mod_fcgid/fastcgi-2.5.te

# This policy module provides support for mod_fcgid using the httpd system script domain.
# It provides "allow" rules that will overlap to varying degrees with selinux-policy
# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
# as updates for selinux-policy in Fedora 8, 9, and 10.
#
# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
# which is now an alias for httpd_sys_script_t.

policy_module(fastcgi, 0.2.6)

require {
	type devpts_t;
	type httpd_t;
	type httpd_config_t;
	type httpd_log_t;
	type httpd_sys_content_t;
	type httpd_sys_content_ra_t;
	type httpd_sys_content_ro_t;
	type httpd_sys_content_rw_t;
	type httpd_sys_script_exec_t;
	type httpd_sys_script_ra_t;
	type httpd_sys_script_ro_t;
	type httpd_sys_script_rw_t;
	type httpd_sys_script_t;
	type httpd_tmp_t;
	type httpd_var_run_t;
};

# Type aliases for contexts used with older policy modules
typealias httpd_sys_content_t     alias httpd_fastcgi_content_t;
typealias httpd_sys_content_ra_t  alias httpd_fastcgi_content_ra_t;
typealias httpd_sys_content_ro_t  alias httpd_fastcgi_content_ro_t;
typealias httpd_sys_content_rw_t  alias httpd_fastcgi_content_rw_t;
typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
typealias httpd_sys_script_ra_t   alias httpd_fastcgi_script_ra_t;
typealias httpd_sys_script_ro_t   alias httpd_fastcgi_script_ro_t;
typealias httpd_sys_script_rw_t   alias httpd_fastcgi_script_rw_t;
typealias httpd_sys_script_t      alias httpd_fastcgi_script_t;
typealias httpd_var_run_t         alias httpd_fastcgi_var_run_t;


# ==========================================================
# Re-use httpd_sys_script_t for mod_fcgid apps
# ==========================================================

# Included in selinux-policy 2.6.4 (F7)
#kernel_read_kernel_sysctls(httpd_sys_script_t)

# Allow FastCGI applications to do DNS lookups
sysnet_dns_name_resolve(httpd_sys_script_t)

# Allow FastCGI applications to read the routing table
allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms };

# Allow httpd to create and use files and sockets for communicating with mod_fcgid
# Included in selinux-policy 2.6.4 (F7) apart from dir setattr
#manage_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
#manage_sock_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
setattr_dirs_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)

# Allow httpd to read httpd_sys_content_t
# Included in selinux-policy 2.6.4 (F7)
#allow httpd_t httpd_sys_content_t:dir list_dir_perms;
#read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
#read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)

# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them
allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };

# These are probably leaked file descriptors
dontaudit httpd_t devpts_t:chr_file ioctl;
dontaudit httpd_sys_script_t httpd_log_t:file ioctl;

# ======================================================
# Rules cribbed from recent httpd_sys_script_t policy
# ======================================================

# Included in selinux-policy 2.6.4 (F7)
#dontaudit httpd_sys_script_t httpd_config_t:dir search;
#
#fs_search_auto_mountpoints(httpd_sys_script_t)

# PHP uploads a file to /tmp and then execs programs to action them
# Included in selinux-policy 2.6.4 (F7) apart from filetrans
#manage_dirs_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
#manage_files_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })

# Included in selinux-policy 2.6.4 (F7)
#files_search_var_lib(httpd_sys_script_t)
#files_search_spool(httpd_sys_script_t)

