First part of apache patch from Dan Walsh: file context changes, including renaming script ro/ra/rw files.
This commit is contained in:
parent
25d81d2655
commit
83caba3eb9
@ -2,29 +2,40 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
|
||||
|
||||
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/etc/httpd -d gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
/etc/httpd/conf.* gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
|
||||
/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||
/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
|
||||
|
||||
/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
|
||||
/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
|
||||
/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
|
||||
/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
|
||||
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||
/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||
/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||
/usr/lib(64)?/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||
|
||||
/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
|
||||
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||
|
||||
@ -32,14 +43,30 @@ ifdef(`distro_suse', `
|
||||
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
')
|
||||
|
||||
/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
|
||||
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
@ -47,6 +74,7 @@ ifdef(`distro_suse', `
|
||||
|
||||
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
||||
/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
||||
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
@ -57,6 +85,9 @@ ifdef(`distro_suse', `
|
||||
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
|
||||
ifdef(`distro_debian', `
|
||||
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
')
|
||||
@ -64,11 +95,17 @@ ifdef(`distro_debian', `
|
||||
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
|
||||
/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
|
||||
/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
|
||||
/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
|
||||
|
||||
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
|
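Review bot: `/usr/share/ntop/html(/.*)?` is relabelled from `ntop_http_content_t` to `httpd_sys_content_t` in the second hunk (the ntop.fc hunk later on this page drops the old entry), but the only ntop.te change in this commit is the version bump, so unless ntop_t already holds an apache content-read interface it loses read access to its own html tree once the files are relabelled; confirm against ntop.te or add the matching read interface call there. Also, if `/etc/drupal(/.*)?`, `/etc/mock/koji(/.*)?` and `/etc/zabbix/web(/.*)?` are new in the first hunk, they make whole configuration directories under /etc writable by the script domains via `httpd_sys_rw_content_t`; where only an install-time file needs to be writable, a narrower entry keeps a compromised web application from rewriting its own configuration. Either way a one-line comment above those entries stating why script-writable configuration is required would help the next reviewer.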
@ -24,6 +24,7 @@ template(`apache_content_template',`
|
||||
|
||||
#This type is for webpages
|
||||
type httpd_$1_content_t, httpdcontent; # customizable
|
||||
typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
|
||||
files_type(httpd_$1_content_t)
|
||||
|
||||
# This type is used for .htaccess files
|
||||
@ -40,22 +41,19 @@ template(`apache_content_template',`
|
||||
corecmd_shell_entry_type(httpd_$1_script_t)
|
||||
domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
|
||||
|
||||
# The following three are the only areas that
|
||||
# scripts can read, read/write, or append to
|
||||
type httpd_$1_script_ro_t, httpdcontent; # customizable
|
||||
files_type(httpd_$1_script_ro_t)
|
||||
type httpd_$1_rw_content_t, httpdcontent; # customizable
|
||||
typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
|
||||
files_type(httpd_$1_rw_content_t)
|
||||
|
||||
type httpd_$1_script_rw_t, httpdcontent; # customizable
|
||||
files_type(httpd_$1_script_rw_t)
|
||||
|
||||
type httpd_$1_script_ra_t, httpdcontent; # customizable
|
||||
files_type(httpd_$1_script_ra_t)
|
||||
type httpd_$1_ra_content_t, httpdcontent; # customizable
|
||||
typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
|
||||
files_type(httpd_$1_ra_content_t)
|
||||
|
||||
allow httpd_t httpd_$1_htaccess_t:file read_file_perms;
|
||||
|
||||
domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
||||
|
||||
allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;
|
||||
allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
|
||||
|
||||
allow httpd_$1_script_t self:fifo_file rw_file_perms;
|
||||
allow httpd_$1_script_t self:unix_stream_socket connectto;
|
||||
@ -73,21 +71,21 @@ template(`apache_content_template',`
|
||||
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
|
||||
allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms;
|
||||
|
||||
allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
|
||||
read_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
|
||||
append_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
|
||||
read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
|
||||
allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
|
||||
read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
||||
append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
||||
read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
||||
|
||||
allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms;
|
||||
read_files_pattern(httpd_$1_script_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
|
||||
read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
|
||||
allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
|
||||
read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
|
||||
read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
|
||||
|
||||
manage_dirs_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
|
||||
manage_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
|
||||
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
|
||||
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
|
||||
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
|
||||
files_tmp_filetrans(httpd_$1_script_t, httpd_$1_script_rw_t, { dir file lnk_file sock_file fifo_file })
|
||||
manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
|
||||
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
|
||||
@ -124,19 +122,19 @@ template(`apache_content_template',`
|
||||
|
||||
# Allow the web server to run scripts and serve pages
|
||||
tunable_policy(`httpd_builtin_scripting',`
|
||||
manage_dirs_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
|
||||
manage_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
|
||||
manage_lnk_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
|
||||
rw_sock_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
|
||||
manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
||||
|
||||
allow httpd_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
|
||||
read_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
|
||||
append_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
|
||||
read_lnk_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
|
||||
allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
|
||||
read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
||||
append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
||||
read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
||||
|
||||
allow httpd_t httpd_$1_script_ro_t:dir list_dir_perms;
|
||||
read_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
|
||||
read_lnk_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
|
||||
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
|
||||
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
|
||||
read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
|
||||
|
||||
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
|
||||
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
|
||||
@ -258,8 +256,7 @@ interface(`apache_role',`
|
||||
attribute httpdcontent;
|
||||
type httpd_user_content_t, httpd_user_htaccess_t;
|
||||
type httpd_user_script_t, httpd_user_script_exec_t;
|
||||
type httpd_user_script_ra_t, httpd_user_script_ro_t;
|
||||
type httpd_user_script_rw_t;
|
||||
type httpd_user_ra_content_t, httpd_user_rw_content_t;
|
||||
')
|
||||
|
||||
role $1 types httpd_user_script_t;
|
||||
@ -268,26 +265,19 @@ interface(`apache_role',`
|
||||
|
||||
allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
|
||||
|
||||
manage_dirs_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
|
||||
manage_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
|
||||
manage_lnk_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
|
||||
relabel_dirs_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
|
||||
relabel_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
|
||||
relabel_lnk_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
|
||||
manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
||||
manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
||||
manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
||||
relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
||||
relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
||||
relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
||||
|
||||
manage_dirs_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
|
||||
manage_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
|
||||
manage_lnk_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
|
||||
relabel_dirs_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
|
||||
relabel_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
|
||||
relabel_lnk_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
|
||||
|
||||
manage_dirs_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
|
||||
manage_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
|
||||
manage_lnk_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
|
||||
relabel_dirs_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
|
||||
relabel_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
|
||||
relabel_lnk_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
|
||||
manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
|
||||
manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
|
||||
manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
|
||||
relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
|
||||
relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
|
||||
relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
|
||||
|
||||
manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
|
||||
manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
|
||||
@ -1092,11 +1082,17 @@ interface(`apache_admin',`
|
||||
type httpd_modules_t, httpd_lock_t;
|
||||
type httpd_var_run_t, httpd_php_tmp_t;
|
||||
type httpd_suexec_tmp_t, httpd_tmp_t;
|
||||
type httpd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 httpd_t:process { getattr ptrace signal_perms };
|
||||
ps_process_pattern($1, httpd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 httpd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
apache_manage_all_content($1)
|
||||
miscfiles_manage_public_files($1)
|
||||
|
||||
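Review bot: The suexec search rule in the second apache_content_template hunk now lists `httpd_$1_content_t` twice, because the mechanical replacement of `httpd_$1_script_ro_t` landed next to the existing entry; it should read `allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;`. The comment above the type declarations in that hunk still says `# The following three are the only areas that` scripts can use, but only the rw and ra types are declared there now that read-only content is `httpd_$1_content_t`; reword it to `# The following two are the only areas that scripts can read/write or append to; read-only content is httpd_$1_content_t`. In the `httpd_builtin_scripting` hunk, the three `httpd_t` rules on `httpd_$1_content_t` inside the tunable block duplicate the unconditional ones that follow it and can be dropped; this also means content previously labelled `*_script_ro_t`, which httpd_t could read only with the tunable enabled, is readable by httpd_t unconditionally after the alias — presumably intended by the merge, but worth stating in the commit message.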
|
@ -140,6 +140,9 @@ domain_type(httpd_helper_t)
|
||||
domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
|
||||
role system_r types httpd_helper_t;
|
||||
|
||||
type httpd_initrc_exec_t;
|
||||
init_script_file(httpd_initrc_exec_t)
|
||||
|
||||
type httpd_lock_t;
|
||||
files_lock_file(httpd_lock_t)
|
||||
|
||||
@ -191,24 +194,23 @@ ubac_constrained(httpd_user_script_t)
|
||||
userdom_user_home_content(httpd_user_content_t)
|
||||
userdom_user_home_content(httpd_user_htaccess_t)
|
||||
userdom_user_home_content(httpd_user_script_exec_t)
|
||||
userdom_user_home_content(httpd_user_script_ra_t)
|
||||
userdom_user_home_content(httpd_user_script_ro_t)
|
||||
userdom_user_home_content(httpd_user_script_rw_t)
|
||||
userdom_user_home_content(httpd_user_ra_content_t)
|
||||
userdom_user_home_content(httpd_user_rw_content_t)
|
||||
typeattribute httpd_user_script_t httpd_script_domains;
|
||||
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
|
||||
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
|
||||
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
|
||||
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
|
||||
typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
|
||||
typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
|
||||
typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
|
||||
typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
|
||||
typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
|
||||
typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
|
||||
typealias httpd_user_script_ro_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
|
||||
typealias httpd_user_script_ro_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
|
||||
typealias httpd_user_script_rw_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
|
||||
typealias httpd_user_script_rw_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
|
||||
typealias httpd_user_script_ra_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
|
||||
typealias httpd_user_script_ra_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
|
||||
typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
|
||||
typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
|
||||
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
|
||||
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
|
||||
|
||||
# for apache2 memory mapped files
|
||||
type httpd_var_lib_t;
|
||||
@ -463,8 +465,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use(httpd_t)
|
||||
kerberos_read_kdc_config(httpd_t)
|
||||
kerberos_keytab_template(httpd, httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
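Review bot: `httpd_keytab_t` is introduced only by `kerberos_keytab_template(httpd, httpd_t)` inside this optional_policy block, yet apache.fc in the same commit labels `/etc/httpd/conf/keytab` with that type unconditionally; if the kerberos module is not built, that file-context entry names an undeclared type, so confirm the build tolerates this or declare the type outside the optional block. The point of the separate type is presumably that the keytab does not inherit the readability of `httpd_config_t`, which is shared with the rest of `/etc/httpd`; a short comment such as `# keytab gets its own type so config readers cannot read the Kerberos key` next to the template call would record that intent.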
|
@ -1,3 +1,3 @@
|
||||
/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
|
||||
/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
|
||||
/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
|
||||
/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
|
||||
|
@ -1,7 +1,6 @@
|
||||
/etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0)
|
||||
|
||||
/usr/bin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0)
|
||||
/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:ntop_http_content_t,s0)
|
||||
|
||||
/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0)
|
||||
/var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ntop, 1.8.0)
|
||||
policy_module(ntop, 1.8.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|