rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
5afc3d3589
selinux-policy/policy/modules/services/apache.if

1214 lines
29 KiB
Plaintext
Raw Normal View History

add most of apache
2005-09-29 20:59:00 +00:00
## <summary>Apache web server</summary>
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
########################################
## <summary>
## Create a set of derived types for apache
## web content.
## </summary>
## <param name="prefix">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
## The prefix to be used for deriving type names.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
## </param>
#
add most of apache
2005-09-29 20:59:00 +00:00
template(`apache_content_template',`
patch from dan Fri, 17 Mar 2006 15:22:53 -0500
2006-03-23 19:19:38 +00:00
gen_require(`
attribute httpdcontent;
attribute httpd_exec_scripts;
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
attribute httpd_script_exec_type;
patch from dan Fri, 17 Mar 2006 15:22:53 -0500
2006-03-23 19:19:38 +00:00
type httpd_t, httpd_suexec_t, httpd_log_t;
')
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
# allow write access to public file transfer
# services files.
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
gen_tunable(allow_httpd_$1_script_anon_write, false)
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
add most of apache
2005-09-29 20:59:00 +00:00
#This type is for webpages
type httpd_$1_content_t, httpdcontent; # customizable
First part of apache patch from Dan Walsh: file context changes, including renaming script ro/ra/rw files.
2010-04-01 12:17:50 +00:00
typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
add most of apache
2005-09-29 20:59:00 +00:00
files_type(httpd_$1_content_t)
# This type is used for .htaccess files
type httpd_$1_htaccess_t; # customizable;
files_type(httpd_$1_htaccess_t)
# Type that CGI scripts run as
type httpd_$1_script_t;
domain_type(httpd_$1_script_t)
role system_r types httpd_$1_script_t;
# This type is used for executable scripts files
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
patch from dan Thu, 23 Feb 2006 14:26:05 -0500
2006-02-27 16:23:39 +00:00
corecmd_shell_entry_type(httpd_$1_script_t)
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
add most of apache
2005-09-29 20:59:00 +00:00
First part of apache patch from Dan Walsh: file context changes, including renaming script ro/ra/rw files.
2010-04-01 12:17:50 +00:00
type httpd_$1_rw_content_t, httpdcontent; # customizable
typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
files_type(httpd_$1_rw_content_t)
add most of apache
2005-09-29 20:59:00 +00:00
First part of apache patch from Dan Walsh: file context changes, including renaming script ro/ra/rw files.
2010-04-01 12:17:50 +00:00
type httpd_$1_ra_content_t, httpdcontent; # customizable
typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
files_type(httpd_$1_ra_content_t)
add most of apache
2005-09-29 20:59:00 +00:00
Second part of Apache patch from Dan Walsh.
2010-04-05 14:57:52 +00:00
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
add most of apache
2005-09-29 20:59:00 +00:00
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
add most of apache
2005-09-29 20:59:00 +00:00
Second part of Apache patch from Dan Walsh.
2010-04-05 14:57:52 +00:00
allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
First part of apache patch from Dan Walsh: file context changes, including renaming script ro/ra/rw files.
2010-04-01 12:17:50 +00:00
allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
add most of apache
2005-09-29 20:59:00 +00:00
allow httpd_$1_script_t self:fifo_file rw_file_perms;
changed rules fixes
2005-11-10 21:37:54 +00:00
allow httpd_$1_script_t self:unix_stream_socket connectto;
add most of apache
2005-09-29 20:59:00 +00:00
allow httpd_$1_script_t httpd_t:fifo_file write;
# apache should set close-on-exec
dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
# Allow the script process to search the cgi directory, and users directory
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
add most of apache
2005-09-29 20:59:00 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
add most of apache
2005-09-29 20:59:00 +00:00
logging_search_logs(httpd_$1_script_t)
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
Second part of Apache patch from Dan Walsh.
2010-04-05 14:57:52 +00:00
allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
First part of apache patch from Dan Walsh: file context changes, including renaming script ro/ra/rw files.
2010-04-01 12:17:50 +00:00
allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
First part of apache patch from Dan Walsh: file context changes, including renaming script ro/ra/rw files.
