_r types httpd_suexec_t;

type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)

# setup the system domain for system CGI scripts
apache_content_template(sys)

typeattribute httpd_sys_content_t httpdcontent; # customizable
typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
typeattribute httpd_sys_ra_content_t httpdcontent; # customizable

# Removal of fastcgi, will cause problems without the following
# (legacy names kept so existing file contexts and local policy still load)
typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
typealias httpd_sys_script_t alias httpd_fastcgi_script_t;

type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)

type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)

# Single "user" content class shared by all user roles; the per-role
# names below are aliases of it, so staff/sysadm/etc. content is not
# separated from each other by type (ubac_constrained provides the
# per-user separation for the script domain instead).
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
typeattribute httpd_user_content_t httpdcontent;
typeattribute httpd_user_rw_content_t httpdcontent;
typeattribute httpd_user_ra_content_t httpdcontent;

userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
typealias httpd_user_content_t alias httpd_unconfined_content_t;
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };

# for apache2 memory mapped files
type httpd_var_lib_t;
files_type(httpd_var_lib_t)

type httpd_var_run_t;
files_pid_file(httpd_var_run_t)

# Removal of fastcgi, will cause problems without the following
typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;

# File Type of squirrelmail attachments
type squirrelmail_spool_t;
files_tmp_file(squirrelmail_spool_t)

optional_policy(`
	prelink_object_file(httpd_modules_t)
')
347
348 ########################################
349 #
350 # Apache server local policy
351 #
352
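# Capabilities the daemon keeps. setuid/setgid cover the drop from root to
# the unprivileged apache user; chown and dac_override let it own the files
# it creates and read content regardless of DAC mode bits; kill and
# sys_nice cover signalling and renicing its workers. Review this set
# against the MPM and modules in use: not every deployment needs all of it.
allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
# net_admin is probed by some modules and is denied silently. sys_tty_config
# used to be listed here too, but it is already allowed above and a
# dontaudit on an allowed permission has no effect, so it was dropped.
dontaudit httpd_t self:capability net_admin;
# Everything in the process class except the privilege-escalation and
# executable-memory permissions. setrlimit is re-added under the
# httpd_setrlimit boolean and execmem/execstack under httpd_execmem.
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
allow httpd_t self:fifo_file rw_fifo_file_perms;
# SysV IPC (presumably the MPM scoreboard and mutexes).
allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;
# Silence, rather than grant, attempts to open an audit netlink socket.
dontaudit httpd_t self:netlink_audit_socket create_socket_perms;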
368
# Allow httpd_t to put files in /var/cache/httpd etc
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
files_var_filetrans(httpd_t, httpd_cache_t, { file dir })

# Allow the httpd_t to read the web servers config files.
# Read-only: nothing in this file lets httpd_t write its own configuration.
allow httpd_t httpd_config_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)

can_exec(httpd_t, httpd_exec_t)

allow httpd_t httpd_lock_t:file manage_file_perms;
files_lock_filetrans(httpd_t, httpd_lock_t, file)

# Logs: create, append and read only. No write or unlink is granted here,
# so (assuming the usual create_file_perms of { create getattr }) a
# compromised httpd_t cannot truncate or remove its own logs.
allow httpd_t httpd_log_t:dir setattr;
create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
# cjp: need to refine create interfaces to
# cut this back to add_name only
logging_log_filetrans(httpd_t, httpd_log_t, file)

# Modules are mapped and read from httpd_t, never written.
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)

apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
allow httpd_t httpd_rotatelogs_t:process signal_perms;

manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)

# Read access to the suexec binary; the execute/transition rules are in
# the suexec section below.
allow httpd_t httpd_suexec_exec_t:file read_file_perms;

# Static system content is read-only from httpd_t. Access to the rw/ra
# content types is not granted in this block (presumably it comes from
# apache_content_template() and the httpd_unified tunables below).
allow httpd_t httpd_sys_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)

# Connect to unix sockets owned by system CGI script processes.
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;

manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })

manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })

manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)

setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })

manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
439
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
kernel_search_network_sysctl(httpd_t)

# Network: send/receive on the generic interface and node over any port,
# but bind only to the http, http_cache and ntop ports. Most outbound
# connects are gated by the httpd_can_network_* booleans further down.
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
corenet_tcp_sendrecv_generic_if(httpd_t)
corenet_udp_sendrecv_generic_if(httpd_t)
corenet_tcp_sendrecv_generic_node(httpd_t)
corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
corenet_udp_bind_generic_node(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
corenet_tcp_bind_ntop_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
# Unconditional connect to the http port. The original note read "Signal
# self for shutdown": presumably httpd connects to its own listener to wake
# it during shutdown. It also means httpd_t can reach any http port without
# httpd_can_network_relay.
corenet_tcp_connect_http_port(httpd_t)

dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
dev_read_urand(httpd_t)
dev_rw_crypto(httpd_t)

fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
fs_read_iso9660_files(httpd_t)
fs_read_anon_inodefs_files(httpd_t)

auth_use_nsswitch(httpd_t)

# Per its name, lets httpd_t execute any application executable in its own
# domain, with no transition. Anything a module spawns this way keeps the
# full httpd_t access described in this file.
application_exec_all(httpd_t)

domain_use_interactive_fds(httpd_t)

files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
files_read_var_symlinks(httpd_t)
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
# for modules that want to access /etc/mtab
files_read_etc_runtime_files(httpd_t)
# Allow httpd_t to have access to files such as nisswitch.conf
files_read_etc_files(httpd_t)
# for tomcat
files_read_var_lib_symlinks(httpd_t)

# NOTE(review): the manage rules below are on httpd_tmp_t, but the
# filetrans labels what the script creates in /tmp as
# httpd_sys_rw_content_t. Files created by the script are therefore not
# covered by these httpd_tmp_t rules, nor by the httpd_tmp_exec tunable
# (which is on httpd_tmp_t). Confirm which label is intended.
fs_search_auto_mountpoints(httpd_sys_script_t)
# php uploads a file to /tmp and then execs programs to act on them
manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })

libs_read_lib_files(httpd_t)

logging_send_syslog_msg(httpd_t)

miscfiles_read_localization(httpd_t)
miscfiles_read_fonts(httpd_t)
miscfiles_read_public_files(httpd_t)
miscfiles_read_generic_certs(httpd_t)

seutil_dontaudit_search_config(httpd_t)

userdom_use_unpriv_users_fds(httpd_t)
511
tunable_policy(`httpd_setrlimit',`
	allow httpd_t self:process setrlimit;
	allow httpd_t self:capability sys_resource;
')

tunable_policy(`allow_httpd_anon_write',`
	miscfiles_manage_public_files(httpd_t)
')

#
# We need optionals to be able to be within booleans to make this work
#
# mod_auth_pam: httpd_t transitions into the password checker and may send
# audit messages, i.e. the web server becomes an authentication client.
tunable_policy(`allow_httpd_mod_auth_pam',`
	auth_domtrans_chkpwd(httpd_t)
	logging_send_audit_msgs(httpd_t)
')

optional_policy(`
	tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
		samba_domtrans_winbind_helper(httpd_t)
	')
')

# Outbound connect to every port. Prefer the narrower booleans below
# (db, memcache, relay, cobbler, sendmail) where one of them suffices.
tunable_policy(`httpd_can_network_connect',`
	corenet_tcp_connect_all_ports(httpd_t)
')

tunable_policy(`httpd_can_network_connect_db',`
	corenet_tcp_connect_mssql_port(httpd_t)
	corenet_sendrecv_mssql_client_packets(httpd_t)
	corenet_tcp_connect_oracledb_port(httpd_t)
	corenet_sendrecv_oracledb_client_packets(httpd_t)
')

tunable_policy(`httpd_can_network_memcache',`
	corenet_tcp_connect_memcache_port(httpd_t)
')

# Note that the relay boolean also covers the memcache port, so it is a
# superset of httpd_can_network_memcache.
tunable_policy(`httpd_can_network_relay',`
	# allow httpd to work as a relay
	corenet_tcp_connect_gopher_port(httpd_t)
	corenet_tcp_connect_ftp_port(httpd_t)
	corenet_tcp_connect_http_port(httpd_t)
	corenet_tcp_connect_http_cache_port(httpd_t)
	corenet_tcp_connect_squid_port(httpd_t)
	corenet_tcp_connect_memcache_port(httpd_t)
	corenet_sendrecv_gopher_client_packets(httpd_t)
	corenet_sendrecv_ftp_client_packets(httpd_t)
	corenet_sendrecv_http_client_packets(httpd_t)
	corenet_sendrecv_http_cache_client_packets(httpd_t)
	corenet_sendrecv_squid_client_packets(httpd_t)
')

# One boolean relaxes executable memory for all three domains at once.
tunable_policy(`httpd_execmem',`
	allow httpd_t self:process { execmem execstack };
	allow httpd_sys_script_t self:process { execmem execstack };
	allow httpd_suexec_t self:process { execmem execstack };
')

# Unified mode: read-only system content becomes executable and an entry
# point for the system script domain, collapsing the content/script split.
tunable_policy(`httpd_enable_cgi && httpd_unified',`
	allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
	filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
	can_exec(httpd_sys_script_t, httpd_sys_content_t)
')

tunable_policy(`allow_httpd_sys_script_anon_write',`
	miscfiles_manage_public_files(httpd_sys_script_t)
')

tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
	fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
')

tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')

# With built-in scripting as well, httpd_t itself may transition from and
# fully manage every httpdcontent type, so the daemon can rewrite the
# content it serves.
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
	filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
	manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
	manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
	manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)

	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
	manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
')

tunable_policy(`httpd_enable_ftp_server',`
	corenet_tcp_bind_ftp_port(httpd_t)
')

# Executing from /tmp is off by default; these only cover httpd_tmp_t.
tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
	can_exec(httpd_t, httpd_tmp_t)
')

tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
	can_exec(httpd_sys_script_t, httpd_tmp_t)
')

# Home directories on network file systems are read-only from httpd_t;
# the rules for local home content are not in this section.
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_list_auto_mountpoints(httpd_t)
	fs_read_nfs_files(httpd_t)
	fs_read_nfs_symlinks(httpd_t)
')

# Full manage (write/unlink) rights on NFS-labelled files, not just read;
# per the interface names this is not limited to web content.
tunable_policy(`httpd_use_nfs',`
	fs_list_auto_mountpoints(httpd_t)
	fs_manage_nfs_dirs(httpd_t)
	fs_manage_nfs_files(httpd_t)
	fs_manage_nfs_symlinks(httpd_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_read_cifs_files(httpd_t)
	fs_read_cifs_symlinks(httpd_t)
')

tunable_policy(`httpd_can_sendmail',`
	# allow httpd to connect to mail servers
	corenet_tcp_connect_smtp_port(httpd_t)
	corenet_sendrecv_smtp_client_packets(httpd_t)
	corenet_tcp_connect_pop_port(httpd_t)
	corenet_sendrecv_pop_client_packets(httpd_t)
	mta_send_mail(httpd_t)
	mta_signal_system_mail(httpd_t)
')

# Same caveat as httpd_use_nfs: manage, not read-only.
tunable_policy(`httpd_use_cifs',`
	fs_manage_cifs_dirs(httpd_t)
	fs_manage_cifs_files(httpd_t)
	fs_manage_cifs_symlinks(httpd_t)
')

# SSI exec runs a shell in the system script domain rather than in httpd_t.
tunable_policy(`httpd_ssi_exec',`
	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
	allow httpd_sys_script_t httpd_t:fd use;
	allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
	allow httpd_sys_script_t httpd_t:process sigchld;
')

# When the admin starts the server, the server wants to access
# the TTY or PTY associated with the session. The httpd appears
# to run correctly without this permission, so the permission
# are dontaudited here unless httpd_tty_comm is enabled.
tunable_policy(`httpd_tty_comm',`
	userdom_use_user_terminals(httpd_t)
	userdom_use_user_terminals(httpd_suexec_t)
',`
	userdom_dontaudit_use_user_terminals(httpd_t)
	userdom_dontaudit_use_user_terminals(httpd_suexec_t)
')
665
# Integrations with other modules. Each optional_policy block is compiled
# only when the referenced module is present.

optional_policy(`
	calamaris_read_www_files(httpd_t)
')

optional_policy(`
	ccs_read_config(httpd_t)
')

optional_policy(`
	cobbler_list_config(httpd_t)
	cobbler_read_config(httpd_t)
	cobbler_read_lib_files(httpd_t)

	tunable_policy(`httpd_can_network_connect_cobbler',`
		corenet_tcp_connect_cobbler_port(httpd_t)
	')
')

# httpd_exec_t started from the system cron job domain enters httpd_t.
optional_policy(`
	cron_system_entry(httpd_t, httpd_exec_t)
')

optional_policy(`
	cvs_read_data(httpd_t)
')

optional_policy(`
	daemontools_service_domain(httpd_t, httpd_exec_t)
')

# NOTE(review): these are manage (write) rights over another service's
# configuration, logs and pid files, presumably for the 389-ds admin web
# console. A web server with write access to a directory server's config
# is a wide grant; confirm it is needed on every host that loads dirsrv.
optional_policy(`
	dirsrv_manage_config(httpd_t)
	dirsrv_manage_log(httpd_t)
	dirsrv_manage_var_run(httpd_t)
	dirsrv_read_share(httpd_t)
	dirsrv_signal(httpd_t)
	dirsrv_signull(httpd_t)
	dirsrvadmin_manage_config(httpd_t)
	dirsrvadmin_manage_tmp(httpd_t)
')

optional_policy(`
	dbus_system_bus_client(httpd_t)

	tunable_policy(`httpd_dbus_avahi',`
		avahi_dbus_chat(httpd_t)
	')
')

optional_policy(`
	git_read_generic_system_content_files(httpd_t)
	gitosis_read_lib_files(httpd_t)
')

optional_policy(`
	tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
		gpg_domtrans_web(httpd_t)
	')
')

optional_policy(`
	kerberos_keytab_template(httpd, httpd_t)
')

optional_policy(`
	mailman_signal_cgi(httpd_t)
	mailman_domtrans_cgi(httpd_t)
	mailman_read_data_files(httpd_t)
	# should have separate types for public and private archives
	mailman_search_data(httpd_t)
	mailman_read_archive(httpd_t)
')

optional_policy(`
	mediawiki_read_tmp_files(httpd_t)
	mediawiki_delete_tmp_files(httpd_t)
')

# Local (unix socket) database access is unconditional; TCP access is
# gated by httpd_can_network_connect_db.
optional_policy(`
	# Allow httpd to work with mysql
	mysql_read_config(httpd_t)
	mysql_stream_connect(httpd_t)
	mysql_rw_db_sockets(httpd_t)

	tunable_policy(`httpd_can_network_connect_db',`
		mysql_tcp_connect(httpd_t)
	')
')

optional_policy(`
	nagios_read_config(httpd_t)
	nagios_read_log(httpd_t)
')

optional_policy(`
	openca_domtrans(httpd_t)
	openca_signal(httpd_t)
	openca_sigstop(httpd_t)
	openca_kill(httpd_t)
')

optional_policy(`
	passenger_domtrans(httpd_t)
	passenger_manage_pid_content(httpd_t)
	passenger_read_lib_files(httpd_t)
')

optional_policy(`
	rpc_search_nfs_state_data(httpd_t)
')

optional_policy(`
	# Allow httpd to work with postgresql
	postgresql_stream_connect(httpd_t)
	postgresql_unpriv_client(httpd_t)

	tunable_policy(`httpd_can_network_connect_db',`
		postgresql_tcp_connect(httpd_t)
	')
')

optional_policy(`
	seutil_sigchld_newrole(httpd_t)
')

optional_policy(`
	smokeping_read_lib_files(httpd_t)
')

optional_policy(`
	files_dontaudit_rw_usr_dirs(httpd_t)
	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')

optional_policy(`
	udev_read_db(httpd_t)
')

optional_policy(`
	yam_read_content(httpd_t)
')

optional_policy(`
	zarafa_stream_connect_server(httpd_t)
	zarafa_search_config(httpd_t)
')
813
814 ########################################
815 #
816 # Apache helper local policy
817 #
818
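domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)

allow httpd_helper_t httpd_config_t:file read_file_perms;

allow httpd_helper_t httpd_log_t:file append_file_perms;

logging_send_syslog_msg(httpd_helper_t)

# Terminal access for the helper is gated by httpd_tty_comm, the same
# boolean that gates it for httpd_t and httpd_suexec_t in the server
# section. Previously an unconditional userdom_use_user_terminals() call
# preceded this block, which made the boolean a no-op for this domain.
# With the boolean off the attempt is now dontaudited instead of granted,
# mirroring the httpd_t handling.
tunable_policy(`httpd_tty_comm',`
	userdom_use_user_terminals(httpd_helper_t)
',`
	userdom_dontaudit_use_user_terminals(httpd_helper_t)
')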
832
833 ########################################
834 #
835 # Apache PHP script local policy
836 #
837
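# Same process-class complement as httpd_t: no ptrace, no context changes,
# no setrlimit, no executable memory.
allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_php_t self:fd use;
allow httpd_php_t self:fifo_file rw_fifo_file_perms;
allow httpd_php_t self:sock_file read_sock_file_perms;
# The unix socket rules were split across two lines each; merged to match
# the httpd_t block (same permission sets, no change in access).
allow httpd_php_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_php_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_php_t self:shm create_shm_perms;
allow httpd_php_t self:sem create_sem_perms;
allow httpd_php_t self:msgq create_msgq_perms;
allow httpd_php_t self:msg { send receive };

domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)

# allow php to read and append to apache logfiles
allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };

manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })

fs_search_auto_mountpoints(httpd_php_t)

auth_use_nsswitch(httpd_php_t)

libs_exec_lib_files(httpd_php_t)

userdom_use_unpriv_users_fds(httpd_php_t)

# NOTE(review): unlike httpd_t and httpd_suexec_t, httpd_php_t is never
# granted self:tcp_socket create permissions or the corenet sendrecv
# interfaces in this section, so the name_connect rights below may not be
# usable on their own unless another part of the policy supplies them.
# Confirm before relying on this boolean for a standalone php domain.
tunable_policy(`httpd_can_network_connect_db',`
	corenet_tcp_connect_mssql_port(httpd_php_t)
	corenet_sendrecv_mssql_client_packets(httpd_php_t)
	corenet_tcp_connect_oracledb_port(httpd_php_t)
	corenet_sendrecv_oracledb_client_packets(httpd_php_t)
')

optional_policy(`
	mysql_stream_connect(httpd_php_t)
	mysql_rw_db_sockets(httpd_php_t)
	mysql_read_config(httpd_php_t)

	tunable_policy(`httpd_can_network_connect_db',`
		mysql_tcp_connect(httpd_php_t)
	')
')

optional_policy(`
	postgresql_stream_connect(httpd_php_t)
	postgresql_unpriv_client(httpd_php_t)

	tunable_policy(`httpd_can_network_connect_db',`
		postgresql_tcp_connect(httpd_php_t)
	')
')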
893
894 ########################################
895 #
896 # Apache suexec local policy
897 #
898
# suexec needs setuid/setgid to switch to the target user; nothing else
# from the capability class is granted.
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;

domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)

# Logs: create/append/read only, as for httpd_t.
create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)

allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;

manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })

# NOTE(review): this lets system CGI scripts run in httpd_suexec_t itself,
# without a domain transition. Whether a transition to httpd_sys_script_t
# is also set up depends on apache_content_template(), not visible here.
can_exec(httpd_suexec_t, httpd_sys_script_exec_t)

read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)

kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)

dev_read_urand(httpd_suexec_t)

fs_read_iso9660_files(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)

# As for httpd_t: any application executable may be run in this domain.
application_exec_all(httpd_suexec_t)

files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)

auth_use_nsswitch(httpd_suexec_t)

logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)

miscfiles_read_localization(httpd_suexec_t)
miscfiles_read_public_files(httpd_suexec_t)

# Socket creation and the generic sendrecv rules are only granted under
# httpd_can_network_connect; the db boolean below adds name_connect on the
# database ports but no socket-creation permissions of its own.
tunable_policy(`httpd_can_network_connect',`
	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
	allow httpd_suexec_t self:udp_socket create_socket_perms;

	corenet_all_recvfrom_unlabeled(httpd_suexec_t)
	corenet_all_recvfrom_netlabel(httpd_suexec_t)
	corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
	corenet_udp_sendrecv_generic_if(httpd_suexec_t)
	corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
	corenet_udp_sendrecv_generic_node(httpd_suexec_t)
	corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
	corenet_tcp_connect_all_ports(httpd_suexec_t)
	corenet_sendrecv_all_client_packets(httpd_suexec_t)
')

tunable_policy(`httpd_can_network_connect_db',`
	corenet_tcp_connect_mssql_port(httpd_suexec_t)
	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
	corenet_tcp_connect_oracledb_port(httpd_suexec_t)
	corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
')

# Unconditional: read-only system content is an entry point for the system
# script domain. NOTE(review): if domain_entry_file() grants entrypoint as
# usual, the httpd_unified-gated entrypoint rule in the server section is
# redundant with this line.
domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)

# Unified mode for suexec: any httpdcontent file is an entry point, suexec
# transitions into httpd_sys_script_t from it, and the script domain may
# fully manage every content type (including sockets).
tunable_policy(`httpd_enable_cgi && httpd_unified',`
	allow httpd_sys_script_t httpdcontent:file entrypoint;
	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
	manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
	manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
	manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
	manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
')

# Unlike httpd_t, suexec may also *execute* files from NFS/CIFS home
# directories, in its own domain.
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_list_auto_mountpoints(httpd_suexec_t)
	fs_read_nfs_files(httpd_suexec_t)
	fs_read_nfs_symlinks(httpd_suexec_t)
	fs_exec_nfs_files(httpd_suexec_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_read_cifs_files(httpd_suexec_t)
	fs_read_cifs_symlinks(httpd_suexec_t)
	fs_exec_cifs_files(httpd_suexec_t)
')

optional_policy(`
	mailman_domtrans_cgi(httpd_suexec_t)
')

optional_policy(`
	mta_stub(httpd_suexec_t)

	# apache should set close-on-exec
	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')

optional_policy(`
	mysql_stream_connect(httpd_suexec_t)
	mysql_rw_db_sockets(httpd_suexec_t)
	mysql_read_config(httpd_suexec_t)

	tunable_policy(`httpd_can_network_connect_db',`
		mysql_tcp_connect(httpd_suexec_t)
	')
')

optional_policy(`
	postgresql_stream_connect(httpd_suexec_t)
	postgresql_unpriv_client(httpd_suexec_t)

	tunable_policy(`httpd_can_network_connect_db',`
		postgresql_tcp_connect(httpd_suexec_t)
	')
')
1021
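########################################
#
# Apache system script local policy
#

allow httpd_sys_script_t self:process getsched;

# Sockets owned by httpd_t (presumably handed to the script at exec):
# read/write only, no create/bind on the daemon's sockets.
allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
allow httpd_sys_script_t httpd_t:tcp_socket { read write };

dontaudit httpd_sys_script_t httpd_config_t:dir search;

# squirrelmail: append/read its files, list and read its spool; no create
# or delete on the spool.
allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };

allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)

kernel_read_kernel_sysctls(httpd_sys_script_t)

files_read_var_symlinks(httpd_sys_script_t)
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)

# Inherited log descriptors are append-only.
logging_inherit_append_all_logs(httpd_sys_script_t)

# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)

auth_use_nsswitch(httpd_sys_script_t)

ifdef(`distro_redhat',`
	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')

tunable_policy(`httpd_can_sendmail',`
	mta_send_mail(httpd_sys_script_t)
')

optional_policy(`
	tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
		# NOTE(review): this is the sys-script section but the rule
		# names httpd_t; confirm whether httpd_sys_script_t was intended
		# (left as is — the daemon-side rule may live elsewhere).
		spamassassin_domtrans_client(httpd_t)
	')
')

# Database-only network access: mssql/oracledb ports; mysql/postgresql are
# handled in their optional_policy blocks below under the same boolean.
tunable_policy(`httpd_can_network_connect_db',`
	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
	corenet_tcp_connect_oracledb_port(httpd_sys_script_t)
	corenet_sendrecv_oracledb_client_packets(httpd_sys_script_t)
')

# Scripts may be entered from CIFS/NFS-backed files.
fs_cifs_entry_type(httpd_sys_script_t)
fs_read_iso9660_files(httpd_sys_script_t)
fs_nfs_entry_type(httpd_sys_script_t)

# httpd_use_nfs grants full manage (create/write/delete) on NFS, for both
# the script domain and suexec — broader than the read-only home-dir
# blocks further down.
tunable_policy(`httpd_use_nfs',`
	fs_list_auto_mountpoints(httpd_sys_script_t)
	fs_manage_nfs_dirs(httpd_sys_script_t)
	fs_manage_nfs_files(httpd_sys_script_t)
	fs_manage_nfs_symlinks(httpd_sys_script_t)
	fs_exec_nfs_files(httpd_sys_script_t)

	fs_list_auto_mountpoints(httpd_suexec_t)
	fs_manage_nfs_dirs(httpd_suexec_t)
	fs_manage_nfs_files(httpd_suexec_t)
	fs_manage_nfs_symlinks(httpd_suexec_t)
	fs_exec_nfs_files(httpd_suexec_t)
')

# Full network access for CGI scripts: bind on the generic node and
# connect to any TCP port. Requires both CGI and network-connect booleans.
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
	allow httpd_sys_script_t self:udp_socket create_socket_perms;

	corenet_tcp_bind_generic_node(httpd_sys_script_t)
	# Fixed: was "corenet_udp_bind_generice_node", which is not a defined
	# interface; an unexpanded m4 name is rejected by the policy compiler.
	corenet_udp_bind_generic_node(httpd_sys_script_t)
	corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
	corenet_all_recvfrom_netlabel(httpd_sys_script_t)
	corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
	corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
	corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
	corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
	corenet_tcp_connect_all_ports(httpd_sys_script_t)
	corenet_sendrecv_all_client_packets(httpd_sys_script_t)
')

tunable_policy(`httpd_enable_homedirs',`
	userdom_search_user_home_dirs(httpd_sys_script_t)
')

# Home directories on NFS/CIFS: read-only (no exec, unlike the suexec
# domain's equivalent blocks).
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_list_auto_mountpoints(httpd_sys_script_t)
	fs_read_nfs_files(httpd_sys_script_t)
	fs_read_nfs_symlinks(httpd_sys_script_t)
')

tunable_policy(`httpd_read_user_content',`
	userdom_read_user_home_content_files(httpd_sys_script_t)
')

# httpd_use_cifs mirrors httpd_use_nfs: full manage on CIFS for the
# script domain and suexec (exec only for suexec).
tunable_policy(`httpd_use_cifs',`
	fs_manage_cifs_dirs(httpd_sys_script_t)
	fs_manage_cifs_files(httpd_sys_script_t)
	fs_manage_cifs_symlinks(httpd_sys_script_t)
	fs_manage_cifs_dirs(httpd_suexec_t)
	fs_manage_cifs_files(httpd_suexec_t)
	fs_manage_cifs_symlinks(httpd_suexec_t)
	fs_exec_cifs_files(httpd_suexec_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_read_cifs_files(httpd_sys_script_t)
	fs_read_cifs_symlinks(httpd_sys_script_t)
')

optional_policy(`
	clamav_domtrans_clamscan(httpd_sys_script_t)
')

# Local (unix socket) database access is unconditional; TCP access is
# additionally gated on httpd_can_network_connect_db.
optional_policy(`
	mysql_stream_connect(httpd_sys_script_t)
	mysql_rw_db_sockets(httpd_sys_script_t)
	mysql_read_config(httpd_sys_script_t)

	tunable_policy(`httpd_can_network_connect_db',`
		mysql_tcp_connect(httpd_sys_script_t)
	')
')

optional_policy(`
	postgresql_stream_connect(httpd_sys_script_t)
	postgresql_unpriv_client(httpd_sys_script_t)

	tunable_policy(`httpd_can_network_connect_db',`
		postgresql_tcp_connect(httpd_sys_script_t)
	')
')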
1161
########################################
#
# httpd_rotatelogs local policy
#

# dac_override: presumably so rotatelogs can open/rename log files whose
# DAC owner differs from its own uid. Keep this as the only capability.
allow httpd_rotatelogs_t self:capability dac_override;

# Full manage on httpd_log_t files (create the new log, rename/remove the
# old one); no access to other log types.
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)

kernel_read_kernel_sysctls(httpd_rotatelogs_t)
# Proc listing/symlink reads are denied silently rather than allowed.
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)

files_read_etc_files(httpd_rotatelogs_t)

logging_search_logs(httpd_rotatelogs_t)

miscfiles_read_localization(httpd_rotatelogs_t)
1180
########################################
#
# Unconfined script local policy
#

# Only built when the unconfined module is present. Any file labeled
# httpd_unconfined_script_exec_t is executed by httpd_t in a domain that
# unconfined_domain() exempts from confinement, so labeling a file with
# this type is equivalent to granting it unconfined access — restrict
# who may apply that label.
optional_policy(`
	type httpd_unconfined_script_t;
	type httpd_unconfined_script_exec_t;
	domain_type(httpd_unconfined_script_t)
	domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
	domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
	unconfined_domain(httpd_unconfined_script_t)

	role system_r types httpd_unconfined_script_t;
	# httpd may signal (but not otherwise control) the scripts it spawned.
	allow httpd_t httpd_unconfined_script_t:process signal_perms;
')
1197
########################################
#
# User content local policy
#

# Unified mode for user scripts: entry from any httpdcontent file, and
# manage access to user_content and user_ra_content (user_rw_content is
# not listed here; presumably granted elsewhere — confirm).
tunable_policy(`httpd_enable_cgi && httpd_unified',`
	allow httpd_user_script_t httpdcontent:file entrypoint;
	manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
	manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
	manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
	manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
')

# allow accessing files/dirs below the users home dir
# (search only — traversal, not read; reads are a separate boolean below)
tunable_policy(`httpd_enable_homedirs',`
	userdom_search_user_home_content(httpd_t)
	userdom_search_user_home_content(httpd_suexec_t)
	userdom_search_user_home_content(httpd_user_script_t)
')

# Reading user home content is opt-in, for the daemon, suexec and the
# user script domain alike.
tunable_policy(`httpd_read_user_content',`
	userdom_read_user_home_content_files(httpd_t)
	userdom_read_user_home_content_files(httpd_suexec_t)
	userdom_read_user_home_content_files(httpd_user_script_t)
')