add most of apache

2005-09-29 20:59:00 +00:00 · 2005-09-29 20:59:00 +00:00 · a996bdf4ad
commit a996bdf4ad
parent a5ec7cb6c4
12 changed files with 1205 additions and 19 deletions
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@ -48,6 +48,27 @@ gen_tunable(ftp_home_dir,false)
 ## Allow ftpd to run directly without inetd
 gen_tunable(ftpd_is_daemon,false)

+## Allow httpd to use built in scripting (usually php)
+gen_tunable(httpd_builtin_scripting,false)
+
+## Allow http daemon to tcp connect 
+gen_tunable(httpd_can_network_connect,false)
+
+## Allow httpd cgi support
+gen_tunable(httpd_enable_cgi,false)
+
+## Allow httpd to read home directories
+gen_tunable(httpd_enable_homedirs,false)
+
+## Run SSI execs in system CGI script domain.
+gen_tunable(httpd_ssi_exec,false)
+
+## Allow http daemon to communicate with the TTY
+gen_tunable(httpd_tty_comm,false)
+
+## Run CGI in the main httpd domain
+gen_tunable(httpd_unified,false)
+
 ## Allow BIND to write the master zone files.
 ## Generally this is used for dynamic DNS.
 gen_tunable(named_write_master_zones,false)
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@ -137,6 +137,12 @@ optional_policy(`acct.te',`
 	acct_exec_data(logrotate_t)
 ')

+optional_policy(`apache.te',`
+	apache_read_config(logrotate_t)
+	apache_domtrans(logrotate_t)
+	apache_signull(logrotate_t)
+')
+
 optional_policy(`consoletype.te',`
 	consoletype_exec(logrotate_t)

--- a/refpolicy/policy/modules/services/apache.fc
+++ b/refpolicy/policy/modules/services/apache.fc
@ -0,0 +1,66 @@
+
+HOME_DIR/((www)|(web)|(public_html))(/.+)? context_template(system_u:object_r:httpd_ROLE_content_t,s0)
+
+/etc/apache(2)?(/.*)?			context_template(system_u:object_r:httpd_config_t,s0)
+/etc/apache-ssl(2)?(/.*)?		context_template(system_u:object_r:httpd_config_t,s0)
+/etc/htdig(/.*)?			context_template(system_u:object_r:httpd_sys_content_t,s0)
+/etc/httpd			-d	context_template(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/conf.*			context_template(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/logs				context_template(system_u:object_r:httpd_log_t,s0)
+/etc/httpd/modules			context_template(system_u:object_r:httpd_modules_t,s0)
+/etc/vhosts			--	context_template(system_u:object_r:httpd_config_t,s0)
+
+/srv/([^/]*/)?www(/.*)?			context_template(system_u:object_r:httpd_sys_content_t,s0)
+
+/usr/bin/htsslpass 		--	context_template(system_u:object_r:httpd_helper_exec_t,s0)
+
+/usr/lib/apache-ssl/.+		--	context_template(system_u:object_r:httpd_exec_t,s0)
+/usr/lib/cgi-bin(/.*)?			context_template(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib(64)?/apache(/.*)?		context_template(system_u:object_r:httpd_modules_t,s0)
+/usr/lib(64)?/apache2/modules(/.*)?	context_template(system_u:object_r:httpd_modules_t,s0)
+/usr/lib(64)?/apache(2)?/suexec(2)? -- context_template(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- context_template(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib(64)?/httpd(/.*)?		context_template(system_u:object_r:httpd_modules_t,s0)
+
+/usr/sbin/apache(2)?		--	context_template(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache-ssl(2)?	--	context_template(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd(\.worker)?	--	context_template(system_u:object_r:httpd_exec_t,s0)
+ifdef(`distro_suse', `
+/usr/sbin/httpd2-.*		--	context_template(system_u:object_r:httpd_exec_t,s0)
+')
+/usr/sbin/suexec		--	context_template(system_u:object_r:httpd_suexec_exec_t,s0)
+
+/usr/share/htdig(/.*)?			context_template(system_u:object_r:httpd_sys_content_t,s0)
+
+/var/cache/httpd(/.*)?			context_template(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_ssl(/.*)?		context_template(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-eaccelerator(/.*)?	context_template(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-mmcache(/.*)?		context_template(system_u:object_r:httpd_cache_t,s0)
+/var/cache/ssl.*\.sem		--	context_template(system_u:object_r:httpd_cache_t,s0)
+
+/var/lib/htdig(/.*)?			context_template(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/httpd(/.*)?			context_template(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php/session(/.*)?		context_template(system_u:object_r:httpd_var_run_t,s0)
+/var/lib/squirrelmail/prefs(/.*)?	context_template(system_u:object_r:httpd_squirrelmail_t,s0)
+
+/var/log/apache(2)?(/.*)?		context_template(system_u:object_r:httpd_log_t,s0)
+/var/log/apache-ssl(2)?(/.*)?		context_template(system_u:object_r:httpd_log_t,s0)
+/var/log/cgiwrap\.log.*		--	context_template(system_u:object_r:httpd_log_t,s0)
+/var/log/httpd(/.*)?			context_template(system_u:object_r:httpd_log_t,s0)
+ifdef(`distro_debian', `
+/var/log/horde2(/.*)?			context_template(system_u:object_r:httpd_log_t,s0)
+')
+
+/var/run/apache.*			context_template(system_u:object_r:httpd_var_run_t,s0)
+/var/run/gcache_port		-s	context_template(system_u:object_r:httpd_var_run_t,s0)
+
+/var/spool/gosa(/.*)?			context_template(system_u:object_r:httpd_sys_script_rw_t,s0)
+/var/spool/squirrelmail(/.*)?		context_template(system_u:object_r:squirrelmail_spool_t,s0)
+ifdef(`targeted_policy', `', `
+/var/spool/cron/apache		-- 	context_template(system_u:object_r:user_cron_spool_t,s0)
+')
+
+/var/www(/.*)?				context_template(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/cgi-bin(/.*)?			context_template(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/icons(/.*)?			context_template(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/perl(/.*)?			context_template(system_u:object_r:httpd_sys_script_exec_t,s0)
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@ -0,0 +1,353 @@
+## <summary>Apache web server</summary>
+
+template(`apache_content_template',`
+
+	#This type is for webpages
+	type httpd_$1_content_t, httpdcontent; # customizable
+	files_type(httpd_$1_content_t)
+
+	# This type is used for .htaccess files
