1 policy_module(apache, 2.2.1)
5 # This policy will work with SUEXEC enabled as part of the Apache
6 # configuration. However, the user CGI scripts will run under the
7 # system_u:system_r:httpd_user_script_t.
9 # The user CGI scripts must be labeled with the httpd_user_script_exec_t
10 # type, and the directory containing the scripts should also be labeled
11 # with these types. This policy allows the user role to perform that
12 # relabeling. If it is desired that only admin role should be able to relabel
13 # the user CGI scripts, then relabel rule for user roles should be removed.
16 ########################################
21 selinux_genbool(httpd_bool_t)
25 ## Allow Apache to modify public files
26 ## used for public file transfer services. Directories/Files must
27 ## be labeled public_content_rw_t.
30 gen_tunable(allow_httpd_anon_write, false)
34 ## Allow Apache to use mod_auth_pam
37 gen_tunable(allow_httpd_mod_auth_pam, false)
41 ## Allow Apache to use mod_auth_ntlm_winbind
44 gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
48 ## Allow httpd scripts and modules execmem/execstack
51 gen_tunable(httpd_execmem, false)
55 ## Allow httpd daemon to change system limits
58 gen_tunable(httpd_setrlimit, false)
62 ## Allow httpd to use built in scripting (usually php)
65 gen_tunable(httpd_builtin_scripting, false)
69 ## Allow HTTPD scripts and modules to connect to the network using any TCP port.
72 gen_tunable(httpd_can_network_connect, false)
76 ## Allow HTTPD scripts and modules to connect to cobbler over the network.
79 gen_tunable(httpd_can_network_connect_cobbler, false)
83 ## Allow HTTPD scripts and modules to connect to databases over the network.
86 gen_tunable(httpd_can_network_connect_db, false)
90 ## Allow httpd to connect to memcache server
93 gen_tunable(httpd_can_network_memcache, false)
97 ## Allow httpd to act as a relay
100 gen_tunable(httpd_can_network_relay, false)
104 ## Allow http daemon to send mail
107 gen_tunable(httpd_can_sendmail, false)
111 ## Allow http daemon to check spam
114 gen_tunable(httpd_can_check_spam, false)
118 ## Allow Apache to communicate with avahi service via dbus
121 gen_tunable(httpd_dbus_avahi, false)
125 ## Allow httpd to execute cgi scripts
128 gen_tunable(httpd_enable_cgi, false)
132 ## Allow httpd to act as a FTP server by
133 ## listening on the ftp port.
136 gen_tunable(httpd_enable_ftp_server, false)
140 ## Allow httpd to act as a FTP client
141 ## connecting to the ftp port and ephemeral ports
144 gen_tunable(httpd_can_connect_ftp, false)
148 ## Allow httpd to connect to the ldap port
151 gen_tunable(httpd_can_connect_ldap, false)
155 ## Allow httpd to read home directories
158 gen_tunable(httpd_enable_homedirs, false)
162 ## Allow httpd to read user content
165 gen_tunable(httpd_read_user_content, false)
169 ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
172 gen_tunable(httpd_ssi_exec, false)
176 ## Allow Apache to execute tmp content.
179 gen_tunable(httpd_tmp_exec, false)
183 ## Unify HTTPD to communicate with the terminal.
184 ## Needed for entering the passphrase for certificates at
188 gen_tunable(httpd_tty_comm, false)
192 ## Unify HTTPD handling of all content files.
195 gen_tunable(httpd_unified, false)
199 ## Allow httpd to access cifs file systems
202 gen_tunable(httpd_use_cifs, false)
206 ## Allow httpd to run gpg in gpg-web domain
209 gen_tunable(httpd_use_gpg, false)
213 ## Allow httpd to access nfs file systems
216 gen_tunable(httpd_use_nfs, false)
220 ## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
223 gen_tunable(allow_httpd_sys_script_anon_write, false)
225 attribute httpdcontent;
226 attribute httpd_user_content_type;
227 attribute httpd_content_type;
229 # domains that can exec all users scripts
230 attribute httpd_exec_scripts;
232 attribute httpd_script_type;
233 attribute httpd_script_exec_type;
234 attribute httpd_user_script_exec_type;
236 # user script domains
237 attribute httpd_script_domains;
241 init_daemon_domain(httpd_t, httpd_exec_t)
242 role system_r types httpd_t;
244 # httpd_cache_t is the type given to the /var/cache/httpd
245 # directory and the files under that directory
247 files_type(httpd_cache_t)
249 # httpd_config_t is the type given to the configuration files
251 files_config_file(httpd_config_t)
254 type httpd_helper_exec_t;
255 domain_type(httpd_helper_t)
256 domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
257 role system_r types httpd_helper_t;
259 type httpd_initrc_exec_t;
260 init_script_file(httpd_initrc_exec_t)
262 type httpd_unit_file_t;
263 systemd_unit_file(httpd_unit_file_t)
266 files_lock_file(httpd_lock_t)
269 logging_log_file(httpd_log_t)
271 # httpd_modules_t is the type given to module files (libraries)
272 # that come with Apache /etc/httpd/modules and /usr/lib/apache
273 type httpd_modules_t;
274 files_type(httpd_modules_t)
277 type httpd_php_exec_t;
278 domain_type(httpd_php_t)
279 domain_entry_file(httpd_php_t, httpd_php_exec_t)
280 role system_r types httpd_php_t;
282 type httpd_php_tmp_t;
283 files_tmp_file(httpd_php_tmp_t)
285 type httpd_rotatelogs_t;
286 type httpd_rotatelogs_exec_t;
287 init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
289 type httpd_squirrelmail_t;
290 files_type(httpd_squirrelmail_t)
292 # SUEXEC runs user scripts as their own user ID
293 type httpd_suexec_t; #, daemon;
294 type httpd_suexec_exec_t;
295 domain_type(httpd_suexec_t)
