]> git.ipfire.org Git - people/stevee/selinux-policy.git/blob - policy/modules/services/apache.te
projects / people / stevee / selinux-policy.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
[people/stevee/selinux-policy.git] / policy / modules / services / apache.te
1 policy_module(apache, 2.2.1)
2
3 #
4 # NOTES:
5 # This policy will work with SUEXEC enabled as part of the Apache
6 # configuration. However, the user CGI scripts will run under the
7 # system_u:system_r:httpd_user_script_t.
8 #
9 # The user CGI scripts must be labeled with the httpd_user_script_exec_t
10 # type, and the directory containing the scripts should also be labeled
11 # with these types. This policy allows the user role to perform that
12 # relabeling. If it is desired that only admin role should be able to relabel
13 # the user CGI scripts, then relabel rule for user roles should be removed.
14 #
15
16 ########################################
17 #
18 # Declarations
19 #
20
21 selinux_genbool(httpd_bool_t)
22
23 ## <desc>
24 ## <p>
25 ## Allow Apache to modify public files
26 ## used for public file transfer services. Directories/Files must
27 ## be labeled public_content_rw_t.
28 ## </p>
29 ## </desc>
30 gen_tunable(allow_httpd_anon_write, false)
31
32 ## <desc>
33 ## <p>
34 ## Allow Apache to use mod_auth_pam
35 ## </p>
36 ## </desc>
37 gen_tunable(allow_httpd_mod_auth_pam, false)
38
39 ## <desc>
40 ## <p>
41 ## Allow Apache to use mod_auth_ntlm_winbind
42 ## </p>
43 ## </desc>
44 gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
45
46 ## <desc>
47 ## <p>
48 ## Allow httpd scripts and modules execmem/execstack
49 ## </p>
50 ## </desc>
51 gen_tunable(httpd_execmem, false)
52
53 ## <desc>
54 ## <p>
55 ## Allow httpd daemon to change system limits
56 ## </p>
57 ## </desc>
58 gen_tunable(httpd_setrlimit, false)
59
60 ## <desc>
61 ## <p>
62 ## Allow httpd to use built in scripting (usually php)
63 ## </p>
64 ## </desc>
65 gen_tunable(httpd_builtin_scripting, false)
66
67 ## <desc>
68 ## <p>
69 ## Allow HTTPD scripts and modules to connect to the network using any TCP port.
70 ## </p>
71 ## </desc>
72 gen_tunable(httpd_can_network_connect, false)
73
74 ## <desc>
75 ## <p>
76 ## Allow HTTPD scripts and modules to connect to cobbler over the network.
77 ## </p>
78 ## </desc>
79 gen_tunable(httpd_can_network_connect_cobbler, false)
80
81 ## <desc>
82 ## <p>
83 ## Allow HTTPD scripts and modules to connect to databases over the network.
84 ## </p>
85 ## </desc>
86 gen_tunable(httpd_can_network_connect_db, false)
87
88 ## <desc>
89 ## <p>
90 ## Allow httpd to connect to memcache server
91 ## </p>
92 ## </desc>
93 gen_tunable(httpd_can_network_memcache, false)
94
95 ## <desc>
96 ## <p>
97 ## Allow httpd to act as a relay
98 ## </p>
99 ## </desc>
100 gen_tunable(httpd_can_network_relay, false)
101
102 ## <desc>
103 ## <p>
104 ## Allow http daemon to send mail
105 ## </p>
106 ## </desc>
107 gen_tunable(httpd_can_sendmail, false)
108
109 ## <desc>
110 ## <p>
111 ## Allow http daemon to check spam
112 ## </p>
113 ## </desc>
114 gen_tunable(httpd_can_check_spam, false)
115
116 ## <desc>
117 ## <p>
118 ## Allow Apache to communicate with avahi service via dbus
119 ## </p>
120 ## </desc>
121 gen_tunable(httpd_dbus_avahi, false)
122
123 ## <desc>
124 ## <p>
125 ## Allow httpd to execute cgi scripts
126 ## </p>
127 ## </desc>
128 gen_tunable(httpd_enable_cgi, false)
129
130 ## <desc>
131 ## <p>
132 ## Allow httpd to act as a FTP server by
133 ## listening on the ftp port.
134 ## </p>
135 ## </desc>
136 gen_tunable(httpd_enable_ftp_server, false)
137
138 ## <desc>
139 ## <p>
140 ## Allow httpd to act as a FTP client
141 ## connecting to the ftp port and ephemeral ports
142 ## </p>
143 ## </desc>
144 gen_tunable(httpd_can_connect_ftp, false)
145
146 ## <desc>
147 ## <p>
148 ## Allow httpd to read home directories
149 ## </p>
150 ## </desc>
151 gen_tunable(httpd_enable_homedirs, false)
152
153 ## <desc>
154 ## <p>
155 ## Allow httpd to read user content
156 ## </p>
157 ## </desc>
158 gen_tunable(httpd_read_user_content, false)
159
160 ## <desc>
161 ## <p>
162 ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
163 ## </p>
164 ## </desc>
165 gen_tunable(httpd_ssi_exec, false)
166
167 ## <desc>
168 ## <p>
169 ## Allow Apache to execute tmp content.
170 ## </p>
171 ## </desc>
172 gen_tunable(httpd_tmp_exec, false)
173
174 ## <desc>
175 ## <p>
176 ## Unify HTTPD to communicate with the terminal.
