rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
74993c4dae
selinux-policy/policy/modules/services/apache.if

1101 lines
28 KiB
Plaintext
Raw Normal View History

add most of apache
2005-09-29 20:59:00 +00:00
## <summary>Apache web server</summary>
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
########################################
## <summary>
## Create a set of derived types for apache
## web content.
## </summary>
## <param name="prefix">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
## The prefix to be used for deriving type names.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
## </param>
#
add most of apache
2005-09-29 20:59:00 +00:00
template(`apache_content_template',`
patch from dan Fri, 17 Mar 2006 15:22:53 -0500
2006-03-23 19:19:38 +00:00
gen_require(`
attribute httpdcontent;
attribute httpd_exec_scripts;
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
attribute httpd_script_exec_type;
patch from dan Fri, 17 Mar 2006 15:22:53 -0500
2006-03-23 19:19:38 +00:00
type httpd_t, httpd_suexec_t, httpd_log_t;
')
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
# allow write access to public file transfer
# services files.
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
gen_tunable(allow_httpd_$1_script_anon_write, false)
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
add most of apache
2005-09-29 20:59:00 +00:00
#This type is for webpages
type httpd_$1_content_t, httpdcontent; # customizable
files_type(httpd_$1_content_t)
# This type is used for .htaccess files
type httpd_$1_htaccess_t; # customizable;
files_type(httpd_$1_htaccess_t)
# Type that CGI scripts run as
type httpd_$1_script_t;
domain_type(httpd_$1_script_t)
role system_r types httpd_$1_script_t;
# This type is used for executable scripts files
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
patch from dan Thu, 23 Feb 2006 14:26:05 -0500
2006-02-27 16:23:39 +00:00
corecmd_shell_entry_type(httpd_$1_script_t)
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
add most of apache
2005-09-29 20:59:00 +00:00
# The following three are the only areas that
# scripts can read, read/write, or append to
type httpd_$1_script_ro_t, httpdcontent; # customizable
files_type(httpd_$1_script_ro_t)
type httpd_$1_script_rw_t, httpdcontent; # customizable
files_type(httpd_$1_script_rw_t)
type httpd_$1_script_ra_t, httpdcontent; # customizable
files_type(httpd_$1_script_ra_t)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow httpd_t httpd_$1_htaccess_t:file read_file_perms;
add most of apache
2005-09-29 20:59:00 +00:00
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
add most of apache
2005-09-29 20:59:00 +00:00
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;
add most of apache
2005-09-29 20:59:00 +00:00
allow httpd_$1_script_t self:fifo_file rw_file_perms;
changed rules fixes
2005-11-10 21:37:54 +00:00
allow httpd_$1_script_t self:unix_stream_socket connectto;
add most of apache
2005-09-29 20:59:00 +00:00
allow httpd_$1_script_t httpd_t:fifo_file write;
# apache should set close-on-exec
dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
# Allow the script process to search the cgi directory, and users directory
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
add most of apache
2005-09-29 20:59:00 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
add most of apache
2005-09-29 20:59:00 +00:00
logging_search_logs(httpd_$1_script_t)
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms;
allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
append_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms;
read_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_dirs_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
manage_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
files_tmp_filetrans(httpd_$1_script_t, httpd_$1_script_rw_t, { dir file lnk_file sock_file fifo_file })
add most of apache
2005-09-29 20:59:00 +00:00
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
add most of apache
2005-09-29 20:59:00 +00:00
dev_read_rand(httpd_$1_script_t)
dev_read_urand(httpd_$1_script_t)
add concept of executables, and update policies which really want this intead of entrypoints
2006-04-19 21:43:02 +00:00
corecmd_exec_all_executables(httpd_$1_script_t)
add most of apache
2005-09-29 20:59:00 +00:00
files_exec_etc_files(httpd_$1_script_t)
files_read_etc_files(httpd_$1_script_t)
files_search_home(httpd_$1_script_t)
libs_use_ld_so(httpd_$1_script_t)
libs_use_shared_libs(httpd_$1_script_t)
libs_exec_ld_so(httpd_$1_script_t)
libs_exec_lib_files(httpd_$1_script_t)
miscfiles_read_fonts(httpd_$1_script_t)
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
miscfiles_read_public_files(httpd_$1_script_t)
add most of apache
2005-09-29 20:59:00 +00:00