296 domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
297 role system_r types httpd_suexec_t;
299 type httpd_suexec_tmp_t;
300 files_tmp_file(httpd_suexec_tmp_t)
302 # setup the system domain for system CGI scripts
303 apache_content_template(sys)
306 postgresql_unpriv_client(httpd_sys_script_t)
309 typeattribute httpd_sys_content_t httpdcontent; # customizable
310 typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
311 typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
313 # Removal of fastcgi, will cause problems without the following
314 typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
315 typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
316 typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
317 typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
318 typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
321 files_tmp_file(httpd_tmp_t)
324 files_tmpfs_file(httpd_tmpfs_t)
326 apache_content_template(user)
327 ubac_constrained(httpd_user_script_t)
328 typeattribute httpd_user_content_t httpdcontent;
329 typeattribute httpd_user_rw_content_t httpdcontent;
330 typeattribute httpd_user_ra_content_t httpdcontent;
332 userdom_user_home_content(httpd_user_content_t)
333 userdom_user_home_content(httpd_user_htaccess_t)
334 userdom_user_home_content(httpd_user_script_exec_t)
335 userdom_user_home_content(httpd_user_ra_content_t)
336 userdom_user_home_content(httpd_user_rw_content_t)
337 typeattribute httpd_user_script_t httpd_script_domains;
338 typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
339 typealias httpd_user_content_t alias httpd_unconfined_content_t;
340 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
341 typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
342 typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
343 typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
344 typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
345 typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
346 typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
347 typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
348 typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
349 typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
350 typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
351 typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
352 typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
354 # for apache2 memory mapped files
355 type httpd_var_lib_t;
356 files_type(httpd_var_lib_t)
358 type httpd_var_run_t;
359 files_pid_file(httpd_var_run_t)
361 # Removal of fastcgi, will cause problems without the following
362 typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
364 # File Type of squirrelmail attachments
365 type squirrelmail_spool_t;
366 files_tmp_file(squirrelmail_spool_t)
367 files_spool_file(squirrelmail_spool_t)
370 prelink_object_file(httpd_modules_t)
374 type httpd_passwd_exec_t;
375 application_domain(httpd_passwd_t, httpd_passwd_exec_t)
376 role system_r types httpd_passwd_t;
378 ########################################
380 # Apache server local policy
383 allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
384 dontaudit httpd_t self:capability { net_admin sys_tty_config };
385 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
386 allow httpd_t self:fd use;
387 allow httpd_t self:sock_file read_sock_file_perms;
388 allow httpd_t self:fifo_file rw_fifo_file_perms;
389 allow httpd_t self:shm create_shm_perms;
390 allow httpd_t self:sem create_sem_perms;
391 allow httpd_t self:msgq create_msgq_perms;
392 allow httpd_t self:msg { send receive };
393 allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
394 allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
395 allow httpd_t self:tcp_socket create_stream_socket_perms;
396 allow httpd_t self:udp_socket create_socket_perms;
397 dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
399 # Allow httpd_t to put files in /var/cache/httpd etc
400 manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
401 manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
402 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
403 files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
405 # Allow the httpd_t to read the web servers config files
406 allow httpd_t httpd_config_t:dir list_dir_perms;
407 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
408 read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
410 can_exec(httpd_t, httpd_exec_t)
412 allow httpd_t httpd_lock_t:file manage_file_perms;
413 files_lock_filetrans(httpd_t, httpd_lock_t, file)
415 allow httpd_t httpd_log_t:dir setattr;
416 create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
417 append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
418 read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
419 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
420 # cjp: need to refine create interfaces to
421 # cut this back to add_name only
422 logging_log_filetrans(httpd_t, httpd_log_t, file)
424 allow httpd_t httpd_modules_t:dir list_dir_perms;
425 mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
426 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
427 read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
429 apache_domtrans_rotatelogs(httpd_t)
430 # Apache-httpd needs to be able to send signals to the log rotate procs.