+	type httpd_$1_htaccess_t; # customizable;
+	files_type(httpd_$1_htaccess_t)
+
+	# Type that CGI scripts run as
+	type httpd_$1_script_t;
+	domain_type(httpd_$1_script_t)
+	role system_r types httpd_$1_script_t;
+
+	# This type is used for executable scripts files
+	type httpd_$1_script_exec_t; # customizable;
+	domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)
+
+	# The following three are the only areas that 
+	# scripts can read, read/write, or append to
+	type httpd_$1_script_ro_t, httpdcontent; # customizable
+	files_type(httpd_$1_script_ro_t)
+
+	type httpd_$1_script_rw_t, httpdcontent; # customizable
+	files_type(httpd_$1_script_rw_t)
+
+	type httpd_$1_script_ra_t, httpdcontent; # customizable
+	files_type(httpd_$1_script_ra_t)
+
+	allow httpd_t httpd_$1_htaccess_t:file r_file_perms;
+
+	domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+	allow httpd_suexec_t httpd_$1_script_t:fd use;
+	allow httpd_$1_script_t httpd_suexec_t:fd use;
+	allow httpd_$1_script_t httpd_suexec_t:fifo_file rw_file_perms;
+	allow httpd_$1_script_t httpd_suexec_t:process sigchld;
+
+	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
+
+	allow httpd_$1_script_t self:fifo_file rw_file_perms;
+
+	allow httpd_$1_script_t httpd_t:fifo_file write;
+	# apache should set close-on-exec
+	dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+
+	# Allow the script process to search the cgi directory, and users directory
+	allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
+
+	allow httpd_$1_script_t httpd_log_t:file { getattr append };
+	allow httpd_$1_script_t httpd_log_t:dir search;
+	logging_search_logs(httpd_$1_script_t)
+
+	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+	allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
+
+	allow httpd_$1_script_t httpd_$1_script_ra_t:dir ra_dir_perms;
+	allow httpd_$1_script_t httpd_$1_script_ra_t:file ra_file_perms;
+	allow httpd_$1_script_t httpd_$1_script_ra_t:lnk_file { getattr read };
+
+	allow httpd_$1_script_t httpd_$1_script_ro_t:dir { getattr read search };
+	allow httpd_$1_script_t httpd_$1_script_ro_t:file { read getattr };
+	allow httpd_$1_script_t httpd_$1_script_ro_t:lnk_file { getattr read };
+
+	allow httpd_$1_script_t httpd_$1_script_rw_t:dir create_dir_perms;
+	allow httpd_$1_script_t httpd_$1_script_rw_t:file create_file_perms;
+	allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
+	allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms;
+	allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
+	files_create_tmp_files(httpd_$1_script_t,httpd_$1_script_rw_t,{ file lnk_file sock_file fifo_file })
+
+	dev_read_rand(httpd_$1_script_t)
+	dev_read_urand(httpd_$1_script_t)
+
+	corecmd_exec_bin(httpd_$1_script_t)
+	corecmd_exec_sbin(httpd_$1_script_t)
+
+	domain_exec_all_entry_files(httpd_$1_script_t)
+
+	files_exec_etc_files(httpd_$1_script_t)
+	files_read_etc_files(httpd_$1_script_t)
+	files_search_home(httpd_$1_script_t)
+
+	libs_use_ld_so(httpd_$1_script_t)
+	libs_use_shared_libs(httpd_$1_script_t)
+	libs_exec_ld_so(httpd_$1_script_t)
+	libs_exec_lib_files(httpd_$1_script_t)
+
+	miscfiles_read_fonts(httpd_$1_script_t)
+
+	seutil_dontaudit_search_config(httpd_$1_script_t)
+
+	ifdef(`targeted_policy',`
+		tunable_policy(`httpd_enable_cgi && httpd_unified && ! httpd_disable_trans',`
+			allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
+			allow httpd_$1_script_t httpdcontent:file create_file_perms;
+			allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
+			can_exec(httpd_$1_script_t, httpdcontent)
+		')
+	',`
+		tunable_policy(`httpd_enable_cgi && httpd_unified',`
+			allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
+			allow httpd_$1_script_t httpdcontent:file create_file_perms;
+			allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
+			can_exec(httpd_$1_script_t, httpdcontent)
+		')
+	')
+
+	# Allow the web server to run scripts and serve pages
+	tunable_policy(`httpd_builtin_scripting',`
+		allow httpd_t httpd_$1_script_rw_t:dir create_dir_perms;
+		allow httpd_t httpd_$1_script_rw_t:file create_file_perms;
+		allow httpd_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
+		allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;
+
+		allow httpd_t httpd_$1_script_ra_t:dir ra_dir_perms;
+		allow httpd_t httpd_$1_script_ra_t:file ra_file_perms;
+		allow httpd_t httpd_$1_script_ra_t:lnk_file { getattr read };
+
+		allow httpd_t httpd_$1_script_ro_t:dir r_dir_perms;
+		allow httpd_t httpd_$1_script_ro_t:file r_file_perms;
+		allow httpd_t httpd_$1_script_ro_t:lnk_file { getattr read };
+
+		allow httpd_t httpd_$1_content_t:dir r_dir_perms;
+		allow httpd_t httpd_$1_content_t:file r_file_perms;
+		allow httpd_t httpd_$1_content_t:lnk_file { getattr read };
+	')
+
+	tunable_policy(`httpd_enable_cgi',`
+		domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+		allow httpd_t httpd_$1_script_t:fd use;
+		allow httpd_$1_script_t httpd_t:fd use;
+		allow httpd_$1_script_t httpd_t:fifo_file rw_file_perms;
+		allow httpd_$1_script_t httpd_t:process sigchld;
+
+		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
+		allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
+		allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
+
+		allow httpd_$1_script_t self:process signal_perms;
+		allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
+
+		allow httpd_$1_script_t httpd_t:fd use;
+		allow httpd_$1_script_t httpd_t:process sigchld;
+
+		kernel_read_system_state(httpd_$1_script_t)
+
+		dev_read_urand(httpd_$1_script_t)
+
+		fs_getattr_xattr_fs(httpd_$1_script_t)
+
+		files_read_etc_runtime_files(httpd_$1_script_t)
+		files_read_usr_files(httpd_$1_script_t)
+
+		libs_read_lib(httpd_$1_script_t)
+
+		miscfiles_read_localization(httpd_$1_script_t)
+	')
+
+	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
+		allow httpd_$1_script_t self:udp_socket create_socket_perms;
