Add dirsrvadmin_unconfined_script_t domain type for 389-ds admin scripts
1 policy_module(apache, 2.2.1)
2
3 #
4 # NOTES:
5 # This policy will work with SUEXEC enabled as part of the Apache
6 # configuration. However, the user CGI scripts will run under the
7 # system_u:system_r:httpd_user_script_t.
8 #
9 # The user CGI scripts must be labeled with the httpd_user_script_exec_t
10 # type, and the directory containing the scripts should also be labeled
11 # with these types. This policy allows the user role to perform that
12 # relabeling. If it is desired that only admin role should be able to relabel
13 # the user CGI scripts, then relabel rule for user roles should be removed.
14 #
15
16 ########################################
17 #
18 # Declarations
19 #
20
21 selinux_genbool(httpd_bool_t)
22
# Every tunable declared below defaults to false. Each one widens what
# httpd_t (or one of its script/suexec domains) may do and is consumed by
# a tunable_policy() block further down in this file. The <desc> text is
# also what the policy documentation tooling publishes for the boolean,
# so it should name the exact types an administrator has to apply.
23 ## <desc>
24 ## <p>
25 ## Allow Apache to modify public files
26 ## used for public file transfer services. Directories/Files must
27 ## be labeled public_content_rw_t.
28 ## </p>
29 ## </desc>
30 gen_tunable(allow_httpd_anon_write, false)
31
32 ## <desc>
33 ## <p>
34 ## Allow Apache to use mod_auth_pam
35 ## </p>
36 ## </desc>
37 gen_tunable(allow_httpd_mod_auth_pam, false)
38
39 ## <desc>
40 ## <p>
41 ## Allow Apache to use mod_auth_ntlm_winbind
42 ## </p>
43 ## </desc>
44 gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
45
46 ## <desc>
47 ## <p>
48 ## Allow httpd scripts and modules execmem/execstack
49 ## </p>
50 ## </desc>
# Turning this on re-grants the execmem/execstack bits that the
# httpd_t self:process rule explicitly excludes in the server section.
51 gen_tunable(httpd_execmem, false)
52
53 ## <desc>
54 ## <p>
55 ## Allow httpd daemon to change system limits
56 ## </p>
57 ## </desc>
58 gen_tunable(httpd_setrlimit, false)
59
60 ## <desc>
61 ## <p>
62 ## Allow httpd to use built in scripting (usually php)
63 ## </p>
64 ## </desc>
65 gen_tunable(httpd_builtin_scripting, false)
66
67 ## <desc>
68 ## <p>
69 ## Allow HTTPD scripts and modules to connect to the network using any TCP port.
70 ## </p>
71 ## </desc>
# Broadest of the network tunables: it maps to corenet_tcp_connect_all_ports.
# The *_db, *_memcache, *_relay and *_cobbler tunables below are the
# narrower alternatives and should be preferred where they suffice.
72 gen_tunable(httpd_can_network_connect, false)
73
74 ## <desc>
75 ## <p>
76 ## Allow HTTPD scripts and modules to connect to cobbler over the network.
77 ## </p>
78 ## </desc>
79 gen_tunable(httpd_can_network_connect_cobbler, false)
80
81 ## <desc>
82 ## <p>
83 ## Allow HTTPD scripts and modules to connect to databases over the network.
84 ## </p>
85 ## </desc>
86 gen_tunable(httpd_can_network_connect_db, false)
87
88 ## <desc>
89 ## <p>
90 ## Allow httpd to connect to memcache server
91 ## </p>
92 ## </desc>
93 gen_tunable(httpd_can_network_memcache, false)
94
95 ## <desc>
96 ## <p>
97 ## Allow httpd to act as a relay
98 ## </p>
99 ## </desc>
100 gen_tunable(httpd_can_network_relay, false)
101
102 ## <desc>
103 ## <p>
104 ## Allow http daemon to send mail
105 ## </p>
106 ## </desc>
107 gen_tunable(httpd_can_sendmail, false)
108
109 ## <desc>
110 ## <p>
111 ## Allow http daemon to check spam
112 ## </p>
113 ## </desc>
# NOTE(review): no tunable_policy() block in this file references
# httpd_can_check_spam; it is presumably consumed by another module.
114 gen_tunable(httpd_can_check_spam, false)
115
116 ## <desc>
117 ## <p>
118 ## Allow Apache to communicate with avahi service via dbus
119 ## </p>
120 ## </desc>
121 gen_tunable(httpd_dbus_avahi, false)
122
123 ## <desc>
124 ## <p>
125 ## Allow httpd to execute cgi scripts
126 ## </p>
127 ## </desc>
128 gen_tunable(httpd_enable_cgi, false)
129
130 ## <desc>
131 ## <p>
132 ## Allow httpd to act as a FTP server by
133 ## listening on the ftp port.
134 ## </p>
135 ## </desc>
136 gen_tunable(httpd_enable_ftp_server, false)
137
138 ## <desc>
139 ## <p>
140 ## Allow httpd to read home directories
141 ## </p>
142 ## </desc>
143 gen_tunable(httpd_enable_homedirs, false)
144
145 ## <desc>
146 ## <p>
147 ## Allow httpd to read user content
148 ## </p>
149 ## </desc>
# NOTE(review): httpd_read_user_content is declared here but not used by
# any tunable_policy() block in this file; presumably consumed elsewhere.
150 gen_tunable(httpd_read_user_content, false)
151
152 ## <desc>
153 ## <p>
154 ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
155 ## </p>
156 ## </desc>
157 gen_tunable(httpd_ssi_exec, false)
158
159 ## <desc>
160 ## <p>
161 ## Allow Apache to execute tmp content.
162 ## </p>
163 ## </desc>
164 gen_tunable(httpd_tmp_exec, false)
165
166 ## <desc>
167 ## <p>
168 ## Allow HTTPD to communicate with the terminal.
169 ## Needed for entering the passphrase for certificates at
170 ## the terminal.
171 ## </p>
172 ## </desc>
173 gen_tunable(httpd_tty_comm, false)
174
175 ## <desc>
176 ## <p>
177 ## Unify HTTPD handling of all content files.
178 ## </p>
179 ## </desc>
# When set together with httpd_enable_cgi, every type carrying the
# httpdcontent attribute becomes executable/writable web content; see
# the `httpd_enable_cgi && httpd_unified' blocks below.
180 gen_tunable(httpd_unified, false)
181
182 ## <desc>
183 ## <p>
184 ## Allow httpd to access cifs file systems
185 ## </p>
186 ## </desc>
187 gen_tunable(httpd_use_cifs, false)
188
189 ## <desc>
190 ## <p>
191 ## Allow httpd to run gpg in gpg-web domain
192 ## </p>
193 ## </desc>
194 gen_tunable(httpd_use_gpg, false)
195
196 ## <desc>
197 ## <p>
198 ## Allow httpd to access nfs file systems
199 ## </p>
200 ## </desc>
201 gen_tunable(httpd_use_nfs, false)
202
203 ## <desc>
204 ## <p>
205 ## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t.
206 ## </p>
207 ## </desc>
208 gen_tunable(allow_httpd_sys_script_anon_write, false)
209
# httpdcontent collects every web content type (sys and user; ro, rw and
# ra) via the typeattribute statements below. Rules written against the
# attribute -- notably the httpd_unified blocks -- apply to all of them.
210 attribute httpdcontent;
211 attribute httpd_user_content_type;
212
213 # domains that can exec all users scripts
214 attribute httpd_exec_scripts;
215
216 attribute httpd_script_exec_type;
217 attribute httpd_user_script_exec_type;
218
219 # user script domains
220 attribute httpd_script_domains;
221
# The main server domain. Almost every rule in the rest of this file has
# httpd_t as its subject; the helper, php and suexec domains below are
# all entered from it via domtrans_pattern.
222 type httpd_t;
223 type httpd_exec_t;
224 init_daemon_domain(httpd_t, httpd_exec_t)
225 role system_r types httpd_t;
226
227 # httpd_cache_t is the type given to the /var/cache/httpd
228 # directory and the files under that directory
229 type httpd_cache_t;
230 files_type(httpd_cache_t)
231
232 # httpd_config_t is the type given to the configuration files
# (read-only for httpd_t itself; see the config rules in the server section)
233 type httpd_config_t;
234 files_config_file(httpd_config_t)
235
# Helper programs spawned by httpd_t (domain transition in the
# "Apache helper local policy" section).
236 type httpd_helper_t;
237 type httpd_helper_exec_t;
238 domain_type(httpd_helper_t)
239 domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
240 role system_r types httpd_helper_t;
241
242 type httpd_initrc_exec_t;
243 init_script_file(httpd_initrc_exec_t)
244
245 type httpd_unit_t;
246 systemd_unit_file(httpd_unit_t)
247
248 type httpd_lock_t;
249 files_lock_file(httpd_lock_t)
250
251 type httpd_log_t;
252 logging_log_file(httpd_log_t)
253
254 # httpd_modules_t is the type given to module files (libraries)
255 # that come with Apache /etc/httpd/modules and /usr/lib/apache
256 type httpd_modules_t;
257 files_type(httpd_modules_t)
258
# Separate domain for a standalone php executable entered from httpd_t
# (see "Apache PHP script local policy"); built-in scripting inside
# httpd_t itself is governed by the httpd_builtin_scripting tunable.
259 type httpd_php_t;
260 type httpd_php_exec_t;
261 domain_type(httpd_php_t)
262 domain_entry_file(httpd_php_t, httpd_php_exec_t)
263 role system_r types httpd_php_t;
264
265 type httpd_php_tmp_t;
266 files_tmp_file(httpd_php_tmp_t)
267
268 type httpd_rotatelogs_t;
269 type httpd_rotatelogs_exec_t;
270 init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
271
272 type httpd_squirrelmail_t;
273 files_type(httpd_squirrelmail_t)
274
275 # SUEXEC runs user scripts as their own user ID
# httpd_suexec_t is entered from httpd_t and is the only domain in this
# file granted the setuid/setgid capabilities (see the suexec section).
276 type httpd_suexec_t; #, daemon;
277 type httpd_suexec_exec_t;
278 domain_type(httpd_suexec_t)
279 domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
280 role system_r types httpd_suexec_t;
281
282 type httpd_suexec_tmp_t;
283 files_tmp_file(httpd_suexec_tmp_t)
284
285 # setup the system domain for system CGI scripts
# This template is what declares httpd_sys_content_t, httpd_sys_rw_content_t,
# httpd_sys_ra_content_t, httpd_sys_script_t and httpd_sys_script_exec_t;
# they are not declared explicitly anywhere in this file.
286 apache_content_template(sys)
287
288 typeattribute httpd_sys_content_t httpdcontent; # customizable
289 typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
290 typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
291
292 # Removal of fastcgi, will cause problems without the following
293 typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
294 typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
295 typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
296 typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
297 typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
298
299 type httpd_tmp_t;
300 files_tmp_file(httpd_tmp_t)
301
302 type httpd_tmpfs_t;
303 files_tmpfs_file(httpd_tmpfs_t)
304
# Same template for per-user content; the httpd_user_* types it produces
# are added to httpdcontent and marked as home-directory content below.
305 apache_content_template(user)
306 ubac_constrained(httpd_user_script_t)
307 typeattribute httpd_user_content_t httpdcontent;
308 typeattribute httpd_user_rw_content_t httpdcontent;
309 typeattribute httpd_user_ra_content_t httpdcontent;
310
311 userdom_user_home_content(httpd_user_content_t)
312 userdom_user_home_content(httpd_user_htaccess_t)
313 userdom_user_home_content(httpd_user_script_exec_t)
314 userdom_user_home_content(httpd_user_ra_content_t)
315 userdom_user_home_content(httpd_user_rw_content_t)
316 typeattribute httpd_user_script_t httpd_script_domains;
# The per-role aliases below collapse the former staff/sysadm/auditadm/
# secadm/unconfined content and script types onto the single user set.
317 typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
318 typealias httpd_user_content_t alias httpd_unconfined_content_t;
319 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
320 typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
321 typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
322 typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
323 typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
324 typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
325 typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
326 typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
327 typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
328 typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
329 typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
330 typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
331 typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
332
333 # for apache2 memory mapped files
334 type httpd_var_lib_t;
335 files_type(httpd_var_lib_t)
336
337 type httpd_var_run_t;
338 files_pid_file(httpd_var_run_t)
339
340 # Removal of fastcgi, will cause problems without the following
341 typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
342
343 # File Type of squirrelmail attachments
344 type squirrelmail_spool_t;
345 files_tmp_file(squirrelmail_spool_t)
346 files_spool_file(squirrelmail_spool_t)
347
348 optional_policy(`
349 prelink_object_file(httpd_modules_t)
350 ')
351
352 ########################################
353 #
354 # Apache server local policy
355 #
356
# Capabilities held unconditionally by the server. dac_override bypasses
# the mode-bit checks on files, so httpd's reach over the filesystem is
# bounded mainly by the type rules in this file rather than by DAC.
# sys_resource is added only when httpd_setrlimit is on (see below).
357 allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
# sys_tty_config is already allowed on the line above, so dontauditing it
# here is a no-op; only the net_admin part of this rule has any effect.
358 dontaudit httpd_t self:capability { net_admin sys_tty_config };
# Complement set: every process permission EXCEPT the listed ones.
# execmem/execstack are re-granted by the httpd_execmem tunable and
# setrlimit by httpd_setrlimit; ptrace, setcurrent, setexec, setfscreate
# and execheap are never granted to httpd_t in this file.
359 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
360 allow httpd_t self:fd use;
361 allow httpd_t self:sock_file read_sock_file_perms;
362 allow httpd_t self:fifo_file rw_fifo_file_perms;
363 allow httpd_t self:shm create_shm_perms;
364 allow httpd_t self:sem create_sem_perms;
365 allow httpd_t self:msgq create_msgq_perms;
366 allow httpd_t self:msg { send receive };
367 allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
368 allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
369 allow httpd_t self:tcp_socket create_stream_socket_perms;
370 allow httpd_t self:udp_socket create_socket_perms;
371 dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
372
373 # Allow httpd_t to put files in /var/cache/httpd etc
374 manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
375 manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
376 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
# Files and directories httpd_t creates directly under /var default to
# httpd_cache_t rather than the generic var type.
377 files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
378
379 # Allow the httpd_t to read the web servers config files
# Read-only: nothing in this section lets httpd_t write httpd_config_t,
# so a compromised worker cannot rewrite its own configuration.
380 allow httpd_t httpd_config_t:dir list_dir_perms;
381 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
382 read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
383
# httpd may re-execute its own binary (e.g. on graceful restart) without
# leaving httpd_t.
384 can_exec(httpd_t, httpd_exec_t)
385
386 allow httpd_t httpd_lock_t:file manage_file_perms;
387 files_lock_filetrans(httpd_t, httpd_lock_t, file)
388
# Log files: create/append/read only -- no write or unlink on httpd_log_t,
# which keeps existing log content append-only from httpd_t's point of view.
389 allow httpd_t httpd_log_t:dir setattr;
390 create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
391 append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
392 read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
393 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
394 # cjp: need to refine create interfaces to
395 # cut this back to add_name only
396 logging_log_filetrans(httpd_t, httpd_log_t, file)
397
398 allow httpd_t httpd_modules_t:dir list_dir_perms;
399 mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
400 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
401 read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
402
403 apache_domtrans_rotatelogs(httpd_t)
404 # Apache-httpd needs to be able to send signals to the log rotate procs.
405 allow httpd_t httpd_rotatelogs_t:process signal_perms;
406
407 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
408 manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
409 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
410
411 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
412
# System web content is read-only for the server itself; write access to
# content is only granted through the httpd_unified tunable blocks below.
413 allow httpd_t httpd_sys_content_t:dir list_dir_perms;
414 read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
415 read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
416
417 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
418
419 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
420 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
421 manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
422 manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
423 files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
424
425 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
426 manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
427 manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
428 manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
429 manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
430 fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
431
432 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
433 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
434
435 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
436 manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
437 manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
438 manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
439 files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
440
441 manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
442 manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
443 manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
444
445 kernel_read_kernel_sysctls(httpd_t)
446 # for modules that want to access /proc/meminfo
447 kernel_read_system_state(httpd_t)
448 kernel_read_network_state(httpd_t)
449 kernel_search_network_sysctl(httpd_t)
450
# Unconditional network rules: send/receive on any port, but bind is
# limited to the named listener ports. Outbound connect() is NOT granted
# here -- it is gated by the httpd_can_network_* tunables further down.
451 corenet_all_recvfrom_unlabeled(httpd_t)
452 corenet_all_recvfrom_netlabel(httpd_t)
453 corenet_tcp_sendrecv_generic_if(httpd_t)
454 corenet_udp_sendrecv_generic_if(httpd_t)
455 corenet_tcp_sendrecv_generic_node(httpd_t)
456 corenet_udp_sendrecv_generic_node(httpd_t)
457 corenet_tcp_sendrecv_all_ports(httpd_t)
458 corenet_udp_sendrecv_all_ports(httpd_t)
459 corenet_tcp_bind_generic_node(httpd_t)
460 corenet_udp_bind_generic_node(httpd_t)
461 corenet_tcp_bind_http_port(httpd_t)
462 corenet_tcp_bind_http_cache_port(httpd_t)
463 corenet_tcp_bind_ntop_port(httpd_t)
464 corenet_tcp_bind_jboss_management_port(httpd_t)
465 corenet_sendrecv_http_server_packets(httpd_t)
466 # Signal self for shutdown
# NOTE(review): the comment above describes a self-signal, but the line it
# precedes is a (disabled) http_port connect rule; one of the two is stale.
467 #corenet_tcp_connect_http_port(httpd_t)
468
469 dev_read_sysfs(httpd_t)
470 dev_read_rand(httpd_t)
471 dev_read_urand(httpd_t)
472 dev_rw_crypto(httpd_t)
473
474 fs_getattr_all_fs(httpd_t)
475 fs_search_auto_mountpoints(httpd_t)
476 fs_read_iso9660_files(httpd_t)
477 fs_read_anon_inodefs_files(httpd_t)
478
479 auth_use_nsswitch(httpd_t)
480
# Lets httpd_t run every executable that carries the generic application
# attribute (no domain transition). This is a wide grant for a
# network-facing daemon; it is what allows module/CGI helper binaries to
# run in the server domain.
481 application_exec_all(httpd_t)
482
483 domain_use_interactive_fds(httpd_t)
484
485 files_dontaudit_getattr_all_pids(httpd_t)
486 files_read_usr_files(httpd_t)
487 files_list_mnt(httpd_t)
488 files_search_spool(httpd_t)
489 files_read_var_symlinks(httpd_t)
490 files_read_var_lib_files(httpd_t)
491 files_search_home(httpd_t)
492 files_getattr_home_dir(httpd_t)
493 # for modules that want to access /etc/mtab
494 files_read_etc_runtime_files(httpd_t)
495 # Allow httpd_t to have access to files such as nsswitch.conf
496 files_read_etc_files(httpd_t)
497 # for tomcat
498 files_read_var_lib_symlinks(httpd_t)
499
# NOTE(review): the following block has httpd_sys_script_t, not httpd_t,
# as its subject but lives in the server section; the script-domain rules
# are otherwise split between here and the suexec section below.
500 fs_search_auto_mountpoints(httpd_sys_script_t)
501 # php uploads a file to /tmp and then execs programs to act on them
502 manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
503 manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
504 manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
505 manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
506 manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
# NOTE(review): objects the script domain creates in /tmp are labeled
# httpd_sys_rw_content_t, not the httpd_tmp_t it is given manage rights on
# above -- verify this is intentional (it makes script-created tmp files
# look like writable web content).
507 files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
508
509 libs_read_lib_files(httpd_t)
510
511 logging_send_syslog_msg(httpd_t)
512
513 miscfiles_read_localization(httpd_t)
514 miscfiles_read_fonts(httpd_t)
515 miscfiles_read_public_files(httpd_t)
516 miscfiles_read_generic_certs(httpd_t)
517
518 seutil_dontaudit_search_config(httpd_t)
519
520 userdom_use_unpriv_users_fds(httpd_t)
521
# Tunable-gated rules for httpd_t (and, in a few blocks, the sys_script
# and suexec domains). Each block is inert until the named boolean is
# set; every one of them is declared with a default of false above.
522 tunable_policy(`httpd_setrlimit',`
# Re-grants the setrlimit bit excluded from the httpd_t self:process
# complement set, plus the capability needed to raise hard limits.
523 allow httpd_t self:process setrlimit;
524 allow httpd_t self:capability sys_resource;
525 ')
526
527 tunable_policy(`allow_httpd_anon_write',`
528 miscfiles_manage_public_files(httpd_t)
529 ')
530
531 #
532 # We need optionals to be able to be within booleans to make this work
533 #
534 tunable_policy(`allow_httpd_mod_auth_pam',`
535 auth_domtrans_chkpwd(httpd_t)
536 logging_send_audit_msgs(httpd_t)
537 ')
538
539 optional_policy(`
540 tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
541 samba_domtrans_winbind_helper(httpd_t)
542 ')
543 ')
544
# Widest network grant in the file: outbound TCP to any port. The more
# specific *_db / *_memcache / *_relay blocks below are subsets of this.
545 tunable_policy(`httpd_can_network_connect',`
546 corenet_tcp_connect_all_ports(httpd_t)
547 ')
548
549 tunable_policy(`httpd_can_network_connect_db',`
550 corenet_tcp_connect_firebird_port(httpd_t)
551 corenet_tcp_connect_mssql_port(httpd_t)
552 corenet_sendrecv_mssql_client_packets(httpd_t)
553 corenet_tcp_connect_oracle_port(httpd_t)
554 corenet_sendrecv_oracle_client_packets(httpd_t)
555 ')
556
557 tunable_policy(`httpd_can_network_memcache',`
558 corenet_tcp_connect_memcache_port(httpd_t)
559 ')
560
561 tunable_policy(`httpd_can_network_relay',`
562 # allow httpd to work as a relay
563 corenet_tcp_connect_gopher_port(httpd_t)
564 corenet_tcp_connect_ftp_port(httpd_t)
565 corenet_tcp_connect_http_port(httpd_t)
566 corenet_tcp_connect_http_cache_port(httpd_t)
567 corenet_tcp_connect_squid_port(httpd_t)
# memcache connect is also granted by httpd_can_network_memcache above;
# the relay block repeats it so a relay does not need both booleans.
568 corenet_tcp_connect_memcache_port(httpd_t)
569 corenet_sendrecv_gopher_client_packets(httpd_t)
570 corenet_sendrecv_ftp_client_packets(httpd_t)
571 corenet_sendrecv_http_client_packets(httpd_t)
572 corenet_sendrecv_http_cache_client_packets(httpd_t)
573 corenet_sendrecv_squid_client_packets(httpd_t)
574 ')
575
# Relaxes the W^X-style exclusion in the self:process complement sets for
# the server, system-script and suexec domains. httpd_php_t is not
# covered here and keeps its exclusion.
576 tunable_policy(`httpd_execmem',`
577 allow httpd_t self:process { execmem execstack };
578 allow httpd_sys_script_t self:process { execmem execstack };
579 allow httpd_suexec_t self:process { execmem execstack };
580 ')
581
# "Unified" mode: plain httpd_sys_content_t files become valid CGI
# entrypoints and may be executed by the script domain, and the script
# domain's new files under sys content are labeled rw content.
582 tunable_policy(`httpd_enable_cgi && httpd_unified',`
583 allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
584 filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
585 can_exec(httpd_sys_script_t, httpd_sys_content_t)
586 ')
587
588 tunable_policy(`allow_httpd_sys_script_anon_write',`
589 miscfiles_manage_public_files(httpd_sys_script_t)
590 ')
591
592 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
593 fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
594 ')
595
596 tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
597 fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
598 ')
599
# With all three booleans on, executing ANY file carrying the
# httpdcontent attribute from httpd_t transitions into httpd_sys_script_t,
# and httpd_t itself may create/modify/delete every content type. This
# is the configuration in which web content is fully writable by the
# server and is the one to avoid on hardened deployments.
600 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
601 domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
602 filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
603 manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
604 manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
605 manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
606
607 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
608 manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
609 manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
610 ')
611
612 tunable_policy(`httpd_enable_ftp_server',`
613 corenet_tcp_bind_ftp_port(httpd_t)
614 ')
615
# Executing out of /tmp is split by subject: httpd_t needs
# httpd_builtin_scripting, the CGI domain needs httpd_enable_cgi.
616 tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
617 can_exec(httpd_t, httpd_tmp_t)
618 ')
619
620 tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
621 can_exec(httpd_sys_script_t, httpd_tmp_t)
622 ')
623
# use_nfs_home_dirs / use_samba_home_dirs are not declared in this file;
# they are presumably global booleans from the userdomain module.
624 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
625 fs_list_auto_mountpoints(httpd_t)
626 fs_read_nfs_files(httpd_t)
627 fs_read_nfs_symlinks(httpd_t)
628 ')
629
630 tunable_policy(`httpd_use_nfs',`
631 fs_list_auto_mountpoints(httpd_t)
632 fs_manage_nfs_dirs(httpd_t)
633 fs_manage_nfs_files(httpd_t)
634 fs_manage_nfs_symlinks(httpd_t)
635 ')
636
637 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
638 fs_read_cifs_files(httpd_t)
639 fs_read_cifs_symlinks(httpd_t)
640 ')
641
642 tunable_policy(`httpd_can_sendmail',`
643 # allow httpd to connect to mail servers
644 corenet_tcp_connect_smtp_port(httpd_t)
645 corenet_sendrecv_smtp_client_packets(httpd_t)
646 corenet_tcp_connect_pop_port(httpd_t)
647 corenet_sendrecv_pop_client_packets(httpd_t)
648 mta_send_mail(httpd_t)
649 mta_signal_system_mail(httpd_t)
650 ')
651
652 tunable_policy(`httpd_use_cifs',`
653 fs_manage_cifs_dirs(httpd_t)
654 fs_manage_cifs_files(httpd_t)
655 fs_manage_cifs_symlinks(httpd_t)
656 ')
657
# SSI: a shell spawned by httpd_t lands in the system CGI domain and
# inherits the server's fds/fifos for the request pipeline.
658 tunable_policy(`httpd_ssi_exec',`
659 corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
660 allow httpd_sys_script_t httpd_t:fd use;
661 allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
662 allow httpd_sys_script_t httpd_t:process sigchld;
663 ')
664
665 # When the admin starts the server, the server wants to access
666 # the TTY or PTY associated with the session. The httpd appears
667 # to run correctly without this permission, so the permissions
668 # are dontaudited here.
# Both branches are used: the else branch silences the denials so
# start-up does not spam the audit log when the boolean is off.
669 tunable_policy(`httpd_tty_comm',`
670 userdom_use_inherited_user_terminals(httpd_t)
671 userdom_use_inherited_user_terminals(httpd_suexec_t)
672 ',`
673 userdom_dontaudit_use_user_terminals(httpd_t)
674 userdom_dontaudit_use_user_terminals(httpd_suexec_t)
675 ')
676
# Integration with other modules. Each optional_policy() block is dropped
# at build time if the module providing the interfaces is absent, so the
# rules inside are only as present as the corresponding policy module.
677 optional_policy(`
678 # Support for ABRT retrace server
679 # mod_wsgi
680 abrt_manage_spool_retrace(httpd_t)
681 abrt_domtrans_retrace_worker(httpd_t)
682 abrt_read_config(httpd_t)
683 ')
684
685 optional_policy(`
686 calamaris_read_www_files(httpd_t)
687 ')
688
689 optional_policy(`
690 ccs_read_config(httpd_t)
691 ')
692
693 optional_policy(`
694 cobbler_list_config(httpd_t)
695 cobbler_read_config(httpd_t)
696 cobbler_read_lib_files(httpd_t)
697
698 tunable_policy(`httpd_can_network_connect_cobbler',`
699 corenet_tcp_connect_cobbler_port(httpd_t)
700 ')
701 ')
702
703 optional_policy(`
704 cron_system_entry(httpd_t, httpd_exec_t)
705 ')
706
707 optional_policy(`
708 cvs_read_data(httpd_t)
709 ')
710
711 optional_policy(`
712 daemontools_service_domain(httpd_t, httpd_exec_t)
713 ')
714
# 389-ds / dirsrv admin integration. Note that besides reading, httpd_t is
# given manage rights over the directory server's config, log and run
# state here -- a wider grant than the read-only pattern used for most
# other services in this section.
715 optional_policy(`
716 dirsrv_manage_config(httpd_t)
717 dirsrv_manage_log(httpd_t)
718 dirsrv_manage_var_run(httpd_t)
719 dirsrv_read_share(httpd_t)
720 dirsrv_signal(httpd_t)
721 dirsrv_signull(httpd_t)
722 dirsrvadmin_manage_config(httpd_t)
723 dirsrvadmin_manage_tmp(httpd_t)
# NOTE(review): this is the interface introduced for the
# dirsrvadmin_unconfined_script_t domain. Judging by the name it lets the
# network-facing httpd_t transition into an *unconfined* script domain,
# which is the widest exit from confinement granted anywhere in this
# file; it deserves a comment stating why an unconfined domain is needed
# rather than a confined dirsrvadmin script domain. The trailing "_t" in
# the interface name is also unusual for a refpolicy interface -- confirm
# it matches the name declared in the dirsrvadmin .if file.
724 dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
725 ')
726
# Unconditional system-bus client access; only the avahi chat itself is
# behind httpd_dbus_avahi.
727 optional_policy(`
728 dbus_system_bus_client(httpd_t)
729
730 tunable_policy(`httpd_dbus_avahi',`
731 avahi_dbus_chat(httpd_t)
732 ')
733 ')
734
735 optional_policy(`
736 git_read_generic_system_content_files(httpd_t)
737 gitosis_read_lib_files(httpd_t)
738 ')
739
740 optional_policy(`
741 tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
742 gpg_domtrans_web(httpd_t)
743 ')
744 ')
745
746 optional_policy(`
747 kerberos_keytab_template(httpd, httpd_t)
748 ')
749
750 optional_policy(`
751 mailman_signal_cgi(httpd_t)
752 mailman_domtrans_cgi(httpd_t)
753 mailman_read_data_files(httpd_t)
754 # should have separate types for public and private archives
755 mailman_search_data(httpd_t)
756 mailman_read_archive(httpd_t)
757 ')
758
759 optional_policy(`
760 mediawiki_read_tmp_files(httpd_t)
761 mediawiki_delete_tmp_files(httpd_t)
762 ')
763
# Database access pattern used for mysql and postgresql alike: local
# socket access unconditionally, TCP only behind httpd_can_network_connect_db.
764 optional_policy(`
765 # Allow httpd to work with mysql
766 mysql_read_config(httpd_t)
767 mysql_stream_connect(httpd_t)
768 mysql_rw_db_sockets(httpd_t)
769
770 tunable_policy(`httpd_can_network_connect_db',`
771 mysql_tcp_connect(httpd_t)
772 ')
773 ')
774
775 optional_policy(`
776 nagios_read_config(httpd_t)
777 nagios_read_log(httpd_t)
778 ')
779
780 optional_policy(`
781 openca_domtrans(httpd_t)
782 openca_signal(httpd_t)
783 openca_sigstop(httpd_t)
784 openca_kill(httpd_t)
785 ')
786
787 optional_policy(`
788 passenger_domtrans(httpd_t)
789 passenger_manage_pid_content(httpd_t)
790 passenger_read_lib_files(httpd_t)
791 ')
792
793 optional_policy(`
794 rpc_search_nfs_state_data(httpd_t)
795 ')
796
797 optional_policy(`
798 # Allow httpd to work with postgresql
799 postgresql_stream_connect(httpd_t)
800 postgresql_unpriv_client(httpd_t)
801
802 tunable_policy(`httpd_can_network_connect_db',`
803 postgresql_tcp_connect(httpd_t)
804 ')
805 ')
806
807 optional_policy(`
808 seutil_sigchld_newrole(httpd_t)
809 ')
810
811 optional_policy(`
812 smokeping_read_lib_files(httpd_t)
813 ')
