mod_fcgid/fastcgi.te

policy_module(fastcgi, 0.1.9)

type httpd_fastcgi_var_run_t;
files_type(httpd_fastcgi_var_run_t)

require {
	type devpts_t;
	type httpd_t;
	type httpd_config_t;
	type httpd_log_t;
	type httpd_sys_script_exec_t;
	type httpd_sys_content_t;
	type httpd_tmp_t;
};

# ==========================================================
# Create and use httpd_fastcgi_script_t for mod_fcgid apps
# ==========================================================

apache_content_template(fastcgi)
kernel_read_kernel_sysctls(httpd_fastcgi_script_t)

## <desc>
## <p>
## Allow FastCGI applications to make outbound SMTP connections
## </p>
## </desc>
gen_tunable(httpd_fastcgi_can_sendmail,false)

tunable_policy(`httpd_fastcgi_can_sendmail',`
	corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t)
	corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t)
')

# Allow FastCGI applications to do DNS lookups
sysnet_dns_name_resolve(httpd_fastcgi_script_t)

# Allow FastCGI applications to live alongside regular CGI apps
allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };
allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms };

# Allow FastCGI applications to read the routing table
allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms };

# Allow httpd to create and use files and sockets for communicating with mod_fcgid
allow httpd_t httpd_fastcgi_var_run_t:dir { rw_dir_perms setattr };
allow httpd_t httpd_fastcgi_var_run_t:file { create_file_perms };
allow httpd_t httpd_fastcgi_var_run_t:sock_file { create_file_perms };

# Allow httpd to read httpd_fastcgi_content_t
# (shouldn't this be in the content template?)
allow httpd_t httpd_fastcgi_content_t:dir r_dir_perms;
allow httpd_t httpd_fastcgi_content_t:file r_file_perms;
allow httpd_t httpd_fastcgi_content_t:lnk_file { getattr read };

# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };

# These are probably leaked file descriptors
dontaudit httpd_t devpts_t:chr_file ioctl;
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;

# ======================================================
# Equivalent policy cribbed from httpd_sys_script_t
# ======================================================

dontaudit httpd_fastcgi_script_t httpd_config_t:dir search;

fs_search_auto_mountpoints(httpd_fastcgi_script_t)

# PHP uploads a file to /tmp and then execs programs to action them
allow httpd_fastcgi_script_t httpd_tmp_t:dir manage_dir_perms;
allow httpd_fastcgi_script_t httpd_tmp_t:file manage_file_perms;
files_tmp_filetrans(httpd_fastcgi_script_t,httpd_fastcgi_script_rw_t,{ dir file lnk_file sock_file fifo_file })

files_search_var_lib(httpd_fastcgi_script_t)
files_search_spool(httpd_fastcgi_script_t)

# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_fastcgi_script_t)

ifdef(`distro_redhat',`
	allow httpd_fastcgi_script_t httpd_log_t:file { getattr append };
')

ifdef(`targeted_policy',`
	tunable_policy(`httpd_enable_homedirs',`
		userdom_search_generic_user_home_dirs(httpd_fastcgi_script_t)
	')
')

tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_read_nfs_files(httpd_fastcgi_script_t)
	fs_read_nfs_symlinks(httpd_fastcgi_script_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_read_cifs_files(httpd_fastcgi_script_t)
	fs_read_cifs_symlinks(httpd_fastcgi_script_t)
')

optional_policy(`
	mysql_stream_connect(httpd_fastcgi_script_t)
	mysql_rw_db_sockets(httpd_fastcgi_script_t)
')

optional_policy(`
	clamav_domtrans_clamscan(httpd_fastcgi_script_t)
')
Update SELinux policy to fix occasional failures on restarts (move shared memory file into /var/run/mod_fcgid directory) 2008-01-14 11:46:12 +00:00			`policy_module(fastcgi, 0.1.9)`
auto-import mod_fcgid-1.10-6 on branch devel from mod_fcgid-1.10-6.src.rpm 2006-09-06 13:08:59 +00:00
Update SELinux policy to fix occasional failures on restarts (move shared memory file into /var/run/mod_fcgid directory) 2008-01-14 11:46:12 +00:00			`type httpd_fastcgi_var_run_t;`
			`files_type(httpd_fastcgi_var_run_t)`
auto-import mod_fcgid-1.10-6 on branch devel from mod_fcgid-1.10-6.src.rpm 2006-09-06 13:08:59 +00:00
			`require {`
			`type devpts_t;`
			`type httpd_t;`
			`type httpd_config_t;`
			`type httpd_log_t;`
			`type httpd_sys_script_exec_t;`
			`type httpd_sys_content_t;`
Update SELinux policy to support file transition to httpd_tmp_t for temporary files 2008-01-03 18:17:11 +00:00			`type httpd_tmp_t;`
auto-import mod_fcgid-1.10-6 on branch devel from mod_fcgid-1.10-6.src.rpm 2006-09-06 13:08:59 +00:00			`};`

			`# ==========================================================`
			`# Create and use httpd_fastcgi_script_t for mod_fcgid apps`
			`# ==========================================================`

			`apache_content_template(fastcgi)`
			`kernel_read_kernel_sysctls(httpd_fastcgi_script_t)`