seutil_dontaudit_search_config(httpd_$1_script_t)
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
tunable_policy(`httpd_enable_cgi && httpd_unified',`
patch from dan Tue, 06 Jun 2006 22:50:46 -0400
2006-06-07 17:43:10 +00:00
allow httpd_$1_script_t httpdcontent:file entrypoint;
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
can_exec(httpd_$1_script_t, httpdcontent)
add most of apache
2005-09-29 20:59:00 +00:00
')
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
tunable_policy(`allow_httpd_$1_script_anon_write',`
miscfiles_manage_public_files(httpd_$1_script_t)
')
add most of apache
2005-09-29 20:59:00 +00:00
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_dirs_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
manage_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
manage_lnk_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
rw_sock_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow httpd_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
append_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
read_lnk_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow httpd_t httpd_$1_script_ro_t:dir list_dir_perms;
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
read_lnk_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
add most of apache
2005-09-29 20:59:00 +00:00
')
tunable_policy(`httpd_enable_cgi',`
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
# privileged users run the script:
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
# apache runs the script:
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
add most of apache
2005-09-29 20:59:00 +00:00
allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
add most of apache
2005-09-29 20:59:00 +00:00
patch from dan Tue, 24 Oct 2006 11:00:28 -0400
2006-10-31 21:01:48 +00:00
allow httpd_$1_script_t self:process { setsched signal_perms };
add most of apache
2005-09-29 20:59:00 +00:00
allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_$1_script_t httpd_t:fd use;
allow httpd_$1_script_t httpd_t:process sigchld;
kernel_read_system_state(httpd_$1_script_t)
dev_read_urand(httpd_$1_script_t)
fs_getattr_xattr_fs(httpd_$1_script_t)
files_read_etc_runtime_files(httpd_$1_script_t)
files_read_usr_files(httpd_$1_script_t)
another slew of renaming
2006-02-02 21:08:12 +00:00
libs_read_lib_files(httpd_$1_script_t)
add most of apache
2005-09-29 20:59:00 +00:00
miscfiles_read_localization(httpd_$1_script_t)
')
first part of dans patch Tue, 11 Apr 2006 09:25:24 -0400
2006-04-12 15:04:28 +00:00
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_$1_script_t self:udp_socket create_socket_perms;
trunk: Unified labeled networking policy from Paul Moore. The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport layer specific interfaces, are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID which makes it very difficult to distinquish between actual unlabeled packets and those packets which have MLS security attributes.
2007-06-27 15:23:21 +00:00
corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
corenet_all_recvfrom_netlabel(httpd_$1_script_t)
first part of dans patch Tue, 11 Apr 2006 09:25:24 -0400
2006-04-12 15:04:28 +00:00
corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
corenet_udp_sendrecv_all_if(httpd_$1_script_t)
corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
sysnet_read_config(httpd_$1_script_t)
')
add most of apache
2005-09-29 20:59:00 +00:00
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_$1_script_t self:udp_socket create_socket_perms;
add unlabeled association rules
2005-12-06 19:59:50 +00:00
trunk: Unified labeled networking policy from Paul Moore. The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport layer specific interfaces, are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID which makes it very difficult to distinquish between actual unlabeled packets and those packets which have MLS security attributes.
2007-06-27 15:23:21 +00:00
corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
corenet_all_recvfrom_netlabel(httpd_$1_script_t)
add most of apache
2005-09-29 20:59:00 +00:00
corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
corenet_udp_sendrecv_all_if(httpd_$1_script_t)
corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
corenet_tcp_connect_all_ports(httpd_$1_script_t)
packets for services
2006-05-30 19:46:34 +00:00
corenet_sendrecv_all_client_packets(httpd_$1_script_t)
add most of apache
2005-09-29 20:59:00 +00:00
sysnet_read_config(httpd_$1_script_t)
')
deprecate module name as first parameter of optional_policy()
2006-03-24 16:13:54 +00:00
optional_policy(`
add most of apache
2005-09-29 20:59:00 +00:00
mta_send_mail(httpd_$1_script_t)
')
trunk: Database labeled networking update from KaiGai Kohei.
2008-07-25 04:07:09 +00:00
optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_$1_script_t)
')
')
deprecate module name as first parameter of optional_policy()
2006-03-24 16:13:54 +00:00
optional_policy(`
add most of apache
2005-09-29 20:59:00 +00:00
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
nis_use_ypbind_uncond(httpd_$1_script_t)
')
')
trunk: add sepostgresql policy from kaigai kohei.
2008-06-10 15:33:18 +00:00
optional_policy(`
postgresql_unpriv_client(httpd_$1_script_t)
trunk: Database labeled networking update from KaiGai Kohei.
2008-07-25 04:07:09 +00:00
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_$1_script_t)
')
trunk: add sepostgresql policy from kaigai kohei.
2008-06-10 15:33:18 +00:00
')
deprecate module name as first parameter of optional_policy()
2006-03-24 16:13:54 +00:00
optional_policy(`
another slew of renaming
2006-02-02 21:08:12 +00:00
nscd_socket_use(httpd_$1_script_t)
add most of apache
2005-09-29 20:59:00 +00:00
')
')
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
#######################################
## <summary>
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
## The per role template for the apache module.
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
## </summary>
## <desc>
## <p>
## This template creates types used for web pages
## and web cgi to be used from the user home directory.
## </p>
## <p>
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
## </param>
## <param name="user_domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
## The type of the user domain.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
## </param>
## <param name="user_role">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
## The role associated with the user domain.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
## </param>
#
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
template(`apache_per_role_template', `
fix last loadable module problems
2005-10-19 14:36:04 +00:00
gen_require(`
attribute httpdcontent, httpd_script_domains;
trunk: add infrastructure for managing user web content.
2007-10-18 19:23:33 +00:00
attribute httpd_exec_scripts, httpd_user_content_type;
attribute httpd_user_script_exec_type;
fix last loadable module problems
2005-10-19 14:36:04 +00:00
type httpd_t, httpd_suexec_t, httpd_log_t;
')
add most of apache
2005-09-29 20:59:00 +00:00
apache_content_template($1)
trunk: add infrastructure for managing user web content.
2007-10-18 19:23:33 +00:00
typeattribute httpd_$1_content_t httpd_user_content_type;
typeattribute httpd_$1_script_ra_t httpd_user_content_type;
typeattribute httpd_$1_script_rw_t httpd_user_content_type;
typeattribute httpd_$1_script_ro_t httpd_user_content_type;
typeattribute httpd_$1_script_exec_t httpd_user_script_exec_type;
fix http_script_domains, it was incorrectly applied to the content type rather than the script domain. bug #24.
2007-04-02 13:20:55 +00:00
typeattribute httpd_$1_script_t httpd_script_domains;
another round of renaming
2006-02-21 18:40:44 +00:00
userdom_user_home_content($1,httpd_$1_content_t)
add most of apache
2005-09-29 20:59:00 +00:00
role $3 types httpd_$1_script_t;
allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom };
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow $2 httpd_$1_htaccess_t:file { manage_file_perms relabelto relabelfrom };
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_dirs_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
manage_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
manage_lnk_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
relabel_dirs_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
relabel_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
relabel_lnk_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
manage_dirs_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
manage_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
manage_lnk_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
relabel_dirs_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
relabel_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
relabel_lnk_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
manage_dirs_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
manage_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
manage_lnk_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
relabel_dirs_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
relabel_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
relabel_lnk_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
manage_dirs_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
manage_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
manage_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
relabel_dirs_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
relabel_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
relabel_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
add most of apache
2005-09-29 20:59:00 +00:00
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
tunable_policy(`httpd_enable_cgi',`
# If a user starts a script by hand it gets the proper context
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
domtrans_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_t)
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
')
add most of apache
2005-09-29 20:59:00 +00:00
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_$1_script_t httpdcontent:file entrypoint;
add most of apache
2005-09-29 20:59:00 +00:00
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
domtrans_pattern($2, httpdcontent, httpd_$1_script_t)
add most of apache
2005-09-29 20:59:00 +00:00
')
# allow accessing files/dirs below the users home dir
tunable_policy(`httpd_enable_homedirs',`
another round of renaming
2006-02-21 18:40:44 +00:00
userdom_search_user_home_dirs($1,httpd_t)
userdom_search_user_home_dirs($1,httpd_suexec_t)
userdom_search_user_home_dirs($1,httpd_$1_script_t)
add most of apache
2005-09-29 20:59:00 +00:00
')
')
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
########################################
## <summary>
## Read httpd user scripts executables.
## </summary>
## <param name="domain_prefix">
## <summary>
## Prefix of the domain. Example, user would be
## the prefix for the uder_t domain.
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`apache_read_user_scripts',`
gen_require(`
type httpd_$1_script_exec_t;
')
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow $2 httpd_$1_script_exec_t:dir list_dir_perms;
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
read_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
')
########################################
## <summary>
## Read user web content.
## </summary>
## <param name="domain_prefix">
## <summary>
## Prefix of the domain. Example, user would be
## the prefix for the uder_t domain.
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`apache_read_user_content',`
gen_require(`
type httpd_$1_content_t;
')
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow $2 httpd_$1_content_t:dir list_dir_perms;
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_files_pattern($2, httpd_$1_content_t, httpd_$1_content_t)
read_lnk_files_pattern($2, httpd_$1_content_t, httpd_$1_content_t)
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
')
add most of apache
2005-09-29 20:59:00 +00:00
########################################
## <summary>
add some docs, do some reordering
2005-10-12 21:25:16 +00:00
## Transition to apache.
add most of apache
2005-09-29 20:59:00 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add most of apache
2005-09-29 20:59:00 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add most of apache
2005-09-29 20:59:00 +00:00
## </param>
#
interface(`apache_domtrans',`
gen_require(`
type httpd_t, httpd_exec_t;
')
Merge sbin_t and ls_exec_t into bin_t.
2007-03-23 23:24:59 +00:00
corecmd_search_bin($1)
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
domtrans_pattern($1, httpd_exec_t, httpd_t)
add most of apache
2005-09-29 20:59:00 +00:00
')
########################################
## <summary>
## Send a null signal to apache.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add mailman
2005-10-11 15:36:53 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add most of apache
2005-09-29 20:59:00 +00:00
## </param>
#
interface(`apache_signull',`
gen_require(`
type httpd_t;
')
allow $1 httpd_t:process signull;
')
add mailman
2005-10-11 15:36:53 +00:00
########################################
## <summary>
## Send a SIGCHLD signal to apache.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add mailman
2005-10-11 15:36:53 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add mailman
2005-10-11 15:36:53 +00:00
## </param>
#
interface(`apache_sigchld',`
gen_require(`
type httpd_t;
')
allow $1 httpd_t:process sigchld;
')
########################################
## <summary>
## Inherit and use file descriptors from Apache.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add mailman
2005-10-11 15:36:53 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add mailman
2005-10-11 15:36:53 +00:00
## </param>
#
make (almost) all interface parameters required. move boot_t, system_map_t, and modules_object_t to files module. fd use interface renames, udp sendto interface renames.
2006-03-02 23:41:11 +00:00
interface(`apache_use_fds',`
add mailman
2005-10-11 15:36:53 +00:00
gen_require(`
type httpd_t;
')
allow $1 httpd_t:fd use;
')
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
########################################
## <summary>
## Do not audit attempts to read and write Apache
## unix domain stream sockets.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## </param>
#
another slew of renaming
2006-02-02 21:08:12 +00:00
interface(`apache_dontaudit_rw_stream_sockets',`
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
gen_require(`
type httpd_t;
')
dontaudit $1 httpd_t:unix_stream_socket { read write };
')
########################################
## <summary>
## Do not audit attempts to read and write Apache
## TCP sockets.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## </param>
#
another slew of renaming
2006-02-02 21:08:12 +00:00
interface(`apache_dontaudit_rw_tcp_sockets',`
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
gen_require(`
type httpd_t;
')
dontaudit $1 httpd_t:tcp_socket { read write };
')
add openca, bug 1660
2006-05-02 17:42:41 +00:00
########################################
add apache_manage_all_content, bug 1602
2006-05-10 20:24:40 +00:00
## <summary>
## Create, read, write, and delete all web content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
## <rolecap/>
add apache_manage_all_content, bug 1602
2006-05-10 20:24:40 +00:00
#
interface(`apache_manage_all_content',`
gen_require(`
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
attribute httpdcontent, httpd_script_exec_type;
add apache_manage_all_content, bug 1602
2006-05-10 20:24:40 +00:00
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_dirs_pattern($1, httpdcontent, httpdcontent)
manage_files_pattern($1, httpdcontent, httpdcontent)
manage_lnk_files_pattern($1, httpdcontent, httpdcontent)
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
add apache_manage_all_content, bug 1602
2006-05-10 20:24:40 +00:00
')
########################################
add openca, bug 1660
2006-05-02 17:42:41 +00:00
## <summary>
## Allow the specified domain to read
## and write Apache cache files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_rw_cache_files',`
gen_require(`
type httpd_cache_t;
')
allow $1 httpd_cache_t:file rw_file_perms;
')
add most of apache
2005-09-29 20:59:00 +00:00
########################################
## <summary>
## Allow the specified domain to read
## apache configuration files.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add most of apache
2005-09-29 20:59:00 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add most of apache
2005-09-29 20:59:00 +00:00
## </param>
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
## <rolecap/>
add most of apache
2005-09-29 20:59:00 +00:00
#
interface(`apache_read_config',`
gen_require(`
type httpd_config_t;
')
files_search_etc($1)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow $1 httpd_config_t:dir list_dir_perms;
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_files_pattern($1, httpd_config_t, httpd_config_t)
read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
add most of apache
2005-09-29 20:59:00 +00:00
')
more apache work
2005-10-05 21:17:22 +00:00
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
########################################
## <summary>
## Allow the specified domain to manage
## apache configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_manage_config',`
gen_require(`
type httpd_config_t;
')
files_search_etc($1)
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_dirs_pattern($1, httpd_config_t, httpd_config_t)
manage_files_pattern($1, httpd_config_t, httpd_config_t)
read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
')
more apache work
2005-10-05 21:17:22 +00:00
########################################
## <summary>
more apache work
2005-10-12 16:23:22 +00:00
## Execute the Apache helper program with
## a domain transition.
more apache work
2005-10-05 21:17:22 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more apache work
2005-10-05 21:17:22 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more apache work
2005-10-05 21:17:22 +00:00
## </param>
#
more apache work
2005-10-12 16:23:22 +00:00
interface(`apache_domtrans_helper',`
more apache work
2005-10-05 21:17:22 +00:00
gen_require(`
more apache work
2005-10-12 16:23:22 +00:00
type httpd_helper_t, httpd_helper_exec_t;
more apache work
2005-10-05 21:17:22 +00:00
')
Merge sbin_t and ls_exec_t into bin_t.
2007-03-23 23:24:59 +00:00
corecmd_search_bin($1)
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t)
more apache work
2005-10-12 16:23:22 +00:00
')
########################################
## <summary>
## Execute the Apache helper program with
## a domain transition, and allow the
## specified role the dmidecode domain.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more apache work
2005-10-12 16:23:22 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more apache work
2005-10-12 16:23:22 +00:00
## </param>
## <param name="role">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more apache work
2005-10-12 16:23:22 +00:00
## The role to be allowed the dmidecode domain.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more apache work
2005-10-12 16:23:22 +00:00
## </param>
## <param name="terminal">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more apache work
2005-10-12 16:23:22 +00:00
## The type of the terminal allow the dmidecode domain to use.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more apache work
2005-10-12 16:23:22 +00:00
## </param>
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
## <rolecap/>
more apache work
2005-10-12 16:23:22 +00:00
#
interface(`apache_run_helper',`
gen_require(`
type httpd_helper_t;
')
apache_domtrans_helper($1)
role $2 types httpd_helper_t;
allow httpd_helper_t $3:chr_file rw_term_perms;
more apache work
2005-10-05 21:17:22 +00:00
')
add mailman
2005-10-11 15:36:53 +00:00
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
########################################
## <summary>
## Allow the specified domain to read
## apache log files.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
## </param>
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
## <rolecap/>
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
#
interface(`apache_read_log',`
gen_require(`
type httpd_log_t;
')
add nagios, bug 1531
2006-04-06 15:03:23 +00:00
logging_search_logs($1)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow $1 httpd_log_t:dir list_dir_perms;
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_files_pattern($1, httpd_log_t, httpd_log_t)
read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
')
add nagios, bug 1531
2006-04-06 15:03:23 +00:00
########################################
## <summary>
## Allow the specified domain to append
## to apache log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_append_log',`
gen_require(`
type httpd_log_t;
')
logging_search_logs($1)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow $1 httpd_log_t:dir list_dir_perms;
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
append_files_pattern($1, httpd_log_t, httpd_log_t)
add nagios, bug 1531
2006-04-06 15:03:23 +00:00
')
add mailman
2005-10-11 15:36:53 +00:00
########################################
## <summary>
## Do not audit attempts to append to the
## Apache logs.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add mailman
2005-10-11 15:36:53 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add mailman
2005-10-11 15:36:53 +00:00
## </param>
#
interface(`apache_dontaudit_append_log',`
gen_require(`
type httpd_log_t;
')
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
dontaudit $1 httpd_log_t:file { getattr append };
add mailman
2005-10-11 15:36:53 +00:00
')
more apache work
2005-10-12 16:23:22 +00:00
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
########################################
## <summary>
## Allow the specified domain to manage
## to apache log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_manage_log',`
gen_require(`
type httpd_log_t;
')
logging_search_logs($1)
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
manage_files_pattern($1, httpd_log_t, httpd_log_t)
read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
')
clean up some hacks
2005-11-15 18:47:20 +00:00
########################################
## <summary>
## Do not audit attempts to search Apache
## module directories.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
clean up some hacks
2005-11-15 18:47:20 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
clean up some hacks
2005-11-15 18:47:20 +00:00
## </param>
#
interface(`apache_dontaudit_search_modules',`
gen_require(`
type httpd_modules_t;
')
fix dontaudit interface that was allowing instead of dontauditing; thanks to karl for pointing this out.
2006-11-28 15:47:47 +00:00
dontaudit $1 httpd_modules_t:dir search_dir_perms;
clean up some hacks
2005-11-15 18:47:20 +00:00
')
more apache work
2005-10-12 16:23:22 +00:00
########################################
## <summary>
## Allow the specified domain to list
## the contents of the apache modules
## directory.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more apache work
2005-10-12 16:23:22 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more apache work
2005-10-12 16:23:22 +00:00
## </param>
#
interface(`apache_list_modules',`
gen_require(`
type httpd_modules_t;
')
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow $1 httpd_modules_t:dir list_dir_perms;
more apache work
2005-10-12 16:23:22 +00:00
')
add certwatch
2006-01-18 19:09:48 +00:00
########################################
## <summary>
## Allow the specified domain to execute
## apache modules.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add certwatch
2006-01-18 19:09:48 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add certwatch
2006-01-18 19:09:48 +00:00
## </param>
#
interface(`apache_exec_modules',`
gen_require(`
type httpd_modules_t;
')
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow $1 httpd_modules_t:dir list_dir_perms;
allow $1 httpd_modules_t:lnk_file read_file_perms;
add certwatch
2006-01-18 19:09:48 +00:00
can_exec($1,httpd_modules_t)
')
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
########################################
## <summary>
## Execute a domain transition to run httpd_rotatelogs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_domtrans_rotatelogs',`
gen_require(`
type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
2006-06-21 18:25:06 +00:00
')
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
########################################
## <summary>
## Allow the specified domain to manage
## apache system content files.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
## </param>
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
## <rolecap/>
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
#
# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
interface(`apache_manage_sys_content',`
gen_require(`
partial (most of it) merge of selinux-policy-strict-sources-1.27.1-15
2005-10-13 20:59:36 +00:00
type httpd_sys_content_t;
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
')
files_search_var($1)
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
add in last bits of webalizer
2005-10-12 17:22:25 +00:00
')
more apache work
2005-10-12 16:23:22 +00:00
########################################
## <summary>
## Execute all web scripts in the system
## script domain.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more apache work
2005-10-12 16:23:22 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more apache work
2005-10-12 16:23:22 +00:00
## </param>
#
# cjp: this interface specifically added to allow
# sysadm_t to run scripts
interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
type httpd_sys_script_t;
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
more apache work
2005-10-12 16:23:22 +00:00
')
')
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
########################################
## <summary>
## Do not audit attempts to read and write Apache
## system script unix domain stream sockets.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## </param>
#
another slew of renaming
