selinux-policy/apache.patch

diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index cf3d50b..3ded83e 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -75,34 +75,6 @@ interface(`domain_base_type',`
 interface(`domain_type',`
 	# start with basic domain
 	domain_base_type($1)
-
-	ifdef(`distro_redhat',`
-		optional_policy(`
-			unconfined_use_fds($1)
-		')
-	')
-
-	# send init a sigchld and signull
-	optional_policy(`
-		init_sigchld($1)
-		init_signull($1)
-	')
-
-	# these seem questionable:
-
-	optional_policy(`
-		rpm_use_fds($1)
-		rpm_read_pipes($1)
-	')
-
-	optional_policy(`
-		selinux_dontaudit_getattr_fs($1)
-		selinux_dontaudit_read_fs($1)
-	')
-
-	optional_policy(`
-		seutil_dontaudit_read_config($1)
-	')
 ')
 
 ########################################
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 00e20f7..db2a183 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -285,3 +285,30 @@ optional_policy(`
 # broken kernel
 dontaudit can_change_object_identity can_change_object_identity:key link;
 
+ifdef(`distro_redhat',`
+	optional_policy(`
+		unconfined_use_fds(domain)
+	')
+')
+
+# send init a sigchld and signull
+optional_policy(`
+	init_sigchld(domain)
+	init_signull(domain)
+')
+
+# these seem questionable:
+
+optional_policy(`
+	rpm_use_fds(domain)
+	rpm_read_pipes(domain)
+')
+
+optional_policy(`
+	selinux_dontaudit_getattr_fs(domain)
+	selinux_dontaudit_read_fs(domain)
+')
+
+optional_policy(`
+	seutil_dontaudit_read_config(domain)
+')
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index e12bbc0..606323d 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -16,55 +16,43 @@ template(`apache_content_template',`
 		attribute httpd_exec_scripts, httpd_script_exec_type;
 		type httpd_t, httpd_suexec_t, httpd_log_t;
 		type httpd_sys_content_t;
+		attribute httpd_script_type, httpd_content_type;
 	')
 
 	#This type is for webpages
 	type httpd_$1_content_t; # customizable;
+	typeattribute httpd_$1_content_t httpd_content_type;
 	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
 	files_type(httpd_$1_content_t)
 
 	# This type is used for .htaccess files
-	type httpd_$1_htaccess_t; # customizable;
+	type httpd_$1_htaccess_t, httpd_content_type; # customizable;
+	typeattribute httpd_$1_htaccess_t httpd_content_type;
 	files_type(httpd_$1_htaccess_t)
 
 	# Type that CGI scripts run as
-	type httpd_$1_script_t;
+	type httpd_$1_script_t,	httpd_script_type;
 	domain_type(httpd_$1_script_t)
 	role system_r types httpd_$1_script_t;
 
-	search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)
-
 	# This type is used for executable scripts files
 	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
-	corecmd_shell_entry_type(httpd_$1_script_t)
+	typeattribute httpd_$1_script_exec_t httpd_content_type;
 	domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
 
 	type httpd_$1_rw_content_t; # customizable
+	typeattribute httpd_$1_rw_content_t httpd_content_type;
 	typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
 	files_type(httpd_$1_rw_content_t)
 
-	type httpd_$1_ra_content_t; # customizable
+	type httpd_$1_ra_content_t, httpd_content_type; # customizable
+	typeattribute httpd_$1_ra_content_t httpd_content_type;
 	typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
 	files_type(httpd_$1_ra_content_t)
 
-	read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
-
-	allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
-	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
-
-	allow httpd_$1_script_t self:fifo_file rw_file_perms;
-	allow httpd_$1_script_t self:unix_stream_socket connectto;
-
-	allow httpd_$1_script_t httpd_t:fifo_file write;
-	# apache should set close-on-exec
-	apache_dontaudit_leaks(httpd_$1_script_t)
-
 	# Allow the script process to search the cgi directory, and users directory
 	allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
 
-	append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
-	logging_search_logs(httpd_$1_script_t)
-
 	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
 	allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
 
