107 lines
3.3 KiB
Plaintext
107 lines
3.3 KiB
Plaintext
policy_module(fastcgi, 0.1.7)
|
|
|
|
type httpd_fastcgi_sock_t;
|
|
files_type(httpd_fastcgi_sock_t)
|
|
|
|
require {
|
|
type devpts_t;
|
|
type httpd_t;
|
|
type httpd_config_t;
|
|
type httpd_log_t;
|
|
type httpd_sys_script_exec_t;
|
|
type httpd_sys_content_t;
|
|
};
|
|
|
|
# ==========================================================
|
|
# Create and use httpd_fastcgi_script_t for mod_fcgid apps
|
|
# ==========================================================
|
|
|
|
apache_content_template(fastcgi)
|
|
kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow FastCGI applications to make outbound SMTP connections
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_fastcgi_can_sendmail,false)
|
|
|
|
tunable_policy(`httpd_fastcgi_can_sendmail',`
|
|
corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t)
|
|
corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t)
|
|
')
|
|
|
|
# Allow FastCGI applications to do DNS lookups
|
|
sysnet_dns_name_resolve(httpd_fastcgi_script_t)
|
|
|
|
# Allow FastCGI applications to live alongside regular CGI apps
|
|
allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };
|
|
allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms };
|
|
|
|
# Allow FastCGI applications to read the routing table
|
|
allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms };
|
|
|
|
# Allow httpd to create and use sockets for communicating with mod_fcgid
|
|
allow httpd_t httpd_fastcgi_sock_t:dir { rw_dir_perms setattr };
|
|
allow httpd_t httpd_fastcgi_sock_t:sock_file { create_file_perms };
|
|
|
|
# Allow httpd to read httpd_fastcgi_content_t
|
|
# (shouldn't this be in the content template?)
|
|
allow httpd_t httpd_fastcgi_content_t:dir r_dir_perms;
|
|
allow httpd_t httpd_fastcgi_content_t:file r_file_perms;
|
|
allow httpd_t httpd_fastcgi_content_t:lnk_file { getattr read };
|
|
|
|
# Allow FastCGI applications to listen for FastCGI requests on their
|
|
# sockets and respond to them
|
|
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
|
|
|
|
# FastCGI application doing something to the httpd error log
|
|
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
|
|
|
|
# Not sure what this is doing (happens when fastcgi scripts start)
|
|
dontaudit httpd_t devpts_t:chr_file ioctl;
|
|
|
|
# ======================================================
|
|
# Equivalent policy cribbed from httpd_sys_script_t
|
|
# ======================================================
|
|
|
|
dontaudit httpd_fastcgi_script_t httpd_config_t:dir search;
|
|
|
|
fs_search_auto_mountpoints(httpd_fastcgi_script_t)
|
|
|
|
files_search_var_lib(httpd_fastcgi_script_t)
|
|
files_search_spool(httpd_fastcgi_script_t)
|
|
|
|
# Should we add a boolean?
|
|
apache_domtrans_rotatelogs(httpd_fastcgi_script_t)
|
|
|
|
ifdef(`distro_redhat',`
|
|
allow httpd_fastcgi_script_t httpd_log_t:file { getattr append };
|
|
')
|
|
|
|
ifdef(`targeted_policy',`
|
|
tunable_policy(`httpd_enable_homedirs',`
|
|
userdom_search_generic_user_home_dirs(httpd_fastcgi_script_t)
|
|
')
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
|
fs_read_nfs_files(httpd_fastcgi_script_t)
|
|
fs_read_nfs_symlinks(httpd_fastcgi_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
|
fs_read_cifs_files(httpd_fastcgi_script_t)
|
|
fs_read_cifs_symlinks(httpd_fastcgi_script_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mysql_stream_connect(httpd_fastcgi_script_t)
|
|
mysql_rw_db_sockets(httpd_fastcgi_script_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
clamav_domtrans_clamscan(httpd_fastcgi_script_t)
|
|
')
|
|
|