Second part of Apache patch from Dan Walsh.
This commit is contained in:
parent
83caba3eb9
commit
60def66b13
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corenetwork, 1.13.9)
|
||||
policy_module(corenetwork, 1.13.10)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -138,6 +138,7 @@ network_port(memcache, tcp,11211,s0, udp,11211,s0)
|
||||
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
||||
network_port(monopd, tcp,1234,s0)
|
||||
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
||||
network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0)
|
||||
network_port(munin, tcp,4949,s0, udp,4949,s0)
|
||||
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
|
||||
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
|
||||
|
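Review bot: The new `portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)` is a bare portcon with no comment saying which listener owns that 32-port range, while every neighbouring port in the hunk is declared through `network_port(...)`. Because this same commit grants `corenet_tcp_connect_mysqld_port` to httpd_t, httpd_sys_script_t and httpd_suexec_t under httpd_can_network_connect_db, everything in that range becomes reachable from the web server whenever the boolean is on, so the line needs a one-line justification such as `# 63132-63163: <name the listener>; labeled mysqld_port_t so httpd_can_network_connect_db covers it`. If the range belongs to a daemon other than mysqld it should get its own port type rather than piggy-backing on mysqld_port_t, since every consumer of mysqld_port_t inherits it.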
@ -5164,6 +5164,25 @@ interface(`files_rw_generic_pids',`
|
||||
rw_files_pattern($1, var_run_t, var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the attributes of
|
||||
## daemon runtime data files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_getattr_all_pids',`
|
||||
gen_require(`
|
||||
attribute pidfile;
|
||||
')
|
||||
|
||||
dontaudit $1 pidfile:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to write to daemon runtime data files.
|
||||
|
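Review bot: The summary of `files_dontaudit_getattr_all_pids` understates its scope: `dontaudit $1 pidfile:file getattr;` is keyed on the pidfile attribute, so a caller loses audit visibility for stat() probes of every daemon's pid file, not just generic var_run_t content. Suggest making that explicit, e.g. `## Do not audit attempts to get the attributes of any daemon runtime data file (every type carrying the pidfile attribute).` Directory getattr is not suppressed by this rule, which matches the wording but is worth stating so callers do not expect it to silence probes of /var/run subdirectories.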
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(files, 1.12.4)
|
||||
policy_module(files, 1.12.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -49,10 +49,11 @@ template(`apache_content_template',`
|
||||
typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
|
||||
files_type(httpd_$1_ra_content_t)
|
||||
|
||||
allow httpd_t httpd_$1_htaccess_t:file read_file_perms;
|
||||
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
|
||||
|
||||
domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
||||
|
||||
allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
|
||||
allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
|
||||
|
||||
allow httpd_$1_script_t self:fifo_file rw_file_perms;
|
||||
@ -69,7 +70,7 @@ template(`apache_content_template',`
|
||||
logging_search_logs(httpd_$1_script_t)
|
||||
|
||||
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
|
||||
allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms;
|
||||
allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
|
||||
|
||||
allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
|
||||
read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
||||
@ -173,50 +174,6 @@ template(`apache_content_template',`
|
||||
miscfiles_read_localization(httpd_$1_script_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
|
||||
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
|
||||
allow httpd_$1_script_t self:udp_socket create_socket_perms;
|
||||
|
||||
corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
|
||||
corenet_all_recvfrom_netlabel(httpd_$1_script_t)
|
||||
corenet_tcp_sendrecv_generic_if(httpd_$1_script_t)
|
||||
corenet_udp_sendrecv_generic_if(httpd_$1_script_t)
|
||||
corenet_tcp_sendrecv_generic_node(httpd_$1_script_t)
|
||||
corenet_udp_sendrecv_generic_node(httpd_$1_script_t)
|
||||
corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
|
||||
corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
|
||||
|
||||
sysnet_read_config(httpd_$1_script_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
||||
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
|
||||
allow httpd_$1_script_t self:udp_socket create_socket_perms;
|
||||
|
||||
corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
|
||||
corenet_all_recvfrom_netlabel(httpd_$1_script_t)
|
||||
corenet_tcp_sendrecv_generic_if(httpd_$1_script_t)
|
||||
corenet_udp_sendrecv_generic_if(httpd_$1_script_t)
|
||||
corenet_tcp_sendrecv_generic_node(httpd_$1_script_t)
|
||||
corenet_udp_sendrecv_generic_node(httpd_$1_script_t)
|
||||
corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
|
||||
corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
|
||||
corenet_tcp_connect_all_ports(httpd_$1_script_t)
|
||||
corenet_sendrecv_all_client_packets(httpd_$1_script_t)
|
||||
|
||||
sysnet_read_config(httpd_$1_script_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mta_send_mail(httpd_$1_script_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
|
||||
mysql_tcp_connect(httpd_$1_script_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
|
||||
nis_use_ypbind_uncond(httpd_$1_script_t)
|
||||
@ -355,6 +312,24 @@ interface(`apache_domtrans',`
|
||||
domtrans_pattern($1, httpd_exec_t, httpd_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Send a generic signal to apache.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`apache_signal',`
|
||||
gen_require(`
|
||||
type httpd_t;
|
||||
')
|
||||
|
||||
allow $1 httpd_t:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a null signal to apache.
|
||||
@ -409,6 +384,25 @@ interface(`apache_use_fds',`
|
||||
allow $1 httpd_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read and write Apache
|
||||
## unnamed pipes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`apache_dontaudit_rw_fifo_file',`
|
||||
gen_require(`
|
||||
type httpd_t;
|
||||
')
|
||||
|
||||
dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read and write Apache
|
||||
@ -472,6 +466,44 @@ interface(`apache_manage_all_content',`
|
||||
manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow domain to set the attributes
|
||||
## of the APACHE cache directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`apache_setattr_cache_dirs',`
|
||||
gen_require(`
|
||||
type httpd_cache_t;
|
||||
')
|
||||
|
||||
allow $1 httpd_cache_t:dir setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to list
|
||||
## Apache cache.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`apache_list_cache',`
|
||||
gen_require(`
|
||||
type httpd_cache_t;
|
||||
')
|
||||
|
||||
list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to read
|
||||
@ -491,6 +523,25 @@ interface(`apache_rw_cache_files',`
|
||||
allow $1 httpd_cache_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to delete
|
||||
## Apache cache.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`apache_delete_cache_files',`
|
||||
gen_require(`
|
||||
type httpd_cache_t;
|
||||
')
|
||||
|
||||
delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to read
|
||||
@ -560,7 +611,7 @@ interface(`apache_domtrans_helper',`
|
||||
## <summary>
|
||||
## Execute the Apache helper program with
|
||||
## a domain transition, and allow the
|
||||
## specified role the dmidecode domain.
|
||||
## specified role the Apache helper domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -569,7 +620,7 @@ interface(`apache_domtrans_helper',`
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed the dmidecode domain.
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
@ -1015,6 +1066,45 @@ interface(`apache_search_sys_script_state',`
|
||||
allow $1 httpd_sys_script_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to read
|
||||
## apache tmp files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`apache_read_tmp_files',`
|
||||
gen_require(`
|
||||
type httpd_config_t;
|
||||
')
|
||||
|
||||
files_search_tmp($1)
|
||||
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Dontaudit attempts to write
|
||||
## apache tmp files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`apache_dontaudit_write_tmp_files',`
|
||||
gen_require(`
|
||||
type httpd_config_t;
|
||||
')
|
||||
|
||||
dontaudit $1 httpd_tmp_t:file write_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute CGI in the specified domain.
|
||||
|
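Review bot: Both new interfaces `apache_read_tmp_files` and `apache_dontaudit_write_tmp_files` require the wrong type: each `gen_require` declares `type httpd_config_t;` while the bodies use `read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)` and `dontaudit $1 httpd_tmp_t:file write_file_perms;`, so in a modular build a caller will fail on an undeclared httpd_tmp_t; change both to `type httpd_tmp_t;`. In apache_content_template the new suexec rule lists the same type twice, `allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;`, which is harmless but should be de-duplicated. The httpd_can_network_connect and httpd_can_network_connect_db blocks removed from the template are re-added in apache.te for httpd_sys_script_t only, so any other instantiation of the template (if one still exists outside this view) silently loses its network rules; worth confirming that is intended.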
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(apache, 2.1.1)
|
||||
policy_module(apache, 2.1.2)
|
||||
|
||||
#
|
||||
# NOTES:
|
||||
@ -63,6 +63,20 @@ gen_tunable(httpd_can_network_connect_db, false)
|
||||
## </desc>
|
||||
gen_tunable(httpd_can_network_relay, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow http daemon to send mail
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(httpd_can_sendmail, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow Apache to communicate with avahi service via dbus
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(httpd_dbus_avahi, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow httpd cgi support
|
||||
@ -108,6 +122,27 @@ gen_tunable(httpd_tty_comm, false)
|
||||
## </desc>
|
||||
gen_tunable(httpd_unified, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow httpd to access cifs file systems
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(httpd_use_cifs, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow httpd to run gpg
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(httpd_use_gpg, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow httpd to access nfs file systems
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(httpd_use_nfs, false)
|
||||
|
||||
attribute httpdcontent;
|
||||
attribute httpd_user_content_type;
|
||||
|
||||
@ -232,7 +267,7 @@ optional_policy(`
|
||||
# Apache server local policy
|
||||
#
|
||||
|
||||
allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
|
||||
allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
|
||||
dontaudit httpd_t self:capability { net_admin sys_tty_config };
|
||||
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow httpd_t self:fd use;
|
||||
@ -274,6 +309,7 @@ logging_log_filetrans(httpd_t, httpd_log_t, file)
|
||||
allow httpd_t httpd_modules_t:dir list_dir_perms;
|
||||
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||
|
||||
apache_domtrans_rotatelogs(httpd_t)
|
||||
# Apache-httpd needs to be able to send signals to the log rotate procs.
|
||||
@ -289,9 +325,12 @@ allow httpd_t httpd_sys_content_t:dir list_dir_perms;
|
||||
read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
|
||||
read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
|
||||
|
||||
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
|
||||
|
||||
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||
files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir })
|
||||
manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||
files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
|
||||
|
||||
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
|
||||
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
|
||||
@ -303,9 +342,11 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_fil
|
||||
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
|
||||
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
|
||||
|
||||
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
||||
manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
||||
manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
||||
manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
||||
files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
|
||||
files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
|
||||
|
||||
manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
@ -346,6 +387,7 @@ corecmd_exec_shell(httpd_t)
|
||||
|
||||
domain_use_interactive_fds(httpd_t)
|
||||
|
||||
files_dontaudit_getattr_all_pids(httpd_t)
|
||||
files_read_usr_files(httpd_t)
|
||||
files_list_mnt(httpd_t)
|
||||
files_search_spool(httpd_t)
|
||||
@ -374,8 +416,6 @@ seutil_dontaudit_search_config(httpd_t)
|
||||
|
||||
userdom_use_unpriv_users_fds(httpd_t)
|
||||
|
||||
mta_send_mail(httpd_t)
|
||||
|
||||
tunable_policy(`allow_httpd_anon_write',`
|
||||
miscfiles_manage_public_files(httpd_t)
|
||||
')
|
||||
@ -399,12 +439,21 @@ tunable_policy(`httpd_can_network_relay',`
|
||||
corenet_tcp_connect_ftp_port(httpd_t)
|
||||
corenet_tcp_connect_http_port(httpd_t)
|
||||
corenet_tcp_connect_http_cache_port(httpd_t)
|
||||
corenet_tcp_connect_memcache_port(httpd_t)
|
||||
corenet_sendrecv_gopher_client_packets(httpd_t)
|
||||
corenet_sendrecv_ftp_client_packets(httpd_t)
|
||||
corenet_sendrecv_http_client_packets(httpd_t)
|
||||
corenet_sendrecv_http_cache_client_packets(httpd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
|
||||
fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
|
||||
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
|
||||
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
|
||||
|
||||
@ -431,6 +480,13 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_symlinks(httpd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_can_sendmail',`
|
||||
# allow httpd to connect to mail servers
|
||||
corenet_tcp_connect_smtp_port(httpd_t)
|
||||
corenet_sendrecv_smtp_client_packets(httpd_t)
|
||||
mta_send_mail(httpd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_ssi_exec',`
|
||||
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
|
||||
allow httpd_sys_script_t httpd_t:fd use;
|
||||
@ -452,6 +508,10 @@ optional_policy(`
|
||||
calamaris_read_www_files(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ccs_read_config(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cobbler_search_lib(httpd_t)
|
||||
')
|
||||
@ -460,10 +520,28 @@ optional_policy(`
|
||||
cron_system_entry(httpd_t, httpd_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cvs_read_data(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
daemontools_service_domain(httpd_t, httpd_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(httpd_t)
|
||||
|
||||
tunable_policy(`httpd_dbus_avahi',`
|
||||
avahi_dbus_chat(httpd_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
|
||||
gpg_domtrans(httpd_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kerberos_keytab_template(httpd, httpd_t)
|
||||
')
|
||||
@ -471,6 +549,7 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
mailman_signal_cgi(httpd_t)
|
||||
mailman_domtrans_cgi(httpd_t)
|
||||
mailman_read_data_files(httpd_t)
|
||||
# should have separate types for public and private archives
|
||||
mailman_search_data(httpd_t)
|
||||
mailman_read_archive(httpd_t)
|
||||
@ -488,7 +567,6 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
nagios_read_config(httpd_t)
|
||||
nagios_domtrans_cgi(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -569,16 +647,31 @@ files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
|
||||
|
||||
fs_search_auto_mountpoints(httpd_php_t)
|
||||
|
||||
auth_use_nsswitch(httpd_php_t)
|
||||
|
||||
libs_exec_lib_files(httpd_php_t)
|
||||
|
||||
userdom_use_unpriv_users_fds(httpd_php_t)
|
||||
|
||||
optional_policy(`
|
||||
mysql_stream_connect(httpd_php_t)
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
corenet_tcp_connect_mysqld_port(httpd_t)
|
||||
corenet_sendrecv_mysqld_client_packets(httpd_t)
|
||||
corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
|
||||
corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
|
||||
corenet_tcp_connect_mysqld_port(httpd_suexec_t)
|
||||
corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
|
||||
|
||||
corenet_tcp_connect_mssql_port(httpd_t)
|
||||
corenet_sendrecv_mssql_client_packets(httpd_t)
|
||||
corenet_tcp_connect_mssql_port(httpd_sys_script_t)
|
||||
corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
|
||||
corenet_tcp_connect_mssql_port(httpd_suexec_t)
|
||||
corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(httpd_php_t)
|
||||
mysql_stream_connect(httpd_php_t)
|
||||
mysql_read_config(httpd_php_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -600,7 +693,7 @@ create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||
|
||||
allow httpd_suexec_t httpd_t:fifo_file getattr;
|
||||
allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
|
||||
|
||||
manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
|
||||
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
|
||||
@ -629,6 +722,7 @@ logging_search_logs(httpd_suexec_t)
|
||||
logging_send_syslog_msg(httpd_suexec_t)
|
||||
|
||||
miscfiles_read_localization(httpd_suexec_t)
|
||||
miscfiles_read_public_files(httpd_suexec_t)
|
||||
|
||||
tunable_policy(`httpd_can_network_connect',`
|
||||
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
|
||||
@ -647,11 +741,9 @@ tunable_policy(`httpd_can_network_connect',`
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
allow httpd_sys_script_t httpdcontent:file entrypoint;
|
||||
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs',`
|
||||
userdom_read_user_home_content_files(httpd_suexec_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@ -677,15 +769,14 @@ optional_policy(`
|
||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nagios_domtrans_cgi(httpd_suexec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Apache system script local policy
|
||||
#
|
||||
|
||||
allow httpd_sys_script_t self:process getsched;
|
||||
|
||||
allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
|
||||
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
||||
|
||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
@ -708,6 +799,28 @@ ifdef(`distro_redhat',`
|
||||
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_can_sendmail',`
|
||||
mta_send_mail(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
||||
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
|
||||
allow httpd_sys_script_t self:udp_socket create_socket_perms;
|
||||
|
||||
corenet_tcp_bind_all_nodes(httpd_sys_script_t)
|
||||
corenet_udp_bind_all_nodes(httpd_sys_script_t)
|
||||
corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
|
||||
corenet_all_recvfrom_netlabel(httpd_sys_script_t)
|
||||
corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
|
||||
corenet_udp_sendrecv_all_if(httpd_sys_script_t)
|
||||
corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
|
||||
corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
|
||||
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
|
||||
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
|
||||
corenet_tcp_connect_all_ports(httpd_sys_script_t)
|
||||
corenet_sendrecv_all_client_packets(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs',`
|
||||
userdom_read_user_home_content_files(httpd_sys_script_t)
|
||||
')
|
||||
@ -740,6 +853,8 @@ optional_policy(`
|
||||
# httpd_rotatelogs local policy
|
||||
#
|
||||
|
||||
allow httpd_rotatelogs_t self:capability dac_override;
|
||||
|
||||
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
||||
|
||||
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
||||
@ -752,6 +867,23 @@ logging_search_logs(httpd_rotatelogs_t)
|
||||
|
||||
miscfiles_read_localization(httpd_rotatelogs_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Unconfined script local policy
|
||||
#
|
||||
|
||||
optional_policy(`
|
||||
type httpd_unconfined_script_t;
|
||||
type httpd_unconfined_script_exec_t;
|
||||
domain_type(httpd_unconfined_script_t)
|
||||
domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
|
||||
domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
|
||||
unconfined_domain(httpd_unconfined_script_t)
|
||||
|
||||
role system_r types httpd_unconfined_script_t;
|
||||
allow httpd_t httpd_unconfined_script_t:process signal_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# User content local policy
|
||||
|
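Review bot: The new unconfined-script block puts httpd_t one file label away from an effectively unconfined domain with no boolean in front of it: `domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)` combined with `unconfined_domain(httpd_unconfined_script_t)` means any executable the web server runs that carries httpd_unconfined_script_exec_t leaves confinement, and the only gate is the surrounding `optional_policy` (presence of the unconfined module). Since the rest of this commit puts gpg, nfs and cifs transitions behind tunables, consider a tunable here too, and in any case add a comment above the block, e.g. `# Scripts labeled httpd_unconfined_script_exec_t run unconfined; file labeling is the ONLY control.` The risk to document is mislabeled CGI content, because the transition is automatic for everything httpd_t executes with that label.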