177 ## Needed for entering the passphrase for certificates at
178 ## the terminal.
179 ## </p>
180 ## </desc>
181 gen_tunable(httpd_tty_comm, false)
182
183 ## <desc>
184 ## <p>
185 ## Unify HTTPD handling of all content files.
186 ## </p>
187 ## </desc>
188 gen_tunable(httpd_unified, false)
189
190 ## <desc>
191 ## <p>
192 ## Allow httpd to access cifs file systems
193 ## </p>
194 ## </desc>
195 gen_tunable(httpd_use_cifs, false)
196
197 ## <desc>
198 ## <p>
199 ## Allow httpd to run gpg in gpg-web domain
200 ## </p>
201 ## </desc>
202 gen_tunable(httpd_use_gpg, false)
203
204 ## <desc>
205 ## <p>
206 ## Allow httpd to access nfs file systems
207 ## </p>
208 ## </desc>
209 gen_tunable(httpd_use_nfs, false)
210
211 ## <desc>
212 ## <p>
213 ## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
214 ## </p>
215 ## </desc>
216 gen_tunable(allow_httpd_sys_script_anon_write, false)
217
218 attribute httpdcontent;
219 attribute httpd_user_content_type;
220
221 # domains that can exec all users scripts
222 attribute httpd_exec_scripts;
223
224 attribute httpd_script_exec_type;
225 attribute httpd_user_script_exec_type;
226
227 # user script domains
228 attribute httpd_script_domains;
229
230 type httpd_t;
231 type httpd_exec_t;
232 init_daemon_domain(httpd_t, httpd_exec_t)
233 role system_r types httpd_t;
234
235 # httpd_cache_t is the type given to the /var/cache/httpd
236 # directory and the files under that directory
237 type httpd_cache_t;
238 files_type(httpd_cache_t)
239
240 # httpd_config_t is the type given to the configuration files
241 type httpd_config_t;
242 files_config_file(httpd_config_t)
243
244 type httpd_helper_t;
245 type httpd_helper_exec_t;
246 domain_type(httpd_helper_t)
247 domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
248 role system_r types httpd_helper_t;
249
250 type httpd_initrc_exec_t;
251 init_script_file(httpd_initrc_exec_t)
252
253 type httpd_unit_file_t;
254 systemd_unit_file(httpd_unit_file_t)
255
256 type httpd_lock_t;
257 files_lock_file(httpd_lock_t)
258
259 type httpd_log_t;
260 logging_log_file(httpd_log_t)
261
262 # httpd_modules_t is the type given to module files (libraries)
263 # that come with Apache /etc/httpd/modules and /usr/lib/apache
264 type httpd_modules_t;
265 files_type(httpd_modules_t)
266
267 type httpd_php_t;
268 type httpd_php_exec_t;
269 domain_type(httpd_php_t)
270 domain_entry_file(httpd_php_t, httpd_php_exec_t)
271 role system_r types httpd_php_t;
272
273 type httpd_php_tmp_t;
274 files_tmp_file(httpd_php_tmp_t)
275
276 type httpd_rotatelogs_t;
277 type httpd_rotatelogs_exec_t;
278 init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
279
280 type httpd_squirrelmail_t;
281 files_type(httpd_squirrelmail_t)
282
283 # SUEXEC runs user scripts as their own user ID
284 type httpd_suexec_t; #, daemon;
285 type httpd_suexec_exec_t;
286 domain_type(httpd_suexec_t)
287 domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
288 role system_r types httpd_suexec_t;
289
290 type httpd_suexec_tmp_t;
291 files_tmp_file(httpd_suexec_tmp_t)
292
293 # setup the system domain for system CGI scripts
294 apache_content_template(sys)
295
296 typeattribute httpd_sys_content_t httpdcontent; # customizable
297 typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
298 typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
299
300 # Removal of fastcgi, will cause problems without the following
301 typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
302 typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
303 typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
304 typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
305 typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
306
307 type httpd_tmp_t;
308 files_tmp_file(httpd_tmp_t)
309
310 type httpd_tmpfs_t;
311 files_tmpfs_file(httpd_tmpfs_t)
312
313 apache_content_template(user)
314 ubac_constrained(httpd_user_script_t)
315 typeattribute httpd_user_content_t httpdcontent;
316 typeattribute httpd_user_rw_content_t httpdcontent;
317 typeattribute httpd_user_ra_content_t httpdcontent;
318
319 userdom_user_home_content(httpd_user_content_t)
320 userdom_user_home_content(httpd_user_htaccess_t)
321 userdom_user_home_content(httpd_user_script_exec_t)
322 userdom_user_home_content(httpd_user_ra_content_t)
323 userdom_user_home_content(httpd_user_rw_content_t)
324 typeattribute httpd_user_script_t httpd_script_domains;
325 typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
326 typealias httpd_user_content_t alias httpd_unconfined_content_t;
327 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
328 typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
329 typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
330 typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
331 typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
332 typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
333 typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
334 typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
335 typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
336 typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
337 typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
338 typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
339 typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
340
341 # for apache2 memory mapped files
342 type httpd_var_lib_t;
343 files_type(httpd_var_lib_t)
344
345 type httpd_var_run_t;
346 files_pid_file(httpd_var_run_t)
347
348 # Removal of fastcgi, will cause problems without the following
349 typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
350
351 # File Type of squirrelmail attachments
352 type squirrelmail_spool_t;
353 files_tmp_file(squirrelmail_spool_t)
354 files_spool_file(squirrelmail_spool_t)
355
356 optional_policy(`
357 prelink_object_file(httpd_modules_t)
358 ')
359
360 type httpd_passwd_t;
361 type httpd_passwd_exec_t;
362 application_domain(httpd_passwd_t, httpd_passwd_exec_t)
363 role system_r types httpd_passwd_t;
364
365 ########################################
366 #
367 # Apache server local policy
368 #
369
