1 policy_module(apache, 2.2.1)
5 # This policy will work with SUEXEC enabled as part of the Apache
6 # configuration. However, the user CGI scripts will run under the
7 # system_u:system_r:httpd_user_script_t.
9 # The user CGI scripts must be labeled with the httpd_user_script_exec_t
10 # type, and the directory containing the scripts should also be labeled
11 # with these types. This policy allows the user role to perform that
12 # relabeling. If it is desired that only admin role should be able to relabel
13 # the user CGI scripts, then relabel rule for user roles should be removed.
16 ########################################
21 selinux_genbool(httpd_bool_t)
25 ## Allow Apache to modify public files
26 ## used for public file transfer services. Directories/Files must
27 ## be labeled public_content_rw_t.
30 gen_tunable(allow_httpd_anon_write, false)
34 ## Allow Apache to use mod_auth_pam
37 gen_tunable(allow_httpd_mod_auth_pam, false)
41 ## Allow Apache to use mod_auth_ntlm_winbind
44 gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
48 ## Allow httpd scripts and modules execmem/execstack
51 gen_tunable(httpd_execmem, false)
55 ## Allow httpd daemon to change system limits
58 gen_tunable(httpd_setrlimit, false)
62 ## Allow httpd to use built in scripting (usually php)
65 gen_tunable(httpd_builtin_scripting, false)
69 ## Allow HTTPD scripts and modules to connect to the network using any TCP port.
72 gen_tunable(httpd_can_network_connect, false)
76 ## Allow HTTPD scripts and modules to connect to cobbler over the network.
79 gen_tunable(httpd_can_network_connect_cobbler, false)
83 ## Allow HTTPD scripts and modules to connect to databases over the network.
86 gen_tunable(httpd_can_network_connect_db, false)
90 ## Allow httpd to connect to memcache server
93 gen_tunable(httpd_can_network_memcache, false)
97 ## Allow httpd to act as a relay
100 gen_tunable(httpd_can_network_relay, false)
104 ## Allow http daemon to send mail
107 gen_tunable(httpd_can_sendmail, false)
111 ## Allow http daemon to check spam
114 gen_tunable(httpd_can_check_spam, false)
118 ## Allow Apache to communicate with avahi service via dbus
121 gen_tunable(httpd_dbus_avahi, false)
125 ## Allow httpd to execute cgi scripts
128 gen_tunable(httpd_enable_cgi, false)
132 ## Allow httpd to act as a FTP server by
133 ## listening on the ftp port.
136 gen_tunable(httpd_enable_ftp_server, false)
140 ## Allow httpd to act as a FTP client
141 ## connecting to the ftp port and ephemeral ports
144 gen_tunable(httpd_can_connect_ftp, false)
148 ## Allow httpd to read home directories
151 gen_tunable(httpd_enable_homedirs, false)
155 ## Allow httpd to read user content
158 gen_tunable(httpd_read_user_content, false)
162 ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
165 gen_tunable(httpd_ssi_exec, false)
169 ## Allow Apache to execute tmp content.
172 gen_tunable(httpd_tmp_exec, false)
176 ## Unify HTTPD to communicate with the terminal.
177 ## Needed for entering the passphrase for certificates at
181 gen_tunable(httpd_tty_comm, false)
185 ## Unify HTTPD handling of all content files.
