mod_fcgid/fastcgi-2.5.te

policy_module(fastcgi, 0.2.0)

type httpd_fastcgi_sock_t;
files_type(httpd_fastcgi_sock_t)

require {
	type devpts_t;
	type httpd_t;
	type httpd_config_t;
	type httpd_log_t;
	type httpd_sys_script_exec_t;
	type httpd_sys_content_t;
};

# ==========================================================
# Create and use httpd_fastcgi_script_t for mod_fcgid apps
# ==========================================================

apache_content_template(fastcgi)
kernel_read_kernel_sysctls(httpd_fastcgi_script_t)

## <desc>
## <p>
## Allow FastCGI applications to write to public content 
## </p>
## </desc>
gen_tunable(allow_httpd_fastcgi_script_anon_write,false)

## <desc>
## <p>
## Allow FastCGI applications to make outbound SMTP connections
## </p>
## </desc>
gen_tunable(httpd_fastcgi_can_sendmail,false)

tunable_policy(`allow_httpd_fastcgi_script_anon_write',`
	miscfiles_manage_public_files(httpd_fastcgi_script_t)
')

tunable_policy(`httpd_fastcgi_can_sendmail',`
	corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t)
	corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t)
')

# Allow FastCGI applications to do DNS lookups
sysnet_dns_name_resolve(httpd_fastcgi_script_t)

# Allow FastCGI applications to live alongside regular CGI apps
allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };
allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms };

# Allow FastCGI applications to read the routing table
allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms };

# Allow httpd to create and use sockets for communicating with mod_fcgid
manage_sock_files_pattern(httpd_t,httpd_fastcgi_sock_t,httpd_fastcgi_sock_t)
allow httpd_t httpd_fastcgi_sock_t:dir { setattr };

# Allow httpd to read httpd_fastcgi_content_t
allow httpd_t httpd_fastcgi_content_t:dir list_dir_perms;
read_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t)
read_lnk_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t)

# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };

# FastCGI application doing something to the httpd error log
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;

# Not sure what this is doing (happens when fastcgi scripts start)
dontaudit httpd_t devpts_t:chr_file ioctl;

# ======================================================
# Equivalent policy cribbed from httpd_sys_script_t
# ======================================================

dontaudit httpd_fastcgi_script_t httpd_config_t:dir search;

fs_search_auto_mountpoints(httpd_fastcgi_script_t)

files_search_var_lib(httpd_fastcgi_script_t)
files_search_spool(httpd_fastcgi_script_t)

# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_fastcgi_script_t)

ifdef(`distro_redhat',`
	allow httpd_fastcgi_script_t httpd_log_t:file { getattr append };
')

ifdef(`targeted_policy',`
	tunable_policy(`httpd_enable_homedirs',`
		userdom_search_generic_user_home_dirs(httpd_fastcgi_script_t)
	')
')

tunable_policy(`httpd_use_nfs', `
	fs_read_nfs_files(httpd_fastcgi_script_t)
	fs_read_nfs_symlinks(httpd_fastcgi_script_t)
')

tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_read_nfs_files(httpd_fastcgi_script_t)
	fs_read_nfs_symlinks(httpd_fastcgi_script_t)
')

tunable_policy(`httpd_use_cifs', `
	fs_read_cifs_files(httpd_fastcgi_script_t)
	fs_read_cifs_symlinks(httpd_fastcgi_script_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_read_cifs_files(httpd_fastcgi_script_t)
	fs_read_cifs_symlinks(httpd_fastcgi_script_t)
')

optional_policy(`
	mysql_stream_connect(httpd_fastcgi_script_t)
	mysql_rw_db_sockets(httpd_fastcgi_script_t)
')

optional_policy(`
	clamav_domtrans_clamscan(httpd_fastcgi_script_t)
')