1 policy_module(apache, 2.2.1)
5 # This policy will work with SUEXEC enabled as part of the Apache
6 # configuration. However, the user CGI scripts will run under the
7 # system_u:system_r:httpd_user_script_t.
9 # The user CGI scripts must be labeled with the httpd_user_script_exec_t
10 # type, and the directory containing the scripts should also be labeled
11 # with these types. This policy allows the user role to perform that
12 # relabeling. If it is desired that only admin role should be able to relabel
13 # the user CGI scripts, then relabel rule for user roles should be removed.
16 ########################################
21 selinux_genbool(httpd_bool_t)
25 ## Allow Apache to modify public files
26 ## used for public file transfer services. Directories/Files must
27 ## be labeled public_content_rw_t.
30 gen_tunable(allow_httpd_anon_write, false)
34 ## Allow Apache to use mod_auth_pam
37 gen_tunable(allow_httpd_mod_auth_pam, false)
41 ## Allow Apache to use mod_auth_ntlm_winbind
44 gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
48 ## Allow httpd scripts and modules execmem/execstack
51 gen_tunable(httpd_execmem, false)
55 ## Allow httpd daemon to change system limits
58 gen_tunable(httpd_setrlimit, false)
62 ## Allow httpd to use built in scripting (usually php)
65 gen_tunable(httpd_builtin_scripting, false)
69 ## Allow HTTPD scripts and modules to connect to the network using any TCP port.
72 gen_tunable(httpd_can_network_connect, false)
76 ## Allow HTTPD scripts and modules to connect to cobbler over the network.
79 gen_tunable(httpd_can_network_connect_cobbler, false)
83 ## Allow HTTPD scripts and modules to connect to databases over the network.
86 gen_tunable(httpd_can_network_connect_db, false)
90 ## Allow httpd to connect to memcache server
93 gen_tunable(httpd_can_network_memcache, false)
97 ## Allow httpd to act as a relay
100 gen_tunable(httpd_can_network_relay, false)
104 ## Allow http daemon to send mail
107 gen_tunable(httpd_can_sendmail, false)
111 ## Allow http daemon to check spam
114 gen_tunable(httpd_can_check_spam, false)
118 ## Allow Apache to communicate with avahi service via dbus
121 gen_tunable(httpd_dbus_avahi, false)
125 ## Allow httpd to execute cgi scripts
128 gen_tunable(httpd_enable_cgi, false)
132 ## Allow httpd to act as a FTP server by
133 ## listening on the ftp port.
136 gen_tunable(httpd_enable_ftp_server, false)
140 ## Allow httpd to read home directories
143 gen_tunable(httpd_enable_homedirs, false)
147 ## Allow httpd to read user content
150 gen_tunable(httpd_read_user_content, false)
154 ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
157 gen_tunable(httpd_ssi_exec, false)
161 ## Allow Apache to execute tmp content.
164 gen_tunable(httpd_tmp_exec, false)
168 ## Unify HTTPD to communicate with the terminal.
169 ## Needed for entering the passphrase for certificates at
173 gen_tunable(httpd_tty_comm, false)
177 ## Unify HTTPD handling of all content files.