188 gen_tunable(httpd_unified, false)
192 ## Allow httpd to access cifs file systems
195 gen_tunable(httpd_use_cifs, false)
199 ## Allow httpd to run gpg in gpg-web domain
202 gen_tunable(httpd_use_gpg, false)
206 ## Allow httpd to access nfs file systems
209 gen_tunable(httpd_use_nfs, false)
213 ## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
216 gen_tunable(allow_httpd_sys_script_anon_write, false)
218 attribute httpdcontent;
219 attribute httpd_user_content_type;
221 # domains that can exec all users scripts
222 attribute httpd_exec_scripts;
224 attribute httpd_script_exec_type;
225 attribute httpd_user_script_exec_type;
227 # user script domains
228 attribute httpd_script_domains;
232 init_daemon_domain(httpd_t, httpd_exec_t)
233 role system_r types httpd_t;
235 # httpd_cache_t is the type given to the /var/cache/httpd
236 # directory and the files under that directory
238 files_type(httpd_cache_t)
240 # httpd_config_t is the type given to the configuration files
242 files_config_file(httpd_config_t)
245 type httpd_helper_exec_t;
246 domain_type(httpd_helper_t)
247 domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
248 role system_r types httpd_helper_t;
250 type httpd_initrc_exec_t;
251 init_script_file(httpd_initrc_exec_t)
253 type httpd_unit_file_t;
254 systemd_unit_file(httpd_unit_file_t)
257 files_lock_file(httpd_lock_t)
260 logging_log_file(httpd_log_t)
262 # httpd_modules_t is the type given to module files (libraries)
263 # that come with Apache /etc/httpd/modules and /usr/lib/apache
264 type httpd_modules_t;
265 files_type(httpd_modules_t)
268 type httpd_php_exec_t;
269 domain_type(httpd_php_t)
270 domain_entry_file(httpd_php_t, httpd_php_exec_t)
271 role system_r types httpd_php_t;
273 type httpd_php_tmp_t;
274 files_tmp_file(httpd_php_tmp_t)
276 type httpd_rotatelogs_t;
277 type httpd_rotatelogs_exec_t;
278 init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
280 type httpd_squirrelmail_t;
281 files_type(httpd_squirrelmail_t)
283 # SUEXEC runs user scripts as their own user ID
284 type httpd_suexec_t; #, daemon;
285 type httpd_suexec_exec_t;
286 domain_type(httpd_suexec_t)
287 domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
288 role system_r types httpd_suexec_t;
290 type httpd_suexec_tmp_t;
291 files_tmp_file(httpd_suexec_tmp_t)
293 # setup the system domain for system CGI scripts
294 apache_content_template(sys)
296 typeattribute httpd_sys_content_t httpdcontent; # customizable
297 typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
298 typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
300 # Removal of fastcgi, will cause problems without the following
301 typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
302 typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
303 typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
304 typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
305 typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
308 files_tmp_file(httpd_tmp_t)
311 files_tmpfs_file(httpd_tmpfs_t)
313 apache_content_template(user)
314 ubac_constrained(httpd_user_script_t)
315 typeattribute httpd_user_content_t httpdcontent;
316 typeattribute httpd_user_rw_content_t httpdcontent;
317 typeattribute httpd_user_ra_content_t httpdcontent;
319 userdom_user_home_content(httpd_user_content_t)
320 userdom_user_home_content(httpd_user_htaccess_t)
321 userdom_user_home_content(httpd_user_script_exec_t)
322 userdom_user_home_content(httpd_user_ra_content_t)
323 userdom_user_home_content(httpd_user_rw_content_t)
324 typeattribute httpd_user_script_t httpd_script_domains;
325 typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
326 typealias httpd_user_content_t alias httpd_unconfined_content_t;
327 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
328 typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
329 typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
330 typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
331 typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
332 typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
333 typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
334 typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
335 typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
336 typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
337 typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
338 typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
339 typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
341 # for apache2 memory mapped files
342 type httpd_var_lib_t;
343 files_type(httpd_var_lib_t)
345 type httpd_var_run_t;
346 files_pid_file(httpd_var_run_t)
348 # Removal of fastcgi, will cause problems without the following
349 typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
351 # File Type of squirrelmail attachments
352 type squirrelmail_spool_t;
353 files_tmp_file(squirrelmail_spool_t)
354 files_spool_file(squirrelmail_spool_t)
357 prelink_object_file(httpd_modules_t)
361 type httpd_passwd_exec_t;
362 application_domain(httpd_passwd_t, httpd_passwd_exec_t)
363 role system_r types httpd_passwd_t;
365 ########################################
367 # Apache server local policy
370 allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
371 dontaudit httpd_t self:capability { net_admin sys_tty_config };
372 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
373 allow httpd_t self:fd use;
374 allow httpd_t self:sock_file read_sock_file_perms;
375 allow httpd_t self:fifo_file rw_fifo_file_perms;
376 allow httpd_t self:shm create_shm_perms;
377 allow httpd_t self:sem create_sem_perms;
378 allow httpd_t self:msgq create_msgq_perms;
379 allow httpd_t self:msg { send receive };
380 allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
381 allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
382 allow httpd_t self:tcp_socket create_stream_socket_perms;
383 allow httpd_t self:udp_socket create_socket_perms;
384 dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
386 # Allow httpd_t to put files in /var/cache/httpd etc
387 manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
388 manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
389 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
390 files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
392 # Allow the httpd_t to read the web servers config files
393 allow httpd_t httpd_config_t:dir list_dir_perms;
394 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
395 read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
397 can_exec(httpd_t, httpd_exec_t)
399 allow httpd_t httpd_lock_t:file manage_file_perms;
400 files_lock_filetrans(httpd_t, httpd_lock_t, file)
402 allow httpd_t httpd_log_t:dir setattr;
403 create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
404 append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
405 read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
406 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
407 # cjp: need to refine create interfaces to
408 # cut this back to add_name only
409 logging_log_filetrans(httpd_t, httpd_log_t, file)
411 allow httpd_t httpd_modules_t:dir list_dir_perms;
412 mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
413 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
414 read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
416 apache_domtrans_rotatelogs(httpd_t)
417 # Apache-httpd needs to be able to send signals to the log rotate procs.