370 allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
371 dontaudit httpd_t self:capability { net_admin sys_tty_config };
372 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
373 allow httpd_t self:fd use;
374 allow httpd_t self:sock_file read_sock_file_perms;
375 allow httpd_t self:fifo_file rw_fifo_file_perms;
376 allow httpd_t self:shm create_shm_perms;
377 allow httpd_t self:sem create_sem_perms;
378 allow httpd_t self:msgq create_msgq_perms;
379 allow httpd_t self:msg { send receive };
380 allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
381 allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
382 allow httpd_t self:tcp_socket create_stream_socket_perms;
383 allow httpd_t self:udp_socket create_socket_perms;
384 dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
385
386 # Allow httpd_t to put files in /var/cache/httpd etc
387 manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
388 manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
389 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
390 files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
391
392 # Allow the httpd_t to read the web servers config files
393 allow httpd_t httpd_config_t:dir list_dir_perms;
394 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
395 read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
396
397 can_exec(httpd_t, httpd_exec_t)
398
399 allow httpd_t httpd_lock_t:file manage_file_perms;
400 files_lock_filetrans(httpd_t, httpd_lock_t, file)
401
402 allow httpd_t httpd_log_t:dir setattr;
403 create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
404 append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
405 read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
406 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
407 # cjp: need to refine create interfaces to
408 # cut this back to add_name only
409 logging_log_filetrans(httpd_t, httpd_log_t, file)
410
411 allow httpd_t httpd_modules_t:dir list_dir_perms;
412 mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
413 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
414 read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
415
416 apache_domtrans_rotatelogs(httpd_t)
417 # Apache-httpd needs to be able to send signals to the log rotate procs.
418 allow httpd_t httpd_rotatelogs_t:process signal_perms;
419
420 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
421 manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
422 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
423
424 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
425
426 allow httpd_t httpd_sys_content_t:dir list_dir_perms;
427 read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
428 read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
429
430 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
431
432 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
433 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
434 manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
435 manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
436 files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
437
438 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
439 manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
440 manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
441 manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
442 manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
443 fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
444
445 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
446 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
447
448 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
449 manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
450 manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
451 manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
452 files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
453
454 manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
455 manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
456 manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
457
458 kernel_read_kernel_sysctls(httpd_t)
459 # for modules that want to access /proc/meminfo
460 kernel_read_system_state(httpd_t)
461 kernel_read_network_state(httpd_t)
462 kernel_read_network_state(httpd_t)
463 kernel_search_network_sysctl(httpd_t)
464
465 corenet_all_recvfrom_unlabeled(httpd_t)
466 corenet_all_recvfrom_netlabel(httpd_t)
467 corenet_tcp_sendrecv_generic_if(httpd_t)
468 corenet_udp_sendrecv_generic_if(httpd_t)
469 corenet_tcp_sendrecv_generic_node(httpd_t)
470 corenet_udp_sendrecv_generic_node(httpd_t)
471 corenet_tcp_sendrecv_all_ports(httpd_t)
472 corenet_udp_sendrecv_all_ports(httpd_t)
473 corenet_tcp_bind_generic_node(httpd_t)
474 corenet_udp_bind_generic_node(httpd_t)
475 corenet_tcp_bind_http_port(httpd_t)
476 corenet_tcp_bind_http_cache_port(httpd_t)
477 corenet_tcp_bind_ntop_port(httpd_t)
478 corenet_tcp_bind_jboss_management_port(httpd_t)
479 corenet_sendrecv_http_server_packets(httpd_t)
480 corenet_tcp_bind_puppet_port(httpd_t)
481 # Signal self for shutdown
482 #corenet_tcp_connect_http_port(httpd_t)
483
484 dev_read_sysfs(httpd_t)
485 dev_read_rand(httpd_t)
486 dev_read_urand(httpd_t)
487 dev_rw_crypto(httpd_t)
488
489 fs_getattr_all_fs(httpd_t)
490 fs_search_auto_mountpoints(httpd_t)
491 fs_read_iso9660_files(httpd_t)
492 fs_read_anon_inodefs_files(httpd_t)
493
494 auth_use_nsswitch(httpd_t)
495
496 application_exec_all(httpd_t)
497
498 domain_use_interactive_fds(httpd_t)
499
500 files_dontaudit_getattr_all_pids(httpd_t)
501 files_read_usr_files(httpd_t)
502 files_list_mnt(httpd_t)
503 files_search_spool(httpd_t)
504 files_read_var_symlinks(httpd_t)
505 files_read_var_lib_files(httpd_t)
506 files_search_home(httpd_t)
507 files_getattr_home_dir(httpd_t)
508 # for modules that want to access /etc/mtab
509 files_read_etc_runtime_files(httpd_t)
510 # Allow httpd_t to have access to files such as nisswitch.conf
511 files_read_etc_files(httpd_t)
512 # for tomcat
513 files_read_var_lib_symlinks(httpd_t)
514
515 fs_search_auto_mountpoints(httpd_sys_script_t)