814
815 optional_policy(`
# NOTE(review): files_dontaudit_rw_usr_dirs is a core files interface
# unrelated to snmp; it is only in effect when the snmp module is built.
# If it is meant unconditionally it belongs in the server section above.
816 files_dontaudit_rw_usr_dirs(httpd_t)
817 snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
818 snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
819 ')
820
821 optional_policy(`
822 udev_read_db(httpd_t)
823 ')
824
825 optional_policy(`
826 yam_read_content(httpd_t)
827 ')
828
829 optional_policy(`
830 zarafa_manage_lib_files(httpd_t)
831 zarafa_stream_connect_server(httpd_t)
832 zarafa_search_config(httpd_t)
833 ')
834
835 ########################################
836 #
837 # Apache helper local policy
838 #
839
# Helpers are entered from httpd_t and get a deliberately small profile:
# read config, append logs, syslog, terminal.
840 domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
841
842 allow httpd_helper_t httpd_config_t:file read_file_perms;
843
844 allow httpd_helper_t httpd_log_t:file append_file_perms;
845
846 logging_send_syslog_msg(httpd_helper_t)
847
# NOTE(review): terminal access is granted unconditionally here, which
# makes the httpd_tty_comm block right below a no-op for the helper
# domain. The server section gates the same interface behind the boolean
# (and dontaudits otherwise); the helper should probably do the same, i.e.
# drop this line and keep only the tunable block.
848 userdom_use_inherited_user_terminals(httpd_helper_t)
849
850 tunable_policy(`httpd_tty_comm',`
851 userdom_use_inherited_user_terminals(httpd_helper_t)
852 ')
853
854 ########################################
855 #
856 # Apache PHP script local policy
857 #
858
# Same complement-set shape as httpd_t. Unlike httpd_t, httpd_sys_script_t
# and httpd_suexec_t, nothing in this file re-grants execmem/execstack to
# httpd_php_t when httpd_execmem is set.
859 allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
860 allow httpd_php_t self:fd use;
861 allow httpd_php_t self:fifo_file rw_fifo_file_perms;
862 allow httpd_php_t self:sock_file read_sock_file_perms;
# Style: the dgram and stream socket permissions are split over two rules
# each; the server section writes the same grant as a single
# `{ create_socket_perms sendto }' / `{ create_stream_socket_perms connectto }'.
863 allow httpd_php_t self:unix_dgram_socket create_socket_perms;
864 allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
865 allow httpd_php_t self:unix_dgram_socket sendto;
866 allow httpd_php_t self:unix_stream_socket connectto;
867 allow httpd_php_t self:shm create_shm_perms;
868 allow httpd_php_t self:sem create_sem_perms;
869 allow httpd_php_t self:msgq create_msgq_perms;
870 allow httpd_php_t self:msg { send receive };
871
872 domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
873
874 # allow php to read and append to apache logfiles
875 allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
876
877 manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
878 manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
879 files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
880
881 fs_search_auto_mountpoints(httpd_php_t)
882
883 auth_use_nsswitch(httpd_php_t)
884
885 libs_exec_lib_files(httpd_php_t)
886
887 userdom_use_unpriv_users_fds(httpd_php_t)
888
# Database access mirrors the httpd_t rules: remote DB ports only behind
# httpd_can_network_connect_db, local sockets unconditionally when the
# mysql/postgresql modules are present.
889 tunable_policy(`httpd_can_network_connect_db',`
890 corenet_tcp_connect_firebird_port(httpd_php_t)
891 corenet_tcp_connect_mssql_port(httpd_php_t)
892 corenet_sendrecv_mssql_client_packets(httpd_php_t)
893 corenet_tcp_connect_oracle_port(httpd_php_t)
894 corenet_sendrecv_oracle_client_packets(httpd_php_t)
895 ')
896
897 optional_policy(`
898 mysql_stream_connect(httpd_php_t)
899 mysql_rw_db_sockets(httpd_php_t)
900 mysql_read_config(httpd_php_t)
901
902 tunable_policy(`httpd_can_network_connect_db',`
903 mysql_tcp_connect(httpd_php_t)
904 ')
905 ')
906
907 optional_policy(`
908 postgresql_stream_connect(httpd_php_t)
909 postgresql_unpriv_client(httpd_php_t)
910
911 tunable_policy(`httpd_can_network_connect_db',`
912 postgresql_tcp_connect(httpd_php_t)
913 ')
914 ')
915
916 ########################################
917 #
918 # Apache suexec local policy
919 #
920
# suexec's whole purpose is to drop to the script owner's UID/GID, hence
# the two capabilities; this is the only domain in the file holding them
# besides httpd_t itself.
921 allow httpd_suexec_t self:capability { setuid setgid };
922 allow httpd_suexec_t self:process signal_perms;
923
924 allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
925 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
926
927 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
928
929 create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
930 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
931 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
932
933 allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
934
935 manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
936 manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
937 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
938
# System CGI scripts run IN the suexec domain here (no transition). The
# transition into httpd_sys_script_t from suexec only exists under the
# httpd_enable_cgi && httpd_unified block below, and user scripts are
# handled by the apache_content_template(user) rules, not by this file.
939 can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
940
941 read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
942 read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
943 read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
944
945 kernel_read_kernel_sysctls(httpd_suexec_t)
946 kernel_list_proc(httpd_suexec_t)
947 kernel_read_proc_symlinks(httpd_suexec_t)
948
949 dev_read_urand(httpd_suexec_t)
950
951 fs_read_iso9660_files(httpd_suexec_t)
952 fs_search_auto_mountpoints(httpd_suexec_t)
953
# As for httpd_t: every generic application binary may be run in this
# domain without a transition.
954 application_exec_all(httpd_suexec_t)
955
956 files_read_etc_files(httpd_suexec_t)
957 files_read_usr_files(httpd_suexec_t)
958 files_dontaudit_search_pids(httpd_suexec_t)
959 files_search_home(httpd_suexec_t)
960
961 auth_use_nsswitch(httpd_suexec_t)
962
963 logging_search_logs(httpd_suexec_t)
964 logging_send_syslog_msg(httpd_suexec_t)
965
966 miscfiles_read_localization(httpd_suexec_t)
967 miscfiles_read_public_files(httpd_suexec_t)
968
# Unlike httpd_t, suexec gets no network sockets at all unless
# httpd_can_network_connect is set; then it gets the full any-port grant.
969 tunable_policy(`httpd_can_network_connect',`
970 allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
971 allow httpd_suexec_t self:udp_socket create_socket_perms;
972
973 corenet_all_recvfrom_unlabeled(httpd_suexec_t)
974 corenet_all_recvfrom_netlabel(httpd_suexec_t)
975 corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
976 corenet_udp_sendrecv_generic_if(httpd_suexec_t)
977 corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
978 corenet_udp_sendrecv_generic_node(httpd_suexec_t)
979 corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
980 corenet_udp_sendrecv_all_ports(httpd_suexec_t)
981 corenet_tcp_connect_all_ports(httpd_suexec_t)
982 corenet_sendrecv_all_client_packets(httpd_suexec_t)
983 ')
984
985 tunable_policy(`httpd_can_network_connect_db',`
986 corenet_tcp_connect_firebird_port(httpd_suexec_t)
987 corenet_tcp_connect_mssql_port(httpd_suexec_t)
988 corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
989 corenet_tcp_connect_oracle_port(httpd_suexec_t)
990 corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
991 ')