# Should we add a boolean?
# Included in selinux-policy 2.6.4 (F7)
#apache_domtrans_rotatelogs(httpd_sys_script_t)

# Included in selinux-policy 2.6.4 (F7)
#ifdef(`distro_redhat',`
#	allow httpd_sys_script_t httpd_log_t:file { getattr append };
#')
#
#ifdef(`targeted_policy',`
#	tunable_policy(`httpd_enable_homedirs',`
#		userdom_search_generic_user_home_dirs(httpd_sys_script_t)
#	')
#')
#
#tunable_policy(`httpd_use_nfs', `
#	fs_read_nfs_files(httpd_sys_script_t)
#	fs_read_nfs_symlinks(httpd_sys_script_t)
#')
#
#tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
#	fs_read_nfs_files(httpd_sys_script_t)
#	fs_read_nfs_symlinks(httpd_sys_script_t)
#')
#
#tunable_policy(`httpd_use_cifs', `
#	fs_read_cifs_files(httpd_sys_script_t)
#	fs_read_cifs_symlinks(httpd_sys_script_t)
#')
#
#tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
#	fs_read_cifs_files(httpd_sys_script_t)
#	fs_read_cifs_symlinks(httpd_sys_script_t)
#')
#
#optional_policy(`
#	mysql_stream_connect(httpd_sys_script_t)
#	mysql_rw_db_sockets(httpd_sys_script_t)
#')
#
#optional_policy(`
#	clamav_domtrans_clamscan(httpd_sys_script_t)
#')
Merge fastcgi SELinux policy with system script policy 2008-10-22 10:31:34 +00:00			`# This policy module provides support for mod_fcgid using the httpd system script domain.`
			`# It provides "allow" rules that will overlap to varying degrees with selinux-policy`
			`# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included`
			`# as updates for selinux-policy in Fedora 8, 9, and 10.`
			`#`
			`# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,`
			`# which is now an alias for httpd_sys_script_t.`
Major update of SELinux policy, supporting accessing data on NFS/CIFS shares and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP servers Fix for SELinux policy on Fedora 7, which didn't work due to changes in the permissions macros in the underlying selinux-policy package Add RHEL5 with SELinux support Rename README.Fedora to README.RPM 2007-06-15 16:56:23 +00:00
Merge fastcgi SELinux policy with system script policy 2008-10-22 10:31:34 +00:00			`policy_module(fastcgi, 0.2.6)`
Major update of SELinux policy, supporting accessing data on NFS/CIFS shares and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP servers Fix for SELinux policy on Fedora 7, which didn't work due to changes in the permissions macros in the underlying selinux-policy package Add RHEL5 with SELinux support Rename README.Fedora to README.RPM 2007-06-15 16:56:23 +00:00
			`require {`
			`type devpts_t;`
			`type httpd_t;`
			`type httpd_config_t;`
			`type httpd_log_t;`
			`type httpd_sys_content_t;`
Merge fastcgi SELinux policy with system script policy 2008-10-22 10:31:34 +00:00			`type httpd_sys_content_ra_t;`
			`type httpd_sys_content_ro_t;`
			`type httpd_sys_content_rw_t;`
			`type httpd_sys_script_exec_t;`
			`type httpd_sys_script_ra_t;`
			`type httpd_sys_script_ro_t;`
			`type httpd_sys_script_rw_t;`
			`type httpd_sys_script_t;`
Update SELinux policy to support file transition to httpd_tmp_t for temporary files 2008-01-03 18:17:11 +00:00			`type httpd_tmp_t;`
Merge fastcgi SELinux policy with system script policy 2008-10-22 10:31:34 +00:00			`type httpd_var_run_t;`
Major update of SELinux policy, supporting accessing data on NFS/CIFS shares and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP servers Fix for SELinux policy on Fedora 7, which didn't work due to changes in the permissions macros in the underlying selinux-policy package Add RHEL5 with SELinux support Rename README.Fedora to README.RPM 2007-06-15 16:56:23 +00:00			`};`

Merge fastcgi SELinux policy with system script policy 2008-10-22 10:31:34 +00:00			`# Type aliases for contexts used with older policy modules`
			`typealias httpd_sys_content_t alias httpd_fastcgi_content_t;`
			`typealias httpd_sys_content_ra_t alias httpd_fastcgi_content_ra_t;`
			`typealias httpd_sys_content_ro_t alias httpd_fastcgi_content_ro_t;`
			`typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;`
			`typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;`
			`typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;`
			`typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;`
			`typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;`
			`typealias httpd_sys_script_t alias httpd_fastcgi_script_t;`
			`typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;`
Major update of SELinux policy, supporting accessing data on NFS/CIFS shares and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP servers Fix for SELinux policy on Fedora 7, which didn't work due to changes in the permissions macros in the underlying selinux-policy package Add RHEL5 with SELinux support Rename README.Fedora to README.RPM 2007-06-15 16:56:23 +00:00