516 # php uploads a file to /tmp and then execs programs to acton them
517 manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
518 manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
519 manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
520 manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
521 manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
522 files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
523
524 libs_read_lib_files(httpd_t)
525
526 ifdef(`hide_broken_symptoms',`
527 libs_exec_lib_files(httpd_t)
528 ')
529
530 logging_send_syslog_msg(httpd_t)
531
532 miscfiles_read_localization(httpd_t)
533 miscfiles_read_fonts(httpd_t)
534 miscfiles_read_public_files(httpd_t)
535 miscfiles_read_generic_certs(httpd_t)
536 miscfiles_read_tetex_data(httpd_t)
537
538 seutil_dontaudit_search_config(httpd_t)
539
540 userdom_use_unpriv_users_fds(httpd_t)
541
542 tunable_policy(`httpd_setrlimit',`
543 allow httpd_t self:process setrlimit;
544 allow httpd_t self:capability sys_resource;
545 ')
546
547 tunable_policy(`allow_httpd_anon_write',`
548 miscfiles_manage_public_files(httpd_t)
549 ')
550
551 #
552 # We need optionals to be able to be within booleans to make this work
553 #
554 tunable_policy(`allow_httpd_mod_auth_pam',`
555 auth_domtrans_chkpwd(httpd_t)
556 logging_send_audit_msgs(httpd_t)
557 ')
558
559 optional_policy(`
560 tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
561 samba_domtrans_winbind_helper(httpd_t)
562 ')
563 ')
564
565 tunable_policy(`httpd_can_network_connect',`
566 corenet_tcp_connect_all_ports(httpd_t)
567 ')
568
569 tunable_policy(`httpd_can_network_connect_db',`
570 corenet_tcp_connect_firebird_port(httpd_t)
571 corenet_tcp_connect_mssql_port(httpd_t)
572 corenet_sendrecv_mssql_client_packets(httpd_t)
573 corenet_tcp_connect_oracle_port(httpd_t)
574 corenet_sendrecv_oracle_client_packets(httpd_t)
575 ')
576
577 tunable_policy(`httpd_can_network_memcache',`
578 corenet_tcp_connect_memcache_port(httpd_t)
579 ')
580
581 tunable_policy(`httpd_can_network_relay',`
582 # allow httpd to work as a relay
583 corenet_tcp_connect_gopher_port(httpd_t)
584 corenet_tcp_connect_ftp_port(httpd_t)
585 corenet_tcp_connect_http_port(httpd_t)
586 corenet_tcp_connect_http_cache_port(httpd_t)
587 corenet_tcp_connect_squid_port(httpd_t)
588 corenet_tcp_connect_memcache_port(httpd_t)
589 corenet_sendrecv_gopher_client_packets(httpd_t)
590 corenet_sendrecv_ftp_client_packets(httpd_t)
591 corenet_sendrecv_http_client_packets(httpd_t)
592 corenet_sendrecv_http_cache_client_packets(httpd_t)
593 corenet_sendrecv_squid_client_packets(httpd_t)
594 corenet_tcp_connect_ephermeral_ports(httpd_t)
595 ')
596
597 tunable_policy(`httpd_execmem',`
598 allow httpd_t self:process { execmem execstack };
599 allow httpd_sys_script_t self:process { execmem execstack };
600 allow httpd_suexec_t self:process { execmem execstack };
601 ')
602
603 tunable_policy(`httpd_enable_cgi && httpd_unified',`
604 allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
605 filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
606 can_exec(httpd_sys_script_t, httpd_sys_content_t)
607 ')
608
609 tunable_policy(`allow_httpd_sys_script_anon_write',`
610 miscfiles_manage_public_files(httpd_sys_script_t)
611 ')
612
613 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
614 fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
615 ')
616
617 tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
618 fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
619 ')
620
621 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
622 domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
623 filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
624 manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
625 manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
626 manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
627
628 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
629 manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
630 manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
631 ')
632
633 tunable_policy(`httpd_can_network_connect_ftp',`
634 corenet_tcp_connect_ftp_port(httpd_t)
635 corenet_tcp_connect_ephemeral_ports(httpd_t)
636 ')
637
638 tunable_policy(`httpd_enable_ftp_server',`
639 corenet_tcp_bind_ftp_port(httpd_t)
640 corenet_tcp_bind_ephemeral_ports(httpd_t)
641 ')
642
643 tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
644 can_exec(httpd_t, httpd_tmp_t)
645 ')
646
647 tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
648 can_exec(httpd_sys_script_t, httpd_tmp_t)
649 ')
650
651 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
652 fs_list_auto_mountpoints(httpd_t)
653 fs_read_nfs_files(httpd_t)
654 fs_read_nfs_symlinks(httpd_t)
655 ')
656
657 tunable_policy(`httpd_use_nfs',`
658 fs_list_auto_mountpoints(httpd_t)
659 fs_manage_nfs_dirs(httpd_t)
660 fs_manage_nfs_files(httpd_t)
661 fs_manage_nfs_symlinks(httpd_t)
662 ')
663
664 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
665 fs_read_cifs_files(httpd_t)
666 fs_read_cifs_symlinks(httpd_t)
667 ')
668
669 tunable_policy(`httpd_can_sendmail',`
670 # allow httpd to connect to mail servers
671 corenet_tcp_connect_smtp_port(httpd_t)
672 corenet_sendrecv_smtp_client_packets(httpd_t)
673 corenet_tcp_connect_pop_port(httpd_t)
674 corenet_sendrecv_pop_client_packets(httpd_t)
675 mta_send_mail(httpd_t)
676 mta_signal_system_mail(httpd_t)
677 ')
678
679 tunable_policy(`httpd_use_cifs',`
680 fs_manage_cifs_dirs(httpd_t)
681 fs_manage_cifs_files(httpd_t)
682 fs_manage_cifs_symlinks(httpd_t)
683 ')
684
685 tunable_policy(`httpd_ssi_exec',`
686 corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
687 allow httpd_sys_script_t httpd_t:fd use;
688 allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
689 allow httpd_sys_script_t httpd_t:process sigchld;
690 ')
691
692 # When the admin starts the server, the server wants to access
693 # the TTY or PTY associated with the session. The httpd appears
694 # to run correctly without this permission, so the permission
695 # are dontaudited here.
696 tunable_policy(`httpd_tty_comm',`
697 userdom_use_inherited_user_terminals(httpd_t)
698 userdom_use_inherited_user_terminals(httpd_suexec_t)
699 ',`
700 userdom_dontaudit_use_user_terminals(httpd_t)
701 userdom_dontaudit_use_user_terminals(httpd_suexec_t)
702 ')
703
704 optional_policy(`
705 # Support for ABRT retrace server
706 # mod_wsgi
707 abrt_manage_spool_retrace(httpd_t)
708 abrt_domtrans_retrace_worker(httpd_t)
709 abrt_read_config(httpd_t)
710 ')
711
712 optional_policy(`
713 calamaris_read_www_files(httpd_t)
714 ')
715
716 optional_policy(`
717 ccs_read_config(httpd_t)
718 ')
719
720 optional_policy(`
721 cobbler_list_config(httpd_t)
722 cobbler_read_config(httpd_t)
723 cobbler_read_lib_files(httpd_t)
724
725 tunable_policy(`httpd_can_network_connect_cobbler',`
726 corenet_tcp_connect_cobbler_port(httpd_t)
727 ')
728 ')
729
730 optional_policy(`
731 cron_system_entry(httpd_t, httpd_exec_t)
732 ')
733
734 optional_policy(`
735 cvs_read_data(httpd_t)
736 ')
737
738 optional_policy(`
739 daemontools_service_domain(httpd_t, httpd_exec_t)
740 ')
741
742 optional_policy(`
743 dirsrv_manage_config(httpd_t)
744 dirsrv_manage_log(httpd_t)
745 dirsrv_manage_var_run(httpd_t)
746 dirsrv_read_share(httpd_t)
747 dirsrv_signal(httpd_t)
748 dirsrv_signull(httpd_t)
749 dirsrvadmin_manage_config(httpd_t)
750 dirsrvadmin_manage_tmp(httpd_t)
751 dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
752 ')
753
754 optional_policy(`
755 dbus_system_bus_client(httpd_t)
756
757 tunable_policy(`httpd_dbus_avahi',`
758 avahi_dbus_chat(httpd_t)
759 ')
760 ')
761
762 optional_policy(`
763 git_read_generic_system_content_files(httpd_t)
764 gitosis_read_lib_files(httpd_t)
765 ')
766
767 optional_policy(`
768 tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
769 gpg_domtrans_web(httpd_t)
770 ')
771 ')
772
773 optional_policy(`
774 kerberos_keytab_template(httpd, httpd_t)
775 ')
776
777 optional_policy(`
778 mailman_signal_cgi(httpd_t)
779 mailman_domtrans_cgi(httpd_t)
780 mailman_read_data_files(httpd_t)
781 # should have separate types for public and private archives
782 mailman_search_data(httpd_t)
783 mailman_read_archive(httpd_t)
784 ')
785
786 optional_policy(`
787 mediawiki_read_tmp_files(httpd_t)
788 mediawiki_delete_tmp_files(httpd_t)
789 ')
790
791 optional_policy(`
792 # Allow httpd to work with mysql
793 mysql_read_config(httpd_t)
794 mysql_stream_connect(httpd_t)
795 mysql_rw_db_sockets(httpd_t)
796
797 tunable_policy(`httpd_can_network_connect_db',`
798 mysql_tcp_connect(httpd_t)
799 ')
800 ')
801
802 optional_policy(`
803 nagios_read_config(httpd_t)
804 nagios_read_log(httpd_t)
805 ')
806
807 optional_policy(`
808 openca_domtrans(httpd_t)
809 openca_signal(httpd_t)
810 openca_sigstop(httpd_t)
811 openca_kill(httpd_t)
812 ')
813
814 optional_policy(`
815 passenger_domtrans(httpd_t)
816 passenger_manage_pid_content(httpd_t)
817 passenger_read_lib_files(httpd_t)
818 ')
819
820 optional_policy(`
821 puppet_read_lib(httpd_t)
822 ')
823
824 optional_policy(`
825 rpc_search_nfs_state_data(httpd_t)
826 ')
827
828 optional_policy(`
829 # Allow httpd to work with postgresql
830 postgresql_stream_connect(httpd_t)
831 postgresql_unpriv_client(httpd_t)
832
833 tunable_policy(`httpd_can_network_connect_db',`
834 postgresql_tcp_connect(httpd_t)
835 ')
836 ')
837
838 optional_policy(`
839 seutil_sigchld_newrole(httpd_t)
840 ')
841
842 optional_policy(`
843 smokeping_read_lib_files(httpd_t)
844 ')
845
846 optional_policy(`
847 files_dontaudit_rw_usr_dirs(httpd_t)
848 snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
849 snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
850 ')
851
852 optional_policy(`
853 udev_read_db(httpd_t)
854 ')
855
856 optional_policy(`
857 yam_read_content(httpd_t)
858 ')
859
860 optional_policy(`
861 zarafa_manage_lib_files(httpd_t)
862 zarafa_stream_connect_server(httpd_t)
863 zarafa_search_config(httpd_t)
864 ')
865
866 ########################################
867 #
868 # Apache helper local policy
869 #
870
871 domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
872
873 allow httpd_helper_t httpd_config_t:file read_file_perms;
874
875 allow httpd_helper_t httpd_log_t:file append_file_perms;
876
877 logging_send_syslog_msg(httpd_helper_t)
878
879 userdom_use_inherited_user_terminals(httpd_helper_t)
880
881 tunable_policy(`httpd_tty_comm',`
882 userdom_use_inherited_user_terminals(httpd_helper_t)
883 ')
884
885 ########################################
886 #
887 # Apache PHP script local policy
888 #
889
890 allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
891 allow httpd_php_t self:fd use;
892 allow httpd_php_t self:fifo_file rw_fifo_file_perms;
893 allow httpd_php_t self:sock_file read_sock_file_perms;