2010-04-01 12:17:50 +00:00
allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
First part of apache patch from Dan Walsh: file context changes, including renaming script ro/ra/rw files.
2010-04-01 12:17:50 +00:00
manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
add most of apache
2005-09-29 20:59:00 +00:00
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
add most of apache
2005-09-29 20:59:00 +00:00
dev_read_rand(httpd_$1_script_t)
dev_read_urand(httpd_$1_script_t)
add concept of executables, and update policies which really want this intead of entrypoints
2006-04-19 21:43:02 +00:00
corecmd_exec_all_executables(httpd_$1_script_t)
add most of apache
2005-09-29 20:59:00 +00:00
files_exec_etc_files(httpd_$1_script_t)
files_read_etc_files(httpd_$1_script_t)
files_search_home(httpd_$1_script_t)
libs_exec_ld_so(httpd_$1_script_t)
libs_exec_lib_files(httpd_$1_script_t)
miscfiles_read_fonts(httpd_$1_script_t)
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
miscfiles_read_public_files(httpd_$1_script_t)
add most of apache
2005-09-29 20:59:00 +00:00
seutil_dontaudit_search_config(httpd_$1_script_t)
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
tunable_policy(`httpd_enable_cgi && httpd_unified',`
patch from dan Tue, 06 Jun 2006 22:50:46 -0400
2006-06-07 17:43:10 +00:00
allow httpd_$1_script_t httpdcontent:file entrypoint;
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
can_exec(httpd_$1_script_t, httpdcontent)
add most of apache
2005-09-29 20:59:00 +00:00
')
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
tunable_policy(`allow_httpd_$1_script_anon_write',`
miscfiles_manage_public_files(httpd_$1_script_t)
Whitespace fixes on Apache.
2010-04-05 18:05:05 +00:00
')
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
add most of apache
2005-09-29 20:59:00 +00:00
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
First part of apache patch from Dan Walsh: file context changes, including renaming script ro/ra/rw files.
2010-04-01 12:17:50 +00:00
manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
First part of apache patch from Dan Walsh: file context changes, including renaming script ro/ra/rw files.
2010-04-01 12:17:50 +00:00
allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
First part of apache patch from Dan Walsh: file context changes, including renaming script ro/ra/rw files.
2010-04-01 12:17:50 +00:00
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
add most of apache
2005-09-29 20:59:00 +00:00
')
tunable_policy(`httpd_enable_cgi',`
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
# privileged users run the script:
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
# apache runs the script:
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
add most of apache
2005-09-29 20:59:00 +00:00
allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
add most of apache
2005-09-29 20:59:00 +00:00
patch from dan Tue, 24 Oct 2006 11:00:28 -0400
2006-10-31 21:01:48 +00:00
allow httpd_$1_script_t self:process { setsched signal_perms };
add most of apache
2005-09-29 20:59:00 +00:00
allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_$1_script_t httpd_t:fd use;
allow httpd_$1_script_t httpd_t:process sigchld;
kernel_read_system_state(httpd_$1_script_t)
dev_read_urand(httpd_$1_script_t)
fs_getattr_xattr_fs(httpd_$1_script_t)
files_read_etc_runtime_files(httpd_$1_script_t)
files_read_usr_files(httpd_$1_script_t)
another slew of renaming
2006-02-02 21:08:12 +00:00
libs_read_lib_files(httpd_$1_script_t)
add most of apache
2005-09-29 20:59:00 +00:00
miscfiles_read_localization(httpd_$1_script_t)
')
deprecate module name as first parameter of optional_policy()
2006-03-24 16:13:54 +00:00
optional_policy(`
add most of apache
2005-09-29 20:59:00 +00:00
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
nis_use_ypbind_uncond(httpd_$1_script_t)
')
')
trunk: add sepostgresql policy from kaigai kohei.
2008-06-10 15:33:18 +00:00
optional_policy(`
postgresql_unpriv_client(httpd_$1_script_t)
trunk: Database labeled networking update from KaiGai Kohei.
2008-07-25 04:07:09 +00:00
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_$1_script_t)
')
trunk: add sepostgresql policy from kaigai kohei.