@@ -83,27 +71,6 @@ template(`apache_content_template',`
 	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 
-	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
-	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
-
-	dev_read_rand(httpd_$1_script_t)
-	dev_read_urand(httpd_$1_script_t)
-
-	corecmd_exec_all_executables(httpd_$1_script_t)
-	application_exec_all(httpd_$1_script_t)
-
-	files_exec_etc_files(httpd_$1_script_t)
-	files_read_etc_files(httpd_$1_script_t)
-	files_search_home(httpd_$1_script_t)
-
-	libs_exec_ld_so(httpd_$1_script_t)
-	libs_exec_lib_files(httpd_$1_script_t)
-
-	miscfiles_read_fonts(httpd_$1_script_t)
-	miscfiles_read_public_files(httpd_$1_script_t)
-
-	seutil_dontaudit_search_config(httpd_$1_script_t)
-
 	# Allow the web server to run scripts and serve pages
 	tunable_policy(`httpd_builtin_scripting',`
 		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
@@ -111,19 +78,11 @@ template(`apache_content_template',`
 		manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 		rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 
-		allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+		allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };
 		read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
 		append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
 		read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
 
-		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
-		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
-		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
-
-		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
-		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
-		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
-		allow httpd_t httpd_$1_script_t:unix_stream_socket connectto;
 	')
 
 	tunable_policy(`httpd_enable_cgi',`
@@ -138,49 +97,6 @@ template(`apache_content_template',`
 
 		# apache runs the script:
 		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-
-		allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
-		allow httpd_t httpd_$1_script_exec_t:lnk_file read_lnk_file_perms;
-
-		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
-		allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
-
-		allow httpd_$1_script_t self:process { setsched signal_perms };
-		allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
-		allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms;
-
-		allow httpd_$1_script_t httpd_t:fd use;
-		allow httpd_$1_script_t httpd_t:process sigchld;
-
-		dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
-
-		kernel_read_system_state(httpd_$1_script_t)
-
-		dev_read_urand(httpd_$1_script_t)
-
-		fs_getattr_xattr_fs(httpd_$1_script_t)
-
-		files_read_etc_runtime_files(httpd_$1_script_t)
-		files_read_usr_files(httpd_$1_script_t)
-
-		libs_read_lib_files(httpd_$1_script_t)
-
-		miscfiles_read_localization(httpd_$1_script_t)
-		allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
-	')
-
-	optional_policy(`
-		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
-			nis_use_ypbind_uncond(httpd_$1_script_t)
-		')
-	')
-
-	optional_policy(`
-		postgresql_unpriv_client(httpd_$1_script_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use(httpd_$1_script_t)
 	')
 ')
 
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index f165efd..adf2423 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -217,10 +217,12 @@ gen_tunable(allow_httpd_sys_script_anon_write, false)
 
 attribute httpdcontent;
 attribute httpd_user_content_type;
+attribute httpd_content_type;
 
 # domains that can exec all users scripts
 attribute httpd_exec_scripts;
 
+attribute httpd_script_type;
 attribute httpd_script_exec_type;
 attribute httpd_user_script_exec_type;
 
@@ -293,6 +295,10 @@ files_tmp_file(httpd_suexec_tmp_t)
 # setup the system domain for system CGI scripts
 apache_content_template(sys)
 
+optional_policy(`
+	postgresql_unpriv_client(httpd_sys_script_t)
+')
+
 typeattribute httpd_sys_content_t httpdcontent; # customizable
 typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
 typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
@@ -1308,3 +1314,91 @@ systemd_passwd_agent_dev_template(httpd)
 domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
 dontaudit httpd_passwd_t httpd_config_t:file read;
 