Forgot a couple of doc updates... 2007-06-15 17:09:39 +00:00			`## <desc>`
			`## <p>`
			`## Allow FastCGI applications to make outbound SMTP connections`
			`## </p>`
			`## </desc>`
			`gen_tunable(httpd_fastcgi_can_sendmail,false)`

			tunable_policy(`httpd_fastcgi_can_sendmail',`
			`corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t)`
			`corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t)`
			`')`

auto-import mod_fcgid-1.10-6 on branch devel from mod_fcgid-1.10-6.src.rpm 2006-09-06 13:08:59 +00:00			`# Allow FastCGI applications to do DNS lookups`
			`sysnet_dns_name_resolve(httpd_fastcgi_script_t)`

			`# Allow FastCGI applications to live alongside regular CGI apps`
			`allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };`
			`allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms };`

			`# Allow FastCGI applications to read the routing table`
			`allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms };`

Update SELinux policy to fix occasional failures on restarts (move shared memory file into /var/run/mod_fcgid directory) 2008-01-14 11:46:12 +00:00			`# Allow httpd to create and use files and sockets for communicating with mod_fcgid`
			`allow httpd_t httpd_fastcgi_var_run_t:dir { rw_dir_perms setattr };`
			`allow httpd_t httpd_fastcgi_var_run_t:file { create_file_perms };`
			`allow httpd_t httpd_fastcgi_var_run_t:sock_file { create_file_perms };`
auto-import mod_fcgid-1.10-6 on branch devel from mod_fcgid-1.10-6.src.rpm 2006-09-06 13:08:59 +00:00
			`# Allow httpd to read httpd_fastcgi_content_t`
			`# (shouldn't this be in the content template?)`
			`allow httpd_t httpd_fastcgi_content_t:dir r_dir_perms;`
			`allow httpd_t httpd_fastcgi_content_t:file r_file_perms;`
			`allow httpd_t httpd_fastcgi_content_t:lnk_file { getattr read };`

			`# Allow FastCGI applications to listen for FastCGI requests on their`
			`# sockets and respond to them`
			`allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };`

Update SELinux policy to fix occasional failures on restarts (move shared memory file into /var/run/mod_fcgid directory) 2008-01-14 11:46:12 +00:00			`# These are probably leaked file descriptors`
auto-import mod_fcgid-1.10-6 on branch devel from mod_fcgid-1.10-6.src.rpm 2006-09-06 13:08:59 +00:00			`dontaudit httpd_t devpts_t:chr_file ioctl;`
Update SELinux policy to fix occasional failures on restarts (move shared memory file into /var/run/mod_fcgid directory) 2008-01-14 11:46:12 +00:00			`dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;`
auto-import mod_fcgid-1.10-6 on branch devel from mod_fcgid-1.10-6.src.rpm 2006-09-06 13:08:59 +00:00
			`# ======================================================`
			`# Equivalent policy cribbed from httpd_sys_script_t`
			`# ======================================================`

			`dontaudit httpd_fastcgi_script_t httpd_config_t:dir search;`

Forgot a couple of doc updates... 2007-06-15 17:09:39 +00:00			`fs_search_auto_mountpoints(httpd_fastcgi_script_t)`

Update SELinux policy to support file transition to httpd_tmp_t for temporary files 2008-01-03 18:17:11 +00:00			`# PHP uploads a file to /tmp and then execs programs to action them`
			`allow httpd_fastcgi_script_t httpd_tmp_t:dir manage_dir_perms;`
			`allow httpd_fastcgi_script_t httpd_tmp_t:file manage_file_perms;`
			`files_tmp_filetrans(httpd_fastcgi_script_t,httpd_fastcgi_script_rw_t,{ dir file lnk_file sock_file fifo_file })`

auto-import mod_fcgid-1.10-6 on branch devel from mod_fcgid-1.10-6.src.rpm 2006-09-06 13:08:59 +00:00			`files_search_var_lib(httpd_fastcgi_script_t)`
			`files_search_spool(httpd_fastcgi_script_t)`

Forgot a couple of doc updates... 2007-06-15 17:09:39 +00:00			`# Should we add a boolean?`
			`apache_domtrans_rotatelogs(httpd_fastcgi_script_t)`

auto-import mod_fcgid-1.10-6 on branch devel from mod_fcgid-1.10-6.src.rpm 2006-09-06 13:08:59 +00:00			ifdef(`distro_redhat',`
			`allow httpd_fastcgi_script_t httpd_log_t:file { getattr append };`
			`')`

			ifdef(`targeted_policy',`
			tunable_policy(`httpd_enable_homedirs',`
			`userdom_search_generic_user_home_dirs(httpd_fastcgi_script_t)`
			`')`
			`')`

Forgot a couple of doc updates... 2007-06-15 17:09:39 +00:00			tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
			`fs_read_nfs_files(httpd_fastcgi_script_t)`
			`fs_read_nfs_symlinks(httpd_fastcgi_script_t)`
			`')`

			tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
			`fs_read_cifs_files(httpd_fastcgi_script_t)`
			`fs_read_cifs_symlinks(httpd_fastcgi_script_t)`
			`')`

auto-import mod_fcgid-1.10-6 on branch devel from mod_fcgid-1.10-6.src.rpm 2006-09-06 13:08:59 +00:00			optional_policy(`
			`mysql_stream_connect(httpd_fastcgi_script_t)`
			`mysql_rw_db_sockets(httpd_fastcgi_script_t)`
			`')`

Forgot a couple of doc updates... 2007-06-15 17:09:39 +00:00			optional_policy(`
			`clamav_domtrans_clamscan(httpd_fastcgi_script_t)`
			`')`