2008-06-10 15:33:18 +00:00
')
deprecate module name as first parameter of optional_policy()
2006-03-24 16:13:54 +00:00
optional_policy(`
another slew of renaming
2006-02-02 21:08:12 +00:00
nscd_socket_use(httpd_$1_script_t)
add most of apache
2005-09-29 20:59:00 +00:00
')
')
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
########################################
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
## <summary>
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
## Role access for apache
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
## </summary>
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
## <param name="role">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
## Role allowed access
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
## </param>
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
## User domain for the role
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
## </param>
#
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
interface(`apache_role',`
fix last loadable module problems
2005-10-19 14:36:04 +00:00
gen_require(`
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
attribute httpdcontent;
type httpd_user_content_t, httpd_user_htaccess_t;
type httpd_user_script_t, httpd_user_script_exec_t;
First part of apache patch from Dan Walsh: file context changes, including renaming script ro/ra/rw files.
2010-04-01 12:17:50 +00:00
type httpd_user_ra_content_t, httpd_user_rw_content_t;
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
')
role $1 types httpd_user_script_t;
allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
First part of apache patch from Dan Walsh: file context changes, including renaming script ro/ra/rw files.
2010-04-01 12:17:50 +00:00
manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
trunk: whitespace fixes
2009-06-26 14:40:13 +00:00
manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
add most of apache
2005-09-29 20:59:00 +00:00
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
tunable_policy(`httpd_enable_cgi',`
# If a user starts a script by hand it gets the proper context
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
')
add most of apache
2005-09-29 20:59:00 +00:00
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
tunable_policy(`httpd_enable_cgi && httpd_unified',`
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
domtrans_pattern($2, httpdcontent, httpd_user_script_t)
add most of apache
2005-09-29 20:59:00 +00:00
')
')
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
########################################
## <summary>
## Read httpd user scripts executables.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
interface(`apache_read_user_scripts',`
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
gen_require(`
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
type httpd_user_script_exec_t;
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
')
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
allow $1 httpd_user_script_exec_t:dir list_dir_perms;
read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
')
########################################
## <summary>
## Read user web content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
interface(`apache_read_user_content',`
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
gen_require(`
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
type httpd_user_content_t;
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
')
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
allow $1 httpd_user_content_t:dir list_dir_perms;
read_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
')
add most of apache
2005-09-29 20:59:00 +00:00
########################################
## <summary>
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
## Transition to apache.
add most of apache
2005-09-29 20:59:00 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 13:03:19 +00:00
## Domain allowed to transition.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add most of apache
2005-09-29 20:59:00 +00:00
## </param>
#
interface(`apache_domtrans',`
gen_require(`
type httpd_t, httpd_exec_t;
')
Merge sbin_t and ls_exec_t into bin_t.
2007-03-23 23:24:59 +00:00
corecmd_search_bin($1)
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
domtrans_pattern($1, httpd_exec_t, httpd_t)
add most of apache
2005-09-29 20:59:00 +00:00
')
Second part of Apache patch from Dan Walsh.
2010-04-05 14:57:52 +00:00
#######################################
## <summary>
## Send a generic signal to apache.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_signal',`
gen_require(`
type httpd_t;
')
allow $1 httpd_t:process signal;
')
add most of apache
2005-09-29 20:59:00 +00:00
########################################
## <summary>
## Send a null signal to apache.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add mailman
2005-10-11 15:36:53 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add most of apache
2005-09-29 20:59:00 +00:00
## </param>
#
interface(`apache_signull',`
gen_require(`
type httpd_t;
')
allow $1 httpd_t:process signull;
')
add mailman
2005-10-11 15:36:53 +00:00
########################################
## <summary>
## Send a SIGCHLD signal to apache.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add mailman
2005-10-11 15:36:53 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add mailman
2005-10-11 15:36:53 +00:00
## </param>
#
interface(`apache_sigchld',`
gen_require(`
type httpd_t;
')
allow $1 httpd_t:process sigchld;
')
########################################
## <summary>
## Inherit and use file descriptors from Apache.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add mailman
2005-10-11 15:36:53 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add mailman
2005-10-11 15:36:53 +00:00
## </param>
#
make (almost) all interface parameters required. move boot_t, system_map_t, and modules_object_t to files module. fd use interface renames, udp sendto interface renames.
2006-03-02 23:41:11 +00:00
interface(`apache_use_fds',`
add mailman
2005-10-11 15:36:53 +00:00
gen_require(`
type httpd_t;
')
allow $1 httpd_t:fd use;
')
Second part of Apache patch from Dan Walsh.
2010-04-05 14:57:52 +00:00
########################################
## <summary>
## Do not audit attempts to read and write Apache
## unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 13:03:19 +00:00
## Domain to not audit.
Second part of Apache patch from Dan Walsh.
2010-04-05 14:57:52 +00:00
## </summary>
## </param>
#
interface(`apache_dontaudit_rw_fifo_file',`
gen_require(`
type httpd_t;
')
dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
')
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
########################################
## <summary>
## Do not audit attempts to read and write Apache
## unix domain stream sockets.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 13:03:19 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## </param>
#
another slew of renaming
2006-02-02 21:08:12 +00:00
interface(`apache_dontaudit_rw_stream_sockets',`
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
gen_require(`
type httpd_t;
')
dontaudit $1 httpd_t:unix_stream_socket { read write };
')
########################################
## <summary>
## Do not audit attempts to read and write Apache
## TCP sockets.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 13:03:19 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## </param>
#
another slew of renaming
2006-02-02 21:08:12 +00:00
interface(`apache_dontaudit_rw_tcp_sockets',`
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
gen_require(`
type httpd_t;
')
dontaudit $1 httpd_t:tcp_socket { read write };
')
add openca, bug 1660
2006-05-02 17:42:41 +00:00
########################################
add apache_manage_all_content, bug 1602
2006-05-10 20:24:40 +00:00
## <summary>
## Create, read, write, and delete all web content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
## <rolecap/>
add apache_manage_all_content, bug 1602
2006-05-10 20:24:40 +00:00
#
interface(`apache_manage_all_content',`
gen_require(`
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
attribute httpdcontent, httpd_script_exec_type;
add apache_manage_all_content, bug 1602
2006-05-10 20:24:40 +00:00
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_dirs_pattern($1, httpdcontent, httpdcontent)
manage_files_pattern($1, httpdcontent, httpdcontent)
manage_lnk_files_pattern($1, httpdcontent, httpdcontent)
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
add apache_manage_all_content, bug 1602
2006-05-10 20:24:40 +00:00
')
Second part of Apache patch from Dan Walsh.
2010-04-05 14:57:52 +00:00
########################################
## <summary>
## Allow domain to set the attributes
## of the APACHE cache directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_setattr_cache_dirs',`
gen_require(`
type httpd_cache_t;
')
allow $1 httpd_cache_t:dir setattr;
')
########################################
## <summary>
## Allow the specified domain to list
## Apache cache.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_list_cache',`
gen_require(`
type httpd_cache_t;
')
list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
')
add apache_manage_all_content, bug 1602
2006-05-10 20:24:40 +00:00
########################################
add openca, bug 1660
2006-05-02 17:42:41 +00:00
## <summary>
## Allow the specified domain to read
## and write Apache cache files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_rw_cache_files',`
gen_require(`
type httpd_cache_t;
')
allow $1 httpd_cache_t:file rw_file_perms;
')
Second part of Apache patch from Dan Walsh.
2010-04-05 14:57:52 +00:00
########################################
## <summary>
## Allow the specified domain to delete
## Apache cache.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_delete_cache_files',`
gen_require(`
type httpd_cache_t;
')
delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
')
add most of apache
2005-09-29 20:59:00 +00:00
########################################
## <summary>
## Allow the specified domain to read
## apache configuration files.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add most of apache
2005-09-29 20:59:00 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add most of apache
2005-09-29 20:59:00 +00:00
## </param>
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
## <rolecap/>
add most of apache
2005-09-29 20:59:00 +00:00
#
interface(`apache_read_config',`
gen_require(`
type httpd_config_t;
')
files_search_etc($1)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow $1 httpd_config_t:dir list_dir_perms;
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_files_pattern($1, httpd_config_t, httpd_config_t)
read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
add most of apache
2005-09-29 20:59:00 +00:00
')
more apache work
2005-10-05 21:17:22 +00:00
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
########################################
## <summary>
## Allow the specified domain to manage
## apache configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_manage_config',`
gen_require(`
type httpd_config_t;
')
files_search_etc($1)
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_dirs_pattern($1, httpd_config_t, httpd_config_t)
manage_files_pattern($1, httpd_config_t, httpd_config_t)
read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
')
more apache work
2005-10-05 21:17:22 +00:00
########################################
## <summary>
more apache work
2005-10-12 16:23:22 +00:00
## Execute the Apache helper program with
## a domain transition.
more apache work
2005-10-05 21:17:22 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more apache work
2005-10-05 21:17:22 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more apache work
2005-10-05 21:17:22 +00:00
## </param>
#
more apache work
2005-10-12 16:23:22 +00:00
interface(`apache_domtrans_helper',`
more apache work
2005-10-05 21:17:22 +00:00
gen_require(`
more apache work
2005-10-12 16:23:22 +00:00
type httpd_helper_t, httpd_helper_exec_t;
more apache work
2005-10-05 21:17:22 +00:00
')
Merge sbin_t and ls_exec_t into bin_t.
2007-03-23 23:24:59 +00:00
corecmd_search_bin($1)
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t)
more apache work
2005-10-12 16:23:22 +00:00
')
########################################
## <summary>
## Execute the Apache helper program with
## a domain transition, and allow the
Second part of Apache patch from Dan Walsh.
2010-04-05 14:57:52 +00:00
## specified role the Apache helper domain.
more apache work
2005-10-12 16:23:22 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 13:03:19 +00:00
## Domain allowed to transition.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more apache work
2005-10-12 16:23:22 +00:00
## </param>
## <param name="role">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Second part of Apache patch from Dan Walsh.
2010-04-05 14:57:52 +00:00
## Role allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more apache work
2005-10-12 16:23:22 +00:00
## </param>
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
## <rolecap/>
more apache work
2005-10-12 16:23:22 +00:00
#
interface(`apache_run_helper',`
gen_require(`
type httpd_helper_t;
')
apache_domtrans_helper($1)
role $2 types httpd_helper_t;
more apache work
2005-10-05 21:17:22 +00:00
')
add mailman
2005-10-11 15:36:53 +00:00
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
########################################
## <summary>
## Allow the specified domain to read
## apache log files.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
## </param>
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
## <rolecap/>
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
#
interface(`apache_read_log',`
gen_require(`
type httpd_log_t;
')
add nagios, bug 1531
2006-04-06 15:03:23 +00:00
logging_search_logs($1)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow $1 httpd_log_t:dir list_dir_perms;
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_files_pattern($1, httpd_log_t, httpd_log_t)
read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
')
add nagios, bug 1531
2006-04-06 15:03:23 +00:00
########################################
## <summary>
## Allow the specified domain to append
## to apache log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_append_log',`
gen_require(`
type httpd_log_t;
')
logging_search_logs($1)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow $1 httpd_log_t:dir list_dir_perms;
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
append_files_pattern($1, httpd_log_t, httpd_log_t)
add nagios, bug 1531
2006-04-06 15:03:23 +00:00
')
add mailman
2005-10-11 15:36:53 +00:00
########################################
## <summary>
## Do not audit attempts to append to the
## Apache logs.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add mailman
2005-10-11 15:36:53 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add mailman
2005-10-11 15:36:53 +00:00
## </param>
#
interface(`apache_dontaudit_append_log',`
gen_require(`
type httpd_log_t;
')
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
dontaudit $1 httpd_log_t:file { getattr append };
add mailman
2005-10-11 15:36:53 +00:00
')
more apache work
2005-10-12 16:23:22 +00:00
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
########################################
## <summary>
## Allow the specified domain to manage
## to apache log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_manage_log',`
gen_require(`
type httpd_log_t;
')
logging_search_logs($1)
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
manage_files_pattern($1, httpd_log_t, httpd_log_t)
read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
')
clean up some hacks
2005-11-15 18:47:20 +00:00
########################################
## <summary>
## Do not audit attempts to search Apache
## module directories.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
clean up some hacks
2005-11-15 18:47:20 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
clean up some hacks
2005-11-15 18:47:20 +00:00
## </param>
#
interface(`apache_dontaudit_search_modules',`
gen_require(`
type httpd_modules_t;
')
fix dontaudit interface that was allowing instead of dontauditing; thanks to karl for pointing this out.
2006-11-28 15:47:47 +00:00
dontaudit $1 httpd_modules_t:dir search_dir_perms;
clean up some hacks
2005-11-15 18:47:20 +00:00
')
more apache work
2005-10-12 16:23:22 +00:00
########################################
## <summary>
## Allow the specified domain to list
## the contents of the apache modules
## directory.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more apache work
2005-10-12 16:23:22 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more apache work
2005-10-12 16:23:22 +00:00
## </param>
#
interface(`apache_list_modules',`
gen_require(`
type httpd_modules_t;
')
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow $1 httpd_modules_t:dir list_dir_perms;
more apache work
2005-10-12 16:23:22 +00:00
')
add certwatch
2006-01-18 19:09:48 +00:00
########################################
## <summary>
## Allow the specified domain to execute
## apache modules.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add certwatch
2006-01-18 19:09:48 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add certwatch
2006-01-18 19:09:48 +00:00
## </param>
#
interface(`apache_exec_modules',`
gen_require(`
type httpd_modules_t;
')
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow $1 httpd_modules_t:dir list_dir_perms;
trunk: Enable open permission checks policy capability.
2008-10-16 16:09:20 +00:00
allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
trunk: whitespace fixes
2009-06-26 14:40:13 +00:00
can_exec($1, httpd_modules_t)
add certwatch
2006-01-18 19:09:48 +00:00
')
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
########################################
## <summary>
## Execute a domain transition to run httpd_rotatelogs.
## </summary>
## <param name="domain">
## <summary>
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 13:03:19 +00:00
## Domain allowed to transition.
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
## </summary>
## </param>
#
interface(`apache_domtrans_rotatelogs',`
gen_require(`
type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
')
Implement cobblerd policy. My previous version had a minor bug in admin_role where it was using cobblerd_var_log_t, and cobblerd_var_lib_t instead of cobbler_var_log_t, and cobbler_var_lib_t. Whilst i was at it, i decided the implement a cobbler_etc_t for cobbler content in /etc. This because you cannot admin a cobbler environment witouth having access to cobbler config files and i dont want to give cobbler_admin access to manage etc_t. As a consequence if this i also removed the files_read_etc_files(cobblerd_t), as i think that cobbler only needed it to read its own files in /etc. However this is not confirmed, and it may need read access to etc_t afteral. Also i would like to underscore my reason for using public_content_rw_t. One of the reasons is that i do not want to give cobbler access to manage httpd_sys_content_rw_t. In general i do not want to depend on apache module at all. Signed-off-by: Dominick Grift <domg472@gmail.com> Signed-off-by: Chris PeBenito <pebenito@gentoo.org>
2010-01-05 15:26:14 +00:00
########################################
## <summary>
## Allow the specified domain to list
## apache system content files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_list_sys_content',`
gen_require(`
type httpd_sys_content_t;
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
files_search_var($1)
')
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
########################################
## <summary>
## Allow the specified domain to manage
## apache system content files.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
## </param>
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
## <rolecap/>
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
#
# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
interface(`apache_manage_sys_content',`
gen_require(`
partial (most of it) merge of selinux-policy-strict-sources-1.27.1-15
2005-10-13 20:59:36 +00:00
type httpd_sys_content_t;
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
')
files_search_var($1)
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
')
more apache work
2005-10-12 16:23:22 +00:00
########################################
## <summary>
## Execute all web scripts in the system
## script domain.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 13:03:19 +00:00
## Domain allowed to transition.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more apache work
2005-10-12 16:23:22 +00:00
## </param>
#
# cjp: this interface specifically added to allow
# sysadm_t to run scripts
interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
type httpd_sys_script_t;
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
more apache work
2005-10-12 16:23:22 +00:00
')
')
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
########################################
## <summary>
## Do not audit attempts to read and write Apache
## system script unix domain stream sockets.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 13:03:19 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## </param>
#
another slew of renaming
2006-02-02 21:08:12 +00:00
interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
gen_require(`
type httpd_sys_script_t;
')
dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
')
########################################
## <summary>
## Execute all user scripts in the user
## script domain.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 13:03:19 +00:00
## Domain allowed to transition.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## </param>
#
interface(`apache_domtrans_all_scripts',`
gen_require(`
attribute httpd_exec_scripts;
')
typeattribute $1 httpd_exec_scripts;
')
########################################
## <summary>
## Execute all user scripts in the user
## script domain. Add user script domains
## to the specified role.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 13:03:19 +00:00
## Domain allowed to transition.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## </param>
## <param name="role">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Docs standardizing on the role portion of run interfaces. Additional docs cleanup.
2010-08-03 13:20:22 +00:00
## Role allowed access..
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## </param>
#
interface(`apache_run_all_scripts',`
gen_require(`
attribute httpd_exec_scripts, httpd_script_domains;
')
role $2 types httpd_script_domains;
apache_domtrans_all_scripts($1)
')
########################################
## <summary>
## Allow the specified domain to read
## apache squirrelmail data.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## </param>
#
interface(`apache_read_squirrelmail_data',`
gen_require(`
type httpd_squirrelmail_t;
')
trunk: more open perm fixes.
2008-10-20 16:10:42 +00:00
allow $1 httpd_squirrelmail_t:file read_file_perms;
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
')
########################################
## <summary>
## Allow the specified domain to append
## apache squirrelmail data.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## </param>
#
interface(`apache_append_squirrelmail_data',`
gen_require(`
type httpd_squirrelmail_t;
')
trunk: more open perm fixes.
2008-10-20 16:10:42 +00:00
allow $1 httpd_squirrelmail_t:file append_file_perms;
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
')
fix several modular build problems
2005-11-29 21:27:15 +00:00
patch from dan Thu, 23 Feb 2006 14:26:05 -0500
2006-02-27 16:23:39 +00:00
########################################
## <summary>
add calamaris, bug 1518
2006-03-21 20:12:24 +00:00
## Search apache system content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_search_sys_content',`
gen_require(`
type httpd_sys_content_t;
')
allow $1 httpd_sys_content_t:dir search_dir_perms;
')
########################################
## <summary>
## Read apache system content.
patch from dan Thu, 23 Feb 2006 14:26:05 -0500
2006-02-27 16:23:39 +00:00
## </summary>
## <param name="domain">
## <summary>
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 13:03:19 +00:00
## Domain allowed access.
patch from dan Thu, 23 Feb 2006 14:26:05 -0500
2006-02-27 16:23:39 +00:00
## </summary>
## </param>
#
interface(`apache_read_sys_content',`
gen_require(`
type httpd_sys_content_t;
')
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow $1 httpd_sys_content_t:dir list_dir_perms;
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
patch from dan Thu, 23 Feb 2006 14:26:05 -0500
2006-02-27 16:23:39 +00:00
')
trunk: add 3rd party interface for apache cgi.
2007-07-26 19:48:40 +00:00
########################################
## <summary>
## Search apache system CGI directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_search_sys_scripts',`
gen_require(`
type httpd_sys_content_t, httpd_sys_script_exec_t;
')
search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
')
trunk: add infrastructure for managing user web content.
2007-10-18 19:23:33 +00:00
########################################
## <summary>
## Create, read, write, and delete all user web content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`apache_manage_all_user_content',`
gen_require(`
attribute httpd_user_content_type, httpd_user_script_exec_type;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
trunk: add infrastructure for managing user web content.
2007-10-18 19:23:33 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
trunk: add infrastructure for managing user web content.
2007-10-18 19:23:33 +00:00
')
fix several modular build problems
2005-11-29 21:27:15 +00:00
########################################
## <summary>
## Search system script state directory.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 13:03:19 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
fix several modular build problems
2005-11-29 21:27:15 +00:00
## </param>
#
interface(`apache_search_sys_script_state',`
gen_require(`
type httpd_sys_script_t;
')
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow $1 httpd_sys_script_t:dir search_dir_perms;
fix several modular build problems
2005-11-29 21:27:15 +00:00
')
trunk: add 3rd party interface for apache cgi.
2007-07-26 19:48:40 +00:00
Second part of Apache patch from Dan Walsh.
2010-04-05 14:57:52 +00:00
########################################
## <summary>
## Allow the specified domain to read
## apache tmp files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_read_tmp_files',`
gen_require(`
Fix requires for apache tmp interfaces. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-04-06 13:22:42 +00:00
type httpd_tmp_t;
Second part of Apache patch from Dan Walsh.
2010-04-05 14:57:52 +00:00
')
files_search_tmp($1)
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
########################################
## <summary>
Whitespace fixes on Apache.
2010-04-05 18:05:05 +00:00
## Dontaudit attempts to write
Second part of Apache patch from Dan Walsh.
2010-04-05 14:57:52 +00:00
## apache tmp files.
## </summary>
## <param name="domain">
## <summary>
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 13:03:19 +00:00
## Domain to not audit.
Second part of Apache patch from Dan Walsh.
2010-04-05 14:57:52 +00:00
## </summary>
## </param>
#
interface(`apache_dontaudit_write_tmp_files',`
gen_require(`
Fix requires for apache tmp interfaces. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-04-06 13:22:42 +00:00
type httpd_tmp_t;
Second part of Apache patch from Dan Walsh.
2010-04-05 14:57:52 +00:00
')
dontaudit $1 httpd_tmp_t:file write_file_perms;
')
trunk: add 3rd party interface for apache cgi.
2007-07-26 19:48:40 +00:00
########################################
## <summary>
## Execute CGI in the specified domain.
## </summary>
## <desc>
## <p>
## Execute CGI in the specified domain.
## </p>
## <p>
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain run the cgi script in.
## </summary>
## </param>
## <param name="entrypoint">
## <summary>
## Type of the executable to enter the cgi domain.
## </summary>
## </param>
#
interface(`apache_cgi_domain',`
gen_require(`
type httpd_t, httpd_sys_script_exec_t;
')
domtrans_pattern(httpd_t, $2, $1)
apache_search_sys_scripts($1)
allow httpd_t $1:process signal;
')
pull in apache_admin() from fedora
2009-07-28 17:24:08 +00:00
########################################
## <summary>
## All of the rules required to administrate an apache environment
## </summary>
## <param name="prefix">
## <summary>
## Prefix of the domain. Example, user would be
## the prefix for the uder_t domain.
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`apache_admin',`
gen_require(`
attribute httpdcontent;
attribute httpd_script_exec_type;
type httpd_t, httpd_config_t, httpd_log_t;
type httpd_modules_t, httpd_lock_t;
type httpd_var_run_t, httpd_php_tmp_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
First part of apache patch from Dan Walsh: file context changes, including renaming script ro/ra/rw files.
2010-04-01 12:17:50 +00:00
type httpd_initrc_exec_t;
pull in apache_admin() from fedora
2009-07-28 17:24:08 +00:00
')
allow $1 httpd_t:process { getattr ptrace signal_perms };
ps_process_pattern($1, httpd_t)
First part of apache patch from Dan Walsh: file context changes, including renaming script ro/ra/rw files.
2010-04-01 12:17:50 +00:00
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 httpd_initrc_exec_t system_r;
allow $2 system_r;
pull in apache_admin() from fedora
2009-07-28 17:24:08 +00:00
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
files_search_etc($1)
admin_pattern($1, httpd_config_t)
logging_search_logs($1)
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
admin_pattern($1, httpd_lock_t)
files_lock_filetrans($1, httpd_lock_t, file)
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
kernel_search_proc($1)
allow $1 httpd_t:dir list_dir_perms;
read_lnk_files_pattern($1, httpd_t, httpd_t)
admin_pattern($1, httpdcontent)
admin_pattern($1, httpd_script_exec_type)
admin_pattern($1, httpd_tmp_t)
admin_pattern($1, httpd_php_tmp_t)
admin_pattern($1, httpd_suexec_tmp_t)
')
Reference in New Issue Copy Permalink