+
+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
+corecmd_shell_entry_type(httpd_script_type)
+
+allow httpd_script_type self:fifo_file rw_file_perms;
+allow httpd_script_type self:unix_stream_socket connectto;
+
+allow httpd_script_type httpd_t:fifo_file write;
+# apache should set close-on-exec
+apache_dontaudit_leaks(httpd_script_type)
+
+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
+logging_search_logs(httpd_script_type)
+
+kernel_dontaudit_search_sysctl(httpd_script_type)
+kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
+
+dev_read_rand(httpd_script_type)
+dev_read_urand(httpd_script_type)
+
+corecmd_exec_all_executables(httpd_script_type)
+application_exec_all(httpd_script_type)
+
+files_exec_etc_files(httpd_script_type)
+files_read_etc_files(httpd_script_type)
+files_search_home(httpd_script_type)
+
+libs_exec_ld_so(httpd_script_type)
+libs_exec_lib_files(httpd_script_type)
+
+miscfiles_read_fonts(httpd_script_type)
+miscfiles_read_public_files(httpd_script_type)
+
+seutil_dontaudit_search_config(httpd_script_type)
+allow httpd_t httpd_script_type:unix_stream_socket connectto;
+
+allow httpd_t httpd_script_exec_type:file read_file_perms;
+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
+allow httpd_t httpd_script_type:process { signal sigkill sigstop };
+allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+
+allow httpd_script_type self:process { setsched signal_perms };
+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
+allow httpd_script_type self:unix_dgram_socket create_socket_perms;
+
+allow httpd_script_type httpd_t:fd use;
+allow httpd_script_type httpd_t:process sigchld;
+
+dontaudit httpd_script_type httpd_t:tcp_socket { read write };
+
+kernel_read_system_state(httpd_script_type)
+
+dev_read_urand(httpd_script_type)
+
+fs_getattr_xattr_fs(httpd_script_type)
+
+files_read_etc_runtime_files(httpd_script_type)
+files_read_usr_files(httpd_script_type)
+
+libs_read_lib_files(httpd_script_type)
+
+miscfiles_read_localization(httpd_script_type)
+allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
+
+tunable_policy(`httpd_enable_cgi && allow_ypbind',`
+	nis_use_ypbind_uncond(httpd_script_type)
+')
+
+optional_policy(`
+	nscd_socket_use(httpd_script_type)
+')
+
+read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+
+tunable_policy(`httpd_builtin_scripting',`
+	allow httpd_t httpd_content_type:dir search_dir_perms;
+	allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
+
+	allow httpd_t httpd_content_type:dir list_dir_perms;
+	read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+	read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+
+	allow httpd_t httpd_content_type:dir list_dir_perms;
+	read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+	read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+')
+
+
Shrink size of policy through use of attributes for userdomain and apache 2011-10-06 14:53:27 +00:00			`diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if`
			`index cf3d50b..3ded83e 100644`
			`--- a/policy/modules/kernel/domain.if`
			`+++ b/policy/modules/kernel/domain.if`
			@@ -75,34 +75,6 @@ interface(`domain_base_type',`
			interface(`domain_type',`
			`# start with basic domain`
			`domain_base_type($1)`
			`-`
			- ifdef(`distro_redhat',`
			- optional_policy(`
			`- unconfined_use_fds($1)`
			`- ')`
			`- ')`
			`-`
			`- # send init a sigchld and signull`
			- optional_policy(`
			`- init_sigchld($1)`
			`- init_signull($1)`
			`- ')`
			`-`
			`- # these seem questionable:`
			`-`
			- optional_policy(`
			`- rpm_use_fds($1)`
			`- rpm_read_pipes($1)`
			`- ')`
			`-`
			- optional_policy(`
			`- selinux_dontaudit_getattr_fs($1)`
			`- selinux_dontaudit_read_fs($1)`
			`- ')`
			`-`
			- optional_policy(`
			`- seutil_dontaudit_read_config($1)`
			`- ')`
			`')`

			`########################################`
			`diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te`
			`index 00e20f7..db2a183 100644`
			`--- a/policy/modules/kernel/domain.te`
			`+++ b/policy/modules/kernel/domain.te`
			@@ -285,3 +285,30 @@ optional_policy(`
			`# broken kernel`
			`dontaudit can_change_object_identity can_change_object_identity:key link;`