180 gen_tunable(httpd_unified, false)
184 ## Allow httpd to access cifs file systems
187 gen_tunable(httpd_use_cifs, false)
191 ## Allow httpd to run gpg in gpg-web domain
194 gen_tunable(httpd_use_gpg, false)
198 ## Allow httpd to access nfs file systems
201 gen_tunable(httpd_use_nfs, false)
205 ## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
208 gen_tunable(allow_httpd_sys_script_anon_write, false)
210 attribute httpdcontent;
211 attribute httpd_user_content_type;
213 # domains that can exec all users scripts
214 attribute httpd_exec_scripts;
216 attribute httpd_script_exec_type;
217 attribute httpd_user_script_exec_type;
219 # user script domains
220 attribute httpd_script_domains;
224 init_daemon_domain(httpd_t, httpd_exec_t)
225 role system_r types httpd_t;
227 # httpd_cache_t is the type given to the /var/cache/httpd
228 # directory and the files under that directory
230 files_type(httpd_cache_t)
232 # httpd_config_t is the type given to the configuration files
234 files_config_file(httpd_config_t)
237 type httpd_helper_exec_t;
238 domain_type(httpd_helper_t)
239 domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
240 role system_r types httpd_helper_t;
242 type httpd_initrc_exec_t;
243 init_script_file(httpd_initrc_exec_t)
246 systemd_unit_file(httpd_unit_t)
249 files_lock_file(httpd_lock_t)
252 logging_log_file(httpd_log_t)
254 # httpd_modules_t is the type given to module files (libraries)
255 # that come with Apache /etc/httpd/modules and /usr/lib/apache
256 type httpd_modules_t;
257 files_type(httpd_modules_t)
260 type httpd_php_exec_t;
261 domain_type(httpd_php_t)
262 domain_entry_file(httpd_php_t, httpd_php_exec_t)
263 role system_r types httpd_php_t;
265 type httpd_php_tmp_t;
266 files_tmp_file(httpd_php_tmp_t)
268 type httpd_rotatelogs_t;
269 type httpd_rotatelogs_exec_t;
270 init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
272 type httpd_squirrelmail_t;
273 files_type(httpd_squirrelmail_t)
275 # SUEXEC runs user scripts as their own user ID
276 type httpd_suexec_t; #, daemon;
277 type httpd_suexec_exec_t;
278 domain_type(httpd_suexec_t)
279 domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
280 role system_r types httpd_suexec_t;
282 type httpd_suexec_tmp_t;
283 files_tmp_file(httpd_suexec_tmp_t)
285 # setup the system domain for system CGI scripts
286 apache_content_template(sys)
288 typeattribute httpd_sys_content_t httpdcontent; # customizable
289 typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
290 typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
292 # Removal of fastcgi, will cause problems without the following
293 typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
294 typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
295 typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
296 typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
297 typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
300 files_tmp_file(httpd_tmp_t)
303 files_tmpfs_file(httpd_tmpfs_t)
305 apache_content_template(user)
306 ubac_constrained(httpd_user_script_t)
307 typeattribute httpd_user_content_t httpdcontent;
308 typeattribute httpd_user_rw_content_t httpdcontent;
309 typeattribute httpd_user_ra_content_t httpdcontent;
311 userdom_user_home_content(httpd_user_content_t)
312 userdom_user_home_content(httpd_user_htaccess_t)
313 userdom_user_home_content(httpd_user_script_exec_t)
314 userdom_user_home_content(httpd_user_ra_content_t)
315 userdom_user_home_content(httpd_user_rw_content_t)
316 typeattribute httpd_user_script_t httpd_script_domains;
317 typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
318 typealias httpd_user_content_t alias httpd_unconfined_content_t;
319 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
320 typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
321 typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
322 typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
323 typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
324 typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
325 typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
326 typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
327 typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
328 typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
329 typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
330 typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
331 typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
333 # for apache2 memory mapped files
334 type httpd_var_lib_t;
335 files_type(httpd_var_lib_t)
337 type httpd_var_run_t;
338 files_pid_file(httpd_var_run_t)
340 # Removal of fastcgi, will cause problems without the following
341 typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
343 # File Type of squirrelmail attachments
344 type squirrelmail_spool_t;
345 files_tmp_file(squirrelmail_spool_t)
346 files_spool_file(squirrelmail_spool_t)
349 prelink_object_file(httpd_modules_t)
352 ########################################
354 # Apache server local policy
357 allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
358 dontaudit httpd_t self:capability { net_admin sys_tty_config };
359 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
360 allow httpd_t self:fd use;
361 allow httpd_t self:sock_file read_sock_file_perms;
362 allow httpd_t self:fifo_file rw_fifo_file_perms;
363 allow httpd_t self:shm create_shm_perms;
364 allow httpd_t self:sem create_sem_perms;
365 allow httpd_t self:msgq create_msgq_perms;
366 allow httpd_t self:msg { send receive };
367 allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
368 allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
369 allow httpd_t self:tcp_socket create_stream_socket_perms;
370 allow httpd_t self:udp_socket create_socket_perms;
371 dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
373 # Allow httpd_t to put files in /var/cache/httpd etc
374 manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
375 manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
376 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
377 files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
379 # Allow the httpd_t to read the web servers config files
380 allow httpd_t httpd_config_t:dir list_dir_perms;
381 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
382 read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
384 can_exec(httpd_t, httpd_exec_t)
386 allow httpd_t httpd_lock_t:file manage_file_perms;
387 files_lock_filetrans(httpd_t, httpd_lock_t, file)
389 allow httpd_t httpd_log_t:dir setattr;
390 create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
391 append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
392 read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
393 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
394 # cjp: need to refine create interfaces to
395 # cut this back to add_name only
396 logging_log_filetrans(httpd_t, httpd_log_t, file)
398 allow httpd_t httpd_modules_t:dir list_dir_perms;
399 mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
400 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
401 read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
403 apache_domtrans_rotatelogs(httpd_t)
404 # Apache-httpd needs to be able to send signals to the log rotate procs.
