mod_fcgid/SOURCES/fastcgi-2.5.te

# This policy module provides support for mod_fcgid using the httpd system script domain.
# It provides "allow" rules that will overlap to varying degrees with selinux-policy
# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
# as updates for selinux-policy in Fedora 8, 9, and 10.
#
# Rules existing in selinux-policy 2.6.4 (F7) have been stripped from this policy
#
# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
# which is now an alias for httpd_sys_script_t.

policy_module(fastcgi, 0.2.6)

require {
	type devpts_t;
	type httpd_t;
	type httpd_log_t;
	type httpd_sys_content_t;
	type httpd_sys_content_ra_t;
	type httpd_sys_content_ro_t;
	type httpd_sys_content_rw_t;
	type httpd_sys_script_exec_t;
	type httpd_sys_script_ra_t;
	type httpd_sys_script_ro_t;
	type httpd_sys_script_rw_t;
	type httpd_sys_script_t;
	type httpd_tmp_t;
	type httpd_var_run_t;
};

# Type aliases for contexts used with older policy modules
typealias httpd_sys_content_t     alias httpd_fastcgi_content_t;
typealias httpd_sys_content_ra_t  alias httpd_fastcgi_content_ra_t;
typealias httpd_sys_content_ro_t  alias httpd_fastcgi_content_ro_t;
typealias httpd_sys_content_rw_t  alias httpd_fastcgi_content_rw_t;
typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
typealias httpd_sys_script_ra_t   alias httpd_fastcgi_script_ra_t;
typealias httpd_sys_script_ro_t   alias httpd_fastcgi_script_ro_t;
typealias httpd_sys_script_rw_t   alias httpd_fastcgi_script_rw_t;
typealias httpd_sys_script_t      alias httpd_fastcgi_script_t;
typealias httpd_var_run_t         alias httpd_fastcgi_var_run_t;

# ==========================================================
# Re-use httpd_sys_script_t for mod_fcgid apps
# ==========================================================

# Allow web applications to call getpw* functions
auth_use_nsswitch(httpd_sys_script_t)

# Allow httpd to create and use files and sockets for communicating with mod_fcgid
# Rules to do this are already in selinux-policy apart from dir setattr
setattr_dirs_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)

# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them
allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };

# These are probably leaked file descriptors
dontaudit httpd_t devpts_t:chr_file ioctl;
dontaudit httpd_sys_script_t httpd_log_t:file ioctl;

# PHP uploads a file to /tmp and then execs programs to action them
# Rules to do this are already in selinux-policy 2.6.4 (F7) apart from filetrans
files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
import mod_fcgid-2.3.9-16.el8 2019-05-07 11:55:03 +00:00			`# This policy module provides support for mod_fcgid using the httpd system script domain.`
			`# It provides "allow" rules that will overlap to varying degrees with selinux-policy`
			`# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included`
			`# as updates for selinux-policy in Fedora 8, 9, and 10.`
			`#`
			`# Rules existing in selinux-policy 2.6.4 (F7) have been stripped from this policy`
			`#`
			`# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,`
			`# which is now an alias for httpd_sys_script_t.`

			`policy_module(fastcgi, 0.2.6)`

			`require {`
			`type devpts_t;`
			`type httpd_t;`
			`type httpd_log_t;`
			`type httpd_sys_content_t;`
			`type httpd_sys_content_ra_t;`
			`type httpd_sys_content_ro_t;`
			`type httpd_sys_content_rw_t;`
			`type httpd_sys_script_exec_t;`
			`type httpd_sys_script_ra_t;`
			`type httpd_sys_script_ro_t;`
			`type httpd_sys_script_rw_t;`
			`type httpd_sys_script_t;`
			`type httpd_tmp_t;`
			`type httpd_var_run_t;`
			`};`

			`# Type aliases for contexts used with older policy modules`
			`typealias httpd_sys_content_t alias httpd_fastcgi_content_t;`
			`typealias httpd_sys_content_ra_t alias httpd_fastcgi_content_ra_t;`
			`typealias httpd_sys_content_ro_t alias httpd_fastcgi_content_ro_t;`
			`typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;`
			`typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;`
			`typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;`
			`typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;`
			`typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;`
			`typealias httpd_sys_script_t alias httpd_fastcgi_script_t;`
			`typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;`

			`# ==========================================================`
			`# Re-use httpd_sys_script_t for mod_fcgid apps`
			`# ==========================================================`

			`# Allow web applications to call getpw* functions`
			`auth_use_nsswitch(httpd_sys_script_t)`

			`# Allow httpd to create and use files and sockets for communicating with mod_fcgid`
			`# Rules to do this are already in selinux-policy apart from dir setattr`
			`setattr_dirs_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)`

			`# Allow FastCGI applications to listen for FastCGI requests on their`
			`# sockets and respond to them`
			`allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };`

			`# These are probably leaked file descriptors`
			`dontaudit httpd_t devpts_t:chr_file ioctl;`
			`dontaudit httpd_sys_script_t httpd_log_t:file ioctl;`

			`# PHP uploads a file to /tmp and then execs programs to action them`
			`# Rules to do this are already in selinux-policy 2.6.4 (F7) apart from filetrans`
			`files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })`