## </desc>
gen_tunable(httpd_enable_ftp_server, false)
+## <desc>
+## <p>
+## Allow httpd to act as a FTP client
+## connecting to the ftp port and ephemeral ports
+## </p>
+## </desc>
+gen_tunable(httpd_can_connect_ftp, false)
+
+## <desc>
+## <p>
+## Allow httpd to connect to the ldap port
+## </p>
+## </desc>
+gen_tunable(httpd_can_connect_ldap, false)
+
## <desc>
## <p>
## Allow httpd to read home directories
attribute httpdcontent;
attribute httpd_user_content_type;
+attribute httpd_content_type;
# domains that can exec all users scripts
attribute httpd_exec_scripts;
+attribute httpd_script_type;
attribute httpd_script_exec_type;
attribute httpd_user_script_exec_type;
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
+type httpd_unit_file_t;
+systemd_unit_file(httpd_unit_file_t)
+
type httpd_lock_t;
files_lock_file(httpd_lock_t)
# setup the system domain for system CGI scripts
apache_content_template(sys)
+optional_policy(`
+ postgresql_unpriv_client(httpd_sys_script_t)
+')
+
typeattribute httpd_sys_content_t httpdcontent; # customizable
typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
# File Type of squirrelmail attachments
type squirrelmail_spool_t;
files_tmp_file(squirrelmail_spool_t)
+files_spool_file(squirrelmail_spool_t)
optional_policy(`
prelink_object_file(httpd_modules_t)
')
+type httpd_passwd_t;
+type httpd_passwd_exec_t;
+application_domain(httpd_passwd_t, httpd_passwd_exec_t)
+role system_r types httpd_passwd_t;
+
########################################
#
# Apache server local policy
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
+kernel_read_network_state(httpd_t)
+kernel_read_network_state(httpd_t)
kernel_search_network_sysctl(httpd_t)
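Review bot: `kernel_read_network_state(httpd_t)` is added twice on consecutive lines before `kernel_search_network_sysctl`. checkpolicy merges duplicate rules, so nothing breaks, but it reads as a merge artefact and one copy should be removed. The context comment above (`# for modules that want to access /proc/meminfo`) explains only `kernel_read_system_state`; give the network-state grant its own one-line comment saying which module needs /proc/net, so the reviewer does not have to guess.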
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
corenet_tcp_bind_ntop_port(httpd_t)
+corenet_tcp_bind_jboss_management_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
+corenet_tcp_bind_puppet_port(httpd_t)
# Signal self for shutdown
-corenet_tcp_connect_http_port(httpd_t)
+#corenet_tcp_connect_http_port(httpd_t)
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
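Review bot: `corenet_tcp_connect_http_port(httpd_t)` is commented out rather than removed, and the context comment above it (`# Signal self for shutdown`) now describes nothing. If the grant is meant to be reachable only through a tunable elsewhere in the module, delete the line and the stale comment; if it is parked for a possible revert, say so in a comment such as `# removed: outbound http is gated by tunable, see below`. Commented-out allow rules in a policy module tend to be re-enabled by the next contributor who assumes they were dropped by accident.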
# php uploads a file to /tmp and then execs programs to acton them
manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
libs_read_lib_files(httpd_t)
+ifdef(`hide_broken_symptoms',`
+ libs_exec_lib_files(httpd_t)
+')
+
logging_send_syslog_msg(httpd_t)
miscfiles_read_localization(httpd_t)
miscfiles_read_fonts(httpd_t)
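Review bot: `libs_exec_lib_files(httpd_t)` inside `ifdef(`hide_broken_symptoms')` is an allow rule, not a dontaudit: it lets the web server execute files labelled as shared libraries, which widens what a compromised httpd_t can run, and because the ifdef is resolved at policy build time an administrator cannot switch it back off with a boolean. If a specific module or interpreter needs this, name it in a comment above the rule and consider a runtime tunable instead of the build flag, e.g. `# <module> execs a helper installed under /usr/lib`. Otherwise the rule belongs in the normal part of the policy where it is visible during audit review.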
miscfiles_read_public_files(httpd_t)
miscfiles_read_generic_certs(httpd_t)
+miscfiles_read_tetex_data(httpd_t)
seutil_dontaudit_search_config(httpd_t)
')
tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_firebird_port(httpd_t)
corenet_tcp_connect_mssql_port(httpd_t)
corenet_sendrecv_mssql_client_packets(httpd_t)
- corenet_tcp_connect_oracledb_port(httpd_t)
- corenet_sendrecv_oracledb_client_packets(httpd_t)
+ corenet_tcp_connect_oracle_port(httpd_t)
+ corenet_sendrecv_oracle_client_packets(httpd_t)
')
tunable_policy(`httpd_can_network_memcache',`
corenet_sendrecv_http_client_packets(httpd_t)
corenet_sendrecv_http_cache_client_packets(httpd_t)
corenet_sendrecv_squid_client_packets(httpd_t)
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
')
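Review bot: `corenet_tcp_connect_all_ephemeral_ports(httpd_t)` under `httpd_can_network_memcache` lets httpd connect to every ephemeral port, not just a memcache listener, so turning on the memcache boolean now also opens outbound connections to any high-port service on the host or the network. memcached listens on its own port; if corenet defines a memcache port type, use its connect interface here, and if the ephemeral-port grant is genuinely needed by the client library, say why in a comment, e.g. `# memcache client uses ephemeral ports for <reason>`, so the breadth is deliberate rather than accidental.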
tunable_policy(`httpd_execmem',`
manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
')
+tunable_policy(`httpd_can_connect_ftp',`
+ corenet_tcp_connect_ftp_port(httpd_t)
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_ldap',`
+ corenet_tcp_connect_ldap_port(httpd_t)
+')
+
tunable_policy(`httpd_enable_ftp_server',`
corenet_tcp_bind_ftp_port(httpd_t)
+ corenet_tcp_bind_all_ephemeral_ports(httpd_t)
')
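Review bot: both FTP tunables now reach all ephemeral ports — `httpd_can_connect_ftp` adds `corenet_tcp_connect_all_ephemeral_ports` and `httpd_enable_ftp_server` adds `corenet_tcp_bind_all_ephemeral_ports` — which is wider than "the ftp port" in the boolean names suggests, though FTP data channels do use ephemeral ports so this is presumably intentional. The `httpd_can_connect_ftp` description documents the ephemeral-port part, but the `httpd_enable_ftp_server` description (only its closing `## </desc>` is visible at the top of the diff) should say the same, e.g. `## Allow httpd to act as a FTP server by listening on the ftp port and ephemeral ports`, so an administrator flipping the boolean knows httpd will be able to bind arbitrary high ports.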
tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_t)
- userdom_use_user_terminals(httpd_suexec_t)
+ userdom_use_inherited_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_suexec_t)
',`
userdom_dontaudit_use_user_terminals(httpd_t)
userdom_dontaudit_use_user_terminals(httpd_suexec_t)
')
+optional_policy(`
+ # Support for ABRT retrace server
+ # mod_wsgi
+ abrt_manage_spool_retrace(httpd_t)
+ abrt_domtrans_retrace_worker(httpd_t)
+ abrt_read_config(httpd_t)
+')
+
optional_policy(`
calamaris_read_www_files(httpd_t)
')
dirsrv_signull(httpd_t)
dirsrvadmin_manage_config(httpd_t)
dirsrvadmin_manage_tmp(httpd_t)
+ dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
')
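Review bot: `dirsrvadmin_domtrans_unconfined_script_t(httpd_t)` gives httpd_t a transition into an unconfined script domain whenever the dirsrvadmin module is present, which removes confinement for whatever that script does; the rest of this block only manages dirsrvadmin config and tmp files. If the admin scripts genuinely need to run unconfined, gate the transition behind a boolean that defaults to off (this patch already adds per-feature tunables such as `httpd_can_connect_ldap`) and add a comment naming the script, e.g. `# dirsrvadmin CGI must run unconfined; enabled by tunable`. The enclosing optional_policy block starts outside the hunk.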
optional_policy(`
')
')
-optional_policy(`
- git_read_generic_system_content_files(httpd_t)
- gitosis_read_lib_files(httpd_t)
-')
-
optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
gpg_domtrans_web(httpd_t)
passenger_read_lib_files(httpd_t)
')
+optional_policy(`
+ puppet_read_lib(httpd_t)
+')
+
optional_policy(`
rpc_search_nfs_state_data(httpd_t)
')
')
optional_policy(`
+ zarafa_manage_lib_files(httpd_t)
zarafa_stream_connect_server(httpd_t)
zarafa_search_config(httpd_t)
')
logging_send_syslog_msg(httpd_helper_t)
-userdom_use_user_terminals(httpd_helper_t)
+userdom_use_inherited_user_terminals(httpd_helper_t)
tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
')
########################################
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_firebird_port(httpd_php_t)
corenet_tcp_connect_mssql_port(httpd_php_t)
corenet_sendrecv_mssql_client_packets(httpd_php_t)
- corenet_tcp_connect_oracledb_port(httpd_php_t)
- corenet_sendrecv_oracledb_client_packets(httpd_php_t)
+ corenet_tcp_connect_oracle_port(httpd_php_t)
+ corenet_sendrecv_oracle_client_packets(httpd_php_t)
')
optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
+
+allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
')
tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_firebird_port(httpd_suexec_t)
corenet_tcp_connect_mssql_port(httpd_suexec_t)
corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
- corenet_tcp_connect_oracledb_port(httpd_suexec_t)
- corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_oracle_port(httpd_suexec_t)
+ corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
')
domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
+tunable_policy(`httpd_can_sendmail',`
+ mta_send_mail(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_sys_script_t httpdcontent:file entrypoint;
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_firebird_port(httpd_sys_script_t)
corenet_tcp_connect_mssql_port(httpd_sys_script_t)
corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_oracledb_port(httpd_sys_script_t)
- corenet_sendrecv_oracledb_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_oracle_port(httpd_sys_script_t)
+ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
')
fs_cifs_entry_type(httpd_sys_script_t)
userdom_read_user_home_content_files(httpd_suexec_t)
userdom_read_user_home_content_files(httpd_user_script_t)
')
+
+########################################
+#
+# httpd_passwd local policy
+#
+
+allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
+allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
+allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
+
+domain_use_interactive_fds(httpd_passwd_t)
+
+files_read_etc_files(httpd_passwd_t)
+
+miscfiles_read_localization(httpd_passwd_t)
+
+corecmd_exec_bin(httpd_passwd_t)
+
+kernel_read_system_state(httpd_passwd_t)
+
+dev_read_urand(httpd_passwd_t)
+
+systemd_manage_passwd_run(httpd_t)
+#systemd_passwd_agent_dev_template(httpd)
+
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+dontaudit httpd_passwd_t httpd_config_t:file read;
+
+
+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
+corecmd_shell_entry_type(httpd_script_type)
+
+allow httpd_script_type self:fifo_file rw_file_perms;
+allow httpd_script_type self:unix_stream_socket connectto;
+
+allow httpd_script_type httpd_t:fifo_file write;
+# apache should set close-on-exec
+apache_dontaudit_leaks(httpd_script_type)
+
+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
+logging_search_logs(httpd_script_type)
+
+kernel_dontaudit_search_sysctl(httpd_script_type)
+kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
+
+dev_read_rand(httpd_script_type)
+dev_read_urand(httpd_script_type)
+
+corecmd_exec_all_executables(httpd_script_type)
+application_exec_all(httpd_script_type)
+
+files_exec_etc_files(httpd_script_type)
+files_read_etc_files(httpd_script_type)
+files_search_home(httpd_script_type)
+
+libs_exec_ld_so(httpd_script_type)
+libs_exec_lib_files(httpd_script_type)
+
+miscfiles_read_fonts(httpd_script_type)
+miscfiles_read_public_files(httpd_script_type)
+
+seutil_dontaudit_search_config(httpd_script_type)
+allow httpd_t httpd_script_type:unix_stream_socket connectto;
+
+allow httpd_t httpd_script_exec_type:file read_file_perms;
+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
+allow httpd_t httpd_script_type:process { signal sigkill sigstop };
+allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+
+allow httpd_script_type self:process { setsched signal_perms };
+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
+allow httpd_script_type self:unix_dgram_socket create_socket_perms;
+
+allow httpd_script_type httpd_t:fd use;
+allow httpd_script_type httpd_t:process sigchld;
+
+dontaudit httpd_script_type httpd_t:tcp_socket { read write };
+
+kernel_read_system_state(httpd_script_type)
+
+dev_read_urand(httpd_script_type)
+
+fs_getattr_xattr_fs(httpd_script_type)
+
+files_read_etc_runtime_files(httpd_script_type)
+files_read_usr_files(httpd_script_type)
+
+libs_read_lib_files(httpd_script_type)
+
+miscfiles_read_localization(httpd_script_type)
+allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
+
+tunable_policy(`httpd_enable_cgi && allow_ypbind',`
+ nis_use_ypbind_uncond(httpd_script_type)
+')
+
+optional_policy(`
+ nscd_socket_use(httpd_script_type)
+')
+
+read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+
+tunable_policy(`httpd_builtin_scripting',`
+ allow httpd_t httpd_content_type:dir search_dir_perms;
+ allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
+
+ allow httpd_t httpd_content_type:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+
+ allow httpd_t httpd_content_type:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+')
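Review bot: the unconditional `read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)` just above the `httpd_builtin_scripting` tunable_policy already grants reads on every `httpd_content_type` file, so the `read_files_pattern` calls inside the tunable are redundant and the boolean only gates directory search/list and symlink reads; if content reads are meant to depend on `httpd_builtin_scripting`, drop the unconditional line, otherwise drop the copies inside the tunable. The tunable body also repeats the `list_dir_perms`/`read_files_pattern`/`read_lnk_files_pattern` trio twice verbatim — keep one. Further up in the same hunk, `allow httpd_script_type self:fifo_file rw_file_perms;` should use `rw_fifo_file_perms` for consistency with the suexec rule this patch adds. The script-domain section grants `corecmd_exec_all_executables`, `application_exec_all`, `files_exec_etc_files`, `libs_exec_lib_files` and `libs_exec_ld_so` to every `httpd_script_type` unconditionally; a short comment stating why CGI interpreter domains get exec on all executables would help the next reviewer judge whether that breadth is still wanted.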