418 allow httpd_t httpd_rotatelogs_t:process signal_perms;
420 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
421 manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
422 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
424 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
426 allow httpd_t httpd_sys_content_t:dir list_dir_perms;
427 read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
428 read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
430 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
432 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
433 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
434 manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
435 manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
436 files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
438 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
439 manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
440 manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
441 manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
442 manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
443 fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
445 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
446 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
448 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
449 manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
450 manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
451 manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
452 files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
454 manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
455 manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
456 manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
458 kernel_read_kernel_sysctls(httpd_t)
459 # for modules that want to access /proc/meminfo
460 kernel_read_system_state(httpd_t)
461 kernel_read_network_state(httpd_t)
462 kernel_read_network_state(httpd_t)
463 kernel_search_network_sysctl(httpd_t)
465 corenet_all_recvfrom_unlabeled(httpd_t)
466 corenet_all_recvfrom_netlabel(httpd_t)
467 corenet_tcp_sendrecv_generic_if(httpd_t)
468 corenet_udp_sendrecv_generic_if(httpd_t)
469 corenet_tcp_sendrecv_generic_node(httpd_t)
470 corenet_udp_sendrecv_generic_node(httpd_t)
471 corenet_tcp_sendrecv_all_ports(httpd_t)
472 corenet_udp_sendrecv_all_ports(httpd_t)
473 corenet_tcp_bind_generic_node(httpd_t)
474 corenet_udp_bind_generic_node(httpd_t)
475 corenet_tcp_bind_http_port(httpd_t)
476 corenet_tcp_bind_http_cache_port(httpd_t)
477 corenet_tcp_bind_ntop_port(httpd_t)
478 corenet_tcp_bind_jboss_management_port(httpd_t)
479 corenet_sendrecv_http_server_packets(httpd_t)
480 corenet_tcp_bind_puppet_port(httpd_t)
481 # Signal self for shutdown
482 #corenet_tcp_connect_http_port(httpd_t)
484 dev_read_sysfs(httpd_t)
485 dev_read_rand(httpd_t)
486 dev_read_urand(httpd_t)
487 dev_rw_crypto(httpd_t)
489 fs_getattr_all_fs(httpd_t)
490 fs_search_auto_mountpoints(httpd_t)
491 fs_read_iso9660_files(httpd_t)
492 fs_read_anon_inodefs_files(httpd_t)
494 auth_use_nsswitch(httpd_t)
496 application_exec_all(httpd_t)
498 domain_use_interactive_fds(httpd_t)
500 files_dontaudit_getattr_all_pids(httpd_t)
501 files_read_usr_files(httpd_t)
502 files_list_mnt(httpd_t)
503 files_search_spool(httpd_t)
504 files_read_var_symlinks(httpd_t)
505 files_read_var_lib_files(httpd_t)
506 files_search_home(httpd_t)
507 files_getattr_home_dir(httpd_t)
508 # for modules that want to access /etc/mtab
509 files_read_etc_runtime_files(httpd_t)
510 # Allow httpd_t to have access to files such as nisswitch.conf
511 files_read_etc_files(httpd_t)
513 files_read_var_lib_symlinks(httpd_t)
515 fs_search_auto_mountpoints(httpd_sys_script_t)
516 # php uploads a file to /tmp and then execs programs to acton them
517 manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
518 manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
519 manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
520 manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
521 manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
522 files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
524 libs_read_lib_files(httpd_t)
526 ifdef(`hide_broken_symptoms',`
527 libs_exec_lib_files(httpd_t)
530 logging_send_syslog_msg(httpd_t)
532 miscfiles_read_localization(httpd_t)
533 miscfiles_read_fonts(httpd_t)
534 miscfiles_read_public_files(httpd_t)
535 miscfiles_read_generic_certs(httpd_t)
536 miscfiles_read_tetex_data(httpd_t)
538 seutil_dontaudit_search_config(httpd_t)
540 userdom_use_unpriv_users_fds(httpd_t)
542 tunable_policy(`httpd_setrlimit',`
543 allow httpd_t self:process setrlimit;
544 allow httpd_t self:capability sys_resource;