+		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
+		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
+		corenet_raw_sendrecv_all_if(httpd_$1_script_t)
+		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
+		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
+		corenet_raw_sendrecv_all_nodes(httpd_$1_script_t)
+		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
+		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
+		corenet_tcp_bind_all_nodes(httpd_$1_script_t)
+		corenet_udp_bind_all_nodes(httpd_$1_script_t)
+		corenet_tcp_connect_all_ports(httpd_$1_script_t)
+
+		sysnet_read_config(httpd_$1_script_t)
+	')
+
+	optional_policy(`mount.te',`
+		tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+			mount_send_nfs_client_request(httpd_$1_script_t)
+		')
+	')
+
+
+	optional_policy(`mta.te',`
+		mta_send_mail(httpd_$1_script_t)
+	')
+
+	optional_policy(`nis.te',`
+		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
+			nis_use_ypbind_uncond(httpd_$1_script_t)
+		')
+	')
+
+	optional_policy(`nscd.te',`
+		nscd_use_socket(httpd_$1_script_t)
+	')
+
+	ifdef(`TODO',`
+	anonymous_domain(httpd_$1_script)
+
+	#
+	# If a user starts a script by hand it gets the proper context
+	#
+	ifdef(`targeted_policy', `', `
+	if (httpd_enable_cgi) {
+	domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+	}
+	')
+	role sysadm_r types httpd_$1_script_t;
+
+	dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
+	dontaudit httpd_$1_script_t sysctl_t:dir search;
+	') dnl end TODO
+')
+
+template(`apache_per_userdomain_template', `
+
+	apache_content_template($1)
+
+#	typeattribute httpd_$1_content_t $1_file_type;
+
+	role $3 types httpd_$1_script_t;
+
+	allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom };
+
+	allow $2 httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
+
+	allow $2 httpd_$1_script_ra_t:lnk_file { create_lnk_perms relabelto relabelfrom };
+	allow $2 httpd_$1_script_ra_t:dir { create_dir_perms relabelto relabelfrom };
+	allow $2 httpd_$1_script_ra_t:file { create_file_perms relabelto relabelfrom };
+
+	allow $2 httpd_$1_script_ro_t:lnk_file { create_lnk_perms relabelto relabelfrom };
+	allow $2 httpd_$1_script_ro_t:dir { create_dir_perms relabelto relabelfrom };
+	allow $2 httpd_$1_script_ro_t:file { create_file_perms relabelto relabelfrom };
+
+	allow $2 httpd_$1_script_rw_t:lnk_file { create_lnk_perms relabelto relabelfrom };
+	allow $2 httpd_$1_script_rw_t:dir { create_dir_perms relabelto relabelfrom };
+	allow $2 httpd_$1_script_rw_t:file { create_file_perms relabelto relabelfrom };
+
+	allow $2 httpd_$1_script_exec_t:dir create_dir_perms;
+	allow $2 httpd_$1_script_exec_t:file create_file_perms;
+	allow $2 httpd_$1_script_exec_t:lnk_file create_lnk_perms;
+
+	allow $2 httpd_$1_script_exec_t:dir { create_dir_perms relabelto relabelfrom };
+	allow $2 httpd_$1_script_exec_t:file { create_file_perms relabelto relabelfrom };
+	allow $2 httpd_$1_script_exec_t:lnk_file { create_lnk_perms relabelto relabelfrom };
+
+	ifdef(`targeted_policy',`
+		tunable_policy(`httpd_enable_cgi && httpd_unified && ! httpd_disable_trans',`
+			domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
+			allow $2 httpd_$1_script_t:fd use;
+			allow httpd_$1_script_t $2:fd use;
+			allow httpd_$1_script_t $2:fifo_file rw_file_perms;
+			allow httpd_$1_script_t $2:process sigchld;
+		')
+
+		tunable_policy(`httpd_enable_cgi && ! httpd_disable_trans',`
+			domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
+			allow $2 httpd_$1_script_t:fd use;
+			allow httpd_$1_script_t $2:fd use;
+			allow httpd_$1_script_t $2:fifo_file rw_file_perms;
+			allow httpd_$1_script_t $2:process sigchld;
+		')
+	',`
+		tunable_policy(`httpd_enable_cgi',`
+			# If a user starts a script by hand it gets the proper context
+			domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
+			allow $2 httpd_$1_script_t:fd use;
+			allow httpd_$1_script_t $2:fd use;
+			allow httpd_$1_script_t $2:fifo_file rw_file_perms;
+			allow httpd_$1_script_t $2:process sigchld;
+		')
+
+		tunable_policy(`httpd_enable_cgi && httpd_unified',`
+			domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
+			allow $2 httpd_$1_script_t:fd use;
+			allow httpd_$1_script_t $2:fd use;
+			allow httpd_$1_script_t $2:fifo_file rw_file_perms;
+			allow httpd_$1_script_t $2:process sigchld;
+		')
+	')
+
+	# allow accessing files/dirs below the users home dir
+	tunable_policy(`httpd_enable_homedirs',`
+		userdom_search_user_home($1,httpd_t)
+		userdom_search_user_home($1,httpd_suexec_t)
+		userdom_search_user_home($1,httpd_$1_script_t)
+	')
+')
+
+########################################
+## <summary>
+##	Transition to Apache.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`apache_domtrans',`
+	gen_require(`
+		type httpd_t, httpd_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,httpd_exec_t,httpd_t)
+
+	allow $1 httpd_t:fd use;
+	allow httpd_t $1:fd use;
+	allow httpd_t $1:fifo_file rw_file_perms;
+	allow httpd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send a null signal to apache.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`apache_signull',`
+	gen_require(`
+		type httpd_t;
+	')
+
+	allow $1 httpd_t:process signull;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	apache configuration files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`apache_read_config',`
+	gen_require(`
+		type httpd_config_t;
+	')
+
+	files_search_etc($1)
+	allow $1 httpd_config_t:dir r_dir_perms;
+	allow $1 httpd_config_t:file r_file_perms;
+	allow $1 httpd_config_t:lnk_file { getattr read };
+')
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@ -0,0 +1,647 @@
+
+policy_module(apache,1.0)
+
+#
+# NOTES: 
+#  This policy will work with SUEXEC enabled as part of the Apache
+#  configuration. However, the user CGI scripts will run under the
+#  system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
+#  of the creating user.
