policy_module(apache, 2.2.1)

#
# NOTES:
# This policy will work with SUEXEC enabled as part of the Apache
# configuration. However, the user CGI scripts will run under the
# system_u:system_r:httpd_user_script_t.
#
# The user CGI scripts must be labeled with the httpd_user_script_exec_t
# type, and the directory containing the scripts should also be labeled
# with these types. This policy allows the user role to perform that
# relabeling. If it is desired that only the admin role should be able to relabel
# the user CGI scripts, then the relabel rule for user roles should be removed.
#

########################################
#
# Declarations
#

selinux_genbool(httpd_bool_t)

# Every tunable below defaults to false; each one widens what httpd_t
# (or its script domains) may do, so they are opt-in by design.

## <desc>
## <p>
## Allow Apache to modify public files
## used for public file transfer services. Directories/Files must
## be labeled public_content_rw_t.
## </p>
## </desc>
gen_tunable(allow_httpd_anon_write, false)

## <desc>
## <p>
## Allow Apache to use mod_auth_pam
## </p>
## </desc>
gen_tunable(allow_httpd_mod_auth_pam, false)

## <desc>
## <p>
## Allow Apache to use mod_auth_ntlm_winbind
## </p>
## </desc>
gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)

## <desc>
## <p>
## Allow httpd scripts and modules execmem/execstack
## </p>
## </desc>
gen_tunable(httpd_execmem, false)

## <desc>
## <p>
## Allow httpd daemon to change system limits
## </p>
## </desc>
gen_tunable(httpd_setrlimit, false)

## <desc>
## <p>
## Allow httpd to use built in scripting (usually php)
## </p>
## </desc>
gen_tunable(httpd_builtin_scripting, false)

## <desc>
## <p>
## Allow HTTPD scripts and modules to connect to the network using any TCP port.
## </p>
## </desc>
gen_tunable(httpd_can_network_connect, false)

## <desc>
## <p>
## Allow HTTPD scripts and modules to connect to cobbler over the network.
## </p>
## </desc>
gen_tunable(httpd_can_network_connect_cobbler, false)

## <desc>
## <p>
## Allow HTTPD scripts and modules to connect to databases over the network.
## </p>
## </desc>
gen_tunable(httpd_can_network_connect_db, false)

## <desc>
## <p>
## Allow httpd to connect to memcache server
## </p>
## </desc>
gen_tunable(httpd_can_network_memcache, false)

## <desc>
## <p>
## Allow httpd to act as a relay
## </p>
## </desc>
gen_tunable(httpd_can_network_relay, false)

## <desc>
## <p>
## Allow http daemon to send mail
## </p>
## </desc>
gen_tunable(httpd_can_sendmail, false)

## <desc>
## <p>
## Allow http daemon to check spam
## </p>
## </desc>
gen_tunable(httpd_can_check_spam, false)

## <desc>
## <p>
## Allow Apache to communicate with avahi service via dbus
## </p>
## </desc>
gen_tunable(httpd_dbus_avahi, false)

## <desc>
## <p>
## Allow httpd to execute cgi scripts
## </p>
## </desc>
gen_tunable(httpd_enable_cgi, false)

## <desc>
## <p>
## Allow httpd to act as an FTP server by
## listening on the ftp port.
## </p>
## </desc>
gen_tunable(httpd_enable_ftp_server, false)

## <desc>
## <p>
## Allow httpd to act as an FTP client
## connecting to the ftp port and ephemeral ports
## </p>
## </desc>
gen_tunable(httpd_can_connect_ftp, false)

## <desc>
## <p>
## Allow httpd to connect to the ldap port
## </p>
## </desc>
gen_tunable(httpd_can_connect_ldap, false)

## <desc>
## <p>
## Allow httpd to read home directories
## </p>
## </desc>
gen_tunable(httpd_enable_homedirs, false)

## <desc>
## <p>
## Allow httpd to read user content
## </p>
## </desc>
gen_tunable(httpd_read_user_content, false)

## <desc>
## <p>
## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
## </p>
## </desc>
gen_tunable(httpd_ssi_exec, false)

## <desc>
## <p>
## Allow Apache to execute tmp content.
## </p>
## </desc>
gen_tunable(httpd_tmp_exec, false)

## <desc>
## <p>
## Allow HTTPD to communicate with the terminal.
## Needed for entering the passphrase for certificates at
## the terminal.
## </p>
## </desc>
gen_tunable(httpd_tty_comm, false)

## <desc>
## <p>
## Unify HTTPD handling of all content files.
## </p>
## </desc>
gen_tunable(httpd_unified, false)

## <desc>
## <p>
## Allow httpd to access cifs file systems
## </p>
## </desc>
gen_tunable(httpd_use_cifs, false)

## <desc>
## <p>
## Allow httpd to run gpg in gpg-web domain
## </p>
## </desc>
gen_tunable(httpd_use_gpg, false)

## <desc>
## <p>
## Allow httpd to access nfs file systems
## </p>
## </desc>
gen_tunable(httpd_use_nfs, false)

## <desc>
## <p>
## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t.
## </p>
## </desc>
gen_tunable(allow_httpd_sys_script_anon_write, false)
224 | ||
# Attribute shared by every web content type; several tunables in the
# local policy grant httpd_t rights over the whole attribute at once.
attribute httpdcontent;
attribute httpd_user_content_type;
attribute httpd_content_type;

# domains that can exec all users' scripts
attribute httpd_exec_scripts;

attribute httpd_script_type;
attribute httpd_script_exec_type;
attribute httpd_user_script_exec_type;

# user script domains
attribute httpd_script_domains;

type httpd_t;
type httpd_exec_t;
init_daemon_domain(httpd_t, httpd_exec_t)
role system_r types httpd_t;

# httpd_cache_t is the type given to the /var/cache/httpd
# directory and the files under that directory
type httpd_cache_t;
files_type(httpd_cache_t)

# httpd_config_t is the type given to the configuration files
type httpd_config_t;
files_config_file(httpd_config_t)

type httpd_helper_t;
type httpd_helper_exec_t;
domain_type(httpd_helper_t)
domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
role system_r types httpd_helper_t;

type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)

type httpd_unit_file_t;
systemd_unit_file(httpd_unit_file_t)

type httpd_lock_t;
files_lock_file(httpd_lock_t)

type httpd_log_t;
logging_log_file(httpd_log_t)

# httpd_modules_t is the type given to module files (libraries)
# that come with Apache /etc/httpd/modules and /usr/lib/apache
type httpd_modules_t;
files_type(httpd_modules_t)

type httpd_php_t;
type httpd_php_exec_t;
domain_type(httpd_php_t)
domain_entry_file(httpd_php_t, httpd_php_exec_t)
role system_r types httpd_php_t;

type httpd_php_tmp_t;
files_tmp_file(httpd_php_tmp_t)

type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)

type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)

# SUEXEC runs user scripts as their own user ID
type httpd_suexec_t;
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
role system_r types httpd_suexec_t;

type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)

# setup the system domain for system CGI scripts
# (declares the httpd_sys_* content types and httpd_sys_script_t used below)
apache_content_template(sys)

optional_policy(`
	postgresql_unpriv_client(httpd_sys_script_t)
')

typeattribute httpd_sys_content_t httpdcontent; # customizable
typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
typeattribute httpd_sys_ra_content_t httpdcontent; # customizable

# The fastcgi types were removed; these aliases keep existing labels
# and policies that still reference them working.
typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
typealias httpd_sys_script_t alias httpd_fastcgi_script_t;

type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)

type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)

# user CGI content types and the httpd_user_script_t domain
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
typeattribute httpd_user_content_t httpdcontent;
typeattribute httpd_user_rw_content_t httpdcontent;
typeattribute httpd_user_ra_content_t httpdcontent;

userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
typeattribute httpd_user_script_t httpd_script_domains;
# Per-role user types were collapsed into the single httpd_user_* set;
# the aliases below preserve the old per-role names.
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
typealias httpd_user_content_t alias httpd_unconfined_content_t;
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };

# for apache2 memory mapped files
type httpd_var_lib_t;
files_type(httpd_var_lib_t)

type httpd_var_run_t;
files_pid_file(httpd_var_run_t)

# The fastcgi types were removed; this alias keeps existing labels working.
typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;

# File Type of squirrelmail attachments
type squirrelmail_spool_t;
files_tmp_file(squirrelmail_spool_t)
files_spool_file(squirrelmail_spool_t)

optional_policy(`
	prelink_object_file(httpd_modules_t)
')

# NOTE(review): presumably the passphrase-prompt helper invoked for
# encrypted certificate keys -- confirm against the file contexts.
type httpd_passwd_t;
type httpd_passwd_exec_t;
application_domain(httpd_passwd_t, httpd_passwd_exec_t)
role system_r types httpd_passwd_t;
377 | ||
a996bdf4 CP |
378 | ######################################## |
379 | # | |
380 | # Apache server local policy | |
381 | # | |
382 | ||
60def66b | 383 | allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; |
a996bdf4 CP |
384 | dontaudit httpd_t self:capability { net_admin sys_tty_config }; |
385 | allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; | |
386 | allow httpd_t self:fd use; | |
c0868a7a CP |
387 | allow httpd_t self:sock_file read_sock_file_perms; |
388 | allow httpd_t self:fifo_file rw_fifo_file_perms; | |
a996bdf4 CP |
389 | allow httpd_t self:shm create_shm_perms; |
390 | allow httpd_t self:sem create_sem_perms; | |
391 | allow httpd_t self:msgq create_msgq_perms; | |
392 | allow httpd_t self:msg { send receive }; | |
e9a4084d CP |
393 | allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; |
394 | allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; | |
33c7e6b4 | 395 | allow httpd_t self:tcp_socket create_stream_socket_perms; |
e9a4084d | 396 | allow httpd_t self:udp_socket create_socket_perms; |
55e9f0e7 | 397 | dontaudit httpd_t self:netlink_audit_socket create_socket_perms; |
a996bdf4 CP |
398 | |
399 | # Allow httpd_t to put files in /var/cache/httpd etc | |
0bfccda4 CP |
400 | manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) |
401 | manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) | |
402 | manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) | |
3eaa9939 | 403 | files_var_filetrans(httpd_t, httpd_cache_t, { file dir }) |
a996bdf4 CP |
404 | |
405 | # Allow the httpd_t to read the web servers config files | |
c0868a7a | 406 | allow httpd_t httpd_config_t:dir list_dir_perms; |
0bfccda4 CP |
407 | read_files_pattern(httpd_t, httpd_config_t, httpd_config_t) |
408 | read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t) | |
a996bdf4 CP |
409 | |
410 | can_exec(httpd_t, httpd_exec_t) | |
411 | ||
c0868a7a | 412 | allow httpd_t httpd_lock_t:file manage_file_perms; |
0bfccda4 | 413 | files_lock_filetrans(httpd_t, httpd_lock_t, file) |
a996bdf4 | 414 | |
c0868a7a | 415 | allow httpd_t httpd_log_t:dir setattr; |
0bfccda4 CP |
416 | create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) |
417 | append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | |
418 | read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | |
419 | read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | |
c2b18fa1 CP |
420 | # cjp: need to refine create interfaces to |
421 | # cut this back to add_name only | |
0bfccda4 | 422 | logging_log_filetrans(httpd_t, httpd_log_t, file) |
a996bdf4 | 423 | |
c0868a7a | 424 | allow httpd_t httpd_modules_t:dir list_dir_perms; |
0bfccda4 CP |
425 | mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) |
426 | read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) | |
60def66b | 427 | read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) |
a996bdf4 | 428 | |
d6d16b97 CP |
429 | apache_domtrans_rotatelogs(httpd_t) |
430 | # Apache-httpd needs to be able to send signals to the log rotate procs. | |
431 | allow httpd_t httpd_rotatelogs_t:process signal_perms; | |
432 | ||
0bfccda4 CP |
433 | manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) |
434 | manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) | |
435 | manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) | |
a996bdf4 | 436 | |
0b36a214 | 437 | allow httpd_t httpd_suexec_exec_t:file read_file_perms; |
725926c5 | 438 | |
c0868a7a | 439 | allow httpd_t httpd_sys_content_t:dir list_dir_perms; |
0bfccda4 CP |
440 | read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) |
441 | read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) | |
3d37bca1 | 442 | |
60def66b CP |
443 | allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; |
444 | ||
0bfccda4 CP |
445 | manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) |
446 | manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) | |
6d5f4f28 | 447 | manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) |
60def66b | 448 | manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) |
6d5f4f28 | 449 | files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file }) |
a996bdf4 | 450 | |
0bfccda4 CP |
451 | manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) |
452 | manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) | |
453 | manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) | |
454 | manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) | |
455 | manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) | |
20fa7032 | 456 | fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) |
a996bdf4 | 457 | |
0bfccda4 CP |
458 | manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) |
459 | files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) | |
a996bdf4 | 460 | |
60def66b CP |
461 | setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) |
462 | manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) | |
0bfccda4 CP |
463 | manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) |
464 | manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) | |
60def66b | 465 | files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir }) |
a996bdf4 | 466 | |
0bfccda4 CP |
467 | manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) |
468 | manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) | |
469 | manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) | |
a996bdf4 | 470 | |
445522dc | 471 | kernel_read_kernel_sysctls(httpd_t) |
a996bdf4 CP |
472 | # for modules that want to access /proc/meminfo |
473 | kernel_read_system_state(httpd_t) | |
ae082fdc | 474 | kernel_read_network_state(httpd_t) |
2e02954a | 475 | kernel_read_network_state(httpd_t) |
3eaa9939 | 476 | kernel_search_network_sysctl(httpd_t) |
a996bdf4 | 477 | |
19006686 CP |
478 | corenet_all_recvfrom_unlabeled(httpd_t) |
479 | corenet_all_recvfrom_netlabel(httpd_t) | |
668b3093 CP |
480 | corenet_tcp_sendrecv_generic_if(httpd_t) |
481 | corenet_udp_sendrecv_generic_if(httpd_t) | |
c1262146 CP |
482 | corenet_tcp_sendrecv_generic_node(httpd_t) |
483 | corenet_udp_sendrecv_generic_node(httpd_t) | |
a996bdf4 CP |
484 | corenet_tcp_sendrecv_all_ports(httpd_t) |
485 | corenet_udp_sendrecv_all_ports(httpd_t) | |
c1262146 | 486 | corenet_tcp_bind_generic_node(httpd_t) |
3eaa9939 | 487 | corenet_udp_bind_generic_node(httpd_t) |
a996bdf4 CP |
488 | corenet_tcp_bind_http_port(httpd_t) |
489 | corenet_tcp_bind_http_cache_port(httpd_t) | |
3eaa9939 | 490 | corenet_tcp_bind_ntop_port(httpd_t) |
a57cacf8 | 491 | corenet_tcp_bind_jboss_management_port(httpd_t) |
968ace93 | 492 | corenet_sendrecv_http_server_packets(httpd_t) |
2e02954a | 493 | corenet_tcp_bind_puppet_port(httpd_t) |
d6d16b97 | 494 | # Signal self for shutdown |
6f358681 | 495 | #corenet_tcp_connect_http_port(httpd_t) |
a996bdf4 CP |
496 | |
497 | dev_read_sysfs(httpd_t) | |
498 | dev_read_rand(httpd_t) | |
499 | dev_read_urand(httpd_t) | |
c2b18fa1 | 500 | dev_rw_crypto(httpd_t) |
a996bdf4 CP |
501 | |
502 | fs_getattr_all_fs(httpd_t) | |
503 | fs_search_auto_mountpoints(httpd_t) | |
3eaa9939 DW |
504 | fs_read_iso9660_files(httpd_t) |
505 | fs_read_anon_inodefs_files(httpd_t) | |
a996bdf4 | 506 | |
77f6e2cd CP |
507 | auth_use_nsswitch(httpd_t) |
508 | ||
3eaa9939 | 509 | application_exec_all(httpd_t) |
a996bdf4 | 510 | |
15722ec9 | 511 | domain_use_interactive_fds(httpd_t) |
a996bdf4 | 512 | |
60def66b | 513 | files_dontaudit_getattr_all_pids(httpd_t) |
a996bdf4 CP |
514 | files_read_usr_files(httpd_t) |
515 | files_list_mnt(httpd_t) | |
516 | files_search_spool(httpd_t) | |
ac84f68a | 517 | files_read_var_symlinks(httpd_t) |
a996bdf4 CP |
518 | files_read_var_lib_files(httpd_t) |
519 | files_search_home(httpd_t) | |
520 | files_getattr_home_dir(httpd_t) | |
521 | # for modules that want to access /etc/mtab | |
522 | files_read_etc_runtime_files(httpd_t) | |
523 | # Allow httpd_t to have access to files such as nisswitch.conf | |
524 | files_read_etc_files(httpd_t) | |
6e99a6cf CP |
525 | # for tomcat |
526 | files_read_var_lib_symlinks(httpd_t) | |
a996bdf4 | 527 | |
d6d16b97 | 528 | fs_search_auto_mountpoints(httpd_sys_script_t) |
3eaa9939 DW |
529 | # php uploads a file to /tmp and then execs programs to acton them |
530 | manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) | |
531 | manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) | |
27b4213b | 532 | manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) |
bfa36011 | 533 | manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) |
27b4213b | 534 | manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) |
3eaa9939 | 535 | files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file }) |
d6d16b97 | 536 | |
1815bad1 | 537 | libs_read_lib_files(httpd_t) |
a996bdf4 | 538 | |
2e02954a DW |
539 | ifdef(`hide_broken_symptoms',` |
540 | libs_exec_lib_files(httpd_t) | |
541 | ') | |
542 | ||
a996bdf4 CP |
543 | logging_send_syslog_msg(httpd_t) |
544 | ||
545 | miscfiles_read_localization(httpd_t) | |
546 | miscfiles_read_fonts(httpd_t) | |
6e99a6cf | 547 | miscfiles_read_public_files(httpd_t) |
83406219 | 548 | miscfiles_read_generic_certs(httpd_t) |
8c068e04 | 549 | miscfiles_read_tetex_data(httpd_t) |
a996bdf4 CP |
550 | |
551 | seutil_dontaudit_search_config(httpd_t) | |
552 | ||
103fe280 | 553 | userdom_use_unpriv_users_fds(httpd_t) |
a996bdf4 | 554 | |
3eaa9939 DW |
555 | tunable_policy(`httpd_setrlimit',` |
556 | allow httpd_t self:process setrlimit; | |
0c28fe6e | 557 | allow httpd_t self:capability sys_resource; |
3eaa9939 DW |
558 | ') |
559 | ||
6e99a6cf CP |
560 | tunable_policy(`allow_httpd_anon_write',` |
561 | miscfiles_manage_public_files(httpd_t) | |
20fa7032 | 562 | ') |
6e99a6cf | 563 | |
123a990b CP |
564 | # |
565 | # We need optionals to be able to be within booleans to make this work | |
566 | # | |
567 | tunable_policy(`allow_httpd_mod_auth_pam',` | |
3eaa9939 DW |
568 | auth_domtrans_chkpwd(httpd_t) |
569 | logging_send_audit_msgs(httpd_t) | |
570 | ') | |
571 | ||
3eaa9939 | 572 | optional_policy(` |
c5eae5f8 | 573 | tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',` |
3eaa9939 | 574 | samba_domtrans_winbind_helper(httpd_t) |
c5eae5f8 | 575 | ') |
123a990b CP |
576 | ') |
577 | ||
6e99a6cf | 578 | tunable_policy(`httpd_can_network_connect',` |
6e99a6cf | 579 | corenet_tcp_connect_all_ports(httpd_t) |
6e99a6cf CP |
580 | ') |
581 | ||
9b26005b | 582 | tunable_policy(`httpd_can_network_connect_db',` |
ec7dfab4 | 583 | corenet_tcp_connect_firebird_port(httpd_t) |
9b26005b DG |
584 | corenet_tcp_connect_mssql_port(httpd_t) |
585 | corenet_sendrecv_mssql_client_packets(httpd_t) | |
f1686cd5 MG |
586 | corenet_tcp_connect_oracle_port(httpd_t) |
587 | corenet_sendrecv_oracle_client_packets(httpd_t) | |
9b26005b DG |
588 | ') |
589 | ||
ef98a374 DW |
590 | tunable_policy(`httpd_can_network_memcache',` |
591 | corenet_tcp_connect_memcache_port(httpd_t) | |
592 | ') | |
593 | ||
bb437244 CP |
594 | tunable_policy(`httpd_can_network_relay',` |
595 | # allow httpd to work as a relay | |
596 | corenet_tcp_connect_gopher_port(httpd_t) | |
597 | corenet_tcp_connect_ftp_port(httpd_t) | |
598 | corenet_tcp_connect_http_port(httpd_t) | |
599 | corenet_tcp_connect_http_cache_port(httpd_t) | |
3eaa9939 | 600 | corenet_tcp_connect_squid_port(httpd_t) |
60def66b | 601 | corenet_tcp_connect_memcache_port(httpd_t) |
141cffdd CP |
602 | corenet_sendrecv_gopher_client_packets(httpd_t) |
603 | corenet_sendrecv_ftp_client_packets(httpd_t) | |
604 | corenet_sendrecv_http_client_packets(httpd_t) | |
605 | corenet_sendrecv_http_cache_client_packets(httpd_t) | |
3eaa9939 | 606 | corenet_sendrecv_squid_client_packets(httpd_t) |
4943b049 | 607 | corenet_tcp_connect_all_ephemeral_ports(httpd_t) |
3eaa9939 DW |
608 | ') |
609 | ||
f6bcb24b DG |
610 | tunable_policy(`httpd_execmem',` |
611 | allow httpd_t self:process { execmem execstack }; | |
612 | allow httpd_sys_script_t self:process { execmem execstack }; | |
613 | allow httpd_suexec_t self:process { execmem execstack }; | |
614 | ') | |
615 | ||
3eaa9939 DW |
616 | tunable_policy(`httpd_enable_cgi && httpd_unified',` |
617 | allow httpd_sys_script_t httpd_sys_content_t:file entrypoint; | |
618 | filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) | |
619 | can_exec(httpd_sys_script_t, httpd_sys_content_t) | |
bb437244 CP |
620 | ') |
621 | ||
3eaa9939 DW |
622 | tunable_policy(`allow_httpd_sys_script_anon_write',` |
623 | miscfiles_manage_public_files(httpd_sys_script_t) | |
c5eae5f8 | 624 | ') |
3eaa9939 | 625 | |
60def66b CP |
626 | tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` |
627 | fs_nfs_domtrans(httpd_t, httpd_sys_script_t) | |
628 | ') | |
629 | ||
630 | tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` | |
631 | fs_cifs_domtrans(httpd_t, httpd_sys_script_t) | |
632 | ') | |
633 | ||
6e99a6cf | 634 | tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` |
c0868a7a | 635 | domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) |
3eaa9939 DW |
636 | filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) |
637 | manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) | |
638 | manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) | |
639 | manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) | |
6e99a6cf | 640 | |
0bfccda4 CP |
641 | manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) |
642 | manage_files_pattern(httpd_t, httpdcontent, httpdcontent) | |
643 | manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent) | |
6e99a6cf CP |
644 | ') |
645 | ||
e6b51a26 | 646 | tunable_policy(`httpd_can_connect_ftp',` |
a4787777 | 647 | corenet_tcp_connect_ftp_port(httpd_t) |
e6b51a26 | 648 | corenet_tcp_connect_all_ephemeral_ports(httpd_t) |
a4787777 DW |
649 | ') |
650 | ||
f6155fb6 MG |
651 | tunable_policy(`httpd_can_connect_ldap',` |
652 | corenet_tcp_connect_ldap_port(httpd_t) | |
653 | ') | |
654 | ||
bea7b454 CP |
655 | tunable_policy(`httpd_enable_ftp_server',` |
656 | corenet_tcp_bind_ftp_port(httpd_t) | |
e6b51a26 | 657 | corenet_tcp_bind_all_ephemeral_ports(httpd_t) |
bea7b454 CP |
658 | ') |
659 | ||
3eaa9939 | 660 | tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',` |
c5eae5f8 | 661 | can_exec(httpd_t, httpd_tmp_t) |
3eaa9939 DW |
662 | ') |
663 | ||
# CGI scripts may execute files labeled httpd_tmp_t only when both
# booleans are on; httpd_t's own tmp exec grant is in the block above.
tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
	can_exec(httpd_sys_script_t, httpd_tmp_t)
')

# Home directories served over NFS are read-only for httpd_t. The
# read-write variant is the separate httpd_use_nfs tunable below.
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_list_auto_mountpoints(httpd_t)
	fs_read_nfs_files(httpd_t)
	fs_read_nfs_symlinks(httpd_t)
')

# Full manage (create/write/rename/unlink) on every NFS-labeled dir, file
# and symlink, not scoped to a web-content path. Enable only where httpd
# genuinely has to write to NFS-backed storage.
tunable_policy(`httpd_use_nfs',`
	fs_list_auto_mountpoints(httpd_t)
	fs_manage_nfs_dirs(httpd_t)
	fs_manage_nfs_files(httpd_t)
	fs_manage_nfs_symlinks(httpd_t)
')

# Same read-only shape as the NFS case, for CIFS-mounted home dirs.
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_read_cifs_files(httpd_t)
	fs_read_cifs_symlinks(httpd_t)
')

tunable_policy(`httpd_can_sendmail',`
	# allow httpd to connect to mail servers
	corenet_tcp_connect_smtp_port(httpd_t)
	corenet_sendrecv_smtp_client_packets(httpd_t)
	# POP client access rides on the same boolean, so "can send mail"
	# also implies "can connect to POP ports".
	corenet_tcp_connect_pop_port(httpd_t)
	corenet_sendrecv_pop_client_packets(httpd_t)
	mta_send_mail(httpd_t)
	mta_signal_system_mail(httpd_t)
')

# Read-write counterpart of the samba home-dir rule above, applying to
# all CIFS-labeled content rather than just home directories.
tunable_policy(`httpd_use_cifs',`
	fs_manage_cifs_dirs(httpd_t)
	fs_manage_cifs_files(httpd_t)
	fs_manage_cifs_symlinks(httpd_t)
')

# A shell executed by httpd_t (presumably for SSI #exec) transitions into
# the system CGI domain, so it gets CGI confinement rather than httpd_t's.
# The remaining rules let that child use inherited fds and pipes from
# httpd_t and deliver its exit status back.
tunable_policy(`httpd_ssi_exec',`
	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
	allow httpd_sys_script_t httpd_t:fd use;
	allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
	allow httpd_sys_script_t httpd_t:process sigchld;
')

# When the admin starts the server, the server wants to access
# the TTY or PTY associated with the session. The httpd appears
# to run correctly without this permission, so the permissions
# are dontaudited here unless httpd_tty_comm is enabled.
tunable_policy(`httpd_tty_comm',`
	userdom_use_inherited_user_terminals(httpd_t)
	userdom_use_inherited_user_terminals(httpd_suexec_t)
',`
	userdom_dontaudit_use_user_terminals(httpd_t)
	userdom_dontaudit_use_user_terminals(httpd_suexec_t)
')
720 | ||
6795d321 MG |
# Integrations with other modules. Each optional_policy block is compiled
# in only when that module is present, so the effective privilege of
# httpd_t grows with what else is installed on the host.

optional_policy(`
	# Support for ABRT retrace server
	# mod_wsgi
	abrt_manage_spool_retrace(httpd_t)
	abrt_domtrans_retrace_worker(httpd_t)
	abrt_read_config(httpd_t)
')

optional_policy(`
	calamaris_read_www_files(httpd_t)
')

optional_policy(`
	ccs_read_config(httpd_t)
')

optional_policy(`
	cobbler_list_config(httpd_t)
	cobbler_read_config(httpd_t)
	cobbler_read_lib_files(httpd_t)

	# Network access to cobbler has its own boolean rather than riding
	# on the general httpd_can_network_connect.
	tunable_policy(`httpd_can_network_connect_cobbler',`
		corenet_tcp_connect_cobbler_port(httpd_t)
	')
')

optional_policy(`
	cron_system_entry(httpd_t, httpd_exec_t)
')

optional_policy(`
	cvs_read_data(httpd_t)
')

optional_policy(`
	daemontools_service_domain(httpd_t, httpd_exec_t)
')

optional_policy(`
	# Directory-server admin integration: write access to 389-ds config,
	# logs and runtime state, plus signalling. The last interface, by its
	# name, lets httpd_t enter an *unconfined* script domain from the
	# dirsrvadmin module -- on hosts with that module loaded this is an
	# exit from httpd confinement, so review it when hardening.
	dirsrv_manage_config(httpd_t)
	dirsrv_manage_log(httpd_t)
	dirsrv_manage_var_run(httpd_t)
	dirsrv_read_share(httpd_t)
	dirsrv_signal(httpd_t)
	dirsrv_signull(httpd_t)
	dirsrvadmin_manage_config(httpd_t)
	dirsrvadmin_manage_tmp(httpd_t)
	dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
')

optional_policy(`
	dbus_system_bus_client(httpd_t)

	tunable_policy(`httpd_dbus_avahi',`
		avahi_dbus_chat(httpd_t)
	')
')

optional_policy(`
	# gpg is reachable only with CGI enabled and the dedicated boolean on.
	tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
		gpg_domtrans_web(httpd_t)
	')
')

optional_policy(`
	kerberos_keytab_template(httpd, httpd_t)
')

optional_policy(`
	mailman_signal_cgi(httpd_t)
	mailman_domtrans_cgi(httpd_t)
	mailman_read_data_files(httpd_t)
	# should have separate types for public and private archives
	mailman_search_data(httpd_t)
	mailman_read_archive(httpd_t)
')

optional_policy(`
	mediawiki_read_tmp_files(httpd_t)
	mediawiki_delete_tmp_files(httpd_t)
')

optional_policy(`
	# Allow httpd to work with mysql
	# Local socket access is unconditional; TCP access is gated by
	# httpd_can_network_connect_db (same pattern for postgresql below).
	mysql_read_config(httpd_t)
	mysql_stream_connect(httpd_t)
	mysql_rw_db_sockets(httpd_t)

	tunable_policy(`httpd_can_network_connect_db',`
		mysql_tcp_connect(httpd_t)
	')
')

optional_policy(`
	nagios_read_config(httpd_t)
	nagios_read_log(httpd_t)
')

optional_policy(`
	# Domain transition into openca plus the ability to stop/kill it.
	openca_domtrans(httpd_t)
	openca_signal(httpd_t)
	openca_sigstop(httpd_t)
	openca_kill(httpd_t)
')

optional_policy(`
	passenger_domtrans(httpd_t)
	passenger_manage_pid_content(httpd_t)
	passenger_read_lib_files(httpd_t)
')

optional_policy(`
	puppet_read_lib(httpd_t)
')

optional_policy(`
	rpc_search_nfs_state_data(httpd_t)
')

optional_policy(`
	# Allow httpd to work with postgresql
	postgresql_stream_connect(httpd_t)
	postgresql_unpriv_client(httpd_t)

	tunable_policy(`httpd_can_network_connect_db',`
		postgresql_tcp_connect(httpd_t)
	')
')

optional_policy(`
	seutil_sigchld_newrole(httpd_t)
')

optional_policy(`
	smokeping_read_lib_files(httpd_t)
')

optional_policy(`
	# NOTE(review): files_dontaudit_rw_usr_dirs is a generic files_
	# interface, but it only takes effect when the snmp module is loaded
	# because it sits inside snmp's optional block. If the /usr denial
	# is meant to be silenced regardless of snmp, it belongs outside.
	files_dontaudit_rw_usr_dirs(httpd_t)
	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')

optional_policy(`
	udev_read_db(httpd_t)
')

optional_policy(`
	yam_read_content(httpd_t)
')

optional_policy(`
	# zarafa lib files are fully managed (not just read) by httpd_t.
	zarafa_manage_lib_files(httpd_t)
	zarafa_stream_connect_server(httpd_t)
	zarafa_search_config(httpd_t)
')
877 | ||
a996bdf4 CP |
878 | ######################################## |
879 | # | |
880 | # Apache helper local policy | |
881 | # | |
882 | ||
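# httpd_t executes the helper binary in its own domain.
domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)

allow httpd_helper_t httpd_config_t:file read_file_perms;

# Log access is append-only: the helper cannot read, truncate or rewrite
# existing log content.
allow httpd_helper_t httpd_log_t:file append_file_perms;

logging_send_syslog_msg(httpd_helper_t)

# Terminal access is unconditional for the helper, unlike httpd_t and
# httpd_suexec_t, where it is gated by httpd_tty_comm. A second
# httpd_tty_comm-gated grant of the very same interface used to follow
# this line; it added nothing and has been removed so the policy reads
# the way it behaves. NOTE(review): confirm the unconditional grant is
# intended rather than the gated one.
userdom_use_inherited_user_terminals(httpd_helper_t)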
896 | ||
a996bdf4 CP |
897 | ######################################## |
898 | # | |
899 | # Apache PHP script local policy | |
900 | # | |
901 | ||
# Complement rule: every process permission on self EXCEPT the listed
# ones. The exclusions are what matter -- no ptrace, no changing its own
# context (setcurrent/setexec/setfscreate), no setrlimit, and no
# execmem/execstack/execheap, so PHP cannot map writable+executable
# memory under this domain.
allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_php_t self:fd use;
allow httpd_php_t self:fifo_file rw_fifo_file_perms;
allow httpd_php_t self:sock_file read_sock_file_perms;
allow httpd_php_t self:unix_dgram_socket create_socket_perms;
allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_php_t self:unix_dgram_socket sendto;
allow httpd_php_t self:unix_stream_socket connectto;
# SysV IPC objects are allowed; they are scoped to self only.
allow httpd_php_t self:shm create_shm_perms;
allow httpd_php_t self:sem create_sem_perms;
allow httpd_php_t self:msgq create_msgq_perms;
allow httpd_php_t self:msg { send receive };

domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)

# allow php to read and append to apache logfiles
# (read + append only: no write/truncate/unlink on the log type)
allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };

# Private tmp type; files/dirs created in /tmp get httpd_php_tmp_t.
manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })

fs_search_auto_mountpoints(httpd_php_t)

auth_use_nsswitch(httpd_php_t)

# PHP is allowed to execute library files (not just map them).
libs_exec_lib_files(httpd_php_t)

userdom_use_unpriv_users_fds(httpd_php_t)

# Non-free database ports; all gated behind httpd_can_network_connect_db,
# the same boolean that gates the mysql/postgresql TCP rules below.
tunable_policy(`httpd_can_network_connect_db',`
	corenet_tcp_connect_firebird_port(httpd_php_t)
	corenet_tcp_connect_mssql_port(httpd_php_t)
	corenet_sendrecv_mssql_client_packets(httpd_php_t)
	corenet_tcp_connect_oracle_port(httpd_php_t)
	corenet_sendrecv_oracle_client_packets(httpd_php_t)
')

optional_policy(`
	# Local socket access is unconditional; TCP needs the boolean.
	mysql_stream_connect(httpd_php_t)
	mysql_rw_db_sockets(httpd_php_t)
	mysql_read_config(httpd_php_t)

	tunable_policy(`httpd_can_network_connect_db',`
		mysql_tcp_connect(httpd_php_t)
	')
')

optional_policy(`
	postgresql_stream_connect(httpd_php_t)
	postgresql_unpriv_client(httpd_php_t)

	tunable_policy(`httpd_can_network_connect_db',`
		postgresql_tcp_connect(httpd_php_t)
	')
')
958 | ||
a996bdf4 CP |
959 | ######################################## |
960 | # | |
961 | # Apache suexec local policy | |
962 | # | |
963 | ||
# suexec must change uid/gid to the target user; these are the only
# capabilities it holds (no dac_override, no chown, no setpcap).
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;

allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;

domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)

# suexec may create, append to and read httpd logs, but gets no plain
# write/unlink on the log type, so existing log content cannot be
# rewritten or removed from this domain.
create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)

allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;

manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })

# can_exec grants execute *without* a domain transition. Whether a system
# CGI run through suexec actually lands in httpd_sys_script_t depends on
# transition rules outside this section (see the httpd_unified block
# below and the script-type rules at the end of the file).
can_exec(httpd_suexec_t, httpd_sys_script_exec_t)

# Read-only on every user content variant, including the rw/ra types.
read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)

kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)

dev_read_urand(httpd_suexec_t)

fs_read_iso9660_files(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)

# Broad: suexec may execute any application executable type, in
# addition to the script types above.
application_exec_all(httpd_suexec_t)

files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)

auth_use_nsswitch(httpd_suexec_t)

logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)

miscfiles_read_localization(httpd_suexec_t)
miscfiles_read_public_files(httpd_suexec_t)

# With httpd_can_network_connect on, suexec gets outbound TCP to *all*
# ports and UDP send/receive on all ports (no bind/listen here, unlike
# the httpd_sys_script_t network block later in the file).
tunable_policy(`httpd_can_network_connect',`
	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
	allow httpd_suexec_t self:udp_socket create_socket_perms;

	corenet_all_recvfrom_unlabeled(httpd_suexec_t)
	corenet_all_recvfrom_netlabel(httpd_suexec_t)
	corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
	corenet_udp_sendrecv_generic_if(httpd_suexec_t)
	corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
	corenet_udp_sendrecv_generic_node(httpd_suexec_t)
	corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
	corenet_tcp_connect_all_ports(httpd_suexec_t)
	corenet_sendrecv_all_client_packets(httpd_suexec_t)
')

# Narrower alternative: only the named database ports.
tunable_policy(`httpd_can_network_connect_db',`
	corenet_tcp_connect_firebird_port(httpd_suexec_t)
	corenet_tcp_connect_mssql_port(httpd_suexec_t)
	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
	corenet_tcp_connect_oracle_port(httpd_suexec_t)
	corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
')

# Makes plain httpd_sys_content_t files valid entrypoints for the system
# CGI domain, i.e. static-content files can be executed as system
# scripts. It is unconditional and lives in the suexec section although
# it concerns httpd_sys_script_t; presumably needed for suexec-launched
# scripts in the content tree -- confirm.
domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)

tunable_policy(`httpd_can_sendmail',`
	mta_send_mail(httpd_suexec_t)
')

# "Unified" content: every httpdcontent file becomes an entrypoint for
# httpd_sys_script_t and suexec transitions into that domain when
# executing any of them, while the script domain gets full manage on the
# same attribute. Net effect: a system CGI can rewrite files it (or any
# other CGI) can later be entered from. Keep this boolean off unless the
# application really needs a self-modifying web root.
tunable_policy(`httpd_enable_cgi && httpd_unified',`
	allow httpd_sys_script_t httpdcontent:file entrypoint;
	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
	manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
	manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
	manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
	manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
')

# Home dirs on NFS/CIFS: read plus execute (scripts may live there).
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_list_auto_mountpoints(httpd_suexec_t)
	fs_read_nfs_files(httpd_suexec_t)
	fs_read_nfs_symlinks(httpd_suexec_t)
	fs_exec_nfs_files(httpd_suexec_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_read_cifs_files(httpd_suexec_t)
	fs_read_cifs_symlinks(httpd_suexec_t)
	fs_exec_cifs_files(httpd_suexec_t)
')

optional_policy(`
	mailman_domtrans_cgi(httpd_suexec_t)
')

optional_policy(`
	mta_stub(httpd_suexec_t)

	# apache should set close-on-exec
	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')

optional_policy(`
	mysql_stream_connect(httpd_suexec_t)
	mysql_rw_db_sockets(httpd_suexec_t)
	mysql_read_config(httpd_suexec_t)

	tunable_policy(`httpd_can_network_connect_db',`
		mysql_tcp_connect(httpd_suexec_t)
	')
')

optional_policy(`
	postgresql_stream_connect(httpd_suexec_t)
	postgresql_unpriv_client(httpd_suexec_t)

	tunable_policy(`httpd_can_network_connect_db',`
		postgresql_tcp_connect(httpd_suexec_t)
	')
')
1093 | ||
a996bdf4 CP |
1094 | ######################################## |
1095 | # | |
1096 | # Apache system script local policy | |
1097 | # | |
1098 | ||
60def66b CP |
allow httpd_sys_script_t self:process getsched;

# Read/write on sockets inherited from httpd_t -- presumably the client
# connection handed to the CGI as stdin/stdout. The generic
# httpd_script_type block at the end of the file only dontaudits the
# tcp_socket case; the system script domain gets it explicitly.
allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
allow httpd_sys_script_t httpd_t:tcp_socket { read write };

dontaudit httpd_sys_script_t httpd_config_t:dir search;

# squirrelmail: append/read its data, read-only on its spool.
allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };

allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)

kernel_read_kernel_sysctls(httpd_sys_script_t)

files_read_var_symlinks(httpd_sys_script_t)
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)

# Append on inherited fds of *any* log type, not just httpd_log_t.
logging_inherit_append_all_logs(httpd_sys_script_t)

# Should we add a boolean?
# NOTE(review): yes, arguably. httpd_rotatelogs_t (below) holds
# dac_override and full manage on httpd_log_t, so an unconditional
# transition from the CGI domain gives a compromised script a path to
# a domain that can rewrite or remove Apache logs.
apache_domtrans_rotatelogs(httpd_sys_script_t)

auth_use_nsswitch(httpd_sys_script_t)

ifdef(`distro_redhat',`
	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')

tunable_policy(`httpd_can_sendmail',`
	mta_send_mail(httpd_sys_script_t)
')

optional_policy(`
	# NOTE(review): this grants the transition to httpd_t, not to
	# httpd_sys_script_t, although it sits in the system-script section.
	# Confirm which domain is meant to invoke the spamassassin client.
	tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
		spamassassin_domtrans_client(httpd_t)
	')
')

tunable_policy(`httpd_can_network_connect_db',`
	corenet_tcp_connect_firebird_port(httpd_sys_script_t)
	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
	corenet_tcp_connect_oracle_port(httpd_sys_script_t)
	corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
')

# Files on CIFS and NFS mounts are valid entrypoints for the system CGI
# domain, so scripts may be served from network filesystems.
fs_cifs_entry_type(httpd_sys_script_t)
fs_read_iso9660_files(httpd_sys_script_t)
fs_nfs_entry_type(httpd_sys_script_t)

# Note this block also extends httpd_suexec_t, not only the script
# domain, and grants exec as well as manage on NFS content.
tunable_policy(`httpd_use_nfs',`
	fs_list_auto_mountpoints(httpd_sys_script_t)
	fs_manage_nfs_dirs(httpd_sys_script_t)
	fs_manage_nfs_files(httpd_sys_script_t)
	fs_manage_nfs_symlinks(httpd_sys_script_t)
	fs_exec_nfs_files(httpd_sys_script_t)

	fs_list_auto_mountpoints(httpd_suexec_t)
	fs_manage_nfs_dirs(httpd_suexec_t)
	fs_manage_nfs_files(httpd_suexec_t)
	fs_manage_nfs_symlinks(httpd_suexec_t)
	fs_exec_nfs_files(httpd_suexec_t)
')

# Unlike the suexec network block, this one also allows binding sockets
# to generic nodes, so a CGI may open listening sockets (subject to port
# rules not visible here) as well as connect to all ports.
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
	allow httpd_sys_script_t self:udp_socket create_socket_perms;

	corenet_tcp_bind_generic_node(httpd_sys_script_t)
	corenet_udp_bind_generic_node(httpd_sys_script_t)
	corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
	corenet_all_recvfrom_netlabel(httpd_sys_script_t)
	corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
	corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
	corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
	corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
	corenet_tcp_connect_all_ports(httpd_sys_script_t)
	corenet_sendrecv_all_client_packets(httpd_sys_script_t)
')

tunable_policy(`httpd_enable_homedirs',`
	userdom_search_user_home_dirs(httpd_sys_script_t)
')

tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_list_auto_mountpoints(httpd_sys_script_t)
	fs_read_nfs_files(httpd_sys_script_t)
	fs_read_nfs_symlinks(httpd_sys_script_t)
')

# Reading arbitrary user home content is a separate boolean from
# httpd_enable_homedirs (which only grants search above).
tunable_policy(`httpd_read_user_content',`
	userdom_read_user_home_content_files(httpd_sys_script_t)
')

# As with httpd_use_nfs: affects httpd_suexec_t too, including exec.
tunable_policy(`httpd_use_cifs',`
	fs_manage_cifs_dirs(httpd_sys_script_t)
	fs_manage_cifs_files(httpd_sys_script_t)
	fs_manage_cifs_symlinks(httpd_sys_script_t)
	fs_manage_cifs_dirs(httpd_suexec_t)
	fs_manage_cifs_files(httpd_suexec_t)
	fs_manage_cifs_symlinks(httpd_suexec_t)
	fs_exec_cifs_files(httpd_suexec_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_read_cifs_files(httpd_sys_script_t)
	fs_read_cifs_symlinks(httpd_sys_script_t)
')

optional_policy(`
	clamav_domtrans_clamscan(httpd_sys_script_t)
')

optional_policy(`
	mysql_stream_connect(httpd_sys_script_t)
	mysql_rw_db_sockets(httpd_sys_script_t)
	mysql_read_config(httpd_sys_script_t)

	tunable_policy(`httpd_can_network_connect_db',`
		mysql_tcp_connect(httpd_sys_script_t)
	')
')

optional_policy(`
	postgresql_stream_connect(httpd_sys_script_t)
	postgresql_unpriv_client(httpd_sys_script_t)

	tunable_policy(`httpd_can_network_connect_db',`
		postgresql_tcp_connect(httpd_sys_script_t)
	')
')
1234 | ||
123a990b CP |
1235 | ######################################## |
1236 | # | |
1237 | # httpd_rotatelogs local policy | |
1238 | # | |
1239 | ||
60def66b CP |
# dac_override lets rotatelogs bypass file-mode checks, i.e. operate on
# log files it does not own. Combined with the full manage below, this
# domain can rewrite or unlink anything labeled httpd_log_t; it is
# reachable from httpd_sys_script_t via an unconditional domtrans in the
# system-script section, which is why that transition deserves a boolean.
allow httpd_rotatelogs_t self:capability dac_override;

manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)

kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)

files_read_etc_files(httpd_rotatelogs_t)

logging_search_logs(httpd_rotatelogs_t)

miscfiles_read_localization(httpd_rotatelogs_t)
296273a7 | 1253 | |
60def66b CP |
1254 | ######################################## |
1255 | # | |
1256 | # Unconfined script local policy | |
1257 | # | |
1258 | ||
# Escape hatch: anything labeled httpd_unconfined_script_exec_t is run by
# httpd_t in a fully unconfined domain. The only control is file
# labeling, so whoever can relabel to httpd_unconfined_script_exec_t (or
# write to a file already carrying it) gets unconfined execution from the
# web server. Audit fcontext rules and relabel rights for this type.
optional_policy(`
	type httpd_unconfined_script_t;
	type httpd_unconfined_script_exec_t;
	domain_type(httpd_unconfined_script_t)
	domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
	domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
	unconfined_domain(httpd_unconfined_script_t)

	role system_r types httpd_unconfined_script_t;
	# httpd_t keeps the ability to signal/kill the unconfined child.
	allow httpd_t httpd_unconfined_script_t:process signal_perms;
')
1270 | ||
296273a7 CP |
1271 | ######################################## |
1272 | # | |
1273 | # User content local policy | |
1274 | # | |
1275 | ||
# Unified mode for user CGIs: entry is permitted from *any* httpdcontent
# file (system content included), while manage is limited to the user
# content and user ra content types. httpd_user_rw_content_t is not
# covered here although suexec reads it above -- possibly intentional,
# confirm.
tunable_policy(`httpd_enable_cgi && httpd_unified',`
	allow httpd_user_script_t httpdcontent:file entrypoint;
	manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
	manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
	manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
	manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
')

# allow accessing files/dirs below the users home dir
# (search only; reading file content needs httpd_read_user_content)
tunable_policy(`httpd_enable_homedirs',`
	userdom_search_user_home_content(httpd_t)
	userdom_search_user_home_content(httpd_suexec_t)
	userdom_search_user_home_content(httpd_user_script_t)
')

# Read access to all user home content for the server, suexec and user
# scripts alike -- not restricted to web-labeled files.
tunable_policy(`httpd_read_user_content',`
	userdom_read_user_home_content_files(httpd_t)
	userdom_read_user_home_content_files(httpd_suexec_t)
	userdom_read_user_home_content_files(httpd_user_script_t)
')
395df07f DW |
1296 | |
1297 | ######################################## | |
1298 | # | |
1299 | # httpd_passwd local policy | |
1300 | # | |
1301 | ||
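allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;

# Interacts over fds inherited from the interactive session.
domain_use_interactive_fds(httpd_passwd_t)

files_read_etc_files(httpd_passwd_t)

miscfiles_read_localization(httpd_passwd_t)

# May execute generic bin_t programs without a domain transition.
corecmd_exec_bin(httpd_passwd_t)

kernel_read_system_state(httpd_passwd_t)

dev_read_urand(httpd_passwd_t)

# Applies to httpd_t (the parent), not httpd_passwd_t: the server manages
# the systemd password-agent runtime directory. A commented-out
# systemd_passwd_agent_dev_template call that followed was dead text and
# has been removed; re-add it as live policy if it is needed.
systemd_manage_passwd_run(httpd_t)

domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
# The password helper has no business reading httpd config; silence it.
dontaudit httpd_passwd_t httpd_config_t:file read;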
1323 | ||
14dcf129 | 1324 | |
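# Rules shared by every script domain (httpd_script_type attribute) and
# the httpd_t side of talking to them. This block used to carry several
# exact-duplicate rules; they were merged here without changing the
# resulting policy.

search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
corecmd_shell_entry_type(httpd_script_type)

# rw_fifo_file_perms is the fifo-specific name of the same permission
# set; used for consistency with the php and suexec rules above.
allow httpd_script_type self:fifo_file rw_fifo_file_perms;
allow httpd_script_type self:unix_stream_socket connectto;

allow httpd_script_type httpd_t:fifo_file write;
# apache should set close-on-exec
apache_dontaudit_leaks(httpd_script_type)

# Append-only on httpd logs from any script domain.
append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
logging_search_logs(httpd_script_type)

kernel_dontaudit_search_sysctl(httpd_script_type)
kernel_dontaudit_search_kernel_sysctl(httpd_script_type)

dev_read_rand(httpd_script_type)
dev_read_urand(httpd_script_type)

# Broad execute rights: every executable type, every application type,
# executable files under /etc, ld.so and library files -- all without a
# domain transition. A script that can write any such file (e.g. via the
# httpd_unified manage rules) can run it in its own domain.
corecmd_exec_all_executables(httpd_script_type)
application_exec_all(httpd_script_type)

files_exec_etc_files(httpd_script_type)
files_read_etc_files(httpd_script_type)
files_search_home(httpd_script_type)

libs_exec_ld_so(httpd_script_type)
libs_exec_lib_files(httpd_script_type)

miscfiles_read_fonts(httpd_script_type)
miscfiles_read_public_files(httpd_script_type)

seutil_dontaudit_search_config(httpd_script_type)
allow httpd_t httpd_script_type:unix_stream_socket connectto;

# httpd_t only needs to read and list script executables; it may signal,
# stop and kill the script processes it spawns.
allow httpd_t httpd_script_exec_type:file read_file_perms;
allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
allow httpd_t httpd_script_type:process { signal sigkill sigstop };
allow httpd_t httpd_script_exec_type:dir list_dir_perms;

allow httpd_script_type self:process { setsched signal_perms };
allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
allow httpd_script_type self:unix_dgram_socket create_socket_perms;

allow httpd_script_type httpd_t:fd use;
allow httpd_script_type httpd_t:process sigchld;

# Leaked client sockets are silenced here; httpd_sys_script_t is granted
# them explicitly in its own section.
dontaudit httpd_script_type httpd_t:tcp_socket { read write };

kernel_read_system_state(httpd_script_type)

fs_getattr_xattr_fs(httpd_script_type)

files_read_etc_runtime_files(httpd_script_type)
files_read_usr_files(httpd_script_type)

libs_read_lib_files(httpd_script_type)

miscfiles_read_localization(httpd_script_type)
allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;

tunable_policy(`httpd_enable_cgi && allow_ypbind',`
	nis_use_ypbind_uncond(httpd_script_type)
')

optional_policy(`
	nscd_socket_use(httpd_script_type)
')

# httpd_t can read every content type unconditionally (it has to serve
# the files); httpd_builtin_scripting therefore does not restrict read
# access, it only adds directory listing for httpd_t and directory
# search for httpd_suexec_t.
read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)

tunable_policy(`httpd_builtin_scripting',`
	allow httpd_t httpd_content_type:dir search_dir_perms;
	allow httpd_suexec_t httpd_content_type:dir search_dir_perms;

	allow httpd_t httpd_content_type:dir list_dir_perms;
	read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
	read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
')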