Merge fastcgi SELinux policy with system script policy 2008-10-22 10:31:34 +00:00			`# ==========================================================`
			`# Re-use httpd_sys_script_t for mod_fcgid apps`
			`# ==========================================================`
Major update of SELinux policy, supporting accessing data on NFS/CIFS shares and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP servers Fix for SELinux policy on Fedora 7, which didn't work due to changes in the permissions macros in the underlying selinux-policy package Add RHEL5 with SELinux support Rename README.Fedora to README.RPM 2007-06-15 16:56:23 +00:00
Merge fastcgi SELinux policy with system script policy 2008-10-22 10:31:34 +00:00			`# Included in selinux-policy 2.6.4 (F7)`
			`#kernel_read_kernel_sysctls(httpd_sys_script_t)`
Major update of SELinux policy, supporting accessing data on NFS/CIFS shares and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP servers Fix for SELinux policy on Fedora 7, which didn't work due to changes in the permissions macros in the underlying selinux-policy package Add RHEL5 with SELinux support Rename README.Fedora to README.RPM 2007-06-15 16:56:23 +00:00
			`# Allow FastCGI applications to do DNS lookups`
Merge fastcgi SELinux policy with system script policy 2008-10-22 10:31:34 +00:00			`sysnet_dns_name_resolve(httpd_sys_script_t)`
Major update of SELinux policy, supporting accessing data on NFS/CIFS shares and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP servers Fix for SELinux policy on Fedora 7, which didn't work due to changes in the permissions macros in the underlying selinux-policy package Add RHEL5 with SELinux support Rename README.Fedora to README.RPM 2007-06-15 16:56:23 +00:00
			`# Allow FastCGI applications to read the routing table`
Merge fastcgi SELinux policy with system script policy 2008-10-22 10:31:34 +00:00			`allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms };`
Major update of SELinux policy, supporting accessing data on NFS/CIFS shares and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP servers Fix for SELinux policy on Fedora 7, which didn't work due to changes in the permissions macros in the underlying selinux-policy package Add RHEL5 with SELinux support Rename README.Fedora to README.RPM 2007-06-15 16:56:23 +00:00
Update SELinux policy to fix occasional failures on restarts (move shared memory file into /var/run/mod_fcgid directory) 2008-01-14 11:46:12 +00:00			`# Allow httpd to create and use files and sockets for communicating with mod_fcgid`
Merge fastcgi SELinux policy with system script policy 2008-10-22 10:31:34 +00:00			`# Included in selinux-policy 2.6.4 (F7) apart from dir setattr`
			`#manage_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)`
			`#manage_sock_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)`
			`setattr_dirs_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)`
Major update of SELinux policy, supporting accessing data on NFS/CIFS shares and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP servers Fix for SELinux policy on Fedora 7, which didn't work due to changes in the permissions macros in the underlying selinux-policy package Add RHEL5 with SELinux support Rename README.Fedora to README.RPM 2007-06-15 16:56:23 +00:00
Merge fastcgi SELinux policy with system script policy 2008-10-22 10:31:34 +00:00			`# Allow httpd to read httpd_sys_content_t`
			`# Included in selinux-policy 2.6.4 (F7)`
			`#allow httpd_t httpd_sys_content_t:dir list_dir_perms;`
			`#read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)`
			`#read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)`
Major update of SELinux policy, supporting accessing data on NFS/CIFS shares and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP servers Fix for SELinux policy on Fedora 7, which didn't work due to changes in the permissions macros in the underlying selinux-policy package Add RHEL5 with SELinux support Rename README.Fedora to README.RPM 2007-06-15 16:56:23 +00:00
			`# Allow FastCGI applications to listen for FastCGI requests on their`
			`# sockets and respond to them`
Merge fastcgi SELinux policy with system script policy 2008-10-22 10:31:34 +00:00			`allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };`
Major update of SELinux policy, supporting accessing data on NFS/CIFS shares and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP servers Fix for SELinux policy on Fedora 7, which didn't work due to changes in the permissions macros in the underlying selinux-policy package Add RHEL5 with SELinux support Rename README.Fedora to README.RPM 2007-06-15 16:56:23 +00:00
Update SELinux policy to fix occasional failures on restarts (move shared memory file into /var/run/mod_fcgid directory) 2008-01-14 11:46:12 +00:00			`# These are probably leaked file descriptors`
Major update of SELinux policy, supporting accessing data on NFS/CIFS shares and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP servers Fix for SELinux policy on Fedora 7, which didn't work due to changes in the permissions macros in the underlying selinux-policy package Add RHEL5 with SELinux support Rename README.Fedora to README.RPM 2007-06-15 16:56:23 +00:00			`dontaudit httpd_t devpts_t:chr_file ioctl;`
Merge fastcgi SELinux policy with system script policy 2008-10-22 10:31:34 +00:00			`dontaudit httpd_sys_script_t httpd_log_t:file ioctl;`
Major update of SELinux policy, supporting accessing data on NFS/CIFS shares and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP servers Fix for SELinux policy on Fedora 7, which didn't work due to changes in the permissions macros in the underlying selinux-policy package Add RHEL5 with SELinux support Rename README.Fedora to README.RPM 2007-06-15 16:56:23 +00:00
			`# ======================================================`
Merge fastcgi SELinux policy with system script policy 2008-10-22 10:31:34 +00:00			`# Rules cribbed from recent httpd_sys_script_t policy`
Major update of SELinux policy, supporting accessing data on NFS/CIFS shares and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP servers Fix for SELinux policy on Fedora 7, which didn't work due to changes in the permissions macros in the underlying selinux-policy package Add RHEL5 with SELinux support Rename README.Fedora to README.RPM 2007-06-15 16:56:23 +00:00			`# ======================================================`

