wrap up almost all of apache
This commit is contained in:
parent
4615d80eab
commit
e749cd12a6
|
@ -14,6 +14,7 @@
|
||||||
- Fix errors uncovered by sediff.
|
- Fix errors uncovered by sediff.
|
||||||
- Added policies:
|
- Added policies:
|
||||||
anaconda
|
anaconda
|
||||||
|
apache
|
||||||
apm
|
apm
|
||||||
arpwatch
|
arpwatch
|
||||||
bluetooth
|
bluetooth
|
||||||
|
|
|
@ -1036,6 +1036,22 @@ interface(`kernel_rw_modprobe_sysctl',`
|
||||||
allow $1 sysctl_modprobe_t:file rw_file_perms;
|
allow $1 sysctl_modprobe_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to search generic kernel sysctls.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`kernel_dontaudit_search_kernel_sysctl',`
|
||||||
|
gen_require(`
|
||||||
|
type sysctl_kernel_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 sysctl_kernel_t:dir search;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read generic kernel sysctls.
|
## Read generic kernel sysctls.
|
||||||
|
|
|
@ -18,7 +18,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_R
|
||||||
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||||
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||||
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||||
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||||
/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||||
/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||||
|
|
||||||
|
|
|
@ -84,6 +84,9 @@ template(`apache_content_template',`
|
||||||
allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
|
allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
|
||||||
files_create_tmp_files(httpd_$1_script_t,httpd_$1_script_rw_t,{ file lnk_file sock_file fifo_file })
|
files_create_tmp_files(httpd_$1_script_t,httpd_$1_script_rw_t,{ file lnk_file sock_file fifo_file })
|
||||||
|
|
||||||
|
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
|
||||||
|
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
|
||||||
|
|
||||||
dev_read_rand(httpd_$1_script_t)
|
dev_read_rand(httpd_$1_script_t)
|
||||||
dev_read_urand(httpd_$1_script_t)
|
dev_read_urand(httpd_$1_script_t)
|
||||||
|
|
||||||
|
@ -106,20 +109,11 @@ template(`apache_content_template',`
|
||||||
|
|
||||||
seutil_dontaudit_search_config(httpd_$1_script_t)
|
seutil_dontaudit_search_config(httpd_$1_script_t)
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||||
tunable_policy(`httpd_enable_cgi && httpd_unified && ! httpd_disable_trans',`
|
allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
|
||||||
allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
|
allow httpd_$1_script_t httpdcontent:file create_file_perms;
|
||||||
allow httpd_$1_script_t httpdcontent:file create_file_perms;
|
allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
|
||||||
allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
|
can_exec(httpd_$1_script_t, httpdcontent)
|
||||||
can_exec(httpd_$1_script_t, httpdcontent)
|
|
||||||
')
|
|
||||||
',`
|
|
||||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
|
||||||
allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
|
|
||||||
allow httpd_$1_script_t httpdcontent:file create_file_perms;
|
|
||||||
allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
|
|
||||||
can_exec(httpd_$1_script_t, httpdcontent)
|
|
||||||
')
|
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`allow_httpd_$1_script_anon_write',`
|
tunable_policy(`allow_httpd_$1_script_anon_write',`
|
||||||
|
@ -147,6 +141,16 @@ template(`apache_content_template',`
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`httpd_enable_cgi',`
|
tunable_policy(`httpd_enable_cgi',`
|
||||||
|
allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
|
||||||
|
|
||||||
|
# privileged users run the script:
|
||||||
|
domain_auto_trans(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
|
||||||
|
allow httpd_exec_scripts httpd_$1_script_t:fd use;
|
||||||
|
allow httpd_$1_script_t httpd_exec_scripts:fd use;
|
||||||
|
allow httpd_$1_script_t httpd_exec_scripts:fifo_file rw_file_perms;
|
||||||
|
allow httpd_$1_script_t httpd_exec_scripts:process sigchld;
|
||||||
|
|
||||||
|
# apache runs the script:
|
||||||
domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
||||||
allow httpd_t httpd_$1_script_t:fd use;
|
allow httpd_t httpd_$1_script_t:fd use;
|
||||||
allow httpd_$1_script_t httpd_t:fd use;
|
allow httpd_$1_script_t httpd_t:fd use;
|
||||||
|
@ -215,21 +219,6 @@ template(`apache_content_template',`
|
||||||
optional_policy(`nscd.te',`
|
optional_policy(`nscd.te',`
|
||||||
nscd_use_socket(httpd_$1_script_t)
|
nscd_use_socket(httpd_$1_script_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
|
||||||
#
|
|
||||||
# If a user starts a script by hand it gets the proper context
|
|
||||||
#
|
|
||||||
ifdef(`targeted_policy', `', `
|
|
||||||
if (httpd_enable_cgi) {
|
|
||||||
domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
|
||||||
}
|
|
||||||
')
|
|
||||||
role sysadm_r types httpd_$1_script_t;
|
|
||||||
|
|
||||||
dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
|
|
||||||
dontaudit httpd_$1_script_t sysctl_t:dir search;
|
|
||||||
') dnl end TODO
|
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
|
@ -262,6 +251,7 @@ template(`apache_per_userdomain_template', `
|
||||||
|
|
||||||
apache_content_template($1)
|
apache_content_template($1)
|
||||||
|
|
||||||
|
typeattribute httpd_$1_content_t httpd_script_domains;
|
||||||
# typeattribute httpd_$1_content_t $1_file_type;
|
# typeattribute httpd_$1_content_t $1_file_type;
|
||||||
|
|
||||||
role $3 types httpd_$1_script_t;
|
role $3 types httpd_$1_script_t;
|
||||||
|
@ -290,39 +280,23 @@ template(`apache_per_userdomain_template', `
|
||||||
allow $2 httpd_$1_script_exec_t:file { create_file_perms relabelto relabelfrom };
|
allow $2 httpd_$1_script_exec_t:file { create_file_perms relabelto relabelfrom };
|
||||||
allow $2 httpd_$1_script_exec_t:lnk_file { create_lnk_perms relabelto relabelfrom };
|
allow $2 httpd_$1_script_exec_t:lnk_file { create_lnk_perms relabelto relabelfrom };
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
tunable_policy(`httpd_enable_cgi',`
|
||||||
tunable_policy(`httpd_enable_cgi',`
|
# If a user starts a script by hand it gets the proper context
|
||||||
domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
|
domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
|
||||||
allow $2 httpd_$1_script_t:fd use;
|
allow $2 httpd_$1_script_t:fd use;
|
||||||
allow httpd_$1_script_t $2:fd use;
|
allow httpd_$1_script_t $2:fd use;
|
||||||
allow httpd_$1_script_t $2:fifo_file rw_file_perms;
|
allow httpd_$1_script_t $2:fifo_file rw_file_perms;
|
||||||
allow httpd_$1_script_t $2:process sigchld;
|
allow httpd_$1_script_t $2:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||||
domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
|
allow httpd_$1_script_t httpdcontent:file entrypoint;
|
||||||
allow $2 httpd_$1_script_t:fd use;
|
|
||||||
allow httpd_$1_script_t $2:fd use;
|
|
||||||
allow httpd_$1_script_t $2:fifo_file rw_file_perms;
|
|
||||||
allow httpd_$1_script_t $2:process sigchld;
|
|
||||||
')
|
|
||||||
',`
|
|
||||||
tunable_policy(`httpd_enable_cgi',`
|
|
||||||
# If a user starts a script by hand it gets the proper context
|
|
||||||
domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