992
# NOTE(review): this line is unconditional and its subject is the system
# script domain, not suexec. domain_entry_file presumably includes the
# file:entrypoint permission, which would make the
# `allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;' inside
# the httpd_enable_cgi && httpd_unified block above redundant -- i.e.
# plain content files would be CGI entrypoints even with httpd_unified
# off. Confirm the intent; if the gate is meant to hold, this belongs
# inside that tunable block.
993 domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
994
995 tunable_policy(`httpd_can_sendmail',`
996 mta_send_mail(httpd_suexec_t)
997 ')
998
# Unified mode for suexec: any httpdcontent file is an entrypoint and
# executing it from suexec transitions into httpd_sys_script_t, which may
# then manage all content types.
999 tunable_policy(`httpd_enable_cgi && httpd_unified',`
1000 allow httpd_sys_script_t httpdcontent:file entrypoint;
1001 domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
1002 manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1003 manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1004 manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1005 manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1006 ')
1007
# Home directories on NFS: suexec additionally gets exec on NFS files
# (httpd_t only gets read in its matching block above).
1008 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
1009 fs_list_auto_mountpoints(httpd_suexec_t)
1010 fs_read_nfs_files(httpd_suexec_t)
1011 fs_read_nfs_symlinks(httpd_suexec_t)
1012 fs_exec_nfs_files(httpd_suexec_t)
1013 ')
1014
1015 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
1016 fs_read_cifs_files(httpd_suexec_t)
1017 fs_read_cifs_symlinks(httpd_suexec_t)
1018 fs_exec_cifs_files(httpd_suexec_t)
1019 ')
1020
1021 optional_policy(`
1022 mailman_domtrans_cgi(httpd_suexec_t)
1023 ')
1024
1025 optional_policy(`
1026 mta_stub(httpd_suexec_t)
1027
1028 # apache should set close-on-exec
1029 dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
1030 ')
1031
1032 optional_policy(`
1033 mysql_stream_connect(httpd_suexec_t)
1034 mysql_rw_db_sockets(httpd_suexec_t)
1035 mysql_read_config(httpd_suexec_t)
1036
1037 tunable_policy(`httpd_can_network_connect_db',`
1038 mysql_tcp_connect(httpd_suexec_t)
1039 ')
1040 ')
1041
1042 optional_policy(`
1043 postgresql_stream_connect(httpd_suexec_t)
1044 postgresql_unpriv_client(httpd_suexec_t)
1045
1046 tunable_policy(`httpd_can_network_connect_db',`
1047 postgresql_tcp_connect(httpd_suexec_t)
1048 ')
1049 ')
1050
1051 ########################################
1052 #
1053 # Apache system script local policy
1054 #
# httpd_sys_script_t runs system CGI. Within this file it is entered from
# suexec under httpd_unified (see the suexec section); the direct httpd_t
# transition is not defined in this section. Every rule below is reachable
# by request data handed to a script, so grants are kept minimal.
1055
1056 allow httpd_sys_script_t self:process getsched;
1057
# Only read/write on sockets inherited from httpd_t (presumably the client
# connection and the IPC socket) -- no socket creation, so a script cannot
# open connections of its own outside the network booleans below.
1058 allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
1059 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
1060
# Silenced rather than allowed: scripts have no business in httpd config.
1061 dontaudit httpd_sys_script_t httpd_config_t:dir search;
1062
# Squirrelmail: append and read on its data file, list/read only on the
# spool; no create or delete in either.
1063 allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
1064
1065 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
1066 read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
1067 read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
1068
1069 kernel_read_kernel_sysctls(httpd_sys_script_t)
1070
1071 files_read_var_symlinks(httpd_sys_script_t)
1072 files_search_var_lib(httpd_sys_script_t)
1073 files_search_spool(httpd_sys_script_t)
1074
# Inherited log descriptors are append-only.
1075 logging_inherit_append_all_logs(httpd_sys_script_t)
1076
1077 # Should we add a boolean?
# NOTE(review): this transition is unconditional, and httpd_rotatelogs_t
# holds dac_override on httpd_log_t (see its section below). Gating it
# behind a boolean would keep that capability out of reach of CGI by
# default.
1078 apache_domtrans_rotatelogs(httpd_sys_script_t)
1079
1080 auth_use_nsswitch(httpd_sys_script_t)
1081
# Red Hat layout: scripts append directly to httpd_log_t, never truncate.
1082 ifdef(`distro_redhat',`
1083 allow httpd_sys_script_t httpd_log_t:file append_file_perms;
1084 ')
1085
1086 tunable_policy(`httpd_can_sendmail',`
1087 mta_send_mail(httpd_sys_script_t)
1088 ')
1089
# NOTE(review): the subject here is httpd_t, not httpd_sys_script_t, even
# though this is the system script section. Confirm which domain is meant
# to transition to the spamassassin client.
1090 optional_policy(`
1091 tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
1092 spamassassin_domtrans_client(httpd_t)
1093 ')
1094 ')
1095
1096 tunable_policy(`httpd_can_network_connect_db',`
1097 corenet_tcp_connect_firebird_port(httpd_sys_script_t)
1098 corenet_tcp_connect_mssql_port(httpd_sys_script_t)
1099 corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
1100 corenet_tcp_connect_oracle_port(httpd_sys_script_t)
1101 corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
1102 ')
1103
# Unconditional: files on CIFS and NFS are valid entrypoints for this
# domain. Together with the manage grants under httpd_use_nfs /
# httpd_use_cifs below, a writable share is also a source of script
# entrypoints, so those booleans deserve the same caution as httpd_unified.
1104 fs_cifs_entry_type(httpd_sys_script_t)
1105 fs_read_iso9660_files(httpd_sys_script_t)
1106 fs_nfs_entry_type(httpd_sys_script_t)
1107
# Full manage plus exec on NFS for both the script and the suexec domain.
# The httpd_suexec_t rules sit here rather than in the suexec section.
1108 tunable_policy(`httpd_use_nfs',`
1109 fs_list_auto_mountpoints(httpd_sys_script_t)
1110 fs_manage_nfs_dirs(httpd_sys_script_t)
1111 fs_manage_nfs_files(httpd_sys_script_t)
1112 fs_manage_nfs_symlinks(httpd_sys_script_t)
1113 fs_exec_nfs_files(httpd_sys_script_t)
1114
1115 fs_list_auto_mountpoints(httpd_suexec_t)
1116 fs_manage_nfs_dirs(httpd_suexec_t)
1117 fs_manage_nfs_files(httpd_suexec_t)
1118 fs_manage_nfs_symlinks(httpd_suexec_t)
1119 fs_exec_nfs_files(httpd_suexec_t)
1120 ')
1121
# With both booleans set a script may bind (listen) as well as connect, on
# any port: the bind_generic_node rules are what make inbound listeners
# possible, not just outbound connections.
1122 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
1123 allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
1124 allow httpd_sys_script_t self:udp_socket create_socket_perms;
1125
1126 corenet_tcp_bind_generic_node(httpd_sys_script_t)
1127 corenet_udp_bind_generic_node(httpd_sys_script_t)
1128 corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
1129 corenet_all_recvfrom_netlabel(httpd_sys_script_t)
1130 corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
1131 corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
1132 corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
1133 corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
1134 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
1135 corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
1136 corenet_tcp_connect_all_ports(httpd_sys_script_t)
1137 corenet_sendrecv_all_client_packets(httpd_sys_script_t)
1138 ')
1139
# Home directory access is split: traversal (search) under
# httpd_enable_homedirs, reading the files under httpd_read_user_content.
1140 tunable_policy(`httpd_enable_homedirs',`
1141 userdom_search_user_home_dirs(httpd_sys_script_t)
1142 ')
1143
1144 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
1145 fs_list_auto_mountpoints(httpd_sys_script_t)
1146 fs_read_nfs_files(httpd_sys_script_t)
1147 fs_read_nfs_symlinks(httpd_sys_script_t)
1148 ')
1149
1150 tunable_policy(`httpd_read_user_content',`
1151 userdom_read_user_home_content_files(httpd_sys_script_t)
1152 ')
1153
# CIFS counterpart of httpd_use_nfs. Note the asymmetry: the script domain
# gets manage but no exec here, while suexec gets both; presumably
# deliberate, confirm before changing.
1154 tunable_policy(`httpd_use_cifs',`
1155 fs_manage_cifs_dirs(httpd_sys_script_t)
1156 fs_manage_cifs_files(httpd_sys_script_t)
1157 fs_manage_cifs_symlinks(httpd_sys_script_t)
1158 fs_manage_cifs_dirs(httpd_suexec_t)
1159 fs_manage_cifs_files(httpd_suexec_t)
1160 fs_manage_cifs_symlinks(httpd_suexec_t)
1161 fs_exec_cifs_files(httpd_suexec_t)
1162 ')
1163
1164 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
1165 fs_read_cifs_files(httpd_sys_script_t)
1166 fs_read_cifs_symlinks(httpd_sys_script_t)
1167 ')
1168
1169 optional_policy(`
1170 clamav_domtrans_clamscan(httpd_sys_script_t)
1171 ')
1172
# Database clients: local sockets whenever the module is present, TCP only
# under httpd_can_network_connect_db.
1173 optional_policy(`
1174 mysql_stream_connect(httpd_sys_script_t)
1175 mysql_rw_db_sockets(httpd_sys_script_t)
1176 mysql_read_config(httpd_sys_script_t)
1177
1178 tunable_policy(`httpd_can_network_connect_db',`
1179 mysql_tcp_connect(httpd_sys_script_t)
1180 ')
1181 ')
1182
1183 optional_policy(`
1184 postgresql_stream_connect(httpd_sys_script_t)
1185 postgresql_unpriv_client(httpd_sys_script_t)
1186
1187 tunable_policy(`httpd_can_network_connect_db',`
1188 postgresql_tcp_connect(httpd_sys_script_t)
1189 ')
1190 ')
1191
1192 ########################################
1193 #
1194 # httpd_rotatelogs local policy
1195 #
1196
# dac_override lets rotatelogs open httpd_log_t files regardless of their
# Unix owner/mode. It is the only capability in this domain, and the only
# manage grant is httpd_log_t; everything else below is read or search.
1197 allow httpd_rotatelogs_t self:capability dac_override;
1198
1199 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
1200
1201 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
1202 kernel_dontaudit_list_proc(httpd_rotatelogs_t)
1203 kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
1204
1205 files_read_etc_files(httpd_rotatelogs_t)
1206
1207 logging_search_logs(httpd_rotatelogs_t)
1208
1209 miscfiles_read_localization(httpd_rotatelogs_t)
1210
1211 ########################################
1212 #
1213 # Unconfined script local policy
1214 #
1215
# Only built when the unconfined module is present. Any file labeled
# httpd_unconfined_script_exec_t that httpd_t executes runs with no SELinux
# confinement at all (unconfined_domain). The label is the sole control, so
# treat it as equivalent to full unconfinement of whatever the web server
# can execute: audit which files carry it, and keep it out of any directory
# that httpd_t or a script domain may write to.
1216 optional_policy(`
1217 type httpd_unconfined_script_t;
1218 type httpd_unconfined_script_exec_t;
1219 domain_type(httpd_unconfined_script_t)
1220 domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
1221 domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
1222 unconfined_domain(httpd_unconfined_script_t)
1223
# Runs in system_r; httpd_t may signal it (e.g. on shutdown).
1224 role system_r types httpd_unconfined_script_t;
1225 allow httpd_t httpd_unconfined_script_t:process signal_perms;
1226 ')
1227
1228 ########################################
1229 #
1230 # User content local policy
1231 #
1232
# As in the system script section, httpd_unified makes every httpdcontent
# file an entrypoint for the user script domain while also letting it
# manage the user content types. If those types are members of
# httpdcontent (declared outside this section), a user script can write a
# file and then run it within its own domain.
1233 tunable_policy(`httpd_enable_cgi && httpd_unified',`
1234 allow httpd_user_script_t httpdcontent:file entrypoint;
1235 manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
1236 manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
1237 manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
1238 manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
1239 ')
1240
1241 # allow accessing files/dirs below the users home dir
# Traversal (search) only. Reading the files themselves is gated separately
# by httpd_read_user_content below, so the two booleans can be set
# independently.
1242 tunable_policy(`httpd_enable_homedirs',`
1243 userdom_search_user_home_content(httpd_t)
1244 userdom_search_user_home_content(httpd_suexec_t)
1245 userdom_search_user_home_content(httpd_user_script_t)
1246 ')
1247
# Read access to home content for the daemon, suexec and user scripts.
1248 tunable_policy(`httpd_read_user_content',`
1249 userdom_read_user_home_content_files(httpd_t)
1250 userdom_read_user_home_content_files(httpd_suexec_t)
1251 userdom_read_user_home_content_files(httpd_user_script_t)
1252 ')