+#
+#  The user CGI scripts must be labeled with the httpd_$1_script_exec_t
+#  type, and the directory containing the scripts should also be labeled
+#  with these types. This policy allows user_r role to perform that 
+#  relabeling. If it is desired that only sysadm_r should be able to relabel
+#  the user CGI scripts, then relabel rule for user_r should be removed.
+#
+
+########################################
+#
+# Declarations
+#
+
+attribute httpdcontent;
+
+type httpd_t;
+type httpd_exec_t;
+init_daemon_domain(httpd_t,httpd_exec_t)
+
+# httpd_cache_t is the type given to the /var/cache/httpd
+# directory and the files under that directory
+type httpd_cache_t;
+files_type(httpd_cache_t)
+
+# httpd_config_t is the type given to the configuration files
+type httpd_config_t;
+files_type(httpd_config_t)
+
+type httpd_helper_t;
+domain_type(httpd_helper_t)
+role system_r types httpd_helper_t;
+
+type httpd_helper_exec_t;
+domain_entry_file(httpd_helper_t,httpd_helper_exec_t)
+
+type httpd_lock_t;
+files_lock_file(httpd_lock_t)
+
+type httpd_log_t;
+logging_log_file(httpd_log_t)
+
+# httpd_modules_t is the type given to module files (libraries) 
+# that come with Apache /etc/httpd/modules and /usr/lib/apache
+type httpd_modules_t;
+files_type(httpd_modules_t)
+
+type httpd_php_t;
+domain_type(httpd_php_t)
+role system_r types httpd_php_t;
+
+type httpd_php_exec_t;
+domain_entry_file(httpd_php_t,httpd_php_exec_t)
+
+type httpd_php_tmp_t;
+files_tmp_file(httpd_php_tmp_t)
+
+type httpd_squirrelmail_t;
+files_type(httpd_squirrelmail_t)
+
+# SUEXEC runs user scripts as their own user ID
+type httpd_suexec_t; #, daemon;
+domain_type(httpd_suexec_t)
+role system_r types httpd_suexec_t;
+
+type httpd_suexec_exec_t;
+domain_entry_file(httpd_suexec_t,httpd_suexec_exec_t)
+
+type httpd_suexec_tmp_t;
+files_tmp_file(httpd_suexec_tmp_t)
+
+type httpd_tmp_t;
+files_tmp_file(httpd_tmp_t)
+
+type httpd_tmpfs_t;
+files_tmpfs_file(httpd_tmpfs_t)
+
+# Unconfined domain for apache scripts.
+# Only to be used as a last resort
+type httpd_unconfined_script_t;
+domain_type(httpd_unconfined_script_t)
+role system_r types httpd_unconfined_script_t;
+
+type httpd_unconfined_script_exec_t; # customizable
+files_type(httpd_unconfined_script_exec_t)
+
+# for apache2 memory mapped files
+type httpd_var_lib_t;
+files_type(httpd_var_lib_t)
+
+type httpd_var_run_t;
+files_pid_file(httpd_var_run_t)
+
+# File Type of squirrelmail attachments
+type squirrelmail_spool_t;
+files_tmp_file(squirrelmail_spool_t)
+
+########################################
+#
+# Apache server local policy
+#
+
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
+dontaudit httpd_t self:capability { net_admin sys_tty_config };
+allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow httpd_t self:fd use;
+allow httpd_t self:fifo_file rw_file_perms;
+allow httpd_t self:shm create_shm_perms;
+allow httpd_t self:sem create_sem_perms;
+allow httpd_t self:msgq create_msgq_perms;
+allow httpd_t self:msg { send receive };
+allow httpd_t self:unix_dgram_socket create_socket_perms;
+allow httpd_t self:unix_stream_socket create_stream_socket_perms;
+allow httpd_t self:unix_dgram_socket sendto;
+allow httpd_t self:unix_stream_socket connectto;
+allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow httpd_t self:tcp_socket { acceptfrom connectto recvfrom };
+
+allow httpd_t self:tcp_socket create_stream_socket_perms;
+allow httpd_t self:udp_socket { connect };
+allow httpd_t self:tcp_socket connected_socket_perms;
+allow httpd_t self:udp_socket connected_socket_perms;
+
+# Allow httpd_t to put files in /var/cache/httpd etc
+allow httpd_t httpd_cache_t:dir create_dir_perms;
+allow httpd_t httpd_cache_t:file create_file_perms;
+allow httpd_t httpd_cache_t:lnk_file create_lnk_perms;
+
+# Allow the httpd_t to read the web servers config files
+allow httpd_t httpd_config_t:dir r_dir_perms;
+allow httpd_t httpd_config_t:file r_file_perms;
+allow httpd_t httpd_config_t:lnk_file { getattr read };
+
+can_exec(httpd_t, httpd_exec_t)
+
+allow httpd_t httpd_lock_t:file create_file_perms;
+files_create_lock(httpd_t,httpd_lock_t)
+
+allow httpd_t httpd_log_t:dir { setattr rw_dir_perms };
+allow httpd_t httpd_log_t:file { create ra_file_perms };
+allow httpd_t httpd_log_t:lnk_file read;
+
+allow httpd_t httpd_modules_t:file rx_file_perms;
+allow httpd_t httpd_modules_t:dir r_dir_perms;
+allow httpd_t httpd_modules_t:lnk_file r_file_perms;
+
+allow httpd_t httpd_squirrelmail_t:dir create_dir_perms;
+allow httpd_t httpd_squirrelmail_t:lnk_file create_lnk_perms;
+allow httpd_t httpd_squirrelmail_t:file create_file_perms;
+
+allow httpd_t httpd_tmp_t:dir create_dir_perms;
+allow httpd_t httpd_tmp_t:file create_file_perms;
+files_create_tmp_files(httpd_t, httpd_tmp_t, { file dir })
+