547 tunable_policy(`allow_httpd_anon_write',`
548 miscfiles_manage_public_files(httpd_t)
552 # We need optionals to be able to be within booleans to make this work
554 tunable_policy(`allow_httpd_mod_auth_pam',`
555 auth_domtrans_chkpwd(httpd_t)
556 logging_send_audit_msgs(httpd_t)
560 tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
561 samba_domtrans_winbind_helper(httpd_t)
565 tunable_policy(`httpd_can_network_connect',`
566 corenet_tcp_connect_all_ports(httpd_t)
569 tunable_policy(`httpd_can_network_connect_db',`
570 corenet_tcp_connect_firebird_port(httpd_t)
571 corenet_tcp_connect_mssql_port(httpd_t)
572 corenet_sendrecv_mssql_client_packets(httpd_t)
573 corenet_tcp_connect_oracle_port(httpd_t)
574 corenet_sendrecv_oracle_client_packets(httpd_t)
577 tunable_policy(`httpd_can_network_memcache',`
578 corenet_tcp_connect_memcache_port(httpd_t)
581 tunable_policy(`httpd_can_network_relay',`
582 # allow httpd to work as a relay
583 corenet_tcp_connect_gopher_port(httpd_t)
584 corenet_tcp_connect_ftp_port(httpd_t)
585 corenet_tcp_connect_http_port(httpd_t)
586 corenet_tcp_connect_http_cache_port(httpd_t)
587 corenet_tcp_connect_squid_port(httpd_t)
588 corenet_tcp_connect_memcache_port(httpd_t)
589 corenet_sendrecv_gopher_client_packets(httpd_t)
590 corenet_sendrecv_ftp_client_packets(httpd_t)
591 corenet_sendrecv_http_client_packets(httpd_t)
592 corenet_sendrecv_http_cache_client_packets(httpd_t)
593 corenet_sendrecv_squid_client_packets(httpd_t)
594 corenet_tcp_connect_ephermeral_ports(httpd_t)
597 tunable_policy(`httpd_execmem',`
598 allow httpd_t self:process { execmem execstack };
599 allow httpd_sys_script_t self:process { execmem execstack };
600 allow httpd_suexec_t self:process { execmem execstack };
603 tunable_policy(`httpd_enable_cgi && httpd_unified',`
604 allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
605 filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
606 can_exec(httpd_sys_script_t, httpd_sys_content_t)
609 tunable_policy(`allow_httpd_sys_script_anon_write',`
610 miscfiles_manage_public_files(httpd_sys_script_t)
613 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
614 fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
617 tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
618 fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
621 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
622 domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
623 filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
624 manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
625 manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
626 manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
628 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
629 manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
630 manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
633 tunable_policy(`httpd_can_network_connect_ftp',`
634 corenet_tcp_connect_ftp_port(httpd_t)
635 corenet_tcp_connect_ephemeral_ports(httpd_t)
638 tunable_policy(`httpd_enable_ftp_server',`
639 corenet_tcp_bind_ftp_port(httpd_t)
640 corenet_tcp_bind_ephemeral_ports(httpd_t)
643 tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
644 can_exec(httpd_t, httpd_tmp_t)
647 tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
648 can_exec(httpd_sys_script_t, httpd_tmp_t)
651 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
652 fs_list_auto_mountpoints(httpd_t)
653 fs_read_nfs_files(httpd_t)
654 fs_read_nfs_symlinks(httpd_t)
657 tunable_policy(`httpd_use_nfs',`
658 fs_list_auto_mountpoints(httpd_t)
659 fs_manage_nfs_dirs(httpd_t)
660 fs_manage_nfs_files(httpd_t)
661 fs_manage_nfs_symlinks(httpd_t)
664 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
665 fs_read_cifs_files(httpd_t)
666 fs_read_cifs_symlinks(httpd_t)
669 tunable_policy(`httpd_can_sendmail',`
670 # allow httpd to connect to mail servers
671 corenet_tcp_connect_smtp_port(httpd_t)
672 corenet_sendrecv_smtp_client_packets(httpd_t)
673 corenet_tcp_connect_pop_port(httpd_t)
674 corenet_sendrecv_pop_client_packets(httpd_t)
675 mta_send_mail(httpd_t)
676 mta_signal_system_mail(httpd_t)
679 tunable_policy(`httpd_use_cifs',`
680 fs_manage_cifs_dirs(httpd_t)
681 fs_manage_cifs_files(httpd_t)
682 fs_manage_cifs_symlinks(httpd_t)
685 tunable_policy(`httpd_ssi_exec',`
686 corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
687 allow httpd_sys_script_t httpd_t:fd use;
688 allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
689 allow httpd_sys_script_t httpd_t:process sigchld;
692 # When the admin starts the server, the server wants to access
693 # the TTY or PTY associated with the session. The httpd appears
694 # to run correctly without this permission, so the permission
695 # are dontaudited here.
696 tunable_policy(`httpd_tty_comm',`
697 userdom_use_inherited_user_terminals(httpd_t)
698 userdom_use_inherited_user_terminals(httpd_suexec_t)
700 userdom_dontaudit_use_user_terminals(httpd_t)
701 userdom_dontaudit_use_user_terminals(httpd_suexec_t)
705 # Support for ABRT retrace server
707 abrt_manage_spool_retrace(httpd_t)
708 abrt_domtrans_retrace_worker(httpd_t)
709 abrt_read_config(httpd_t)
713 calamaris_read_www_files(httpd_t)
717 ccs_read_config(httpd_t)
721 cobbler_list_config(httpd_t)
722 cobbler_read_config(httpd_t)
723 cobbler_read_lib_files(httpd_t)
725 tunable_policy(`httpd_can_network_connect_cobbler',`
726 corenet_tcp_connect_cobbler_port(httpd_t)
731 cron_system_entry(httpd_t, httpd_exec_t)
735 cvs_read_data(httpd_t)
739 daemontools_service_domain(httpd_t, httpd_exec_t)
743 dirsrv_manage_config(httpd_t)
744 dirsrv_manage_log(httpd_t)
745 dirsrv_manage_var_run(httpd_t)
746 dirsrv_read_share(httpd_t)
747 dirsrv_signal(httpd_t)
748 dirsrv_signull(httpd_t)
749 dirsrvadmin_manage_config(httpd_t)
750 dirsrvadmin_manage_tmp(httpd_t)
751 dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
755 dbus_system_bus_client(httpd_t)
757 tunable_policy(`httpd_dbus_avahi',`
758 avahi_dbus_chat(httpd_t)
763 git_read_generic_system_content_files(httpd_t)
764 gitosis_read_lib_files(httpd_t)
768 tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
769 gpg_domtrans_web(httpd_t)
774 kerberos_keytab_template(httpd, httpd_t)
778 mailman_signal_cgi(httpd_t)
779 mailman_domtrans_cgi(httpd_t)
780 mailman_read_data_files(httpd_t)
781 # should have separate types for public and private archives
782 mailman_search_data(httpd_t)
783 mailman_read_archive(httpd_t)
787 mediawiki_read_tmp_files(httpd_t)
788 mediawiki_delete_tmp_files(httpd_t)
792 # Allow httpd to work with mysql
793 mysql_read_config(httpd_t)
794 mysql_stream_connect(httpd_t)
795 mysql_rw_db_sockets(httpd_t)
797 tunable_policy(`httpd_can_network_connect_db',`
798 mysql_tcp_connect(httpd_t)
803 nagios_read_config(httpd_t)
804 nagios_read_log(httpd_t)
808 openca_domtrans(httpd_t)
809 openca_signal(httpd_t)
810 openca_sigstop(httpd_t)
815 passenger_domtrans(httpd_t)
816 passenger_manage_pid_content(httpd_t)
817 passenger_read_lib_files(httpd_t)
821 puppet_read_lib(httpd_t)
825 rpc_search_nfs_state_data(httpd_t)
829 # Allow httpd to work with postgresql
830 postgresql_stream_connect(httpd_t)
831 postgresql_unpriv_client(httpd_t)
833 tunable_policy(`httpd_can_network_connect_db',`
834 postgresql_tcp_connect(httpd_t)
839 seutil_sigchld_newrole(httpd_t)
843 smokeping_read_lib_files(httpd_t)
847 files_dontaudit_rw_usr_dirs(httpd_t)
848 snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
849 snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
853 udev_read_db(httpd_t)
857 yam_read_content(httpd_t)
861 zarafa_manage_lib_files(httpd_t)
862 zarafa_stream_connect_server(httpd_t)
863 zarafa_search_config(httpd_t)
866 ########################################
868 # Apache helper local policy
871 domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
873 allow httpd_helper_t httpd_config_t:file read_file_perms;
875 allow httpd_helper_t httpd_log_t:file append_file_perms;
877 logging_send_syslog_msg(httpd_helper_t)
879 userdom_use_inherited_user_terminals(httpd_helper_t)
881 tunable_policy(`httpd_tty_comm',`
882 userdom_use_inherited_user_terminals(httpd_helper_t)
885 ########################################
887 # Apache PHP script local policy
890 allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
891 allow httpd_php_t self:fd use;
892 allow httpd_php_t self:fifo_file rw_fifo_file_perms;
893 allow httpd_php_t self:sock_file read_sock_file_perms;
894 allow httpd_php_t self:unix_dgram_socket create_socket_perms;
895 allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
896 allow httpd_php_t self:unix_dgram_socket sendto;
897 allow httpd_php_t self:unix_stream_socket connectto;
898 allow httpd_php_t self:shm create_shm_perms;
899 allow httpd_php_t self:sem create_sem_perms;
900 allow httpd_php_t self:msgq create_msgq_perms;
901 allow httpd_php_t self:msg { send receive };
903 domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