|
|
||||||
allow $2 httpd_$1_script_t:fd use;
|
|
||||||
allow httpd_$1_script_t $2:fd use;
|
|
||||||
allow httpd_$1_script_t $2:fifo_file rw_file_perms;
|
|
||||||
allow httpd_$1_script_t $2:process sigchld;
|
|
||||||
')
|
|
||||||
|
|
||||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
|
||||||
domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
|
allow $2 httpd_$1_script_t:fd use;
|
||||||
allow $2 httpd_$1_script_t:fd use;
|
allow httpd_$1_script_t $2:fd use;
|
||||||
allow httpd_$1_script_t $2:fd use;
|
allow httpd_$1_script_t $2:fifo_file rw_file_perms;
|
||||||
allow httpd_$1_script_t $2:fifo_file rw_file_perms;
|
allow httpd_$1_script_t $2:process sigchld;
|
||||||
allow httpd_$1_script_t $2:process sigchld;
|
|
||||||
')
|
|
||||||
')
|
')
|
||||||
|
|
||||||
# allow accessing files/dirs below the users home dir
|
# allow accessing files/dirs below the users home dir
|
||||||
|
@ -403,6 +377,40 @@ interface(`apache_use_fd',`
|
||||||
allow $1 httpd_t:fd use;
|
allow $1 httpd_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to read and write Apache
|
||||||
|
## unix domain stream sockets.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`apache_dontaudit_rw_stream_socket',`
|
||||||
|
gen_require(`
|
||||||
|
type httpd_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 httpd_t:unix_stream_socket { read write };
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to read and write Apache
|
||||||
|
## TCP sockets.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`apache_dontaudit_rw_tcp_socket',`
|
||||||
|
gen_require(`
|
||||||
|
type httpd_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 httpd_t:tcp_socket { read write };
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow the specified domain to read
|
## Allow the specified domain to read
|
||||||
|
@ -506,7 +514,7 @@ interface(`apache_dontaudit_append_log',`
|
||||||
type httpd_log_t;
|
type httpd_log_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 httpd_log_t:file append;
|
dontaudit $1 httpd_log_t:file { getattr append };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -574,3 +582,95 @@ interface(`apache_domtrans_sys_script',`
|
||||||
allow httpd_sys_script_t $1:process sigchld;
|
allow httpd_sys_script_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to read and write Apache
|
||||||
|
## system script unix domain stream sockets.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`apache_dontaudit_rw_sys_script_stream_socket',`
|
||||||
|
gen_require(`
|
||||||
|
type httpd_sys_script_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute all user scripts in the user
|
||||||
|
## script domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`apache_domtrans_all_scripts',`
|
||||||
|
gen_require(`
|
||||||
|
attribute httpd_exec_scripts;
|
||||||
|
')
|
||||||
|
|
||||||
|
typeattribute $1 httpd_exec_scripts;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute all user scripts in the user
|
||||||
|
## script domain. Add user script domains
|
||||||
|
## to the specified role.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
## <param name="role">
|
||||||
|
## The role to be allowed the script domains.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
# cjp: this is missing the terminal since scripts
|
||||||
|
# do not output to the terminal
|
||||||
|
interface(`apache_run_all_scripts',`
|
||||||
|
gen_require(`
|
||||||
|
attribute httpd_exec_scripts, httpd_script_domains;
|
||||||
|
')
|
||||||
|
|
||||||
|
role $2 types httpd_script_domains;
|
||||||
|
apache_domtrans_all_scripts($1)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow the specified domain to read