894 allow httpd_php_t self:unix_dgram_socket create_socket_perms;
895 allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
896 allow httpd_php_t self:unix_dgram_socket sendto;
897 allow httpd_php_t self:unix_stream_socket connectto;
898 allow httpd_php_t self:shm create_shm_perms;
899 allow httpd_php_t self:sem create_sem_perms;
900 allow httpd_php_t self:msgq create_msgq_perms;
901 allow httpd_php_t self:msg { send receive };
902
903 domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
904
905 # allow php to read and append to apache logfiles
906 allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
907
908 manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
909 manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
910 files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
911
912 fs_search_auto_mountpoints(httpd_php_t)
913
914 auth_use_nsswitch(httpd_php_t)
915
916 libs_exec_lib_files(httpd_php_t)
917
918 userdom_use_unpriv_users_fds(httpd_php_t)
919
920 tunable_policy(`httpd_can_network_connect_db',`
921 corenet_tcp_connect_firebird_port(httpd_php_t)
922 corenet_tcp_connect_mssql_port(httpd_php_t)
923 corenet_sendrecv_mssql_client_packets(httpd_php_t)
924 corenet_tcp_connect_oracle_port(httpd_php_t)
925 corenet_sendrecv_oracle_client_packets(httpd_php_t)
926 ')
927
928 optional_policy(`
929 mysql_stream_connect(httpd_php_t)
930 mysql_rw_db_sockets(httpd_php_t)
931 mysql_read_config(httpd_php_t)
932
933 tunable_policy(`httpd_can_network_connect_db',`
934 mysql_tcp_connect(httpd_php_t)
935 ')
936 ')
937
938 optional_policy(`
939 postgresql_stream_connect(httpd_php_t)
940 postgresql_unpriv_client(httpd_php_t)
941
942 tunable_policy(`httpd_can_network_connect_db',`
943 postgresql_tcp_connect(httpd_php_t)
944 ')
945 ')
946
947 ########################################
948 #
949 # Apache suexec local policy
950 #
951
952 allow httpd_suexec_t self:capability { setuid setgid };
953 allow httpd_suexec_t self:process signal_perms;
954
955 allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
956 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
957
958 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
959
960 create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
961 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
962 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
963
964 allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
965
966 manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
967 manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
968 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
969
970 can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
971
972 read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
973 read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
974 read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
975
976 kernel_read_kernel_sysctls(httpd_suexec_t)
977 kernel_list_proc(httpd_suexec_t)
978 kernel_read_proc_symlinks(httpd_suexec_t)
979
980 dev_read_urand(httpd_suexec_t)
981
982 fs_read_iso9660_files(httpd_suexec_t)
983 fs_search_auto_mountpoints(httpd_suexec_t)
984
985 application_exec_all(httpd_suexec_t)
986
987 files_read_etc_files(httpd_suexec_t)
988 files_read_usr_files(httpd_suexec_t)
989 files_dontaudit_search_pids(httpd_suexec_t)
990 files_search_home(httpd_suexec_t)
991
992 auth_use_nsswitch(httpd_suexec_t)
993
994 logging_search_logs(httpd_suexec_t)
995 logging_send_syslog_msg(httpd_suexec_t)
996
997 miscfiles_read_localization(httpd_suexec_t)
998 miscfiles_read_public_files(httpd_suexec_t)
999
1000 tunable_policy(`httpd_can_network_connect',`
1001 allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
1002 allow httpd_suexec_t self:udp_socket create_socket_perms;
1003
1004 corenet_all_recvfrom_unlabeled(httpd_suexec_t)
1005 corenet_all_recvfrom_netlabel(httpd_suexec_t)
1006 corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
1007 corenet_udp_sendrecv_generic_if(httpd_suexec_t)
1008 corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
1009 corenet_udp_sendrecv_generic_node(httpd_suexec_t)
1010 corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
1011 corenet_udp_sendrecv_all_ports(httpd_suexec_t)
1012 corenet_tcp_connect_all_ports(httpd_suexec_t)
1013 corenet_sendrecv_all_client_packets(httpd_suexec_t)
1014 ')
1015
1016 tunable_policy(`httpd_can_network_connect_db',`
1017 corenet_tcp_connect_firebird_port(httpd_suexec_t)
1018 corenet_tcp_connect_mssql_port(httpd_suexec_t)
1019 corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
1020 corenet_tcp_connect_oracle_port(httpd_suexec_t)
1021 corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
1022 ')
1023
1024 domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
1025