431 allow httpd_t httpd_rotatelogs_t:process signal_perms;
433 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
434 manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
435 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
437 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
439 allow httpd_t httpd_sys_content_t:dir list_dir_perms;
440 read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
441 read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
443 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
445 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
446 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
447 manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
448 manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
449 files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
451 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
452 manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
453 manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
454 manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
455 manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
456 fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
458 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
459 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
461 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
462 manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
463 manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
464 manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
465 files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
467 manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
468 manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
469 manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
471 kernel_read_kernel_sysctls(httpd_t)
472 # for modules that want to access /proc/meminfo
473 kernel_read_system_state(httpd_t)
474 kernel_read_network_state(httpd_t)
475 kernel_read_network_state(httpd_t)
476 kernel_search_network_sysctl(httpd_t)
478 corenet_all_recvfrom_unlabeled(httpd_t)
479 corenet_all_recvfrom_netlabel(httpd_t)
480 corenet_tcp_sendrecv_generic_if(httpd_t)
481 corenet_udp_sendrecv_generic_if(httpd_t)
482 corenet_tcp_sendrecv_generic_node(httpd_t)
483 corenet_udp_sendrecv_generic_node(httpd_t)
484 corenet_tcp_sendrecv_all_ports(httpd_t)
485 corenet_udp_sendrecv_all_ports(httpd_t)
486 corenet_tcp_bind_generic_node(httpd_t)
487 corenet_udp_bind_generic_node(httpd_t)
488 corenet_tcp_bind_http_port(httpd_t)
489 corenet_tcp_bind_http_cache_port(httpd_t)
490 corenet_tcp_bind_ntop_port(httpd_t)
491 corenet_tcp_bind_jboss_management_port(httpd_t)
492 corenet_sendrecv_http_server_packets(httpd_t)
493 corenet_tcp_bind_puppet_port(httpd_t)
494 # Signal self for shutdown
495 #corenet_tcp_connect_http_port(httpd_t)
497 dev_read_sysfs(httpd_t)
498 dev_read_rand(httpd_t)
499 dev_read_urand(httpd_t)
500 dev_rw_crypto(httpd_t)
502 fs_getattr_all_fs(httpd_t)
503 fs_search_auto_mountpoints(httpd_t)
504 fs_read_iso9660_files(httpd_t)
505 fs_read_anon_inodefs_files(httpd_t)
507 auth_use_nsswitch(httpd_t)
509 application_exec_all(httpd_t)
511 domain_use_interactive_fds(httpd_t)
513 files_dontaudit_getattr_all_pids(httpd_t)
514 files_read_usr_files(httpd_t)
515 files_list_mnt(httpd_t)
516 files_search_spool(httpd_t)
517 files_read_var_symlinks(httpd_t)
518 files_read_var_lib_files(httpd_t)
519 files_search_home(httpd_t)
520 files_getattr_home_dir(httpd_t)
521 # for modules that want to access /etc/mtab
522 files_read_etc_runtime_files(httpd_t)
523 # Allow httpd_t to have access to files such as nisswitch.conf
524 files_read_etc_files(httpd_t)
526 files_read_var_lib_symlinks(httpd_t)
528 fs_search_auto_mountpoints(httpd_sys_script_t)
529 # php uploads a file to /tmp and then execs programs to acton them
530 manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
531 manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
532 manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
533 manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
534 manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
535 files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
537 libs_read_lib_files(httpd_t)
539 ifdef(`hide_broken_symptoms',`
540 libs_exec_lib_files(httpd_t)
543 logging_send_syslog_msg(httpd_t)
545 miscfiles_read_localization(httpd_t)
546 miscfiles_read_fonts(httpd_t)
547 miscfiles_read_public_files(httpd_t)
548 miscfiles_read_generic_certs(httpd_t)
549 miscfiles_read_tetex_data(httpd_t)
551 seutil_dontaudit_search_config(httpd_t)
553 userdom_use_unpriv_users_fds(httpd_t)
555 tunable_policy(`httpd_setrlimit',`
556 allow httpd_t self:process setrlimit;
557 allow httpd_t self:capability sys_resource;
560 tunable_policy(`allow_httpd_anon_write',`