905 # allow php to read and append to apache logfiles
906 allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
908 manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
909 manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
910 files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
912 fs_search_auto_mountpoints(httpd_php_t)
914 auth_use_nsswitch(httpd_php_t)
916 libs_exec_lib_files(httpd_php_t)
918 userdom_use_unpriv_users_fds(httpd_php_t)
920 tunable_policy(`httpd_can_network_connect_db',`
921 corenet_tcp_connect_firebird_port(httpd_php_t)
922 corenet_tcp_connect_mssql_port(httpd_php_t)
923 corenet_sendrecv_mssql_client_packets(httpd_php_t)
924 corenet_tcp_connect_oracle_port(httpd_php_t)
925 corenet_sendrecv_oracle_client_packets(httpd_php_t)
929 mysql_stream_connect(httpd_php_t)
930 mysql_rw_db_sockets(httpd_php_t)
931 mysql_read_config(httpd_php_t)
933 tunable_policy(`httpd_can_network_connect_db',`
934 mysql_tcp_connect(httpd_php_t)
939 postgresql_stream_connect(httpd_php_t)
940 postgresql_unpriv_client(httpd_php_t)
942 tunable_policy(`httpd_can_network_connect_db',`
943 postgresql_tcp_connect(httpd_php_t)
947 ########################################
949 # Apache suexec local policy
952 allow httpd_suexec_t self:capability { setuid setgid };
953 allow httpd_suexec_t self:process signal_perms;
955 allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
956 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
958 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
960 create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
961 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
962 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
964 allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
966 manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
967 manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
968 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
970 can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
972 read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
973 read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
974 read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
976 kernel_read_kernel_sysctls(httpd_suexec_t)
977 kernel_list_proc(httpd_suexec_t)
978 kernel_read_proc_symlinks(httpd_suexec_t)
980 dev_read_urand(httpd_suexec_t)
982 fs_read_iso9660_files(httpd_suexec_t)
983 fs_search_auto_mountpoints(httpd_suexec_t)
985 application_exec_all(httpd_suexec_t)
987 files_read_etc_files(httpd_suexec_t)
988 files_read_usr_files(httpd_suexec_t)
989 files_dontaudit_search_pids(httpd_suexec_t)
990 files_search_home(httpd_suexec_t)
992 auth_use_nsswitch(httpd_suexec_t)
994 logging_search_logs(httpd_suexec_t)
995 logging_send_syslog_msg(httpd_suexec_t)
997 miscfiles_read_localization(httpd_suexec_t)
998 miscfiles_read_public_files(httpd_suexec_t)
1000 tunable_policy(`httpd_can_network_connect',`
1001 allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
1002 allow httpd_suexec_t self:udp_socket create_socket_perms;
1004 corenet_all_recvfrom_unlabeled(httpd_suexec_t)
1005 corenet_all_recvfrom_netlabel(httpd_suexec_t)
1006 corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
1007 corenet_udp_sendrecv_generic_if(httpd_suexec_t)
1008 corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
1009 corenet_udp_sendrecv_generic_node(httpd_suexec_t)
1010 corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
1011 corenet_udp_sendrecv_all_ports(httpd_suexec_t)
1012 corenet_tcp_connect_all_ports(httpd_suexec_t)
1013 corenet_sendrecv_all_client_packets(httpd_suexec_t)
1016 tunable_policy(`httpd_can_network_connect_db',`
1017 corenet_tcp_connect_firebird_port(httpd_suexec_t)
1018 corenet_tcp_connect_mssql_port(httpd_suexec_t)
1019 corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
1020 corenet_tcp_connect_oracle_port(httpd_suexec_t)
1021 corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
1024 domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
1026 tunable_policy(`httpd_can_sendmail',`
1027 mta_send_mail(httpd_suexec_t)
1030 tunable_policy(`httpd_enable_cgi && httpd_unified',`
1031 allow httpd_sys_script_t httpdcontent:file entrypoint;
