b7e9f9db 1policy_module(apache, 2.2.1)
2
3#
20fa7032 4# NOTES:
5# This policy will work with SUEXEC enabled as part of the Apache
6# configuration. However, the user CGI scripts will run under the
296273a7 7# system_u:system_r:httpd_user_script_t.
a996bdf4 8#
296273a7 9# The user CGI scripts must be labeled with the httpd_user_script_exec_t
a996bdf4 10# type, and the directory containing the scripts should also be labeled
20fa7032 11# with these types. This policy allows the user role to perform that
12# relabeling. If it is desired that only admin role should be able to relabel
13# the user CGI scripts, then the relabel rule for user roles should be removed.
14#
15
16########################################
17#
18# Declarations
19#
20
21selinux_genbool(httpd_bool_t)
22
56e1b3d2 23## <desc>
24## <p>
25## Allow Apache to modify public files
26## used for public file transfer services. Directories/Files must
27## be labeled public_content_rw_t.
28## </p>
56e1b3d2 29## </desc>
0bfccda4 30gen_tunable(allow_httpd_anon_write, false)
31
32## <desc>
33## <p>
34## Allow Apache to use mod_auth_pam
35## </p>
56e1b3d2 36## </desc>
0bfccda4 37gen_tunable(allow_httpd_mod_auth_pam, false)
56e1b3d2 38
39## <desc>
40## <p>
ab29591c 41## Allow Apache to use mod_auth_ntlm_winbind
42## </p>
43## </desc>
44gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
45
3eaa9939 46## <desc>
47## <p>
48## Allow httpd scripts and modules execmem/execstack
49## </p>
50## </desc>
51gen_tunable(httpd_execmem, false)
52
53## <desc>
54## <p>
55## Allow httpd daemon to change system limits
56## </p>
57## </desc>
58gen_tunable(httpd_setrlimit, false)
59
56e1b3d2 60## <desc>
61## <p>
62## Allow httpd to use built in scripting (usually php)
63## </p>
56e1b3d2 64## </desc>
0bfccda4 65gen_tunable(httpd_builtin_scripting, false)
66
67## <desc>
68## <p>
69## Allow HTTPD scripts and modules to connect to the network using any TCP port.
70## </p>
56e1b3d2 71## </desc>
0bfccda4 72gen_tunable(httpd_can_network_connect, false)
56e1b3d2 73
3eaa9939 74## <desc>
75## <p>
76## Allow HTTPD scripts and modules to connect to cobbler over the network.
77## </p>
78## </desc>
79gen_tunable(httpd_can_network_connect_cobbler, false)
80
56e1b3d2 81## <desc>
82## <p>
83## Allow HTTPD scripts and modules to connect to databases over the network.
84## </p>
85## </desc>
86gen_tunable(httpd_can_network_connect_db, false)
87
ef98a374 88## <desc>
89## <p>
90## Allow httpd to connect to memcache server
91## </p>
92## </desc>
93gen_tunable(httpd_can_network_memcache, false)
94
56e1b3d2 95## <desc>
96## <p>
97## Allow httpd to act as a relay
98## </p>
99## </desc>
100gen_tunable(httpd_can_network_relay, false)
101
60def66b 102## <desc>
103## <p>
104## Allow http daemon to send mail
105## </p>
106## </desc>
107gen_tunable(httpd_can_sendmail, false)
108
3eaa9939 109## <desc>
110## <p>
111## Allow http daemon to check spam
112## </p>
113## </desc>
114gen_tunable(httpd_can_check_spam, false)
115
60def66b 116## <desc>
117## <p>
118## Allow Apache to communicate with avahi service via dbus
119## </p>
120## </desc>
121gen_tunable(httpd_dbus_avahi, false)
122
56e1b3d2 123## <desc>
124## <p>
125## Allow httpd to execute cgi scripts
126## </p>
56e1b3d2 127## </desc>
0bfccda4 128gen_tunable(httpd_enable_cgi, false)
129
130## <desc>
131## <p>
132## Allow httpd to act as a FTP server by
133## listening on the ftp port.
134## </p>
56e1b3d2 135## </desc>
0bfccda4 136gen_tunable(httpd_enable_ftp_server, false)
56e1b3d2 137
138## <desc>
139## <p>
140## Allow httpd to act as a FTP client
141## connecting to the ftp port and ephemeral ports
142## </p>
143## </desc>
144gen_tunable(httpd_can_connect_ftp, false)
145
146## <desc>
147## <p>
148## Allow httpd to connect to the ldap port
149## </p>
150## </desc>
151gen_tunable(httpd_can_connect_ldap, false)
152
56e1b3d2 153## <desc>
154## <p>
155## Allow httpd to read home directories
156## </p>
56e1b3d2 157## </desc>
0bfccda4 158gen_tunable(httpd_enable_homedirs, false)
56e1b3d2 159
3eaa9939 160## <desc>
161## <p>
162## Allow httpd to read user content
163## </p>
164## </desc>
165gen_tunable(httpd_read_user_content, false)
166
56e1b3d2 167## <desc>
168## <p>
169## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
170## </p>
56e1b3d2 171## </desc>
0bfccda4 172gen_tunable(httpd_ssi_exec, false)
56e1b3d2 173
3eaa9939 174## <desc>
175## <p>
176## Allow Apache to execute tmp content.
177## </p>
178## </desc>
179gen_tunable(httpd_tmp_exec, false)
180
56e1b3d2 181## <desc>
182## <p>
183## Allow HTTPD to communicate with the terminal.
184## Needed for entering the passphrase for certificates at
185## the terminal.
186## </p>
56e1b3d2 187## </desc>
0bfccda4 188gen_tunable(httpd_tty_comm, false)
189
190## <desc>
191## <p>
192## Unify HTTPD handling of all content files.
193## </p>
56e1b3d2 194## </desc>
0bfccda4 195gen_tunable(httpd_unified, false)
56e1b3d2 196
60def66b 197## <desc>
198## <p>
199## Allow httpd to access cifs file systems
200## </p>
201## </desc>
202gen_tunable(httpd_use_cifs, false)
203
204## <desc>
205## <p>
206## Allow httpd to run gpg in gpg-web domain
207## </p>
208## </desc>
209gen_tunable(httpd_use_gpg, false)
210
211## <desc>
212## <p>
213## Allow httpd to access nfs file systems
214## </p>
215## </desc>
216gen_tunable(httpd_use_nfs, false)
217
3eaa9939 218## <desc>
219## <p>
220## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t.
221## </p>
222## </desc>
223gen_tunable(allow_httpd_sys_script_anon_write, false)
224
a996bdf4 225attribute httpdcontent;
a334d291 226attribute httpd_user_content_type;
14dcf129 227attribute httpd_content_type;
a996bdf4 228
229# domains that can exec all users scripts
230attribute httpd_exec_scripts;
231
14dcf129 232attribute httpd_script_type;
123a990b 233attribute httpd_script_exec_type;
a334d291 234attribute httpd_user_script_exec_type;
123a990b 235
236# user script domains
237attribute httpd_script_domains;
238
239type httpd_t;
240type httpd_exec_t;
0bfccda4 241init_daemon_domain(httpd_t, httpd_exec_t)
e749cd12 242role system_r types httpd_t;
243
244# httpd_cache_t is the type given to the /var/cache/httpd
245# directory and the files under that directory
246type httpd_cache_t;
247files_type(httpd_cache_t)
248
249# httpd_config_t is the type given to the configuration files
250type httpd_config_t;
5e4542af 251files_config_file(httpd_config_t)
252
253type httpd_helper_t;
a996bdf4 254type httpd_helper_exec_t;
e749cd12 255domain_type(httpd_helper_t)
0bfccda4 256domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
e749cd12 257role system_r types httpd_helper_t;
a996bdf4 258
259type httpd_initrc_exec_t;
260init_script_file(httpd_initrc_exec_t)
261
262type httpd_unit_file_t;
263systemd_unit_file(httpd_unit_file_t)
eedf23b8 264
265type httpd_lock_t;
266files_lock_file(httpd_lock_t)
267
268type httpd_log_t;
269logging_log_file(httpd_log_t)
270
20fa7032 271# httpd_modules_t is the type given to module files (libraries)
272# that come with Apache /etc/httpd/modules and /usr/lib/apache
273type httpd_modules_t;
274files_type(httpd_modules_t)
275
276type httpd_php_t;
a996bdf4 277type httpd_php_exec_t;
e749cd12 278domain_type(httpd_php_t)
0bfccda4 279domain_entry_file(httpd_php_t, httpd_php_exec_t)
e749cd12 280role system_r types httpd_php_t;
281
282type httpd_php_tmp_t;
283files_tmp_file(httpd_php_tmp_t)
284
285type httpd_rotatelogs_t;
286type httpd_rotatelogs_exec_t;
287init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
288
289type httpd_squirrelmail_t;
290files_type(httpd_squirrelmail_t)
291
292# SUEXEC runs user scripts as their own user ID
293type httpd_suexec_t; #, daemon;
a996bdf4 294type httpd_suexec_exec_t;
e749cd12 295domain_type(httpd_suexec_t)
0bfccda4 296domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
e749cd12 297role system_r types httpd_suexec_t;
298
299type httpd_suexec_tmp_t;
300files_tmp_file(httpd_suexec_tmp_t)
301
302# setup the system domain for system CGI scripts
303apache_content_template(sys)
3eaa9939 304
14dcf129 305optional_policy(`
306 postgresql_unpriv_client(httpd_sys_script_t)
307')
308
309typeattribute httpd_sys_content_t httpdcontent; # customizable
310typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
311typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
c2b18fa1 312
313# Removal of fastcgi, will cause problems without the following
314typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
315typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
316typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
317typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
318typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
319
320type httpd_tmp_t;
321files_tmp_file(httpd_tmp_t)
322
323type httpd_tmpfs_t;
324files_tmpfs_file(httpd_tmpfs_t)
325
326apache_content_template(user)
327ubac_constrained(httpd_user_script_t)
328typeattribute httpd_user_content_t httpdcontent;
329typeattribute httpd_user_rw_content_t httpdcontent;
330typeattribute httpd_user_ra_content_t httpdcontent;
331
332userdom_user_home_content(httpd_user_content_t)
333userdom_user_home_content(httpd_user_htaccess_t)
334userdom_user_home_content(httpd_user_script_exec_t)
335userdom_user_home_content(httpd_user_ra_content_t)
336userdom_user_home_content(httpd_user_rw_content_t)
337typeattribute httpd_user_script_t httpd_script_domains;
338typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
3eaa9939 339typealias httpd_user_content_t alias httpd_unconfined_content_t;
296273a7 340typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
341typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
342typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
343typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
344typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
345typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
346typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
347typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
348typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
349typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
350typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
351typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
352typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
296273a7 353
354# for apache2 memory mapped files
355type httpd_var_lib_t;
356files_type(httpd_var_lib_t)
357
358type httpd_var_run_t;
359files_pid_file(httpd_var_run_t)
360
361# Removal of fastcgi, will cause problems without the following
362typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
363
364# File Type of squirrelmail attachments
365type squirrelmail_spool_t;
366files_tmp_file(squirrelmail_spool_t)
0059652b 367files_spool_file(squirrelmail_spool_t)
a996bdf4 368
bb7170f6 369optional_policy(`
370 prelink_object_file(httpd_modules_t)
371')
372
373type httpd_passwd_t;
374type httpd_passwd_exec_t;
375application_domain(httpd_passwd_t, httpd_passwd_exec_t)
376role system_r types httpd_passwd_t;
377
378########################################
379#
380# Apache server local policy
381#
382
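# Capabilities and process permissions for the main daemon.  setrlimit/sys_resource
# and execmem/execstack are not granted here; they are gated by the httpd_setrlimit
# and httpd_execmem tunables further down.
allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
# sys_tty_config is already allowed above, so a dontaudit for it would never
# fire; only net_admin is silenced here.
dontaudit httpd_t self:capability net_admin;
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;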
387allow httpd_t self:sock_file read_sock_file_perms;
388allow httpd_t self:fifo_file rw_fifo_file_perms;
389allow httpd_t self:shm create_shm_perms;
390allow httpd_t self:sem create_sem_perms;
391allow httpd_t self:msgq create_msgq_perms;
392allow httpd_t self:msg { send receive };
393allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
394allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
33c7e6b4 395allow httpd_t self:tcp_socket create_stream_socket_perms;
e9a4084d 396allow httpd_t self:udp_socket create_socket_perms;
55e9f0e7 397dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
398
399# Allow httpd_t to put files in /var/cache/httpd etc
400manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
401manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
402manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
3eaa9939 403files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
404
405# Allow the httpd_t to read the web servers config files
c0868a7a 406allow httpd_t httpd_config_t:dir list_dir_perms;
407read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
408read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
409
410can_exec(httpd_t, httpd_exec_t)
411
c0868a7a 412allow httpd_t httpd_lock_t:file manage_file_perms;
0bfccda4 413files_lock_filetrans(httpd_t, httpd_lock_t, file)
a996bdf4 414
c0868a7a 415allow httpd_t httpd_log_t:dir setattr;
416create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
417append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
418read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
419read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
420# cjp: need to refine create interfaces to
421# cut this back to add_name only
0bfccda4 422logging_log_filetrans(httpd_t, httpd_log_t, file)
a996bdf4 423
c0868a7a 424allow httpd_t httpd_modules_t:dir list_dir_perms;
425mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
426read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
60def66b 427read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
a996bdf4 428
429apache_domtrans_rotatelogs(httpd_t)
430# Apache-httpd needs to be able to send signals to the log rotate procs.
431allow httpd_t httpd_rotatelogs_t:process signal_perms;
432
433manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
434manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
435manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
a996bdf4 436
0b36a214 437allow httpd_t httpd_suexec_exec_t:file read_file_perms;
725926c5 438
c0868a7a 439allow httpd_t httpd_sys_content_t:dir list_dir_perms;
440read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
441read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
3d37bca1 442
443allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
444
445manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
446manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
6d5f4f28 447manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
60def66b 448manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
6d5f4f28 449files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
a996bdf4 450
451manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
452manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
453manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
454manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
455manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
20fa7032 456fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
a996bdf4 457
458manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
459files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
a996bdf4 460
461setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
462manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
463manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
464manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
60def66b 465files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
a996bdf4 466
467manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
468manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
469manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
a996bdf4 470
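# Kernel state the daemon may read.  kernel_read_network_state was listed
# twice; the duplicate has been dropped (it changed nothing, but hid the fact
# that the rule had already been granted).
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
kernel_read_network_state(httpd_t)
kernel_search_network_sysctl(httpd_t)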
a996bdf4 477
478corenet_all_recvfrom_unlabeled(httpd_t)
479corenet_all_recvfrom_netlabel(httpd_t)
480corenet_tcp_sendrecv_generic_if(httpd_t)
481corenet_udp_sendrecv_generic_if(httpd_t)
482corenet_tcp_sendrecv_generic_node(httpd_t)
483corenet_udp_sendrecv_generic_node(httpd_t)
484corenet_tcp_sendrecv_all_ports(httpd_t)
485corenet_udp_sendrecv_all_ports(httpd_t)
c1262146 486corenet_tcp_bind_generic_node(httpd_t)
3eaa9939 487corenet_udp_bind_generic_node(httpd_t)
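# Ports the daemon may listen on unconditionally.
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
corenet_tcp_bind_ntop_port(httpd_t)
corenet_tcp_bind_jboss_management_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
corenet_tcp_bind_puppet_port(httpd_t)
# A commented-out corenet_tcp_connect_http_port(httpd_t) used to sit here
# ("Signal self for shutdown").  Outbound connections to the http port are
# not granted unconditionally; they are gated by httpd_can_network_relay and
# httpd_can_network_connect below.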
496
497dev_read_sysfs(httpd_t)
498dev_read_rand(httpd_t)
499dev_read_urand(httpd_t)
c2b18fa1 500dev_rw_crypto(httpd_t)
501
502fs_getattr_all_fs(httpd_t)
503fs_search_auto_mountpoints(httpd_t)
504fs_read_iso9660_files(httpd_t)
505fs_read_anon_inodefs_files(httpd_t)
a996bdf4 506
507auth_use_nsswitch(httpd_t)
508
3eaa9939 509application_exec_all(httpd_t)
a996bdf4 510
15722ec9 511domain_use_interactive_fds(httpd_t)
a996bdf4 512
60def66b 513files_dontaudit_getattr_all_pids(httpd_t)
514files_read_usr_files(httpd_t)
515files_list_mnt(httpd_t)
516files_search_spool(httpd_t)
ac84f68a 517files_read_var_symlinks(httpd_t)
518files_read_var_lib_files(httpd_t)
519files_search_home(httpd_t)
520files_getattr_home_dir(httpd_t)
521# for modules that want to access /etc/mtab
522files_read_etc_runtime_files(httpd_t)
523# Allow httpd_t to have access to files such as nisswitch.conf
524files_read_etc_files(httpd_t)
525# for tomcat
526files_read_var_lib_symlinks(httpd_t)
a996bdf4 527
d6d16b97 528fs_search_auto_mountpoints(httpd_sys_script_t)
529# php uploads a file to /tmp and then execs programs to act on them
530manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
531manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
27b4213b 532manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
bfa36011 533manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
27b4213b 534manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
3eaa9939 535files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
d6d16b97 536
1815bad1 537libs_read_lib_files(httpd_t)
a996bdf4 538
539ifdef(`hide_broken_symptoms',`
540 libs_exec_lib_files(httpd_t)
541')
542
543logging_send_syslog_msg(httpd_t)
544
545miscfiles_read_localization(httpd_t)
546miscfiles_read_fonts(httpd_t)
6e99a6cf 547miscfiles_read_public_files(httpd_t)
83406219 548miscfiles_read_generic_certs(httpd_t)
8c068e04 549miscfiles_read_tetex_data(httpd_t)
550
551seutil_dontaudit_search_config(httpd_t)
552
103fe280 553userdom_use_unpriv_users_fds(httpd_t)
a996bdf4 554
555tunable_policy(`httpd_setrlimit',`
556 allow httpd_t self:process setrlimit;
0c28fe6e 557 allow httpd_t self:capability sys_resource;
558')
559
560tunable_policy(`allow_httpd_anon_write',`
561 miscfiles_manage_public_files(httpd_t)
20fa7032 562')
6e99a6cf 563
564#
565# We need optionals to be able to be within booleans to make this work
566#
567tunable_policy(`allow_httpd_mod_auth_pam',`
568 auth_domtrans_chkpwd(httpd_t)
569 logging_send_audit_msgs(httpd_t)
570')
571
3eaa9939 572optional_policy(`
c5eae5f8 573 tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
3eaa9939 574 samba_domtrans_winbind_helper(httpd_t)
c5eae5f8 575 ')
576')
577
6e99a6cf 578tunable_policy(`httpd_can_network_connect',`
6e99a6cf 579 corenet_tcp_connect_all_ports(httpd_t)
580')
581
9b26005b 582tunable_policy(`httpd_can_network_connect_db',`
ec7dfab4 583 corenet_tcp_connect_firebird_port(httpd_t)
584 corenet_tcp_connect_mssql_port(httpd_t)
585 corenet_sendrecv_mssql_client_packets(httpd_t)
586 corenet_tcp_connect_oracle_port(httpd_t)
587 corenet_sendrecv_oracle_client_packets(httpd_t)
588')
589
590tunable_policy(`httpd_can_network_memcache',`
591 corenet_tcp_connect_memcache_port(httpd_t)
592')
593
594tunable_policy(`httpd_can_network_relay',`
595 # allow httpd to work as a relay
596 corenet_tcp_connect_gopher_port(httpd_t)
597 corenet_tcp_connect_ftp_port(httpd_t)
598 corenet_tcp_connect_http_port(httpd_t)
599 corenet_tcp_connect_http_cache_port(httpd_t)
3eaa9939 600 corenet_tcp_connect_squid_port(httpd_t)
60def66b 601 corenet_tcp_connect_memcache_port(httpd_t)
602 corenet_sendrecv_gopher_client_packets(httpd_t)
603 corenet_sendrecv_ftp_client_packets(httpd_t)
604 corenet_sendrecv_http_client_packets(httpd_t)
605 corenet_sendrecv_http_cache_client_packets(httpd_t)
3eaa9939 606 corenet_sendrecv_squid_client_packets(httpd_t)
4943b049 607 corenet_tcp_connect_all_ephemeral_ports(httpd_t)
608')
609
610tunable_policy(`httpd_execmem',`
611 allow httpd_t self:process { execmem execstack };
612 allow httpd_sys_script_t self:process { execmem execstack };
613 allow httpd_suexec_t self:process { execmem execstack };
614')
615
616tunable_policy(`httpd_enable_cgi && httpd_unified',`
617 allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
618 filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
619 can_exec(httpd_sys_script_t, httpd_sys_content_t)
620')
621
622tunable_policy(`allow_httpd_sys_script_anon_write',`
623 miscfiles_manage_public_files(httpd_sys_script_t)
c5eae5f8 624')
3eaa9939 625
626tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
627 fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
628')
629
630tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
631 fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
632')
633
6e99a6cf 634tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
c0868a7a 635 domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
636 filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
637 manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
638 manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
639 manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
6e99a6cf 640
641 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
642 manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
643 manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
644')
645
e6b51a26 646tunable_policy(`httpd_can_connect_ftp',`
a4787777 647 corenet_tcp_connect_ftp_port(httpd_t)
e6b51a26 648 corenet_tcp_connect_all_ephemeral_ports(httpd_t)
649')
650
651tunable_policy(`httpd_can_connect_ldap',`
652 corenet_tcp_connect_ldap_port(httpd_t)
653')
654
655tunable_policy(`httpd_enable_ftp_server',`
656 corenet_tcp_bind_ftp_port(httpd_t)
e6b51a26 657 corenet_tcp_bind_all_ephemeral_ports(httpd_t)
658')
659
3eaa9939 660tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
c5eae5f8 661 can_exec(httpd_t, httpd_tmp_t)
662')
663
664tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
c5eae5f8 665 can_exec(httpd_sys_script_t, httpd_tmp_t)
666')
667
a996bdf4 668tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
ff3a735f 669 fs_list_auto_mountpoints(httpd_t)
670 fs_read_nfs_files(httpd_t)
671 fs_read_nfs_symlinks(httpd_t)
672')
673
3eaa9939 674tunable_policy(`httpd_use_nfs',`
ff3a735f 675 fs_list_auto_mountpoints(httpd_t)
676 fs_manage_nfs_dirs(httpd_t)
677 fs_manage_nfs_files(httpd_t)
678 fs_manage_nfs_symlinks(httpd_t)
679')
680
681tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
682 fs_read_cifs_files(httpd_t)
683 fs_read_cifs_symlinks(httpd_t)
684')
685
686tunable_policy(`httpd_can_sendmail',`
687 # allow httpd to connect to mail servers
688 corenet_tcp_connect_smtp_port(httpd_t)
689 corenet_sendrecv_smtp_client_packets(httpd_t)
690 corenet_tcp_connect_pop_port(httpd_t)
691 corenet_sendrecv_pop_client_packets(httpd_t)
60def66b 692 mta_send_mail(httpd_t)
693 mta_signal_system_mail(httpd_t)
694')
695
696tunable_policy(`httpd_use_cifs',`
697 fs_manage_cifs_dirs(httpd_t)
698 fs_manage_cifs_files(httpd_t)
699 fs_manage_cifs_symlinks(httpd_t)
700')
701
e749cd12 702tunable_policy(`httpd_ssi_exec',`
3f67f722 703 corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
704 allow httpd_sys_script_t httpd_t:fd use;
705 allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
706 allow httpd_sys_script_t httpd_t:process sigchld;
707')
708
709# When the admin starts the server, the server wants to access
710# the TTY or PTY associated with the session. The httpd appears
711# to run correctly without this permission, so the permission
20fa7032 712# is dontaudited here (unless httpd_tty_comm is enabled).
6e99a6cf 713tunable_policy(`httpd_tty_comm',`
714 userdom_use_inherited_user_terminals(httpd_t)
715 userdom_use_inherited_user_terminals(httpd_suexec_t)
6e99a6cf 716',`
296273a7 717 userdom_dontaudit_use_user_terminals(httpd_t)
3eaa9939 718 userdom_dontaudit_use_user_terminals(httpd_suexec_t)
719')
720
721optional_policy(`
722 # Support for ABRT retrace server
723 # mod_wsgi
9dd53ce4 724 abrt_manage_spool_retrace(httpd_t)
725 abrt_domtrans_retrace_worker(httpd_t)
726 abrt_read_config(httpd_t)
727')
728
bb7170f6 729optional_policy(`
730 calamaris_read_www_files(httpd_t)
731')
732
733optional_policy(`
734 ccs_read_config(httpd_t)
735')
736
1031ee6f 737optional_policy(`
738 cobbler_list_config(httpd_t)
739 cobbler_read_config(httpd_t)
2968e068 740 cobbler_read_lib_files(httpd_t)
741
742 tunable_policy(`httpd_can_network_connect_cobbler',`
743 corenet_tcp_connect_cobbler_port(httpd_t)
744 ')
745')
746
747optional_policy(`
748 cron_system_entry(httpd_t, httpd_exec_t)
749')
750
751optional_policy(`
752 cvs_read_data(httpd_t)
753')
754
bb7170f6 755optional_policy(`
756 daemontools_service_domain(httpd_t, httpd_exec_t)
757')
758
759optional_policy(`
760 dirsrv_manage_config(httpd_t)
761 dirsrv_manage_log(httpd_t)
762 dirsrv_manage_var_run(httpd_t)
763 dirsrv_read_share(httpd_t)
764 dirsrv_signal(httpd_t)
765 dirsrv_signull(httpd_t)
766 dirsrvadmin_manage_config(httpd_t)
767 dirsrvadmin_manage_tmp(httpd_t)
d248b945 768 dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
769')
770
3eaa9939 771optional_policy(`
772 dbus_system_bus_client(httpd_t)
773
774 tunable_policy(`httpd_dbus_avahi',`
775 avahi_dbus_chat(httpd_t)
776 ')
777')
778
779optional_policy(`
780 tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
3eaa9939 781 gpg_domtrans_web(httpd_t)
782 ')
783')
784
bb7170f6 785optional_policy(`
83caba3e 786 kerberos_keytab_template(httpd, httpd_t)
787')
788
bb7170f6 789optional_policy(`
790 mailman_signal_cgi(httpd_t)
791 mailman_domtrans_cgi(httpd_t)
60def66b 792 mailman_read_data_files(httpd_t)
799a0b43 793 # should have separate types for public and private archives
0500e01f 794 mailman_search_data(httpd_t)
795 mailman_read_archive(httpd_t)
796')
797
798optional_policy(`
799 mediawiki_read_tmp_files(httpd_t)
800 mediawiki_delete_tmp_files(httpd_t)
801')
802
bb7170f6 803optional_policy(`
0b6acad1 804 # Allow httpd to work with mysql
3eaa9939 805 mysql_read_config(httpd_t)
a996bdf4 806 mysql_stream_connect(httpd_t)
1815bad1 807 mysql_rw_db_sockets(httpd_t)
808
809 tunable_policy(`httpd_can_network_connect_db',`
dc1920b2 810 mysql_tcp_connect(httpd_t)
0b6acad1 811 ')
812')
813
814optional_policy(`
815 nagios_read_config(httpd_t)
3eaa9939 816 nagios_read_log(httpd_t)
817')
818
819optional_policy(`
820 openca_domtrans(httpd_t)
821 openca_signal(httpd_t)
822 openca_sigstop(httpd_t)
823 openca_kill(httpd_t)
824')
825
d7de04f8 826optional_policy(`
827 passenger_domtrans(httpd_t)
828 passenger_manage_pid_content(httpd_t)
829 passenger_read_lib_files(httpd_t)
830')
831
832optional_policy(`
833 puppet_read_lib(httpd_t)
834')
835
836optional_policy(`
837 rpc_search_nfs_state_data(httpd_t)
838')
839
bb7170f6 840optional_policy(`
725926c5 841 # Allow httpd to work with postgresql
1815bad1 842 postgresql_stream_connect(httpd_t)
e8cb08ae 843 postgresql_unpriv_client(httpd_t)
844
845 tunable_policy(`httpd_can_network_connect_db',`
846 postgresql_tcp_connect(httpd_t)
847 ')
848')
849
bb7170f6 850optional_policy(`
851 seutil_sigchld_newrole(httpd_t)
852')
853
6b19be33 854optional_policy(`
ddd1ccaa 855 smokeping_read_lib_files(httpd_t)
856')
857
858optional_policy(`
859 files_dontaudit_rw_usr_dirs(httpd_t)
860 snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
861 snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
862')
863
bb7170f6 864optional_policy(`
865 udev_read_db(httpd_t)
866')
867
868optional_policy(`
869 yam_read_content(httpd_t)
870')
871
3eaa9939 872optional_policy(`
5243a989 873 zarafa_manage_lib_files(httpd_t)
3eaa9939 874 zarafa_stream_connect_server(httpd_t)
d889c6bb 875 zarafa_search_config(httpd_t)
3eaa9939
DW
876')
877
a996bdf4
CP
########################################
#
# Apache helper local policy
#

# httpd_t enters httpd_helper_t by executing a file labeled httpd_helper_exec_t.
domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)

allow httpd_helper_t httpd_config_t:file read_file_perms;

# Append-only on the log type; no read or create.
allow httpd_helper_t httpd_log_t:file append_file_perms;

logging_send_syslog_msg(httpd_helper_t)

# NOTE review: this unconditional grant already covers the rule inside the
# httpd_tty_comm block below.  As written the boolean does not actually
# restrict helper access to inherited user terminals.  One of the two is
# redundant; which to keep is a policy decision for the maintainers.
userdom_use_inherited_user_terminals(httpd_helper_t)

tunable_policy(`httpd_tty_comm',`
	userdom_use_inherited_user_terminals(httpd_helper_t)
')
########################################
#
# Apache PHP script local policy
#

# The tilde is set complement: httpd_php_t gets every self:process permission
# except the listed ones.  The exclusions keep ptrace / context switching and
# the execmem-execstack-execheap trio off the PHP domain; whether the
# httpd_execmem boolean declared at the top of the file re-adds them for this
# domain is not visible in this section.
allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_php_t self:fd use;
allow httpd_php_t self:fifo_file rw_fifo_file_perms;
allow httpd_php_t self:sock_file read_sock_file_perms;
allow httpd_php_t self:unix_dgram_socket create_socket_perms;
allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_php_t self:unix_dgram_socket sendto;
allow httpd_php_t self:unix_stream_socket connectto;
allow httpd_php_t self:shm create_shm_perms;
allow httpd_php_t self:sem create_sem_perms;
allow httpd_php_t self:msgq create_msgq_perms;
allow httpd_php_t self:msg { send receive };

# httpd_t enters httpd_php_t by executing a file labeled httpd_php_exec_t.
domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)

# allow php to read and append to apache logfiles
allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };

# Private temp type; new files and dirs under /tmp are labeled
# httpd_php_tmp_t so other domains do not share them.
manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })

fs_search_auto_mountpoints(httpd_php_t)

auth_use_nsswitch(httpd_php_t)

# Execute permission on library files - broader than the read-only
# libs_read_lib_files used for the generic script attribute later on.
libs_exec_lib_files(httpd_php_t)

userdom_use_unpriv_users_fds(httpd_php_t)

# Direct TCP to firebird / mssql / oracle ports is gated by the DB boolean.
tunable_policy(`httpd_can_network_connect_db',`
	corenet_tcp_connect_firebird_port(httpd_php_t)
	corenet_tcp_connect_mssql_port(httpd_php_t)
	corenet_sendrecv_mssql_client_packets(httpd_php_t)
	corenet_tcp_connect_oracle_port(httpd_php_t)
	corenet_sendrecv_oracle_client_packets(httpd_php_t)
')

# Local-socket access to mysql / postgresql is unconditional when the
# module is present; only the TCP path depends on the boolean.
optional_policy(`
	mysql_stream_connect(httpd_php_t)
	mysql_rw_db_sockets(httpd_php_t)
	mysql_read_config(httpd_php_t)

	tunable_policy(`httpd_can_network_connect_db',`
		mysql_tcp_connect(httpd_php_t)
	')
')

optional_policy(`
	postgresql_stream_connect(httpd_php_t)
	postgresql_unpriv_client(httpd_php_t)

	tunable_policy(`httpd_can_network_connect_db',`
		postgresql_tcp_connect(httpd_php_t)
	')
')
########################################
#
# Apache suexec local policy
#

# suexec exists to drop to the CGI owner uid, hence setuid / setgid.  These
# two capabilities are what make this domain the most sensitive helper in
# the file: anything executed in httpd_suexec_t itself runs with them.
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;

allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;

# httpd_t enters httpd_suexec_t by executing a file labeled httpd_suexec_exec_t.
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)

# create + append + read on the log type, but no write / unlink.
create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)

allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;

manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })

# can_exec is execute without a domain transition: system script
# executables run inside httpd_suexec_t itself, with the capabilities above.
can_exec(httpd_suexec_t, httpd_sys_script_exec_t)

# Read-only on the three user content flavours.
read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)

kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)

dev_read_urand(httpd_suexec_t)

fs_read_iso9660_files(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)

# Execute any application executable type in this domain.
application_exec_all(httpd_suexec_t)

files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)

auth_use_nsswitch(httpd_suexec_t)

logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)

miscfiles_read_localization(httpd_suexec_t)
miscfiles_read_public_files(httpd_suexec_t)

# Client-side network access only: connect to all ports but no bind.
tunable_policy(`httpd_can_network_connect',`
	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
	allow httpd_suexec_t self:udp_socket create_socket_perms;

	corenet_all_recvfrom_unlabeled(httpd_suexec_t)
	corenet_all_recvfrom_netlabel(httpd_suexec_t)
	corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
	corenet_udp_sendrecv_generic_if(httpd_suexec_t)
	corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
	corenet_udp_sendrecv_generic_node(httpd_suexec_t)
	corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
	corenet_tcp_connect_all_ports(httpd_suexec_t)
	corenet_sendrecv_all_client_packets(httpd_suexec_t)
')

tunable_policy(`httpd_can_network_connect_db',`
	corenet_tcp_connect_firebird_port(httpd_suexec_t)
	corenet_tcp_connect_mssql_port(httpd_suexec_t)
	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
	corenet_tcp_connect_oracle_port(httpd_suexec_t)
	corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
')
3eaa9939 1036domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
f6bcb24b 1037
5b6698f7
MG
1038tunable_policy(`httpd_can_sendmail',`
1039 mta_send_mail(httpd_suexec_t)
1040')
1041
6e99a6cf 1042tunable_policy(`httpd_enable_cgi && httpd_unified',`
60def66b 1043 allow httpd_sys_script_t httpdcontent:file entrypoint;
c0868a7a 1044 domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
3eaa9939
DW
1045 manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1046 manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1047 manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1048 manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1049')
c5eae5f8 1050
a996bdf4 1051tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
182abff9 1052 fs_list_auto_mountpoints(httpd_suexec_t)
a996bdf4
CP
1053 fs_read_nfs_files(httpd_suexec_t)
1054 fs_read_nfs_symlinks(httpd_suexec_t)
4d851fe9 1055 fs_exec_nfs_files(httpd_suexec_t)
a996bdf4
CP
1056')
1057
1058tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
1059 fs_read_cifs_files(httpd_suexec_t)
1060 fs_read_cifs_symlinks(httpd_suexec_t)
4d851fe9 1061 fs_exec_cifs_files(httpd_suexec_t)
a996bdf4
CP
1062')
1063
bb7170f6 1064optional_policy(`
799a0b43
CP
1065 mailman_domtrans_cgi(httpd_suexec_t)
1066')
1067
bb7170f6 1068optional_policy(`
725926c5
CP
1069 mta_stub(httpd_suexec_t)
1070
1071 # apache should set close-on-exec
1072 dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
1073')
1074
3eaa9939
DW
1075optional_policy(`
1076 mysql_stream_connect(httpd_suexec_t)
1077 mysql_rw_db_sockets(httpd_suexec_t)
1078 mysql_read_config(httpd_suexec_t)
9b26005b
DG
1079
1080 tunable_policy(`httpd_can_network_connect_db',`
1081 mysql_tcp_connect(httpd_suexec_t)
1082 ')
1083')
1084
1085optional_policy(`
1086 postgresql_stream_connect(httpd_suexec_t)
1087 postgresql_unpriv_client(httpd_suexec_t)
1088
1089 tunable_policy(`httpd_can_network_connect_db',`
1090 postgresql_tcp_connect(httpd_suexec_t)
1091 ')
3eaa9939
DW
1092')
1093
a996bdf4
CP
########################################
#
# Apache system script local policy
#

allow httpd_sys_script_t self:process getsched;

allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
# System scripts may read and write the TCP socket inherited from httpd_t,
# i.e. the client connection.  The attribute-wide rule near the end of the
# file only dontaudits this access for httpd_script_type, so this explicit
# allow is what actually enables it for the system script domain.
allow httpd_sys_script_t httpd_t:tcp_socket { read write };

dontaudit httpd_sys_script_t httpd_config_t:dir search;

allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };

allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)

kernel_read_kernel_sysctls(httpd_sys_script_t)

files_read_var_symlinks(httpd_sys_script_t)
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)

logging_inherit_append_all_logs(httpd_sys_script_t)

# Should we add a boolean?
# NOTE review: the rotatelogs domain below carries dac_override and full
# manage rights on httpd_log_t, so this unconditional transition lets a
# system CGI script reach a more privileged domain.  A boolean as the
# existing comment suggests would let admins close that path.
apache_domtrans_rotatelogs(httpd_sys_script_t)

auth_use_nsswitch(httpd_sys_script_t)

# Red Hat builds let system scripts append to the apache log type directly.
ifdef(`distro_redhat',`
	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')

tunable_policy(`httpd_can_sendmail',`
	mta_send_mail(httpd_sys_script_t)
')

# NOTE review: the subject here is httpd_t, not httpd_sys_script_t, even
# though this is the system script section.  May be intentional - confirm.
optional_policy(`
	tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
		spamassassin_domtrans_client(httpd_t)
	')
')

tunable_policy(`httpd_can_network_connect_db',`
	corenet_tcp_connect_firebird_port(httpd_sys_script_t)
	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
	corenet_tcp_connect_oracle_port(httpd_sys_script_t)
	corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
')
# By interface name these make files on CIFS and NFS mounts valid entry
# points for httpd_sys_script_t.  They are unconditional; the httpd_use_nfs
# and httpd_use_cifs booleans below only govern access after entry.
fs_cifs_entry_type(httpd_sys_script_t)
fs_read_iso9660_files(httpd_sys_script_t)
fs_nfs_entry_type(httpd_sys_script_t)

# Full manage plus exec on NFS for both the script and the suexec domain.
tunable_policy(`httpd_use_nfs',`
	fs_list_auto_mountpoints(httpd_sys_script_t)
	fs_manage_nfs_dirs(httpd_sys_script_t)
	fs_manage_nfs_files(httpd_sys_script_t)
	fs_manage_nfs_symlinks(httpd_sys_script_t)
	fs_exec_nfs_files(httpd_sys_script_t)

	fs_list_auto_mountpoints(httpd_suexec_t)
	fs_manage_nfs_dirs(httpd_suexec_t)
	fs_manage_nfs_files(httpd_suexec_t)
	fs_manage_nfs_symlinks(httpd_suexec_t)
	fs_exec_nfs_files(httpd_suexec_t)
')

# Unlike the suexec network block this one also allows binding to generic
# nodes, so with both booleans on a system script may listen as well as
# connect to any port.
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
	allow httpd_sys_script_t self:udp_socket create_socket_perms;

	corenet_tcp_bind_generic_node(httpd_sys_script_t)
	corenet_udp_bind_generic_node(httpd_sys_script_t)
	corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
	corenet_all_recvfrom_netlabel(httpd_sys_script_t)
	corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
	corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
	corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
	corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
	corenet_tcp_connect_all_ports(httpd_sys_script_t)
	corenet_sendrecv_all_client_packets(httpd_sys_script_t)
')

tunable_policy(`httpd_enable_homedirs',`
	userdom_search_user_home_dirs(httpd_sys_script_t)
')

tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_list_auto_mountpoints(httpd_sys_script_t)
	fs_read_nfs_files(httpd_sys_script_t)
	fs_read_nfs_symlinks(httpd_sys_script_t)
')

tunable_policy(`httpd_read_user_content',`
	userdom_read_user_home_content_files(httpd_sys_script_t)
')

# NOTE review: unlike the httpd_use_nfs block above, exec on CIFS is granted
# only to httpd_suexec_t here and not to httpd_sys_script_t.  Possibly an
# oversight - confirm before relying on the asymmetry.
tunable_policy(`httpd_use_cifs',`
	fs_manage_cifs_dirs(httpd_sys_script_t)
	fs_manage_cifs_files(httpd_sys_script_t)
	fs_manage_cifs_symlinks(httpd_sys_script_t)
	fs_manage_cifs_dirs(httpd_suexec_t)
	fs_manage_cifs_files(httpd_suexec_t)
	fs_manage_cifs_symlinks(httpd_suexec_t)
	fs_exec_cifs_files(httpd_suexec_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_read_cifs_files(httpd_sys_script_t)
	fs_read_cifs_symlinks(httpd_sys_script_t)
')
# Optional integrations for the system script domain.  Local socket access
# to the databases is unconditional when the module is present; TCP is
# gated behind httpd_can_network_connect_db.

optional_policy(`
	clamav_domtrans_clamscan(httpd_sys_script_t)
')

optional_policy(`
	mysql_stream_connect(httpd_sys_script_t)
	mysql_rw_db_sockets(httpd_sys_script_t)
	mysql_read_config(httpd_sys_script_t)

	tunable_policy(`httpd_can_network_connect_db',`
		mysql_tcp_connect(httpd_sys_script_t)
	')
')

optional_policy(`
	postgresql_stream_connect(httpd_sys_script_t)
	postgresql_unpriv_client(httpd_sys_script_t)

	tunable_policy(`httpd_can_network_connect_db',`
		postgresql_tcp_connect(httpd_sys_script_t)
	')
')
########################################
#
# httpd_rotatelogs local policy
#

# dac_override bypasses DAC checks on file access.  Together with the full
# manage rights on httpd_log_t below this domain can rewrite or remove any
# apache log; note that it is reachable from httpd_sys_script_t through
# apache_domtrans_rotatelogs in the system script section.
allow httpd_rotatelogs_t self:capability dac_override;

manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)

kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)

files_read_etc_files(httpd_rotatelogs_t)

logging_search_logs(httpd_rotatelogs_t)

miscfiles_read_localization(httpd_rotatelogs_t)
########################################
#
# Unconfined script local policy
#

# No boolean gates this block: whenever the unconfined module is present,
# any file labeled httpd_unconfined_script_exec_t that httpd_t executes runs
# in a fully unconfined domain.  The file label is the only control, so
# file context assignments for that type deserve the same scrutiny as
# setuid binaries.
optional_policy(`
	type httpd_unconfined_script_t;
	type httpd_unconfined_script_exec_t;
	domain_type(httpd_unconfined_script_t)
	domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
	domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
	unconfined_domain(httpd_unconfined_script_t)

	role system_r types httpd_unconfined_script_t;
	allow httpd_t httpd_unconfined_script_t:process signal_perms;
')
########################################
#
# User content local policy
#

# Unified mode for user scripts.  The entrypoint rule covers every
# httpdcontent file, not only the user content types, and the manage rules
# give the user script domain full write access to httpd_user_ra_content_t
# even though the ra suffix suggests a read-append type - presumably the
# intended trade-off of httpd_unified; confirm.
tunable_policy(`httpd_enable_cgi && httpd_unified',`
	allow httpd_user_script_t httpdcontent:file entrypoint;
	manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
	manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
	manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
	manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
')

# allow accessing files/dirs below the users home dir
# Search only; reading the files is a separate boolean below.
tunable_policy(`httpd_enable_homedirs',`
	userdom_search_user_home_content(httpd_t)
	userdom_search_user_home_content(httpd_suexec_t)
	userdom_search_user_home_content(httpd_user_script_t)
')

tunable_policy(`httpd_read_user_content',`
	userdom_read_user_home_content_files(httpd_t)
	userdom_read_user_home_content_files(httpd_suexec_t)
	userdom_read_user_home_content_files(httpd_user_script_t)
')
########################################
#
# httpd_passwd local policy
#

allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;

domain_use_interactive_fds(httpd_passwd_t)

files_read_etc_files(httpd_passwd_t)

miscfiles_read_localization(httpd_passwd_t)

corecmd_exec_bin(httpd_passwd_t)

kernel_read_system_state(httpd_passwd_t)

dev_read_urand(httpd_passwd_t)

# NOTE review: the subject is httpd_t rather than httpd_passwd_t, and unlike
# the other external module interfaces in this file the call is not wrapped
# in optional_policy.  Fine if systemd is a base module in this tree and the
# daemon itself owns the run directory - confirm.  The commented-out
# template call below is dead text and could be dropped.
systemd_manage_passwd_run(httpd_t)
#systemd_passwd_agent_dev_template(httpd)

# httpd_t enters httpd_passwd_t by executing a file labeled httpd_passwd_exec_t.
domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
# Silently deny the agent reading apache config rather than granting it.
dontaudit httpd_passwd_t httpd_config_t:file read;
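########################################
#
# Rules shared by every script domain via the httpd_script_type attribute
# and by their executables via httpd_script_exec_type.  Both attributes are
# presumably declared earlier in the file; they are not visible here.
#

search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
# Shell executables are valid entry points for every script domain.
corecmd_shell_entry_type(httpd_script_type)

# rw_file_perms on a fifo_file; the rest of the file uses the fifo-specific
# rw_fifo_file_perms set for the same purpose.
allow httpd_script_type self:fifo_file rw_file_perms;
allow httpd_script_type self:unix_stream_socket connectto;

allow httpd_script_type httpd_t:fifo_file write;
# apache should set close-on-exec
apache_dontaudit_leaks(httpd_script_type)

append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
logging_search_logs(httpd_script_type)

kernel_dontaudit_search_sysctl(httpd_script_type)
kernel_dontaudit_search_kernel_sysctl(httpd_script_type)

dev_read_rand(httpd_script_type)
dev_read_urand(httpd_script_type)

# Broad execute rights for all script domains: every executable type, all
# application types, files under /etc and the library dirs.  This is what
# lets a CGI script run arbitrary installed tools; it is not gated by any
# boolean.
corecmd_exec_all_executables(httpd_script_type)
application_exec_all(httpd_script_type)

files_exec_etc_files(httpd_script_type)
files_read_etc_files(httpd_script_type)
files_search_home(httpd_script_type)

libs_exec_ld_so(httpd_script_type)
libs_exec_lib_files(httpd_script_type)

miscfiles_read_fonts(httpd_script_type)
miscfiles_read_public_files(httpd_script_type)

seutil_dontaudit_search_config(httpd_script_type)
allow httpd_t httpd_script_type:unix_stream_socket connectto;

# What the daemon may do to script executables and script processes:
# read them, list their dirs, and signal / kill the resulting processes.
allow httpd_t httpd_script_exec_type:file read_file_perms;
allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
allow httpd_t httpd_script_type:process { signal sigkill sigstop };
allow httpd_t httpd_script_exec_type:dir list_dir_perms;

allow httpd_script_type self:process { setsched signal_perms };
allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
allow httpd_script_type self:unix_dgram_socket create_socket_perms;

allow httpd_script_type httpd_t:fd use;
allow httpd_script_type httpd_t:process sigchld;

# Scripts inherit the client TCP socket from httpd_t; access to it is
# denied without audit noise here.  The system script section grants it
# explicitly for httpd_sys_script_t.
dontaudit httpd_script_type httpd_t:tcp_socket { read write };

kernel_read_system_state(httpd_script_type)

fs_getattr_xattr_fs(httpd_script_type)

files_read_etc_runtime_files(httpd_script_type)
files_read_usr_files(httpd_script_type)

libs_read_lib_files(httpd_script_type)

miscfiles_read_localization(httpd_script_type)
allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;

tunable_policy(`httpd_enable_cgi && allow_ypbind',`
	nis_use_ypbind_uncond(httpd_script_type)
')

optional_policy(`
	nscd_socket_use(httpd_script_type)
')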
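# NOTE review: httpd_t may read every httpd_content_type file unconditionally.
# Only the directory listing and symlink reads inside the block below are
# actually controlled by httpd_builtin_scripting; turning that boolean off
# does not stop the daemon reading the files themselves.
read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)

tunable_policy(`httpd_builtin_scripting',`
	# search_dir_perms for httpd_t is a subset of the list_dir_perms granted
	# below; suexec gets search only.
	allow httpd_t httpd_content_type:dir search_dir_perms;
	allow httpd_suexec_t httpd_content_type:dir search_dir_perms;

	allow httpd_t httpd_content_type:dir list_dir_perms;
	read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
	read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
')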
1409')