			+ifdef(`distro_redhat',`
			+ optional_policy(`
			`+ unconfined_use_fds(domain)`
			`+ ')`
			`+')`
			`+`
			`+# send init a sigchld and signull`
			+optional_policy(`
			`+ init_sigchld(domain)`
			`+ init_signull(domain)`
			`+')`
			`+`
			`+# these seem questionable:`
			`+`
			+optional_policy(`
			`+ rpm_use_fds(domain)`
			`+ rpm_read_pipes(domain)`
			`+')`
			`+`
			+optional_policy(`
			`+ selinux_dontaudit_getattr_fs(domain)`
			`+ selinux_dontaudit_read_fs(domain)`
			`+')`
			`+`
			+optional_policy(`
			`+ seutil_dontaudit_read_config(domain)`
			`+')`
			`diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if`
			`index e12bbc0..606323d 100644`
			`--- a/policy/modules/services/apache.if`
			`+++ b/policy/modules/services/apache.if`
			@@ -16,55 +16,43 @@ template(`apache_content_template',`
			`attribute httpd_exec_scripts, httpd_script_exec_type;`
			`type httpd_t, httpd_suexec_t, httpd_log_t;`
			`type httpd_sys_content_t;`
			`+ attribute httpd_script_type, httpd_content_type;`
			`')`

			`#This type is for webpages`
			`type httpd_$1_content_t; # customizable;`
			`+ typeattribute httpd_$1_content_t httpd_content_type;`
			`typealias httpd_$1_content_t alias httpd_$1_script_ro_t;`
			`files_type(httpd_$1_content_t)`

			`# This type is used for .htaccess files`
			`- type httpd_$1_htaccess_t; # customizable;`
			`+ type httpd_$1_htaccess_t, httpd_content_type; # customizable;`
			`+ typeattribute httpd_$1_htaccess_t httpd_content_type;`
			`files_type(httpd_$1_htaccess_t)`

			`# Type that CGI scripts run as`
			`- type httpd_$1_script_t;`
			`+ type httpd_$1_script_t, httpd_script_type;`
			`domain_type(httpd_$1_script_t)`
			`role system_r types httpd_$1_script_t;`

			`- search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)`
			`-`
			`# This type is used for executable scripts files`
			`type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;`
			`- corecmd_shell_entry_type(httpd_$1_script_t)`
			`+ typeattribute httpd_$1_script_exec_t httpd_content_type;`
			`domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)`

			`type httpd_$1_rw_content_t; # customizable`
			`+ typeattribute httpd_$1_rw_content_t httpd_content_type;`
			`typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };`
			`files_type(httpd_$1_rw_content_t)`

			`- type httpd_$1_ra_content_t; # customizable`
			`+ type httpd_$1_ra_content_t, httpd_content_type; # customizable`
			`+ typeattribute httpd_$1_ra_content_t httpd_content_type;`
			`typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };`
			`files_type(httpd_$1_ra_content_t)`

			`- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)`
			`-`
			`- allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;`
			`- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;`
			`-`
			`- allow httpd_$1_script_t self:fifo_file rw_file_perms;`
			`- allow httpd_$1_script_t self:unix_stream_socket connectto;`
			`-`
			`- allow httpd_$1_script_t httpd_t:fifo_file write;`
			`- # apache should set close-on-exec`
			`- apache_dontaudit_leaks(httpd_$1_script_t)`
			`-`
			`# Allow the script process to search the cgi directory, and users directory`
			`allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;`

			`- append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)`
			`- logging_search_logs(httpd_$1_script_t)`
			`-`
			`can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)`
			`allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;`

			@@ -83,27 +71,6 @@ template(`apache_content_template',`
			`manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)`
			`manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)`