561 miscfiles_manage_public_files(httpd_t)
565 # We need optionals to be able to be within booleans to make this work
567 tunable_policy(`allow_httpd_mod_auth_pam',`
568 auth_domtrans_chkpwd(httpd_t)
569 logging_send_audit_msgs(httpd_t)
573 tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
574 samba_domtrans_winbind_helper(httpd_t)
578 tunable_policy(`httpd_can_network_connect',`
579 corenet_tcp_connect_all_ports(httpd_t)
582 tunable_policy(`httpd_can_network_connect_db',`
583 corenet_tcp_connect_firebird_port(httpd_t)
584 corenet_tcp_connect_mssql_port(httpd_t)
585 corenet_sendrecv_mssql_client_packets(httpd_t)
586 corenet_tcp_connect_oracle_port(httpd_t)
587 corenet_sendrecv_oracle_client_packets(httpd_t)
590 tunable_policy(`httpd_can_network_memcache',`
591 corenet_tcp_connect_memcache_port(httpd_t)
594 tunable_policy(`httpd_can_network_relay',`
595 # allow httpd to work as a relay
596 corenet_tcp_connect_gopher_port(httpd_t)
597 corenet_tcp_connect_ftp_port(httpd_t)
598 corenet_tcp_connect_http_port(httpd_t)
599 corenet_tcp_connect_http_cache_port(httpd_t)
600 corenet_tcp_connect_squid_port(httpd_t)
601 corenet_tcp_connect_memcache_port(httpd_t)
602 corenet_sendrecv_gopher_client_packets(httpd_t)
603 corenet_sendrecv_ftp_client_packets(httpd_t)
604 corenet_sendrecv_http_client_packets(httpd_t)
605 corenet_sendrecv_http_cache_client_packets(httpd_t)
606 corenet_sendrecv_squid_client_packets(httpd_t)
607 corenet_tcp_connect_all_ephemeral_ports(httpd_t)
610 tunable_policy(`httpd_execmem',`
611 allow httpd_t self:process { execmem execstack };
612 allow httpd_sys_script_t self:process { execmem execstack };
613 allow httpd_suexec_t self:process { execmem execstack };
616 tunable_policy(`httpd_enable_cgi && httpd_unified',`
617 allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
618 filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
619 can_exec(httpd_sys_script_t, httpd_sys_content_t)
622 tunable_policy(`allow_httpd_sys_script_anon_write',`
623 miscfiles_manage_public_files(httpd_sys_script_t)
626 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
627 fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
630 tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
631 fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
634 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
635 domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
636 filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
637 manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
638 manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
639 manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
641 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
642 manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
643 manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
646 tunable_policy(`httpd_can_connect_ftp',`
647 corenet_tcp_connect_ftp_port(httpd_t)
648 corenet_tcp_connect_all_ephemeral_ports(httpd_t)
651 tunable_policy(`httpd_can_connect_ldap',`
652 corenet_tcp_connect_ldap_port(httpd_t)
655 tunable_policy(`httpd_enable_ftp_server',`
656 corenet_tcp_bind_ftp_port(httpd_t)
657 corenet_tcp_bind_all_ephemeral_ports(httpd_t)
660 tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
661 can_exec(httpd_t, httpd_tmp_t)
664 tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
665 can_exec(httpd_sys_script_t, httpd_tmp_t)
668 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
669 fs_list_auto_mountpoints(httpd_t)
670 fs_read_nfs_files(httpd_t)
671 fs_read_nfs_symlinks(httpd_t)
674 tunable_policy(`httpd_use_nfs',`
675 fs_list_auto_mountpoints(httpd_t)
676 fs_manage_nfs_dirs(httpd_t)
677 fs_manage_nfs_files(httpd_t)
678 fs_manage_nfs_symlinks(httpd_t)
681 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
682 fs_read_cifs_files(httpd_t)
683 fs_read_cifs_symlinks(httpd_t)
686 tunable_policy(`httpd_can_sendmail',`
687 # allow httpd to connect to mail servers
688 corenet_tcp_connect_smtp_port(httpd_t)
689 corenet_sendrecv_smtp_client_packets(httpd_t)
690 corenet_tcp_connect_pop_port(httpd_t)
691 corenet_sendrecv_pop_client_packets(httpd_t)
692 mta_send_mail(httpd_t)
693 mta_signal_system_mail(httpd_t)
696 tunable_policy(`httpd_use_cifs',`
697 fs_manage_cifs_dirs(httpd_t)
698 fs_manage_cifs_files(httpd_t)
699 fs_manage_cifs_symlinks(httpd_t)
702 tunable_policy(`httpd_ssi_exec',`
703 corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
704 allow httpd_sys_script_t httpd_t:fd use;
705 allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
706 allow httpd_sys_script_t httpd_t:process sigchld;
709 # When the admin starts the server, the server wants to access
710 # the TTY or PTY associated with the session. The httpd appears
711 # to run correctly without this permission, so the permission
712 # are dontaudited here.
713 tunable_policy(`httpd_tty_comm',`
714 userdom_use_inherited_user_terminals(httpd_t)
715 userdom_use_inherited_user_terminals(httpd_suexec_t)
717 userdom_dontaudit_use_user_terminals(httpd_t)
718 userdom_dontaudit_use_user_terminals(httpd_suexec_t)
722 # Support for ABRT retrace server
724 abrt_manage_spool_retrace(httpd_t)
725 abrt_domtrans_retrace_worker(httpd_t)
726 abrt_read_config(httpd_t)
730 calamaris_read_www_files(httpd_t)
734 ccs_read_config(httpd_t)
738 cobbler_list_config(httpd_t)
739 cobbler_read_config(httpd_t)
740 cobbler_read_lib_files(httpd_t)
742 tunable_policy(`httpd_can_network_connect_cobbler',`
743 corenet_tcp_connect_cobbler_port(httpd_t)
748 cron_system_entry(httpd_t, httpd_exec_t)
752 cvs_read_data(httpd_t)
756 daemontools_service_domain(httpd_t, httpd_exec_t)
760 dirsrv_manage_config(httpd_t)
761 dirsrv_manage_log(httpd_t)
762 dirsrv_manage_var_run(httpd_t)
763 dirsrv_read_share(httpd_t)
764 dirsrv_signal(httpd_t)
765 dirsrv_signull(httpd_t)
766 dirsrvadmin_manage_config(httpd_t)
767 dirsrvadmin_manage_tmp(httpd_t)
768 dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
772 dbus_system_bus_client(httpd_t)
774 tunable_policy(`httpd_dbus_avahi',`
775 avahi_dbus_chat(httpd_t)
780 git_read_generic_system_content_files(httpd_t)
781 gitosis_read_lib_files(httpd_t)
785 tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
786 gpg_domtrans_web(httpd_t)
791 kerberos_keytab_template(httpd, httpd_t)
795 mailman_signal_cgi(httpd_t)
796 mailman_domtrans_cgi(httpd_t)
797 mailman_read_data_files(httpd_t)
798 # should have separate types for public and private archives
799 mailman_search_data(httpd_t)
800 mailman_read_archive(httpd_t)
804 mediawiki_read_tmp_files(httpd_t)
805 mediawiki_delete_tmp_files(httpd_t)
809 # Allow httpd to work with mysql
810 mysql_read_config(httpd_t)
811 mysql_stream_connect(httpd_t)
812 mysql_rw_db_sockets(httpd_t)
814 tunable_policy(`httpd_can_network_connect_db',`
815 mysql_tcp_connect(httpd_t)
820 nagios_read_config(httpd_t)
821 nagios_read_log(httpd_t)
825 openca_domtrans(httpd_t)
826 openca_signal(httpd_t)
827 openca_sigstop(httpd_t)
832 passenger_domtrans(httpd_t)
833 passenger_manage_pid_content(httpd_t)
834 passenger_read_lib_files(httpd_t)
838 puppet_read_lib(httpd_t)
842 rpc_search_nfs_state_data(httpd_t)
846 # Allow httpd to work with postgresql
847 postgresql_stream_connect(httpd_t)
848 postgresql_unpriv_client(httpd_t)
850 tunable_policy(`httpd_can_network_connect_db',`
851 postgresql_tcp_connect(httpd_t)
856 seutil_sigchld_newrole(httpd_t)
860 smokeping_read_lib_files(httpd_t)
864 files_dontaudit_rw_usr_dirs(httpd_t)
865 snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
866 snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
870 udev_read_db(httpd_t)
874 yam_read_content(httpd_t)
878 zarafa_manage_lib_files(httpd_t)
879 zarafa_stream_connect_server(httpd_t)
880 zarafa_search_config(httpd_t)
883 ########################################
885 # Apache helper local policy
888 domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
890 allow httpd_helper_t httpd_config_t:file read_file_perms;
892 allow httpd_helper_t httpd_log_t:file append_file_perms;
894 logging_send_syslog_msg(httpd_helper_t)
896 userdom_use_inherited_user_terminals(httpd_helper_t)
898 tunable_policy(`httpd_tty_comm',`
899 userdom_use_inherited_user_terminals(httpd_helper_t)
902 ########################################
904 # Apache PHP script local policy
907 allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
908 allow httpd_php_t self:fd use;
909 allow httpd_php_t self:fifo_file rw_fifo_file_perms;
910 allow httpd_php_t self:sock_file read_sock_file_perms;
911 allow httpd_php_t self:unix_dgram_socket create_socket_perms;
912 allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
913 allow httpd_php_t self:unix_dgram_socket sendto;
914 allow httpd_php_t self:unix_stream_socket connectto;
915 allow httpd_php_t self:shm create_shm_perms;
916 allow httpd_php_t self:sem create_sem_perms;
917 allow httpd_php_t self:msgq create_msgq_perms;
918 allow httpd_php_t self:msg { send receive };
920 domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
922 # allow php to read and append to apache logfiles
923 allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
925 manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
926 manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
927 files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
929 fs_search_auto_mountpoints(httpd_php_t)
931 auth_use_nsswitch(httpd_php_t)
933 libs_exec_lib_files(httpd_php_t)
935 userdom_use_unpriv_users_fds(httpd_php_t)
937 tunable_policy(`httpd_can_network_connect_db',`
938 corenet_tcp_connect_firebird_port(httpd_php_t)
939 corenet_tcp_connect_mssql_port(httpd_php_t)
940 corenet_sendrecv_mssql_client_packets(httpd_php_t)
941 corenet_tcp_connect_oracle_port(httpd_php_t)
942 corenet_sendrecv_oracle_client_packets(httpd_php_t)
946 mysql_stream_connect(httpd_php_t)
947 mysql_rw_db_sockets(httpd_php_t)
948 mysql_read_config(httpd_php_t)
950 tunable_policy(`httpd_can_network_connect_db',`
951 mysql_tcp_connect(httpd_php_t)
956 postgresql_stream_connect(httpd_php_t)
957 postgresql_unpriv_client(httpd_php_t)
959 tunable_policy(`httpd_can_network_connect_db',`
960 postgresql_tcp_connect(httpd_php_t)
964 ########################################
966 # Apache suexec local policy
969 allow httpd_suexec_t self:capability { setuid setgid };
970 allow httpd_suexec_t self:process signal_perms;
972 allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
973 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
975 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
977 create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
978 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
979 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
981 allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
983 manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
984 manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
985 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
987 can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
989 read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
990 read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
991 read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
993 kernel_read_kernel_sysctls(httpd_suexec_t)
994 kernel_list_proc(httpd_suexec_t)
995 kernel_read_proc_symlinks(httpd_suexec_t)
997 dev_read_urand(httpd_suexec_t)
999 fs_read_iso9660_files(httpd_suexec_t)
1000 fs_search_auto_mountpoints(httpd_suexec_t)
1002 application_exec_all(httpd_suexec_t)
1004 files_read_etc_files(httpd_suexec_t)
1005 files_read_usr_files(httpd_suexec_t)
1006 files_dontaudit_search_pids(httpd_suexec_t)
1007 files_search_home(httpd_suexec_t)
1009 auth_use_nsswitch(httpd_suexec_t)
1011 logging_search_logs(httpd_suexec_t)
1012 logging_send_syslog_msg(httpd_suexec_t)
1014 miscfiles_read_localization(httpd_suexec_t)
1015 miscfiles_read_public_files(httpd_suexec_t)
1017 tunable_policy(`httpd_can_network_connect',`
1018 allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
1019 allow httpd_suexec_t self:udp_socket create_socket_perms;
1021 corenet_all_recvfrom_unlabeled(httpd_suexec_t)
1022 corenet_all_recvfrom_netlabel(httpd_suexec_t)
1023 corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
1024 corenet_udp_sendrecv_generic_if(httpd_suexec_t)
1025 corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
1026 corenet_udp_sendrecv_generic_node(httpd_suexec_t)
1027 corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
1028 corenet_udp_sendrecv_all_ports(httpd_suexec_t)
1029 corenet_tcp_connect_all_ports(httpd_suexec_t)
1030 corenet_sendrecv_all_client_packets(httpd_suexec_t)
1033 tunable_policy(`httpd_can_network_connect_db',`
1034 corenet_tcp_connect_firebird_port(httpd_suexec_t)
1035 corenet_tcp_connect_mssql_port(httpd_suexec_t)
1036 corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
1037 corenet_tcp_connect_oracle_port(httpd_suexec_t)
1038 corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
1041 domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
1043 tunable_policy(`httpd_can_sendmail',`
1044 mta_send_mail(httpd_suexec_t)
1047 tunable_policy(`httpd_enable_cgi && httpd_unified',`
1048 allow httpd_sys_script_t httpdcontent:file entrypoint;
1049 domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
1050 manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1051 manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1052 manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1053 manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
1056 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
1057 fs_list_auto_mountpoints(httpd_suexec_t)
1058 fs_read_nfs_files(httpd_suexec_t)
1059 fs_read_nfs_symlinks(httpd_suexec_t)
1060 fs_exec_nfs_files(httpd_suexec_t)
1063 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
1064 fs_read_cifs_files(httpd_suexec_t)
1065 fs_read_cifs_symlinks(httpd_suexec_t)
1066 fs_exec_cifs_files(httpd_suexec_t)
1070 mailman_domtrans_cgi(httpd_suexec_t)
1074 mta_stub(httpd_suexec_t)
1076 # apache should set close-on-exec
1077 dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
1081 mysql_stream_connect(httpd_suexec_t)
1082 mysql_rw_db_sockets(httpd_suexec_t)
1083 mysql_read_config(httpd_suexec_t)
1085 tunable_policy(`httpd_can_network_connect_db',`
1086 mysql_tcp_connect(httpd_suexec_t)
1091 postgresql_stream_connect(httpd_suexec_t)
1092 postgresql_unpriv_client(httpd_suexec_t)
1094 tunable_policy(`httpd_can_network_connect_db',`
1095 postgresql_tcp_connect(httpd_suexec_t)
1099 ########################################
1101 # Apache system script local policy
1104 allow httpd_sys_script_t self:process getsched;
1106 allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
1107 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
1109 dontaudit httpd_sys_script_t httpd_config_t:dir search;
1111 allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
1113 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
1114 read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
1115 read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
1117 kernel_read_kernel_sysctls(httpd_sys_script_t)
1119 files_read_var_symlinks(httpd_sys_script_t)
1120 files_search_var_lib(httpd_sys_script_t)
1121 files_search_spool(httpd_sys_script_t)
1123 logging_inherit_append_all_logs(httpd_sys_script_t)
1125 # Should we add a boolean?
1126 apache_domtrans_rotatelogs(httpd_sys_script_t)
1128 auth_use_nsswitch(httpd_sys_script_t)
1130 ifdef(`distro_redhat',`
1131 allow httpd_sys_script_t httpd_log_t:file append_file_perms;
1134 tunable_policy(`httpd_can_sendmail',`
1135 mta_send_mail(httpd_sys_script_t)
1139 tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
1140 spamassassin_domtrans_client(httpd_t)
1144 tunable_policy(`httpd_can_network_connect_db',`
1145 corenet_tcp_connect_firebird_port(httpd_sys_script_t)
1146 corenet_tcp_connect_mssql_port(httpd_sys_script_t)
1147 corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
1148 corenet_tcp_connect_oracle_port(httpd_sys_script_t)
1149 corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
1152 fs_cifs_entry_type(httpd_sys_script_t)
1153 fs_read_iso9660_files(httpd_sys_script_t)
1154 fs_nfs_entry_type(httpd_sys_script_t)
1156 tunable_policy(`httpd_use_nfs',`
1157 fs_list_auto_mountpoints(httpd_sys_script_t)
1158 fs_manage_nfs_dirs(httpd_sys_script_t)
1159 fs_manage_nfs_files(httpd_sys_script_t)
1160 fs_manage_nfs_symlinks(httpd_sys_script_t)
1161 fs_exec_nfs_files(httpd_sys_script_t)
1163 fs_list_auto_mountpoints(httpd_suexec_t)
1164 fs_manage_nfs_dirs(httpd_suexec_t)
1165 fs_manage_nfs_files(httpd_suexec_t)
1166 fs_manage_nfs_symlinks(httpd_suexec_t)
1167 fs_exec_nfs_files(httpd_suexec_t)
1170 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
1171 allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
1172 allow httpd_sys_script_t self:udp_socket create_socket_perms;
1174 corenet_tcp_bind_generic_node(httpd_sys_script_t)
1175 corenet_udp_bind_generic_node(httpd_sys_script_t)
1176 corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
1177 corenet_all_recvfrom_netlabel(httpd_sys_script_t)
1178 corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
1179 corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
1180 corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
1181 corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
1182 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
1183 corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
1184 corenet_tcp_connect_all_ports(httpd_sys_script_t)
1185 corenet_sendrecv_all_client_packets(httpd_sys_script_t)
1188 tunable_policy(`httpd_enable_homedirs',`
1189 userdom_search_user_home_dirs(httpd_sys_script_t)
1192 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
1193 fs_list_auto_mountpoints(httpd_sys_script_t)
1194 fs_read_nfs_files(httpd_sys_script_t)
1195 fs_read_nfs_symlinks(httpd_sys_script_t)
1198 tunable_policy(`httpd_read_user_content',`
1199 userdom_read_user_home_content_files(httpd_sys_script_t)
1202 tunable_policy(`httpd_use_cifs',`
1203 fs_manage_cifs_dirs(httpd_sys_script_t)
1204 fs_manage_cifs_files(httpd_sys_script_t)
1205 fs_manage_cifs_symlinks(httpd_sys_script_t)
1206 fs_manage_cifs_dirs(httpd_suexec_t)
1207 fs_manage_cifs_files(httpd_suexec_t)
1208 fs_manage_cifs_symlinks(httpd_suexec_t)
1209 fs_exec_cifs_files(httpd_suexec_t)
1212 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
1213 fs_read_cifs_files(httpd_sys_script_t)
1214 fs_read_cifs_symlinks(httpd_sys_script_t)
1218 clamav_domtrans_clamscan(httpd_sys_script_t)
1222 mysql_stream_connect(httpd_sys_script_t)
1223 mysql_rw_db_sockets(httpd_sys_script_t)
1224 mysql_read_config(httpd_sys_script_t)
1226 tunable_policy(`httpd_can_network_connect_db',`
1227 mysql_tcp_connect(httpd_sys_script_t)
1232 postgresql_stream_connect(httpd_sys_script_t)
1233 postgresql_unpriv_client(httpd_sys_script_t)
1235 tunable_policy(`httpd_can_network_connect_db',`
1236 postgresql_tcp_connect(httpd_sys_script_t)
1240 ########################################
1242 # httpd_rotatelogs local policy
1245 allow httpd_rotatelogs_t self:capability dac_override;
1247 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
1249 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
1250 kernel_dontaudit_list_proc(httpd_rotatelogs_t)
1251 kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
1253 files_read_etc_files(httpd_rotatelogs_t)
1255 logging_search_logs(httpd_rotatelogs_t)
1257 miscfiles_read_localization(httpd_rotatelogs_t)
1259 ########################################
1261 # Unconfined script local policy
1265 type httpd_unconfined_script_t;
1266 type httpd_unconfined_script_exec_t;
1267 domain_type(httpd_unconfined_script_t)
1268 domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
1269 domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
1270 unconfined_domain(httpd_unconfined_script_t)
1272 role system_r types httpd_unconfined_script_t;
1273 allow httpd_t httpd_unconfined_script_t:process signal_perms;