1026 tunable_policy(`httpd_can_sendmail',`
1027 mta_send_mail(httpd_suexec_t)
1028 ')
1029
1030 tunable_policy(`httpd_enable_cgi && httpd_unified',`
1031 allow httpd_sys_script_t httpdcontent:file entrypoint;
1032 domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
1033 manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1034 manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1035 manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1036 manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1037 ')
1038
1039 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
1040 fs_list_auto_mountpoints(httpd_suexec_t)
1041 fs_read_nfs_files(httpd_suexec_t)
1042 fs_read_nfs_symlinks(httpd_suexec_t)
1043 fs_exec_nfs_files(httpd_suexec_t)
1044 ')
1045
1046 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
1047 fs_read_cifs_files(httpd_suexec_t)
1048 fs_read_cifs_symlinks(httpd_suexec_t)
1049 fs_exec_cifs_files(httpd_suexec_t)
1050 ')
1051
1052 optional_policy(`
1053 mailman_domtrans_cgi(httpd_suexec_t)
1054 ')
1055
1056 optional_policy(`
1057 mta_stub(httpd_suexec_t)
1058
1059 # apache should set close-on-exec
1060 dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
1061 ')
1062
1063 optional_policy(`
1064 mysql_stream_connect(httpd_suexec_t)
1065 mysql_rw_db_sockets(httpd_suexec_t)
1066 mysql_read_config(httpd_suexec_t)
1067
1068 tunable_policy(`httpd_can_network_connect_db',`
1069 mysql_tcp_connect(httpd_suexec_t)
1070 ')
1071 ')
1072
1073 optional_policy(`
1074 postgresql_stream_connect(httpd_suexec_t)
1075 postgresql_unpriv_client(httpd_suexec_t)
1076
1077 tunable_policy(`httpd_can_network_connect_db',`
1078 postgresql_tcp_connect(httpd_suexec_t)
1079 ')
1080 ')
1081
1082 ########################################
1083 #
1084 # Apache system script local policy
1085 #
1086
1087 allow httpd_sys_script_t self:process getsched;
1088
1089 allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
1090 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
1091
1092 dontaudit httpd_sys_script_t httpd_config_t:dir search;
1093
1094 allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
1095
1096 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
1097 read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
1098 read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
1099
1100 kernel_read_kernel_sysctls(httpd_sys_script_t)
1101
1102 files_read_var_symlinks(httpd_sys_script_t)
1103 files_search_var_lib(httpd_sys_script_t)
1104 files_search_spool(httpd_sys_script_t)
1105
1106 logging_inherit_append_all_logs(httpd_sys_script_t)
1107
1108 # Should we add a boolean?
1109 apache_domtrans_rotatelogs(httpd_sys_script_t)
1110
1111 auth_use_nsswitch(httpd_sys_script_t)
1112
1113 ifdef(`distro_redhat',`
1114 allow httpd_sys_script_t httpd_log_t:file append_file_perms;
1115 ')
1116
1117 tunable_policy(`httpd_can_sendmail',`
1118 mta_send_mail(httpd_sys_script_t)
1119 ')
1120
1121 optional_policy(`
1122 tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
1123 spamassassin_domtrans_client(httpd_t)
1124 ')
1125 ')
1126
1127 tunable_policy(`httpd_can_network_connect_db',`
1128 corenet_tcp_connect_firebird_port(httpd_sys_script_t)
1129 corenet_tcp_connect_mssql_port(httpd_sys_script_t)
1130 corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
1131 corenet_tcp_connect_oracle_port(httpd_sys_script_t)
1132 corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
1133 ')
1134
1135 fs_cifs_entry_type(httpd_sys_script_t)
1136 fs_read_iso9660_files(httpd_sys_script_t)
1137 fs_nfs_entry_type(httpd_sys_script_t)
1138
1139 tunable_policy(`httpd_use_nfs',`
1140 fs_list_auto_mountpoints(httpd_sys_script_t)
1141 fs_manage_nfs_dirs(httpd_sys_script_t)
1142 fs_manage_nfs_files(httpd_sys_script_t)
1143 fs_manage_nfs_symlinks(httpd_sys_script_t)
1144 fs_exec_nfs_files(httpd_sys_script_t)
1145
1146 fs_list_auto_mountpoints(httpd_suexec_t)
1147 fs_manage_nfs_dirs(httpd_suexec_t)
1148 fs_manage_nfs_files(httpd_suexec_t)
1149 fs_manage_nfs_symlinks(httpd_suexec_t)
1150 fs_exec_nfs_files(httpd_suexec_t)
1151 ')
1152
1153 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
1154 allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
1155 allow httpd_sys_script_t self:udp_socket create_socket_perms;
1156
1157 corenet_tcp_bind_generic_node(httpd_sys_script_t)
1158 corenet_udp_bind_generic_node(httpd_sys_script_t)
1159 corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
1160 corenet_all_recvfrom_netlabel(httpd_sys_script_t)
1161 corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
1162 corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
1163 corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
1164 corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
