129 lines
4.6 KiB
Plaintext
129 lines
4.6 KiB
Plaintext
policy_module(fastcgi, 0.1.10)
|
|
|
|
# This policy module provides support for mod_fcgid using the httpd system script domain.
|
|
# It provides "allow" rules that will overlap to varying degrees with selinux-policy
|
|
# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
|
|
# as updates for selinux-policy in Fedora 8, 9, and 10.
|
|
#
|
|
# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
|
|
# which is now an alias for httpd_sys_script_t.
|
|
|
|
require {
|
|
type devpts_t;
|
|
type httpd_t;
|
|
#type httpd_config_t;
|
|
type httpd_log_t;
|
|
type httpd_sys_content_t;
|
|
type httpd_sys_content_ra_t;
|
|
type httpd_sys_content_ro_t;
|
|
type httpd_sys_content_rw_t;
|
|
type httpd_sys_script_exec_t;
|
|
type httpd_sys_script_ra_t;
|
|
type httpd_sys_script_ro_t;
|
|
type httpd_sys_script_rw_t;
|
|
type httpd_sys_script_t;
|
|
type httpd_tmp_t;
|
|
type httpd_var_run_t;
|
|
};
|
|
|
|
# Type aliases for contexts used with older policy modules
|
|
typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
|
|
typealias httpd_sys_content_ra_t alias httpd_fastcgi_content_ra_t;
|
|
typealias httpd_sys_content_ro_t alias httpd_fastcgi_content_ro_t;
|
|
typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
|
|
typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
|
|
typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;
|
|
typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;
|
|
typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
|
|
typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
|
|
typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
|
|
|
|
# ==========================================================
|
|
# Re-use httpd_sys_script_t for mod_fcgid apps
|
|
# ==========================================================
|
|
|
|
# Included in selinux-policy 2.3.7 (FC5)
|
|
#kernel_read_kernel_sysctls(httpd_sys_script_t)
|
|
|
|
# Allow FastCGI applications to do DNS lookups
|
|
sysnet_dns_name_resolve(httpd_sys_script_t)
|
|
|
|
# Allow FastCGI applications to read the routing table
|
|
allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms };
|
|
|
|
# Allow httpd to create and use files and sockets for communicating with mod_fcgid
|
|
# Included in selinux-policy 2.3.7 (FC5) apart from dir setattr
|
|
#allow httpd_t httpd_var_run_t:dir { rw_dir_perms setattr };
|
|
#allow httpd_t httpd_var_run_t:file { create_file_perms };
|
|
#allow httpd_t httpd_var_run_t:sock_file { create_file_perms };
|
|
allow httpd_t httpd_var_run_t:dir setattr;
|
|
|
|
# Allow httpd to read httpd_sys_content_t
|
|
# (shouldn't this be in the content template?)
|
|
# Included in selinux-policy 2.3.7 (FC5)
|
|
#allow httpd_t httpd_sys_content_t:dir r_dir_perms;
|
|
#allow httpd_t httpd_sys_content_t:file r_file_perms;
|
|
#allow httpd_t httpd_sys_content_t:lnk_file { getattr read };
|
|
|
|
# Allow FastCGI applications to listen for FastCGI requests on their
|
|
# sockets and respond to them
|
|
allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
|
|
|
|
# These are probably leaked file descriptors
|
|
dontaudit httpd_t devpts_t:chr_file ioctl;
|
|
dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
|
|
|
|
# ======================================================
|
|
# Rules cribbed from recent httpd_sys_script_t policy
|
|
# ======================================================
|
|
|
|
# Included in selinux-policy 2.3.7 (FC5)
|
|
#dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
|
|
|
fs_search_auto_mountpoints(httpd_sys_script_t)
|
|
|
|
# PHP uploads a file to /tmp and then execs programs to action them
|
|
allow httpd_sys_script_t httpd_tmp_t:dir manage_dir_perms;
|
|
allow httpd_sys_script_t httpd_tmp_t:file manage_file_perms;
|
|
files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
|
|
|
|
# Included in selinux-policy 2.3.7 (FC5)
|
|
#files_search_var_lib(httpd_sys_script_t)
|
|
#files_search_spool(httpd_sys_script_t)
|
|
|
|
# Should we add a boolean?
|
|
# Included in selinux-policy 2.3.7 (FC5)
|
|
#apache_domtrans_rotatelogs(httpd_sys_script_t)
|
|
|
|
# Included in selinux-policy 2.3.7 (FC5)
|
|
#ifdef(`distro_redhat',`
|
|
# allow httpd_sys_script_t httpd_log_t:file { getattr append };
|
|
#')
|
|
#
|
|
#ifdef(`targeted_policy',`
|
|
# tunable_policy(`httpd_enable_homedirs',`
|
|
# userdom_search_generic_user_home_dirs(httpd_sys_script_t)
|
|
# ')
|
|
#')
|
|
|
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
|
fs_read_nfs_files(httpd_sys_script_t)
|
|
fs_read_nfs_symlinks(httpd_sys_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
|
fs_read_cifs_files(httpd_sys_script_t)
|
|
fs_read_cifs_symlinks(httpd_sys_script_t)
|
|
')
|
|
|
|
# Included in selinux-policy 2.3.7 (FC5)
|
|
#optional_policy(`
|
|
# mysql_stream_connect(httpd_sys_script_t)
|
|
# mysql_rw_db_sockets(httpd_sys_script_t)
|
|
#')
|
|
#
|
|
#optional_policy(`
|
|
# clamav_domtrans_clamscan(httpd_sys_script_t)
|
|
#')
|
|
|