+allow httpd_t httpd_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+allow httpd_t httpd_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow httpd_t httpd_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+allow httpd_t httpd_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow httpd_t httpd_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+fs_create_tmpfs_data(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+allow httpd_t httpd_var_lib_t:file create_file_perms;
+allow httpd_t httpd_var_lib_t:dir create_dir_perms;
+files_create_var_lib(httpd_t,httpd_var_lib_t)
+
+allow httpd_t httpd_var_run_t:file create_file_perms;
+allow httpd_t httpd_var_run_t:sock_file create_file_perms;
+allow httpd_t httpd_var_run_t:dir rw_dir_perms;
+files_create_pid(httpd_t,httpd_var_run_t, { file sock_file })
+
+allow httpd_t squirrelmail_spool_t:dir create_dir_perms;
+allow httpd_t squirrelmail_spool_t:file create_file_perms;
+allow httpd_t squirrelmail_spool_t:lnk_file create_lnk_perms;
+
+kernel_read_kernel_sysctl(httpd_t)
+kernel_tcp_recvfrom(httpd_t)
+# for modules that want to access /proc/meminfo
+kernel_read_system_state(httpd_t)
+
+corenet_tcp_sendrecv_all_if(httpd_t)
+corenet_udp_sendrecv_all_if(httpd_t)
+corenet_raw_sendrecv_all_if(httpd_t)
+corenet_tcp_sendrecv_all_nodes(httpd_t)
+corenet_udp_sendrecv_all_nodes(httpd_t)
+corenet_raw_sendrecv_all_nodes(httpd_t)
+corenet_tcp_sendrecv_all_ports(httpd_t)
+corenet_udp_sendrecv_all_ports(httpd_t)
+corenet_tcp_bind_all_nodes(httpd_t)
+corenet_udp_bind_all_nodes(httpd_t)
+corenet_tcp_bind_http_port(httpd_t)
+corenet_tcp_bind_http_cache_port(httpd_t)
+
+dev_read_sysfs(httpd_t)
+dev_read_rand(httpd_t)
+dev_read_urand(httpd_t)
+
+fs_getattr_all_fs(httpd_t)
+fs_search_auto_mountpoints(httpd_t)
+
+term_dontaudit_use_console(httpd_t)
+
+# execute perl
+corecmd_exec_bin(httpd_t)
+corecmd_exec_sbin(httpd_t)
+
+domain_use_wide_inherit_fd(httpd_t)
+
+files_read_usr_files(httpd_t)
+files_list_mnt(httpd_t)
+files_search_spool(httpd_t)
+files_read_var_lib_files(httpd_t)
+files_search_home(httpd_t)
+files_getattr_home_dir(httpd_t)
+# for modules that want to access /etc/mtab
+files_read_etc_runtime_files(httpd_t)
+# Allow httpd_t to have access to files such as nisswitch.conf
+files_read_etc_files(httpd_t)
+
+init_use_fd(httpd_t)
+init_use_script_pty(httpd_t)
+
+libs_use_ld_so(httpd_t)
+libs_use_shared_libs(httpd_t)
+libs_read_lib(httpd_t)
+
+logging_send_syslog_msg(httpd_t)
+
+miscfiles_read_localization(httpd_t)
+miscfiles_read_fonts(httpd_t)
+
+seutil_dontaudit_search_config(httpd_t)
+
+sysnet_dns_name_resolve(httpd_t)
+sysnet_use_ldap(httpd_t)
+sysnet_read_config(httpd_t)
+
+userdom_use_unpriv_users_fd(httpd_t)
+userdom_dontaudit_search_sysadm_home_dir(httpd_t)
+
+mta_send_mail(httpd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty(httpd_t)
+	term_dontaudit_use_generic_pty(httpd_t)
+	files_dontaudit_read_root_file(httpd_t)
+')
+
+tunable_policy(`httpd_enable_cgi',`
+	domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+	allow httpd_t httpd_unconfined_script_t:fd use;
+	allow httpd_unconfined_script_t httpd_t:fd use;
+	allow httpd_unconfined_script_t httpd_t:fifo_file rw_file_perms;
+	allow httpd_unconfined_script_t httpd_t:process sigchld;
+
+	allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
+	allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+	fs_read_nfs_files(httpd_t)
+	fs_read_nfs_symlinks(httpd_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+	fs_read_cifs_files(httpd_t)
+	fs_read_cifs_symlinks(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_connect',`
+	allow httpd_t self:tcp_socket create_socket_perms;
+	allow httpd_t self:udp_socket { connect };
+	allow httpd_t self:udp_socket connected_socket_perms;
+
+	corenet_tcp_sendrecv_all_if(httpd_t)
+	corenet_udp_sendrecv_all_if(httpd_t)
+	corenet_raw_sendrecv_all_if(httpd_t)
+	corenet_tcp_sendrecv_all_nodes(httpd_t)
+	corenet_udp_sendrecv_all_nodes(httpd_t)
+	corenet_raw_sendrecv_all_nodes(httpd_t)
+	corenet_tcp_sendrecv_all_ports(httpd_t)
+	corenet_udp_sendrecv_all_ports(httpd_t)
+	corenet_tcp_bind_all_nodes(httpd_t)
+	corenet_udp_bind_all_nodes(httpd_t)
+	corenet_tcp_connect_all_ports(httpd_t)
+
+	sysnet_read_config(httpd_t)
+')
+
+optional_policy(`kerberos.te',`
+	kerberos_use(httpd_t)
+')
+
+optional_policy(`mta.te',`
+	# apache should set close-on-exec
+	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+')
+
+optional_policy(`mysql.te',`
+	mysql_stream_connect(httpd_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(httpd_t)
+')
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(httpd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(httpd_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(httpd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(httpd_t)
+')
+
+allow httpd_t var_log_t:dir ra_dir_perms;
+type_transition httpd_t var_log_t:file httpd_log_t;
+
+can_tcp_connect(web_client_domain, httpd_t)
+
+allow httpd_t crypt_device_t:chr_file rw_file_perms;
+
+# for tomcat
+allow httpd_t var_lib_t:lnk_file { getattr read };
+
+#########################################
+# Allow httpd to search users directories
+#########################################