|
||||||
|
## apache squirrelmail data.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`apache_read_squirrelmail_data',`
|
||||||
|
gen_require(`
|
||||||
|
type httpd_squirrelmail_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 httpd_squirrelmail_t:file { getattr read };
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow the specified domain to append
|
||||||
|
## apache squirrelmail data.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`apache_append_squirrelmail_data',`
|
||||||
|
gen_require(`
|
||||||
|
type httpd_squirrelmail_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 httpd_squirrelmail_t:file { getattr append };
|
||||||
|
')
|
||||||
|
|
|
@ -22,9 +22,16 @@ policy_module(apache,1.0)
|
||||||
|
|
||||||
attribute httpdcontent;
|
attribute httpdcontent;
|
||||||
|
|
||||||
|
# domains that can exec all users scripts
|
||||||
|
attribute httpd_exec_scripts;
|
||||||
|
|
||||||
|
# user script domains
|
||||||
|
attribute httpd_script_domains;
|
||||||
|
|
||||||
type httpd_t;
|
type httpd_t;
|
||||||
type httpd_exec_t;
|
type httpd_exec_t;
|
||||||
init_daemon_domain(httpd_t,httpd_exec_t)
|
init_daemon_domain(httpd_t,httpd_exec_t)
|
||||||
|
role system_r types httpd_t;
|
||||||
|
|
||||||
# httpd_cache_t is the type given to the /var/cache/httpd
|
# httpd_cache_t is the type given to the /var/cache/httpd
|
||||||
# directory and the files under that directory
|
# directory and the files under that directory
|
||||||
|
@ -36,11 +43,10 @@ type httpd_config_t;
|
||||||
files_type(httpd_config_t)
|
files_type(httpd_config_t)
|
||||||
|
|
||||||
type httpd_helper_t;
|
type httpd_helper_t;
|
||||||
domain_type(httpd_helper_t)
|
|
||||||
role system_r types httpd_helper_t;
|
|
||||||
|
|
||||||
type httpd_helper_exec_t;
|
type httpd_helper_exec_t;
|
||||||
|
domain_type(httpd_helper_t)
|
||||||
domain_entry_file(httpd_helper_t,httpd_helper_exec_t)
|
domain_entry_file(httpd_helper_t,httpd_helper_exec_t)
|
||||||
|
role system_r types httpd_helper_t;
|
||||||
|
|
||||||
type httpd_lock_t;
|
type httpd_lock_t;
|
||||||
files_lock_file(httpd_lock_t)
|
files_lock_file(httpd_lock_t)
|
||||||
|
@ -54,11 +60,10 @@ type httpd_modules_t;
|
||||||
files_type(httpd_modules_t)
|
files_type(httpd_modules_t)
|
||||||
|
|
||||||
type httpd_php_t;
|
type httpd_php_t;
|
||||||
domain_type(httpd_php_t)
|
|
||||||
role system_r types httpd_php_t;
|
|
||||||
|
|
||||||
type httpd_php_exec_t;
|
type httpd_php_exec_t;
|
||||||
|
domain_type(httpd_php_t)
|
||||||
domain_entry_file(httpd_php_t,httpd_php_exec_t)
|
domain_entry_file(httpd_php_t,httpd_php_exec_t)
|
||||||
|
role system_r types httpd_php_t;
|
||||||
|
|
||||||
type httpd_php_tmp_t;
|
type httpd_php_tmp_t;
|
||||||
files_tmp_file(httpd_php_tmp_t)
|
files_tmp_file(httpd_php_tmp_t)
|
||||||
|
@ -68,11 +73,10 @@ files_type(httpd_squirrelmail_t)
|
||||||
|
|
||||||
# SUEXEC runs user scripts as their own user ID
|
# SUEXEC runs user scripts as their own user ID
|
||||||
type httpd_suexec_t; #, daemon;
|
type httpd_suexec_t; #, daemon;
|
||||||
domain_type(httpd_suexec_t)
|
|
||||||
role system_r types httpd_suexec_t;
|
|
||||||
|
|
||||||
type httpd_suexec_exec_t;
|
type httpd_suexec_exec_t;
|
||||||
|
domain_type(httpd_suexec_t)
|
||||||
domain_entry_file(httpd_suexec_t,httpd_suexec_exec_t)
|
domain_entry_file(httpd_suexec_t,httpd_suexec_exec_t)
|
||||||
|
role system_r types httpd_suexec_t;
|
||||||
|
|
||||||
type httpd_suexec_tmp_t;
|
type httpd_suexec_tmp_t;
|
||||||
files_tmp_file(httpd_suexec_tmp_t)
|
files_tmp_file(httpd_suexec_tmp_t)
|
||||||
|
@ -89,11 +93,10 @@ files_tmpfs_file(httpd_tmpfs_t)