1165 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
1166 corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
1167 corenet_tcp_connect_all_ports(httpd_sys_script_t)
1168 corenet_sendrecv_all_client_packets(httpd_sys_script_t)
1169 ')
1170
1171 tunable_policy(`httpd_enable_homedirs',`
1172 userdom_search_user_home_dirs(httpd_sys_script_t)
1173 ')
1174
1175 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
1176 fs_list_auto_mountpoints(httpd_sys_script_t)
1177 fs_read_nfs_files(httpd_sys_script_t)
1178 fs_read_nfs_symlinks(httpd_sys_script_t)
1179 ')
1180
1181 tunable_policy(`httpd_read_user_content',`
1182 userdom_read_user_home_content_files(httpd_sys_script_t)
1183 ')
1184
1185 tunable_policy(`httpd_use_cifs',`
1186 fs_manage_cifs_dirs(httpd_sys_script_t)
1187 fs_manage_cifs_files(httpd_sys_script_t)
1188 fs_manage_cifs_symlinks(httpd_sys_script_t)
1189 fs_manage_cifs_dirs(httpd_suexec_t)
1190 fs_manage_cifs_files(httpd_suexec_t)
1191 fs_manage_cifs_symlinks(httpd_suexec_t)
1192 fs_exec_cifs_files(httpd_suexec_t)
1193 ')
1194
1195 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
1196 fs_read_cifs_files(httpd_sys_script_t)
1197 fs_read_cifs_symlinks(httpd_sys_script_t)
1198 ')
1199
1200 optional_policy(`
1201 clamav_domtrans_clamscan(httpd_sys_script_t)
1202 ')
1203
1204 optional_policy(`
1205 mysql_stream_connect(httpd_sys_script_t)
1206 mysql_rw_db_sockets(httpd_sys_script_t)
1207 mysql_read_config(httpd_sys_script_t)
1208
1209 tunable_policy(`httpd_can_network_connect_db',`
1210 mysql_tcp_connect(httpd_sys_script_t)
1211 ')
1212 ')
1213
1214 optional_policy(`
1215 postgresql_stream_connect(httpd_sys_script_t)
1216 postgresql_unpriv_client(httpd_sys_script_t)
1217
1218 tunable_policy(`httpd_can_network_connect_db',`
1219 postgresql_tcp_connect(httpd_sys_script_t)
1220 ')
1221 ')
1222
1223 ########################################
1224 #
1225 # httpd_rotatelogs local policy
1226 #
1227
1228 allow httpd_rotatelogs_t self:capability dac_override;
1229
1230 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
1231
1232 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
1233 kernel_dontaudit_list_proc(httpd_rotatelogs_t)
1234 kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
1235
1236 files_read_etc_files(httpd_rotatelogs_t)
1237
1238 logging_search_logs(httpd_rotatelogs_t)
1239
1240 miscfiles_read_localization(httpd_rotatelogs_t)
1241
1242 ########################################
1243 #
1244 # Unconfined script local policy
1245 #
1246
1247 optional_policy(`
1248 type httpd_unconfined_script_t;
1249 type httpd_unconfined_script_exec_t;
1250 domain_type(httpd_unconfined_script_t)
1251 domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
1252 domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
1253 unconfined_domain(httpd_unconfined_script_t)
1254
1255 role system_r types httpd_unconfined_script_t;
1256 allow httpd_t httpd_unconfined_script_t:process signal_perms;
1257 ')
1258
1259 ########################################
1260 #
1261 # User content local policy
1262 #
1263
1264 tunable_policy(`httpd_enable_cgi && httpd_unified',`
1265 allow httpd_user_script_t httpdcontent:file entrypoint;
1266 manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
1267 manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
1268 manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
1269 manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
1270 ')
1271
1272 # allow accessing files/dirs below the users home dir
1273 tunable_policy(`httpd_enable_homedirs',`
1274 userdom_search_user_home_content(httpd_t)
1275 userdom_search_user_home_content(httpd_suexec_t)
1276 userdom_search_user_home_content(httpd_user_script_t)
1277 ')
1278
1279 tunable_policy(`httpd_read_user_content',`
1280 userdom_read_user_home_content_files(httpd_t)
1281 userdom_read_user_home_content_files(httpd_suexec_t)
1282 userdom_read_user_home_content_files(httpd_user_script_t)
1283 ')
1284
1285 ########################################
1286 #
1287 # httpd_passwd local policy
1288 #
1289
1290 allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
1291 allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
1292 allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
1293
1294 domain_use_interactive_fds(httpd_passwd_t)
1295
1296 files_read_etc_files(httpd_passwd_t)
1297
1298 miscfiles_read_localization(httpd_passwd_t)
1299
1300 corecmd_exec_bin(httpd_passwd_t)
1301
1302 kernel_read_system_state(httpd_passwd_t)
1303
1304 dev_read_urand(httpd_passwd_t)
1305
1306 systemd_passwd_agent_dev_template(httpd)
1307
1308 domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
1309 dontaudit httpd_passwd_t httpd_config_t:file read;
1310
The IPFire selinux policy.