405 allow httpd_t httpd_rotatelogs_t:process signal_perms;
407 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
408 manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
409 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
411 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
413 allow httpd_t httpd_sys_content_t:dir list_dir_perms;
414 read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
415 read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
417 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
419 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
420 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
421 manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
422 manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
423 files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
425 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
426 manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
427 manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
428 manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
429 manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
430 fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
432 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
433 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
435 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
436 manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
437 manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
438 manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
439 files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
441 manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
442 manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
443 manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
445 kernel_read_kernel_sysctls(httpd_t)
446 # for modules that want to access /proc/meminfo
447 kernel_read_system_state(httpd_t)
448 kernel_read_network_state(httpd_t)
449 kernel_search_network_sysctl(httpd_t)
451 corenet_all_recvfrom_unlabeled(httpd_t)
452 corenet_all_recvfrom_netlabel(httpd_t)
453 corenet_tcp_sendrecv_generic_if(httpd_t)
454 corenet_udp_sendrecv_generic_if(httpd_t)
455 corenet_tcp_sendrecv_generic_node(httpd_t)
456 corenet_udp_sendrecv_generic_node(httpd_t)
457 corenet_tcp_sendrecv_all_ports(httpd_t)
458 corenet_udp_sendrecv_all_ports(httpd_t)
459 corenet_tcp_bind_generic_node(httpd_t)
460 corenet_udp_bind_generic_node(httpd_t)
461 corenet_tcp_bind_http_port(httpd_t)
462 corenet_tcp_bind_http_cache_port(httpd_t)
463 corenet_tcp_bind_ntop_port(httpd_t)
464 corenet_tcp_bind_jboss_management_port(httpd_t)
465 corenet_sendrecv_http_server_packets(httpd_t)
466 # Signal self for shutdown
467 #corenet_tcp_connect_http_port(httpd_t)
469 dev_read_sysfs(httpd_t)
470 dev_read_rand(httpd_t)
471 dev_read_urand(httpd_t)
472 dev_rw_crypto(httpd_t)
474 fs_getattr_all_fs(httpd_t)
475 fs_search_auto_mountpoints(httpd_t)
476 fs_read_iso9660_files(httpd_t)
477 fs_read_anon_inodefs_files(httpd_t)
479 auth_use_nsswitch(httpd_t)
481 application_exec_all(httpd_t)
483 domain_use_interactive_fds(httpd_t)
485 files_dontaudit_getattr_all_pids(httpd_t)
486 files_read_usr_files(httpd_t)
487 files_list_mnt(httpd_t)
488 files_search_spool(httpd_t)
489 files_read_var_symlinks(httpd_t)
490 files_read_var_lib_files(httpd_t)
491 files_search_home(httpd_t)
492 files_getattr_home_dir(httpd_t)
493 # for modules that want to access /etc/mtab
494 files_read_etc_runtime_files(httpd_t)
495 # Allow httpd_t to have access to files such as nisswitch.conf
496 files_read_etc_files(httpd_t)
498 files_read_var_lib_symlinks(httpd_t)
500 fs_search_auto_mountpoints(httpd_sys_script_t)
501 # php uploads a file to /tmp and then execs programs to acton them
502 manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
503 manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
504 manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
505 manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
506 manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
507 files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
509 libs_read_lib_files(httpd_t)
511 logging_send_syslog_msg(httpd_t)
513 miscfiles_read_localization(httpd_t)
514 miscfiles_read_fonts(httpd_t)
515 miscfiles_read_public_files(httpd_t)
516 miscfiles_read_generic_certs(httpd_t)
518 seutil_dontaudit_search_config(httpd_t)
520 userdom_use_unpriv_users_fds(httpd_t)
522 tunable_policy(`httpd_setrlimit',`
523 allow httpd_t self:process setrlimit;
524 allow httpd_t self:capability sys_resource;
527 tunable_policy(`allow_httpd_anon_write',`
528 miscfiles_manage_public_files(httpd_t)
532 # We need optionals to be able to be within booleans to make this work
534 tunable_policy(`allow_httpd_mod_auth_pam',`
535 auth_domtrans_chkpwd(httpd_t)
536 logging_send_audit_msgs(httpd_t)
540 tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
541 samba_domtrans_winbind_helper(httpd_t)
545 tunable_policy(`httpd_can_network_connect',`
546 corenet_tcp_connect_all_ports(httpd_t)
549 tunable_policy(`httpd_can_network_connect_db',`
550 corenet_tcp_connect_firebird_port(httpd_t)
551 corenet_tcp_connect_mssql_port(httpd_t)
552 corenet_sendrecv_mssql_client_packets(httpd_t)
553 corenet_tcp_connect_oracle_port(httpd_t)
554 corenet_sendrecv_oracle_client_packets(httpd_t)
557 tunable_policy(`httpd_can_network_memcache',`
558 corenet_tcp_connect_memcache_port(httpd_t)
561 tunable_policy(`httpd_can_network_relay',`
562 # allow httpd to work as a relay
563 corenet_tcp_connect_gopher_port(httpd_t)
564 corenet_tcp_connect_ftp_port(httpd_t)
565 corenet_tcp_connect_http_port(httpd_t)
566 corenet_tcp_connect_http_cache_port(httpd_t)
567 corenet_tcp_connect_squid_port(httpd_t)
568 corenet_tcp_connect_memcache_port(httpd_t)
569 corenet_sendrecv_gopher_client_packets(httpd_t)
570 corenet_sendrecv_ftp_client_packets(httpd_t)
571 corenet_sendrecv_http_client_packets(httpd_t)
572 corenet_sendrecv_http_cache_client_packets(httpd_t)
573 corenet_sendrecv_squid_client_packets(httpd_t)
576 tunable_policy(`httpd_execmem',`
577 allow httpd_t self:process { execmem execstack };
578 allow httpd_sys_script_t self:process { execmem execstack };
579 allow httpd_suexec_t self:process { execmem execstack };
582 tunable_policy(`httpd_enable_cgi && httpd_unified',`
583 allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
584 filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
585 can_exec(httpd_sys_script_t, httpd_sys_content_t)
588 tunable_policy(`allow_httpd_sys_script_anon_write',`
589 miscfiles_manage_public_files(httpd_sys_script_t)
592 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
593 fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
596 tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
597 fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
600 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
601 domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
602 filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
603 manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
604 manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
605 manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
607 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
608 manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
609 manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
612 tunable_policy(`httpd_enable_ftp_server',`
613 corenet_tcp_bind_ftp_port(httpd_t)
616 tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
617 can_exec(httpd_t, httpd_tmp_t)
620 tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
621 can_exec(httpd_sys_script_t, httpd_tmp_t)
624 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
625 fs_list_auto_mountpoints(httpd_t)
626 fs_read_nfs_files(httpd_t)
627 fs_read_nfs_symlinks(httpd_t)
630 tunable_policy(`httpd_use_nfs',`
631 fs_list_auto_mountpoints(httpd_t)
632 fs_manage_nfs_dirs(httpd_t)
633 fs_manage_nfs_files(httpd_t)
634 fs_manage_nfs_symlinks(httpd_t)
637 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
638 fs_read_cifs_files(httpd_t)
639 fs_read_cifs_symlinks(httpd_t)
642 tunable_policy(`httpd_can_sendmail',`
643 # allow httpd to connect to mail servers
644 corenet_tcp_connect_smtp_port(httpd_t)
645 corenet_sendrecv_smtp_client_packets(httpd_t)
646 corenet_tcp_connect_pop_port(httpd_t)
647 corenet_sendrecv_pop_client_packets(httpd_t)
648 mta_send_mail(httpd_t)
649 mta_signal_system_mail(httpd_t)
652 tunable_policy(`httpd_use_cifs',`
653 fs_manage_cifs_dirs(httpd_t)
654 fs_manage_cifs_files(httpd_t)
655 fs_manage_cifs_symlinks(httpd_t)
658 tunable_policy(`httpd_ssi_exec',`
659 corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
660 allow httpd_sys_script_t httpd_t:fd use;
661 allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
662 allow httpd_sys_script_t httpd_t:process sigchld;
665 # When the admin starts the server, the server wants to access
666 # the TTY or PTY associated with the session. The httpd appears
667 # to run correctly without this permission, so the permission
668 # are dontaudited here.
669 tunable_policy(`httpd_tty_comm',`
670 userdom_use_inherited_user_terminals(httpd_t)
671 userdom_use_inherited_user_terminals(httpd_suexec_t)
673 userdom_dontaudit_use_user_terminals(httpd_t)
674 userdom_dontaudit_use_user_terminals(httpd_suexec_t)
678 # Support for ABRT retrace server
680 abrt_manage_spool_retrace(httpd_t)
681 abrt_domtrans_retrace_worker(httpd_t)
682 abrt_read_config(httpd_t)
686 calamaris_read_www_files(httpd_t)
690 ccs_read_config(httpd_t)
694 cobbler_list_config(httpd_t)
695 cobbler_read_config(httpd_t)
696 cobbler_read_lib_files(httpd_t)
698 tunable_policy(`httpd_can_network_connect_cobbler',`
699 corenet_tcp_connect_cobbler_port(httpd_t)
704 cron_system_entry(httpd_t, httpd_exec_t)
708 cvs_read_data(httpd_t)
712 daemontools_service_domain(httpd_t, httpd_exec_t)
716 dirsrv_manage_config(httpd_t)
717 dirsrv_manage_log(httpd_t)
718 dirsrv_manage_var_run(httpd_t)
719 dirsrv_read_share(httpd_t)
720 dirsrv_signal(httpd_t)
721 dirsrv_signull(httpd_t)
722 dirsrvadmin_manage_config(httpd_t)
723 dirsrvadmin_manage_tmp(httpd_t)
724 dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
728 dbus_system_bus_client(httpd_t)
730 tunable_policy(`httpd_dbus_avahi',`
731 avahi_dbus_chat(httpd_t)
736 git_read_generic_system_content_files(httpd_t)
737 gitosis_read_lib_files(httpd_t)
741 tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
742 gpg_domtrans_web(httpd_t)
747 kerberos_keytab_template(httpd, httpd_t)
751 mailman_signal_cgi(httpd_t)
752 mailman_domtrans_cgi(httpd_t)
753 mailman_read_data_files(httpd_t)
754 # should have separate types for public and private archives
755 mailman_search_data(httpd_t)
756 mailman_read_archive(httpd_t)
760 mediawiki_read_tmp_files(httpd_t)
761 mediawiki_delete_tmp_files(httpd_t)
765 # Allow httpd to work with mysql
766 mysql_read_config(httpd_t)
767 mysql_stream_connect(httpd_t)
768 mysql_rw_db_sockets(httpd_t)
770 tunable_policy(`httpd_can_network_connect_db',`
771 mysql_tcp_connect(httpd_t)
776 nagios_read_config(httpd_t)
777 nagios_read_log(httpd_t)
781 openca_domtrans(httpd_t)
782 openca_signal(httpd_t)
783 openca_sigstop(httpd_t)
788 passenger_domtrans(httpd_t)
789 passenger_manage_pid_content(httpd_t)
790 passenger_read_lib_files(httpd_t)
794 rpc_search_nfs_state_data(httpd_t)
798 # Allow httpd to work with postgresql
799 postgresql_stream_connect(httpd_t)
800 postgresql_unpriv_client(httpd_t)
802 tunable_policy(`httpd_can_network_connect_db',`
803 postgresql_tcp_connect(httpd_t)
808 seutil_sigchld_newrole(httpd_t)
812 smokeping_read_lib_files(httpd_t)
816 files_dontaudit_rw_usr_dirs(httpd_t)
817 snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
818 snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
822 udev_read_db(httpd_t)
826 yam_read_content(httpd_t)
830 zarafa_manage_lib_files(httpd_t)
831 zarafa_stream_connect_server(httpd_t)
832 zarafa_search_config(httpd_t)
835 ########################################
837 # Apache helper local policy
840 domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
842 allow httpd_helper_t httpd_config_t:file read_file_perms;
844 allow httpd_helper_t httpd_log_t:file append_file_perms;
846 logging_send_syslog_msg(httpd_helper_t)
848 userdom_use_inherited_user_terminals(httpd_helper_t)
850 tunable_policy(`httpd_tty_comm',`
851 userdom_use_inherited_user_terminals(httpd_helper_t)
854 ########################################
856 # Apache PHP script local policy
859 allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
860 allow httpd_php_t self:fd use;
861 allow httpd_php_t self:fifo_file rw_fifo_file_perms;
862 allow httpd_php_t self:sock_file read_sock_file_perms;
863 allow httpd_php_t self:unix_dgram_socket create_socket_perms;
864 allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
865 allow httpd_php_t self:unix_dgram_socket sendto;
866 allow httpd_php_t self:unix_stream_socket connectto;
867 allow httpd_php_t self:shm create_shm_perms;
868 allow httpd_php_t self:sem create_sem_perms;
869 allow httpd_php_t self:msgq create_msgq_perms;
870 allow httpd_php_t self:msg { send receive };
872 domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
874 # allow php to read and append to apache logfiles
875 allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
877 manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
878 manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
879 files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
881 fs_search_auto_mountpoints(httpd_php_t)
883 auth_use_nsswitch(httpd_php_t)
885 libs_exec_lib_files(httpd_php_t)
887 userdom_use_unpriv_users_fds(httpd_php_t)
889 tunable_policy(`httpd_can_network_connect_db',`
890 corenet_tcp_connect_firebird_port(httpd_php_t)
891 corenet_tcp_connect_mssql_port(httpd_php_t)
892 corenet_sendrecv_mssql_client_packets(httpd_php_t)
893 corenet_tcp_connect_oracle_port(httpd_php_t)
894 corenet_sendrecv_oracle_client_packets(httpd_php_t)
898 mysql_stream_connect(httpd_php_t)
899 mysql_rw_db_sockets(httpd_php_t)
900 mysql_read_config(httpd_php_t)
902 tunable_policy(`httpd_can_network_connect_db',`
903 mysql_tcp_connect(httpd_php_t)
908 postgresql_stream_connect(httpd_php_t)
909 postgresql_unpriv_client(httpd_php_t)
911 tunable_policy(`httpd_can_network_connect_db',`
912 postgresql_tcp_connect(httpd_php_t)
916 ########################################
918 # Apache suexec local policy
921 allow httpd_suexec_t self:capability { setuid setgid };
922 allow httpd_suexec_t self:process signal_perms;
924 allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
925 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
927 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
929 create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
930 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
931 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
933 allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
935 manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
936 manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
937 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
939 can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
941 read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
942 read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
943 read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
945 kernel_read_kernel_sysctls(httpd_suexec_t)
946 kernel_list_proc(httpd_suexec_t)
947 kernel_read_proc_symlinks(httpd_suexec_t)
949 dev_read_urand(httpd_suexec_t)
951 fs_read_iso9660_files(httpd_suexec_t)
952 fs_search_auto_mountpoints(httpd_suexec_t)
954 application_exec_all(httpd_suexec_t)
956 files_read_etc_files(httpd_suexec_t)
957 files_read_usr_files(httpd_suexec_t)
958 files_dontaudit_search_pids(httpd_suexec_t)
959 files_search_home(httpd_suexec_t)
961 auth_use_nsswitch(httpd_suexec_t)
963 logging_search_logs(httpd_suexec_t)
964 logging_send_syslog_msg(httpd_suexec_t)
966 miscfiles_read_localization(httpd_suexec_t)
967 miscfiles_read_public_files(httpd_suexec_t)
969 tunable_policy(`httpd_can_network_connect',`
970 allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
971 allow httpd_suexec_t self:udp_socket create_socket_perms;
973 corenet_all_recvfrom_unlabeled(httpd_suexec_t)
974 corenet_all_recvfrom_netlabel(httpd_suexec_t)
975 corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
976 corenet_udp_sendrecv_generic_if(httpd_suexec_t)
977 corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
978 corenet_udp_sendrecv_generic_node(httpd_suexec_t)
979 corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
980 corenet_udp_sendrecv_all_ports(httpd_suexec_t)
981 corenet_tcp_connect_all_ports(httpd_suexec_t)
982 corenet_sendrecv_all_client_packets(httpd_suexec_t)
985 tunable_policy(`httpd_can_network_connect_db',`
986 corenet_tcp_connect_firebird_port(httpd_suexec_t)
987 corenet_tcp_connect_mssql_port(httpd_suexec_t)
988 corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
989 corenet_tcp_connect_oracle_port(httpd_suexec_t)