+allow httpd_t home_root_t:dir { getattr search };
+
+dontaudit httpd_t sysadm_home_dir_t:dir getattr;
+
+# Allow apache to used ftpd_anon_t
+anonymous_domain(httpd)
+
+optional_policy(`mysql.te',`
+	allow httpd_t mysqld_db_t:dir search;
+	allow httpd_t mysqld_db_t:sock_file rw_file_perms;
+')
+
+ifdef(`snmpd.te', `
+	dontaudit httpd_t snmpd_var_lib_t:dir search;
+	dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
+', `
+	dontaudit httpd_t usr_t:dir write;
+')
+
+r_dir_file(initrc_t, httpd_config_t)
+allow initrc_t httpd_modules_t:dir r_dir_perms;
+
+
+# setup the system domain for system CGI scripts
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+kernel_read_kernel_sysctl(httpd_sys_script_t)
+allow httpd_sys_script_t var_spool_t:dir { getattr search };
+r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
+allow httpd_sys_script_t var_lib_t:dir search;
+
+# Run SSI execs in system CGI script domain.
+tunable_policy(`httpd_ssi_exec',`
+	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
+	allow httpd_t httpd_sys_script_t:fd use;
+	allow httpd_sys_script_t httpd_t:fd use;
+	allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
+	allow httpd_sys_script_t httpd_t:process sigchld;
+')
+
+optional_policy(`mysql.te',`
+	allow httpd_sys_script_t mysqld_db_t:dir search;
+	allow httpd_sys_script_t mysqld_db_t:sock_file rw_file_perms;
+
+	mysql_stream_connect(httpd_sys_script_t)
+')
+
+ifdef(`targeted_policy', `
+	typealias httpd_sys_content_t alias httpd_user_content_t;
+	typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
+
+	if (httpd_enable_homedirs) {
+		allow httpd_t user_home_dir_t:dir { getattr search };
+	}
+	if (httpd_enable_homedirs) {
+		allow httpd_sys_script_t user_home_dir_t:dir { getattr search };
+	}
+	if (httpd_enable_homedirs) {
+		allow httpd_suexec_t user_home_dir_t:dir { getattr search };
+	}
+')
+
+# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
+typealias httpd_sys_content_t alias httpd_sysadm_content_t;
+
+ifdef(`distro_redhat',`
+	# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
+	# This is a bug but it still exists in FC2
+	typealias httpd_log_t alias httpd_runtime_t;
+
+	allow httpd_sys_script_t httpd_log_t:file { getattr append };
+')
+
+########################################
+# When the admin starts the server, the server wants to access
+# the TTY or PTY associated with the session. The httpd appears
+# to run correctly without this permission, so the permission
+# are dontaudited here. 
+##################################################
+
+if (httpd_tty_comm) {
+	allow { httpd_t httpd_helper_t } devpts_t:dir search;
+	allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
+} else {
+	dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
+}
+
+r_dir_file(httpd_t, cert_t)
+
+dontaudit httpd_suexec_t var_run_t:dir search;
+allow httpd_suexec_t home_root_t:dir search;
+
+if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+	domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+	allow httpd_suexec_t httpd_sys_script_t:fd use;
+	allow httpd_sys_script_t httpd_suexec_t:fd use;
+	allow httpd_sys_script_t httpd_suexec_t:fifo_file rw_file_perms;
+	allow httpd_sys_script_t httpd_suexec_t:process sigchld;
+
+	ifdef(`targeted_policy', `', `
+		domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
+	')
+}
+
+if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+	domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
+	allow httpd_t httpd_sys_script_t:fd use;
+	allow httpd_sys_script_t httpd_t:fd use;
+	allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
+	allow httpd_sys_script_t httpd_t:process sigchld;
+
+	allow httpd_t httpdcontent:dir create_dir_perms;
+	allow httpd_t httpdcontent:file create_file_perms;
+	allow httpd_t httpdcontent:lnk_file create_lnk_perms;
+}
+
+tunable_policy(`httpd_enable_cgi',`
+	domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+')
+
+
+optional_policy(`mta.te',`
+	# apache should set close-on-exec
+	dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
+	dontaudit system_mail_t httpd_log_t:file { append getattr };
+	allow system_mail_t httpd_squirrelmail_t:file { append read };
+	dontaudit system_mail_t httpd_t:tcp_socket { read write };
+')
+') dnl end TODO
+
+########################################
+#
+# Apache helper local policy
+#
+
+domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
+allow httpd_t httpd_helper_t:fd use;
+allow httpd_helper_t httpd_t:fd use;
+allow httpd_helper_t httpd_t:fifo_file rw_file_perms;
+allow httpd_helper_t httpd_t:process sigchld;
+
+allow httpd_helper_t httpd_config_t:file { getattr read };
+
+allow httpd_helper_t httpd_log_t:file append;
+
+libs_use_ld_so(httpd_helper_t)
+libs_use_shared_libs(httpd_helper_t)
+
+# a "run" interface needs to be
+# added, and have sysadm_t use it
+# in a optional_policy block. for httpd_helper_t
+
+########################################
+#
+# Apache PHP script local policy
+#
+
+allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow httpd_php_t self:fd use;