			`- kernel_dontaudit_search_sysctl(httpd_$1_script_t)`
			`- kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)`
			`-`
			`- dev_read_rand(httpd_$1_script_t)`
			`- dev_read_urand(httpd_$1_script_t)`
			`-`
			`- corecmd_exec_all_executables(httpd_$1_script_t)`
			`- application_exec_all(httpd_$1_script_t)`
			`-`
			`- files_exec_etc_files(httpd_$1_script_t)`
			`- files_read_etc_files(httpd_$1_script_t)`
			`- files_search_home(httpd_$1_script_t)`
			`-`
			`- libs_exec_ld_so(httpd_$1_script_t)`
			`- libs_exec_lib_files(httpd_$1_script_t)`
			`-`
			`- miscfiles_read_fonts(httpd_$1_script_t)`
			`- miscfiles_read_public_files(httpd_$1_script_t)`
			`-`
			`- seutil_dontaudit_search_config(httpd_$1_script_t)`
			`-`
			`# Allow the web server to run scripts and serve pages`
			tunable_policy(`httpd_builtin_scripting',`
			`manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)`
			@@ -111,19 +78,11 @@ template(`apache_content_template',`
			`manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)`
			`rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)`

			`- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };`
			`+ allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };`
			`read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)`
			`append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)`
			`read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)`

			`- allow httpd_t httpd_$1_content_t:dir list_dir_perms;`
			`- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)`
			`- read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)`
			`-`
			`- allow httpd_t httpd_$1_content_t:dir list_dir_perms;`
			`- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)`
			`- read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)`
			`- allow httpd_t httpd_$1_script_t:unix_stream_socket connectto;`
			`')`

			tunable_policy(`httpd_enable_cgi',`
			@@ -138,49 +97,6 @@ template(`apache_content_template',`

			`# apache runs the script:`
			`domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)`
			`-`
			`- allow httpd_t httpd_$1_script_exec_t:file read_file_perms;`
			`- allow httpd_t httpd_$1_script_exec_t:lnk_file read_lnk_file_perms;`
			`-`
			`- allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };`
			`- allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;`
			`-`
			`- allow httpd_$1_script_t self:process { setsched signal_perms };`
			`- allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;`
			`- allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms;`
			`-`
			`- allow httpd_$1_script_t httpd_t:fd use;`
			`- allow httpd_$1_script_t httpd_t:process sigchld;`
			`-`
			`- dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };`
			`-`
			`- kernel_read_system_state(httpd_$1_script_t)`
			`-`
			`- dev_read_urand(httpd_$1_script_t)`
			`-`
			`- fs_getattr_xattr_fs(httpd_$1_script_t)`
			`-`
			`- files_read_etc_runtime_files(httpd_$1_script_t)`
			`- files_read_usr_files(httpd_$1_script_t)`
			`-`
			`- libs_read_lib_files(httpd_$1_script_t)`
			`-`
			`- miscfiles_read_localization(httpd_$1_script_t)`
			`- allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;`
			`- ')`
			`-`
			- optional_policy(`
			- tunable_policy(`httpd_enable_cgi && allow_ypbind',`
			`- nis_use_ypbind_uncond(httpd_$1_script_t)`
			`- ')`
			`- ')`
			`-`
			- optional_policy(`
			`- postgresql_unpriv_client(httpd_$1_script_t)`
			`- ')`
			`-`
			- optional_policy(`
			`- nscd_socket_use(httpd_$1_script_t)`
			`')`
			`')`

			`diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te`
			`index f165efd..adf2423 100644`
			`--- a/policy/modules/services/apache.te`
			`+++ b/policy/modules/services/apache.te`
			`@@ -217,10 +217,12 @@ gen_tunable(allow_httpd_sys_script_anon_write, false)`

			`attribute httpdcontent;`
			`attribute httpd_user_content_type;`
			`+attribute httpd_content_type;`

			`# domains that can exec all users scripts`
			`attribute httpd_exec_scripts;`

			`+attribute httpd_script_type;`
			`attribute httpd_script_exec_type;`
			`attribute httpd_user_script_exec_type;`

			`@@ -293,6 +295,10 @@ files_tmp_file(httpd_suexec_tmp_t)`
			`# setup the system domain for system CGI scripts`
			`apache_content_template(sys)`