Merge fastcgi SELinux policy with system script policy 2008-10-22 10:31:34 +00:00			`# Included in selinux-policy 2.6.4 (F7)`
			`#dontaudit httpd_sys_script_t httpd_config_t:dir search;`
			`#`
			`#fs_search_auto_mountpoints(httpd_sys_script_t)`
Major update of SELinux policy, supporting accessing data on NFS/CIFS shares and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP servers Fix for SELinux policy on Fedora 7, which didn't work due to changes in the permissions macros in the underlying selinux-policy package Add RHEL5 with SELinux support Rename README.Fedora to README.RPM 2007-06-15 16:56:23 +00:00
Update SELinux policy to support file transition to httpd_tmp_t for temporary files 2008-01-03 18:17:11 +00:00			`# PHP uploads a file to /tmp and then execs programs to action them`
Merge fastcgi SELinux policy with system script policy 2008-10-22 10:31:34 +00:00			`# Included in selinux-policy 2.6.4 (F7) apart from filetrans`
			`#manage_dirs_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)`
			`#manage_files_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)`
			`files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })`
Update SELinux policy to support file transition to httpd_tmp_t for temporary files 2008-01-03 18:17:11 +00:00
Merge fastcgi SELinux policy with system script policy 2008-10-22 10:31:34 +00:00			`# Included in selinux-policy 2.6.4 (F7)`
			`#files_search_var_lib(httpd_sys_script_t)`
			`#files_search_spool(httpd_sys_script_t)`
Major update of SELinux policy, supporting accessing data on NFS/CIFS shares and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP servers Fix for SELinux policy on Fedora 7, which didn't work due to changes in the permissions macros in the underlying selinux-policy package Add RHEL5 with SELinux support Rename README.Fedora to README.RPM 2007-06-15 16:56:23 +00:00
			`# Should we add a boolean?`
Merge fastcgi SELinux policy with system script policy 2008-10-22 10:31:34 +00:00			`# Included in selinux-policy 2.6.4 (F7)`
			`#apache_domtrans_rotatelogs(httpd_sys_script_t)`

			`# Included in selinux-policy 2.6.4 (F7)`
			#ifdef(`distro_redhat',`
			`# allow httpd_sys_script_t httpd_log_t:file { getattr append };`
			`#')`
			`#`
			#ifdef(`targeted_policy',`
			# tunable_policy(`httpd_enable_homedirs',`
			`# userdom_search_generic_user_home_dirs(httpd_sys_script_t)`
			`# ')`
			`#')`
			`#`
			#tunable_policy(`httpd_use_nfs', `
			`# fs_read_nfs_files(httpd_sys_script_t)`
			`# fs_read_nfs_symlinks(httpd_sys_script_t)`
			`#')`
			`#`
			#tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
			`# fs_read_nfs_files(httpd_sys_script_t)`
			`# fs_read_nfs_symlinks(httpd_sys_script_t)`
			`#')`
			`#`
			#tunable_policy(`httpd_use_cifs', `
			`# fs_read_cifs_files(httpd_sys_script_t)`
			`# fs_read_cifs_symlinks(httpd_sys_script_t)`
			`#')`
			`#`
			#tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
			`# fs_read_cifs_files(httpd_sys_script_t)`
			`# fs_read_cifs_symlinks(httpd_sys_script_t)`
			`#')`
			`#`
			#optional_policy(`
			`# mysql_stream_connect(httpd_sys_script_t)`
			`# mysql_rw_db_sockets(httpd_sys_script_t)`
			`#')`
			`#`
			#optional_policy(`
			`# clamav_domtrans_clamscan(httpd_sys_script_t)`
			`#')`
Major update of SELinux policy, supporting accessing data on NFS/CIFS shares and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP servers Fix for SELinux policy on Fedora 7, which didn't work due to changes in the permissions macros in the underlying selinux-policy package Add RHEL5 with SELinux support Rename README.Fedora to README.RPM 2007-06-15 16:56:23 +00:00