990 corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
993 domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
995 tunable_policy(`httpd_can_sendmail',`
996 mta_send_mail(httpd_suexec_t)
999 tunable_policy(`httpd_enable_cgi && httpd_unified',`
1000 allow httpd_sys_script_t httpdcontent:file entrypoint;
1001 domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
1002 manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1003 manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1004 manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1005 manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1008 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
1009 fs_list_auto_mountpoints(httpd_suexec_t)
1010 fs_read_nfs_files(httpd_suexec_t)
1011 fs_read_nfs_symlinks(httpd_suexec_t)
1012 fs_exec_nfs_files(httpd_suexec_t)
1015 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
1016 fs_read_cifs_files(httpd_suexec_t)
1017 fs_read_cifs_symlinks(httpd_suexec_t)
1018 fs_exec_cifs_files(httpd_suexec_t)
1022 mailman_domtrans_cgi(httpd_suexec_t)
1026 mta_stub(httpd_suexec_t)
1028 # apache should set close-on-exec
1029 dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
1033 mysql_stream_connect(httpd_suexec_t)
1034 mysql_rw_db_sockets(httpd_suexec_t)
1035 mysql_read_config(httpd_suexec_t)
1037 tunable_policy(`httpd_can_network_connect_db',`
1038 mysql_tcp_connect(httpd_suexec_t)
1043 postgresql_stream_connect(httpd_suexec_t)
1044 postgresql_unpriv_client(httpd_suexec_t)
1046 tunable_policy(`httpd_can_network_connect_db',`
1047 postgresql_tcp_connect(httpd_suexec_t)
1051 ########################################
1053 # Apache system script local policy
1056 allow httpd_sys_script_t self:process getsched;
1058 allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
1059 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
1061 dontaudit httpd_sys_script_t httpd_config_t:dir search;
1063 allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
1065 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
1066 read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
1067 read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
1069 kernel_read_kernel_sysctls(httpd_sys_script_t)
1071 files_read_var_symlinks(httpd_sys_script_t)
1072 files_search_var_lib(httpd_sys_script_t)
1073 files_search_spool(httpd_sys_script_t)
1075 logging_inherit_append_all_logs(httpd_sys_script_t)
1077 # Should we add a boolean?
1078 apache_domtrans_rotatelogs(httpd_sys_script_t)
1080 auth_use_nsswitch(httpd_sys_script_t)
1082 ifdef(`distro_redhat',`
1083 allow httpd_sys_script_t httpd_log_t:file append_file_perms;
1086 tunable_policy(`httpd_can_sendmail',`
1087 mta_send_mail(httpd_sys_script_t)
1091 tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
1092 spamassassin_domtrans_client(httpd_t)
1096 tunable_policy(`httpd_can_network_connect_db',`
1097 corenet_tcp_connect_firebird_port(httpd_sys_script_t)
1098 corenet_tcp_connect_mssql_port(httpd_sys_script_t)
1099 corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
1100 corenet_tcp_connect_oracle_port(httpd_sys_script_t)
1101 corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
1104 fs_cifs_entry_type(httpd_sys_script_t)
1105 fs_read_iso9660_files(httpd_sys_script_t)
1106 fs_nfs_entry_type(httpd_sys_script_t)
1108 tunable_policy(`httpd_use_nfs',`
1109 fs_list_auto_mountpoints(httpd_sys_script_t)
1110 fs_manage_nfs_dirs(httpd_sys_script_t)
1111 fs_manage_nfs_files(httpd_sys_script_t)
1112 fs_manage_nfs_symlinks(httpd_sys_script_t)
1113 fs_exec_nfs_files(httpd_sys_script_t)
1115 fs_list_auto_mountpoints(httpd_suexec_t)
1116 fs_manage_nfs_dirs(httpd_suexec_t)
1117 fs_manage_nfs_files(httpd_suexec_t)
1118 fs_manage_nfs_symlinks(httpd_suexec_t)
1119 fs_exec_nfs_files(httpd_suexec_t)
1122 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
1123 allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
1124 allow httpd_sys_script_t self:udp_socket create_socket_perms;
1126 corenet_tcp_bind_generic_node(httpd_sys_script_t)
1127 corenet_udp_bind_generic_node(httpd_sys_script_t)
1128 corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
1129 corenet_all_recvfrom_netlabel(httpd_sys_script_t)
1130 corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
1131 corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
1132 corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
1133 corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
1134 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
1135 corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
1136 corenet_tcp_connect_all_ports(httpd_sys_script_t)
1137 corenet_sendrecv_all_client_packets(httpd_sys_script_t)
1140 tunable_policy(`httpd_enable_homedirs',`
1141 userdom_search_user_home_dirs(httpd_sys_script_t)
1144 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
1145 fs_list_auto_mountpoints(httpd_sys_script_t)
1146 fs_read_nfs_files(httpd_sys_script_t)
1147 fs_read_nfs_symlinks(httpd_sys_script_t)
1150 tunable_policy(`httpd_read_user_content',`
1151 userdom_read_user_home_content_files(httpd_sys_script_t)
1154 tunable_policy(`httpd_use_cifs',`
1155 fs_manage_cifs_dirs(httpd_sys_script_t)
1156 fs_manage_cifs_files(httpd_sys_script_t)
1157 fs_manage_cifs_symlinks(httpd_sys_script_t)
1158 fs_manage_cifs_dirs(httpd_suexec_t)
1159 fs_manage_cifs_files(httpd_suexec_t)
1160 fs_manage_cifs_symlinks(httpd_suexec_t)
1161 fs_exec_cifs_files(httpd_suexec_t)
1164 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
1165 fs_read_cifs_files(httpd_sys_script_t)
1166 fs_read_cifs_symlinks(httpd_sys_script_t)
1170 clamav_domtrans_clamscan(httpd_sys_script_t)
1174 mysql_stream_connect(httpd_sys_script_t)
1175 mysql_rw_db_sockets(httpd_sys_script_t)
1176 mysql_read_config(httpd_sys_script_t)
1178 tunable_policy(`httpd_can_network_connect_db',`
1179 mysql_tcp_connect(httpd_sys_script_t)
1184 postgresql_stream_connect(httpd_sys_script_t)
1185 postgresql_unpriv_client(httpd_sys_script_t)
1187 tunable_policy(`httpd_can_network_connect_db',`
1188 postgresql_tcp_connect(httpd_sys_script_t)
1192 ########################################
1194 # httpd_rotatelogs local policy
1197 allow httpd_rotatelogs_t self:capability dac_override;
1199 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
1201 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
1202 kernel_dontaudit_list_proc(httpd_rotatelogs_t)
1203 kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
1205 files_read_etc_files(httpd_rotatelogs_t)
1207 logging_search_logs(httpd_rotatelogs_t)
1209 miscfiles_read_localization(httpd_rotatelogs_t)
1211 ########################################
1213 # Unconfined script local policy
1217 type httpd_unconfined_script_t;
1218 type httpd_unconfined_script_exec_t;
1219 domain_type(httpd_unconfined_script_t)
1220 domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
1221 domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
1222 unconfined_domain(httpd_unconfined_script_t)
1224 role system_r types httpd_unconfined_script_t;
1225 allow httpd_t httpd_unconfined_script_t:process signal_perms;
1228 ########################################
1230 # User content local policy
1233 tunable_policy(`httpd_enable_cgi && httpd_unified',`
1234 allow httpd_user_script_t httpdcontent:file entrypoint;
1235 manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
1236 manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
1237 manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
1238 manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
1241 # allow accessing files/dirs below the users home dir
1242 tunable_policy(`httpd_enable_homedirs',`
1243 userdom_search_user_home_content(httpd_t)
1244 userdom_search_user_home_content(httpd_suexec_t)
1245 userdom_search_user_home_content(httpd_user_script_t)
1248 tunable_policy(`httpd_read_user_content',`
1249 userdom_read_user_home_content_files(httpd_t)
1250 userdom_read_user_home_content_files(httpd_suexec_t)
1251 userdom_read_user_home_content_files(httpd_user_script_t)