+allow httpd_php_t self:fifo_file rw_file_perms;
+allow httpd_php_t self:unix_dgram_socket create_socket_perms;
+allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
+allow httpd_php_t self:unix_dgram_socket sendto;
+allow httpd_php_t self:unix_stream_socket connectto;
+allow httpd_php_t self:shm create_shm_perms;
+allow httpd_php_t self:sem create_sem_perms;
+allow httpd_php_t self:msgq create_msgq_perms;
+allow httpd_php_t self:msg { send receive };
+
+domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t)
+allow httpd_t httpd_php_t:fd use;
+allow httpd_php_t httpd_t:fd use;
+allow httpd_php_t httpd_t:fifo_file rw_file_perms;
+allow httpd_php_t httpd_t:process sigchld;
+
+# allow php to read and append to apache logfiles
+allow httpd_php_t httpd_log_t:file ra_file_perms;
+
+allow httpd_php_t httpd_php_tmp_t:dir create_dir_perms;
+allow httpd_php_t httpd_php_tmp_t:file create_file_perms;
+files_create_tmp_files(httpd_php_t, httpd_php_tmp_t, { file dir })
+
+fs_search_auto_mountpoints(httpd_php_t)
+
+libs_exec_lib_files(httpd_php_t)
+libs_use_ld_so(httpd_php_t)
+libs_use_shared_libs(httpd_php_t)
+
+userdom_use_unpriv_users_fd(httpd_php_t)
+
+optional_policy(`mysql.te',`
+	mysql_stream_connect(httpd_php_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(httpd_php_t)
+')
+
+########################################
+#
+# Apache suexec local policy
+#
+
+allow httpd_suexec_t self:capability { setuid setgid };
+allow httpd_suexec_t self:process signal_perms;
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+# cjp: need transitionbool
+domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
+allow httpd_t httpd_suexec_t:fd use;
+allow httpd_suexec_t httpd_t:fd use;
+allow httpd_suexec_t httpd_t:fifo_file rw_file_perms;
+allow httpd_suexec_t httpd_t:process sigchld;
+
+allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
+allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
+allow httpd_suexec_t httpd_t:fifo_file getattr;
+
+allow httpd_suexec_t httpd_suexec_tmp_t:dir create_dir_perms;
+allow httpd_suexec_t httpd_suexec_tmp_t:file create_file_perms;
+files_create_tmp_files(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+
+kernel_read_kernel_sysctl(httpd_suexec_t)
+kernel_list_proc(httpd_suexec_t)
+kernel_read_proc_symlinks(httpd_suexec_t)
+
+dev_read_urand(httpd_suexec_t)
+
+fs_search_auto_mountpoints(httpd_suexec_t)
+
+# for shell scripts
+corecmd_exec_bin(httpd_suexec_t)
+corecmd_exec_shell(httpd_suexec_t)
+
+files_read_etc_files(httpd_suexec_t)
+files_read_usr_files(httpd_suexec_t)
+
+libs_use_ld_so(httpd_suexec_t)
+libs_use_shared_libs(httpd_suexec_t)
+
+logging_search_logs(httpd_suexec_t)
+logging_send_syslog_msg(httpd_suexec_t)
+
+miscfiles_read_localization(httpd_suexec_t)
+
+tunable_policy(`httpd_can_network_connect',`
+	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
+	allow httpd_suexec_t self:udp_socket create_socket_perms;
+
+	corenet_tcp_sendrecv_all_if(httpd_suexec_t)
+	corenet_udp_sendrecv_all_if(httpd_suexec_t)
+	corenet_raw_sendrecv_all_if(httpd_suexec_t)
+	corenet_tcp_sendrecv_all_nodes(httpd_suexec_t)
+	corenet_udp_sendrecv_all_nodes(httpd_suexec_t)
+	corenet_raw_sendrecv_all_nodes(httpd_suexec_t)
+	corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
+	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
+	corenet_tcp_bind_all_nodes(httpd_suexec_t)
+	corenet_udp_bind_all_nodes(httpd_suexec_t)
+	corenet_tcp_connect_all_ports(httpd_suexec_t)
+
+	sysnet_read_config(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+	fs_read_nfs_files(httpd_suexec_t)
+	fs_read_nfs_symlinks(httpd_suexec_t)
+	fs_execute_nfs_files(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+	fs_read_cifs_files(httpd_suexec_t)
+	fs_read_cifs_symlinks(httpd_suexec_t)
+	fs_execute_cifs_files(httpd_suexec_t)
+')
+
+optional_policy(`mount.te',`
+	tunable_policy(`httpd_can_network_connect',`
+		mount_send_nfs_client_request(httpd_suexec_t)
+	')
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(httpd_suexec_t)
+')
+
+########################################
+#
+# Apache system script local policy
+#
+
+apache_content_template(sys)
+
+########################################
+#
+# Apache unconfined script local policy
+#
+
+unconfined_domain_template(httpd_unconfined_script_t)
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(httpd_unconfined_script_t)
+')
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@ -147,6 +147,9 @@ template(`cron_per_userdomain_template',`
 	')

 	ifdef(`TODO',`
+	optional_policy(`apache.te', `
+		create_dir_file($1_crond_t, httpd_$1_content_t)
+	')
 	allow $1_crond_t tmp_t:dir rw_dir_perms;
 	type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t;

--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@ -1,5 +1,68 @@
 ## <summary>Policy for NIS (YP) servers and clients</summary>

+########################################
+## <summary>
+##	Use the ypbind service to access NIS services
+##	unconditionally.