			+optional_policy(`
			`+ postgresql_unpriv_client(httpd_sys_script_t)`
			`+')`
			`+`
			`typeattribute httpd_sys_content_t httpdcontent; # customizable`
			`typeattribute httpd_sys_rw_content_t httpdcontent; # customizable`
			`typeattribute httpd_sys_ra_content_t httpdcontent; # customizable`
			`@@ -1308,3 +1314,91 @@ systemd_passwd_agent_dev_template(httpd)`
			`domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)`
			`dontaudit httpd_passwd_t httpd_config_t:file read;`

			`+`
			`+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)`
			`+corecmd_shell_entry_type(httpd_script_type)`
			`+`
			`+allow httpd_script_type self:fifo_file rw_file_perms;`
			`+allow httpd_script_type self:unix_stream_socket connectto;`
			`+`
			`+allow httpd_script_type httpd_t:fifo_file write;`
			`+# apache should set close-on-exec`
			`+apache_dontaudit_leaks(httpd_script_type)`
			`+`
			`+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)`
			`+logging_search_logs(httpd_script_type)`
			`+`
			`+kernel_dontaudit_search_sysctl(httpd_script_type)`
			`+kernel_dontaudit_search_kernel_sysctl(httpd_script_type)`
			`+`
			`+dev_read_rand(httpd_script_type)`
			`+dev_read_urand(httpd_script_type)`
			`+`
			`+corecmd_exec_all_executables(httpd_script_type)`
			`+application_exec_all(httpd_script_type)`
			`+`
			`+files_exec_etc_files(httpd_script_type)`
			`+files_read_etc_files(httpd_script_type)`
			`+files_search_home(httpd_script_type)`
			`+`
			`+libs_exec_ld_so(httpd_script_type)`
			`+libs_exec_lib_files(httpd_script_type)`
			`+`
			`+miscfiles_read_fonts(httpd_script_type)`
			`+miscfiles_read_public_files(httpd_script_type)`
			`+`
			`+seutil_dontaudit_search_config(httpd_script_type)`
			`+allow httpd_t httpd_script_type:unix_stream_socket connectto;`
			`+`
			`+allow httpd_t httpd_script_exec_type:file read_file_perms;`
			`+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;`
			`+allow httpd_t httpd_script_type:process { signal sigkill sigstop };`
			`+allow httpd_t httpd_script_exec_type:dir list_dir_perms;`
			`+`
			`+allow httpd_script_type self:process { setsched signal_perms };`
			`+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;`
			`+allow httpd_script_type self:unix_dgram_socket create_socket_perms;`
			`+`
			`+allow httpd_script_type httpd_t:fd use;`
			`+allow httpd_script_type httpd_t:process sigchld;`
			`+`
			`+dontaudit httpd_script_type httpd_t:tcp_socket { read write };`
			`+`
			`+kernel_read_system_state(httpd_script_type)`
			`+`
			`+dev_read_urand(httpd_script_type)`
			`+`
			`+fs_getattr_xattr_fs(httpd_script_type)`
			`+`
			`+files_read_etc_runtime_files(httpd_script_type)`
			`+files_read_usr_files(httpd_script_type)`
			`+`
			`+libs_read_lib_files(httpd_script_type)`
			`+`
			`+miscfiles_read_localization(httpd_script_type)`
			`+allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;`
			`+`
			+tunable_policy(`httpd_enable_cgi && allow_ypbind',`
			`+ nis_use_ypbind_uncond(httpd_script_type)`
			`+')`
			`+`
			+optional_policy(`
			`+ nscd_socket_use(httpd_script_type)`
			`+')`
			`+`
			`+read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)`
			`+`
			+tunable_policy(`httpd_builtin_scripting',`
			`+ allow httpd_t httpd_content_type:dir search_dir_perms;`
			`+ allow httpd_suexec_t httpd_content_type:dir search_dir_perms;`
			`+`
			`+ allow httpd_t httpd_content_type:dir list_dir_perms;`
			`+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)`
			`+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)`
			`+`
			`+ allow httpd_t httpd_content_type:dir list_dir_perms;`
			`+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)`
			`+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)`
			`+')`
			`+`
			`+`