2006-02-02 21:08:12 +00:00
interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
gen_require(`
type httpd_sys_script_t;
')
dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
')
########################################
## <summary>
## Execute all user scripts in the user
## script domain.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## </param>
#
interface(`apache_domtrans_all_scripts',`
gen_require(`
attribute httpd_exec_scripts;
')
typeattribute $1 httpd_exec_scripts;
')
########################################
## <summary>
## Execute all user scripts in the user
## script domain. Add user script domains
## to the specified role.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## </param>
## <param name="role">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## The role to be allowed the script domains.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## </param>
#
# cjp: this is missing the terminal since scripts
# do not output to the terminal
interface(`apache_run_all_scripts',`
gen_require(`
attribute httpd_exec_scripts, httpd_script_domains;
')
role $2 types httpd_script_domains;
apache_domtrans_all_scripts($1)
')
########################################
## <summary>
## Allow the specified domain to read
## apache squirrelmail data.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## </param>
#
interface(`apache_read_squirrelmail_data',`
gen_require(`
type httpd_squirrelmail_t;
')
allow $1 httpd_squirrelmail_t:file { getattr read };
')
########################################
## <summary>
## Allow the specified domain to append
## apache squirrelmail data.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
wrap up almost all of apache
2005-10-17 17:55:38 +00:00
## </param>
#
interface(`apache_append_squirrelmail_data',`
gen_require(`
type httpd_squirrelmail_t;
')
allow $1 httpd_squirrelmail_t:file { getattr append };
')
fix several modular build problems
2005-11-29 21:27:15 +00:00
patch from dan Thu, 23 Feb 2006 14:26:05 -0500
2006-02-27 16:23:39 +00:00
########################################
## <summary>
add calamaris, bug 1518
2006-03-21 20:12:24 +00:00
## Search apache system content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_search_sys_content',`
gen_require(`
type httpd_sys_content_t;
')
allow $1 httpd_sys_content_t:dir search_dir_perms;
')
########################################
## <summary>
## Read apache system content.
patch from dan Thu, 23 Feb 2006 14:26:05 -0500
2006-02-27 16:23:39 +00:00
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`apache_read_sys_content',`
gen_require(`
type httpd_sys_content_t;
')
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow $1 httpd_sys_content_t:dir list_dir_perms;
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
patch from dan Thu, 23 Feb 2006 14:26:05 -0500
2006-02-27 16:23:39 +00:00
')
trunk: add 3rd party interface for apache cgi.
2007-07-26 19:48:40 +00:00
########################################
## <summary>
## Search apache system CGI directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_search_sys_scripts',`
gen_require(`
type httpd_sys_content_t, httpd_sys_script_exec_t;
')
search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
')
trunk: add infrastructure for managing user web content.
2007-10-18 19:23:33 +00:00
########################################
## <summary>
## Create, read, write, and delete all user web content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`apache_manage_all_user_content',`
gen_require(`
attribute httpd_user_content_type, httpd_user_script_exec_type;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
trunk: add infrastructure for managing user web content.
2007-10-18 19:23:33 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
trunk: add infrastructure for managing user web content.
2007-10-18 19:23:33 +00:00
')
fix several modular build problems
2005-11-29 21:27:15 +00:00
########################################
## <summary>
## Search system script state directory.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
fix several modular build problems
2005-11-29 21:27:15 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
fix several modular build problems
2005-11-29 21:27:15 +00:00
## </param>
#
interface(`apache_search_sys_script_state',`
gen_require(`
type httpd_sys_script_t;
')
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow $1 httpd_sys_script_t:dir search_dir_perms;
fix several modular build problems
2005-11-29 21:27:15 +00:00
')
trunk: add 3rd party interface for apache cgi.
2007-07-26 19:48:40 +00:00
########################################
## <summary>
## Execute CGI in the specified domain.
## </summary>
## <desc>
## <p>
## Execute CGI in the specified domain.
## </p>
## <p>
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain run the cgi script in.
## </summary>
## </param>
## <param name="entrypoint">
## <summary>
## Type of the executable to enter the cgi domain.
## </summary>
## </param>
#
interface(`apache_cgi_domain',`
gen_require(`
type httpd_t, httpd_sys_script_exec_t;
')
domtrans_pattern(httpd_t, $2, $1)
apache_search_sys_scripts($1)
allow httpd_t $1:process signal;
')
Reference in New Issue Copy Permalink