1276 ########################################
1278 # User content local policy
1281 tunable_policy(`httpd_enable_cgi && httpd_unified',`
1282 allow httpd_user_script_t httpdcontent:file entrypoint;
1283 manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
1284 manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
1285 manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
1286 manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
1289 # allow accessing files/dirs below the users home dir
1290 tunable_policy(`httpd_enable_homedirs',`
1291 userdom_search_user_home_content(httpd_t)
1292 userdom_search_user_home_content(httpd_suexec_t)
1293 userdom_search_user_home_content(httpd_user_script_t)
1296 tunable_policy(`httpd_read_user_content',`
1297 userdom_read_user_home_content_files(httpd_t)
1298 userdom_read_user_home_content_files(httpd_suexec_t)
1299 userdom_read_user_home_content_files(httpd_user_script_t)
1302 ########################################
1304 # httpd_passwd local policy
1307 allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
1308 allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
1309 allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
1311 domain_use_interactive_fds(httpd_passwd_t)
1313 files_read_etc_files(httpd_passwd_t)
1315 miscfiles_read_localization(httpd_passwd_t)
1317 corecmd_exec_bin(httpd_passwd_t)
1319 kernel_read_system_state(httpd_passwd_t)
1321 dev_read_urand(httpd_passwd_t)
1323 systemd_manage_passwd_run(httpd_t)
1324 #systemd_passwd_agent_dev_template(httpd)
1326 domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
1327 dontaudit httpd_passwd_t httpd_config_t:file read;
1330 search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
1331 corecmd_shell_entry_type(httpd_script_type)
1333 allow httpd_script_type self:fifo_file rw_file_perms;
1334 allow httpd_script_type self:unix_stream_socket connectto;
1336 allow httpd_script_type httpd_t:fifo_file write;
1337 # apache should set close-on-exec
1338 apache_dontaudit_leaks(httpd_script_type)
1340 append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
1341 logging_search_logs(httpd_script_type)
1343 kernel_dontaudit_search_sysctl(httpd_script_type)
1344 kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
1346 dev_read_rand(httpd_script_type)
1347 dev_read_urand(httpd_script_type)
1349 corecmd_exec_all_executables(httpd_script_type)
1350 application_exec_all(httpd_script_type)
1352 files_exec_etc_files(httpd_script_type)
1353 files_read_etc_files(httpd_script_type)
1354 files_search_home(httpd_script_type)
1356 libs_exec_ld_so(httpd_script_type)
1357 libs_exec_lib_files(httpd_script_type)
1359 miscfiles_read_fonts(httpd_script_type)
1360 miscfiles_read_public_files(httpd_script_type)
1362 seutil_dontaudit_search_config(httpd_script_type)
1363 allow httpd_t httpd_script_type:unix_stream_socket connectto;
1365 allow httpd_t httpd_script_exec_type:file read_file_perms;
1366 allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
1367 allow httpd_t httpd_script_type:process { signal sigkill sigstop };
1368 allow httpd_t httpd_script_exec_type:dir list_dir_perms;
1370 allow httpd_script_type self:process { setsched signal_perms };
1371 allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
1372 allow httpd_script_type self:unix_dgram_socket create_socket_perms;
1374 allow httpd_script_type httpd_t:fd use;
1375 allow httpd_script_type httpd_t:process sigchld;
1377 dontaudit httpd_script_type httpd_t:tcp_socket { read write };
1379 kernel_read_system_state(httpd_script_type)
1381 dev_read_urand(httpd_script_type)
1383 fs_getattr_xattr_fs(httpd_script_type)
1385 files_read_etc_runtime_files(httpd_script_type)
1386 files_read_usr_files(httpd_script_type)
1388 libs_read_lib_files(httpd_script_type)
1390 miscfiles_read_localization(httpd_script_type)
1391 allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
1393 tunable_policy(`httpd_enable_cgi && allow_ypbind',`
1394 nis_use_ypbind_uncond(httpd_script_type)
1398 nscd_socket_use(httpd_script_type)
1401 read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
1403 tunable_policy(`httpd_builtin_scripting',`
1404 allow httpd_t httpd_content_type:dir search_dir_perms;
1405 allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
1407 allow httpd_t httpd_content_type:dir list_dir_perms;
1408 read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
1409 read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
1411 allow httpd_t httpd_content_type:dir list_dir_perms;
1412 read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
1413 read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)