1032 domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
1033 manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1034 manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1035 manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1036 manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1039 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
1040 fs_list_auto_mountpoints(httpd_suexec_t)
1041 fs_read_nfs_files(httpd_suexec_t)
1042 fs_read_nfs_symlinks(httpd_suexec_t)
1043 fs_exec_nfs_files(httpd_suexec_t)
1046 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
1047 fs_read_cifs_files(httpd_suexec_t)
1048 fs_read_cifs_symlinks(httpd_suexec_t)
1049 fs_exec_cifs_files(httpd_suexec_t)
1053 mailman_domtrans_cgi(httpd_suexec_t)
1057 mta_stub(httpd_suexec_t)
1059 # apache should set close-on-exec
1060 dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
1064 mysql_stream_connect(httpd_suexec_t)
1065 mysql_rw_db_sockets(httpd_suexec_t)
1066 mysql_read_config(httpd_suexec_t)
1068 tunable_policy(`httpd_can_network_connect_db',`
1069 mysql_tcp_connect(httpd_suexec_t)
1074 postgresql_stream_connect(httpd_suexec_t)
1075 postgresql_unpriv_client(httpd_suexec_t)
1077 tunable_policy(`httpd_can_network_connect_db',`
1078 postgresql_tcp_connect(httpd_suexec_t)
1082 ########################################
1084 # Apache system script local policy
1087 allow httpd_sys_script_t self:process getsched;
1089 allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
1090 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
1092 dontaudit httpd_sys_script_t httpd_config_t:dir search;
1094 allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
1096 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
1097 read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
1098 read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
1100 kernel_read_kernel_sysctls(httpd_sys_script_t)
1102 files_read_var_symlinks(httpd_sys_script_t)
1103 files_search_var_lib(httpd_sys_script_t)
1104 files_search_spool(httpd_sys_script_t)
1106 logging_inherit_append_all_logs(httpd_sys_script_t)
1108 # Should we add a boolean?
1109 apache_domtrans_rotatelogs(httpd_sys_script_t)
1111 auth_use_nsswitch(httpd_sys_script_t)
1113 ifdef(`distro_redhat',`
1114 allow httpd_sys_script_t httpd_log_t:file append_file_perms;
1117 tunable_policy(`httpd_can_sendmail',`
1118 mta_send_mail(httpd_sys_script_t)
1122 tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
1123 spamassassin_domtrans_client(httpd_t)
1127 tunable_policy(`httpd_can_network_connect_db',`
1128 corenet_tcp_connect_firebird_port(httpd_sys_script_t)
1129 corenet_tcp_connect_mssql_port(httpd_sys_script_t)
1130 corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
1131 corenet_tcp_connect_oracle_port(httpd_sys_script_t)
1132 corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
1135 fs_cifs_entry_type(httpd_sys_script_t)
1136 fs_read_iso9660_files(httpd_sys_script_t)
1137 fs_nfs_entry_type(httpd_sys_script_t)
1139 tunable_policy(`httpd_use_nfs',`
1140 fs_list_auto_mountpoints(httpd_sys_script_t)
1141 fs_manage_nfs_dirs(httpd_sys_script_t)
1142 fs_manage_nfs_files(httpd_sys_script_t)
1143 fs_manage_nfs_symlinks(httpd_sys_script_t)
1144 fs_exec_nfs_files(httpd_sys_script_t)
1146 fs_list_auto_mountpoints(httpd_suexec_t)
1147 fs_manage_nfs_dirs(httpd_suexec_t)
1148 fs_manage_nfs_files(httpd_suexec_t)
1149 fs_manage_nfs_symlinks(httpd_suexec_t)
1150 fs_exec_nfs_files(httpd_suexec_t)
1153 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
1154 allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
1155 allow httpd_sys_script_t self:udp_socket create_socket_perms;
1157 corenet_tcp_bind_generic_node(httpd_sys_script_t)
1158 corenet_udp_bind_generic_node(httpd_sys_script_t)
1159 corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
1160 corenet_all_recvfrom_netlabel(httpd_sys_script_t)
1161 corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
1162 corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
1163 corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
1164 corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
1165 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
1166 corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
1167 corenet_tcp_connect_all_ports(httpd_sys_script_t)
1168 corenet_sendrecv_all_client_packets(httpd_sys_script_t)
1171 tunable_policy(`httpd_enable_homedirs',`
1172 userdom_search_user_home_dirs(httpd_sys_script_t)
1175 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
1176 fs_list_auto_mountpoints(httpd_sys_script_t)
1177 fs_read_nfs_files(httpd_sys_script_t)
1178 fs_read_nfs_symlinks(httpd_sys_script_t)
1181 tunable_policy(`httpd_read_user_content',`
1182 userdom_read_user_home_content_files(httpd_sys_script_t)
1185 tunable_policy(`httpd_use_cifs',`
1186 fs_manage_cifs_dirs(httpd_sys_script_t)
1187 fs_manage_cifs_files(httpd_sys_script_t)
1188 fs_manage_cifs_symlinks(httpd_sys_script_t)
1189 fs_manage_cifs_dirs(httpd_suexec_t)
1190 fs_manage_cifs_files(httpd_suexec_t)
1191 fs_manage_cifs_symlinks(httpd_suexec_t)
1192 fs_exec_cifs_files(httpd_suexec_t)
1195 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
1196 fs_read_cifs_files(httpd_sys_script_t)
1197 fs_read_cifs_symlinks(httpd_sys_script_t)
1201 clamav_domtrans_clamscan(httpd_sys_script_t)
1205 mysql_stream_connect(httpd_sys_script_t)
1206 mysql_rw_db_sockets(httpd_sys_script_t)
1207 mysql_read_config(httpd_sys_script_t)
1209 tunable_policy(`httpd_can_network_connect_db',`
1210 mysql_tcp_connect(httpd_sys_script_t)
1215 postgresql_stream_connect(httpd_sys_script_t)
1216 postgresql_unpriv_client(httpd_sys_script_t)
1218 tunable_policy(`httpd_can_network_connect_db',`
1219 postgresql_tcp_connect(httpd_sys_script_t)
1223 ########################################
1225 # httpd_rotatelogs local policy
1228 allow httpd_rotatelogs_t self:capability dac_override;
1230 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
1232 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
1233 kernel_dontaudit_list_proc(httpd_rotatelogs_t)
1234 kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
1236 files_read_etc_files(httpd_rotatelogs_t)
1238 logging_search_logs(httpd_rotatelogs_t)
1240 miscfiles_read_localization(httpd_rotatelogs_t)
1242 ########################################
1244 # Unconfined script local policy
1248 type httpd_unconfined_script_t;
1249 type httpd_unconfined_script_exec_t;
1250 domain_type(httpd_unconfined_script_t)
1251 domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
1252 domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
1253 unconfined_domain(httpd_unconfined_script_t)
1255 role system_r types httpd_unconfined_script_t;
1256 allow httpd_t httpd_unconfined_script_t:process signal_perms;
1259 ########################################
1261 # User content local policy
1264 tunable_policy(`httpd_enable_cgi && httpd_unified',`
1265 allow httpd_user_script_t httpdcontent:file entrypoint;
1266 manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
1267 manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
1268 manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
1269 manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
1272 # allow accessing files/dirs below the users home dir
1273 tunable_policy(`httpd_enable_homedirs',`
1274 userdom_search_user_home_content(httpd_t)
1275 userdom_search_user_home_content(httpd_suexec_t)
1276 userdom_search_user_home_content(httpd_user_script_t)
1279 tunable_policy(`httpd_read_user_content',`
1280 userdom_read_user_home_content_files(httpd_t)
1281 userdom_read_user_home_content_files(httpd_suexec_t)
1282 userdom_read_user_home_content_files(httpd_user_script_t)
1285 ########################################
1287 # httpd_passwd local policy
1290 allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
1291 allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
1292 allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
1294 domain_use_interactive_fds(httpd_passwd_t)
1296 files_read_etc_files(httpd_passwd_t)
1298 miscfiles_read_localization(httpd_passwd_t)
1300 corecmd_exec_bin(httpd_passwd_t)
1302 kernel_read_system_state(httpd_passwd_t)
1304 dev_read_urand(httpd_passwd_t)
1306 systemd_passwd_agent_dev_template(httpd)
1308 domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
1309 dontaudit httpd_passwd_t httpd_config_t:file read;