+## </summary>
+## <desc>
+##	<p>
+##	Use the ypbind service to access NIS services
+##	unconditionally.
+##	</p>
+##	<p>
+##	This interface was added because of apache and
+##	spamassassin, to fix a nested conditionals problem.
+##	When that support is added, this should be removed,
+##	and the regular	interface should be used.
+##	</p>
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`nis_use_ypbind_uncond',`
+	gen_require(`
+		type var_yp_t;
+	')
+
+	dontaudit $1 self:capability net_bind_service;
+
+	allow $1 self:tcp_socket create_stream_socket_perms;
+	allow $1 self:udp_socket create_socket_perms;
+
+	allow $1 var_yp_t:dir r_dir_perms;
+	allow $1 var_yp_t:lnk_file { getattr read };
+	allow $1 var_yp_t:file r_file_perms;
+
+	corenet_tcp_sendrecv_all_if($1)
+	corenet_udp_sendrecv_all_if($1)
+	corenet_raw_sendrecv_all_if($1)
+	corenet_tcp_sendrecv_all_nodes($1)
+	corenet_udp_sendrecv_all_nodes($1)
+	corenet_raw_sendrecv_all_nodes($1)
+	corenet_tcp_sendrecv_all_ports($1)
+	corenet_udp_sendrecv_all_ports($1)
+	corenet_tcp_bind_all_nodes($1)
+	corenet_udp_bind_all_nodes($1)
+	corenet_tcp_bind_generic_port($1)
+	corenet_udp_bind_generic_port($1)
+	corenet_tcp_bind_reserved_port($1)
+	corenet_udp_bind_reserved_port($1)
+	corenet_dontaudit_tcp_bind_all_reserved_ports($1)
+	corenet_dontaudit_udp_bind_all_reserved_ports($1)
+	corenet_tcp_connect_portmap_port($1)
+	corenet_tcp_connect_reserved_port($1)
+	corenet_tcp_connect_generic_port($1)
+	corenet_dontaudit_tcp_connect_all_reserved_ports($1)
+
+	sysnet_read_config($1)
+
+	optional_policy(`mount.te',`
+		mount_send_nfs_client_request($1)
+	')
+')
+
 ########################################
 ## <summary>
 ##	Use the ypbind service to access NIS services.
--- a/refpolicy/policy/modules/services/samba.if
+++ b/refpolicy/policy/modules/services/samba.if
@ -24,25 +24,17 @@
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
 ## </param>
-## <param name="user_domain">
-##	The type of the user domain.
-## </param>
-## <param name="user_role">
-##	The role associated with the user domain.
-## </param>
 #
 template(`samba_per_userdomain_template',`
-	optional_policy(`
-		gen_require(`
-			type smbd_t;
-		')
-
-		userdom_manage_user_home_subdir_files($1,smbd_t)
-		userdom_manage_user_home_subdir_symlinks($1,smbd_t)
-		userdom_manage_user_home_subdir_sockets($1,smbd_t)
-		userdom_manage_user_home_subdir_pipes($1,smbd_t)
-		userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
+	gen_require(`
+		type smbd_t;
 	')
+
+	userdom_manage_user_home_subdir_files($1,smbd_t)
+	userdom_manage_user_home_subdir_symlinks($1,smbd_t)
+	userdom_manage_user_home_subdir_sockets($1,smbd_t)
+	userdom_manage_user_home_subdir_pipes($1,smbd_t)
+#	userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
 ')

 ########################################
--- a/refpolicy/policy/modules/system/corecommands.fc
+++ b/refpolicy/policy/modules/system/corecommands.fc
@ -99,6 +99,10 @@ ifdef(`distro_suse', `
 /usr/share/mc/extfs/.*	--	context_template(system_u:object_r:bin_t,s0)
 /usr/share/turboprint/lib(/.*)? -- context_template(system_u:object_r:bin_t,s0)

+ifdef(`distro_suse',`
+/usr/share/apache2/[^/]* --	context_template(system_u:object_r:bin_t,s0)
+')
+
 #
 # /var
 #
--- a/refpolicy/policy/modules/system/init.fc
+++ b/refpolicy/policy/modules/system/init.fc
@ -32,6 +32,7 @@ ifdef(`distro_gentoo', `
 #
 # /usr
 #
+/usr/sbin/apachectl	-- 	context_template(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/open_init_pty	--	context_template(system_u:object_r:initrc_exec_t,s0)

 #
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@ -88,8 +88,8 @@ interface(`init_daemon_domain',`
 		# this regex is a hack, since it assumes there is a
 		# _t at the end of the domain type.  If there is no _t
 		# at the end of the type, it returns empty!
-		bool regexp($1, `\(\w+\)_t', `disable_\1_trans') false;
-		if(! regexp($1, `\(\w+\)_t', `disable_\1_trans') ) {
+		bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
+		if(! regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
 			domain_auto_trans(initrc_t,$2,$1)
 			allow initrc_t $1:fd use;
 			allow initrc_t $1:process { noatsecure siginh rlimitinh };
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -956,6 +956,36 @@ template(`admin_user_template',`
 	') dnl endif TODO
 ')

+########################################
+## <summary>
+##	Search user home directories.
+## </summary>
+## <desc>
+##	<p>
+##	Search user home directories.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+template(`userdom_search_user_home',`
+	gen_require(`
+		class dir { getattr search };
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir { getattr search };
+')
+
 ########################################
 ## <summary>
 ##	Read user home files.
@ -1921,7 +1951,7 @@ interface(`userdom_create_user_home',`
 		class dir rw_dir_perms;
 	')

-	allow $1 etc_t:dir rw_dir_perms;
+	allow $1 user_home_dir_t:dir rw_dir_perms;
 	ifelse(`$2',`',`
 		type_transition $1 user_home_dir_t:file user_home_t;
 	',`