|
||||||
# Unconfined domain for apache scripts.
|
# Unconfined domain for apache scripts.
|
||||||
# Only to be used as a last resort
|
# Only to be used as a last resort
|
||||||
type httpd_unconfined_script_t;
|
type httpd_unconfined_script_t;
|
||||||
domain_type(httpd_unconfined_script_t)
|
|
||||||
role system_r types httpd_unconfined_script_t;
|
|
||||||
|
|
||||||
type httpd_unconfined_script_exec_t; # customizable
|
type httpd_unconfined_script_exec_t; # customizable
|
||||||
files_type(httpd_unconfined_script_exec_t)
|
domain_type(httpd_unconfined_script_t)
|
||||||
|
domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t)
|
||||||
|
role system_r types httpd_unconfined_script_t;
|
||||||
|
|
||||||
# for apache2 memory mapped files
|
# for apache2 memory mapped files
|
||||||
type httpd_var_lib_t;
|
type httpd_var_lib_t;
|
||||||
|
@ -178,15 +181,15 @@ allow httpd_t httpd_tmp_t:dir create_dir_perms;
|
||||||
allow httpd_t httpd_tmp_t:file create_file_perms;
|
allow httpd_t httpd_tmp_t:file create_file_perms;
|
||||||
files_create_tmp_files(httpd_t, httpd_tmp_t, { file dir })
|
files_create_tmp_files(httpd_t, httpd_tmp_t, { file dir })
|
||||||
|
|
||||||
allow httpd_t httpd_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
|
allow httpd_t httpd_tmpfs_t:dir create_dir_perms;
|
||||||
allow httpd_t httpd_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow httpd_t httpd_tmpfs_t:file create_file_perms;
|
||||||
allow httpd_t httpd_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
|
allow httpd_t httpd_tmpfs_t:lnk_file create_lnk_perms;
|
||||||
allow httpd_t httpd_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow httpd_t httpd_tmpfs_t:sock_file create_file_perms;
|
||||||
allow httpd_t httpd_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow httpd_t httpd_tmpfs_t:fifo_file create_file_perms;
|
||||||
fs_create_tmpfs_data(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
fs_create_tmpfs_data(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||||
|
|
||||||
allow httpd_t httpd_var_lib_t:file create_file_perms;
|
allow httpd_t httpd_var_lib_t:file create_file_perms;
|
||||||
allow httpd_t httpd_var_lib_t:dir create_dir_perms;
|
allow httpd_t httpd_var_lib_t:dir rw_dir_perms;
|
||||||
files_create_var_lib(httpd_t,httpd_var_lib_t)
|
files_create_var_lib(httpd_t,httpd_var_lib_t)
|
||||||
|
|
||||||
allow httpd_t httpd_var_run_t:file create_file_perms;
|
allow httpd_t httpd_var_run_t:file create_file_perms;
|
||||||
|
@ -341,6 +344,14 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
fs_read_cifs_symlinks(httpd_t)
|
fs_read_cifs_symlinks(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
tunable_policy(`httpd_ssi_exec',`
|
||||||
|
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
||||||
|
allow httpd_t httpd_sys_script_t:fd use;
|
||||||
|
allow httpd_sys_script_t httpd_t:fd use;
|
||||||
|
allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
|
||||||
|
allow httpd_sys_script_t httpd_t:process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
# When the admin starts the server, the server wants to access
|
# When the admin starts the server, the server wants to access
|
||||||
# the TTY or PTY associated with the session. The httpd appears
|
# the TTY or PTY associated with the session. The httpd appears
|
||||||
# to run correctly without this permission, so the permission
|
# to run correctly without this permission, so the permission
|
||||||
|
@ -391,10 +402,6 @@ optional_policy(`rhgb.te',`
|
||||||
|
|
||||||
can_tcp_connect(web_client_domain, httpd_t)
|
can_tcp_connect(web_client_domain, httpd_t)
|
||||||
|
|
||||||
allow httpd_t home_root_t:dir getattr;
|
|
||||||
dontaudit httpd_t sysadm_home_dir_t:dir getattr;
|
|
||||||
allow httpd_sys_script_t var_spool_t:dir getattr;
|
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
if (httpd_enable_homedirs) {
|
if (httpd_enable_homedirs) {
|
||||||
allow httpd_t user_home_dir_t:dir { getattr search };
|
allow httpd_t user_home_dir_t:dir { getattr search };
|
||||||
|
@ -406,14 +413,6 @@ ifdef(`targeted_policy',`
|
||||||
allow httpd_suexec_t user_home_dir_t:dir { getattr search };
|
allow httpd_suexec_t user_home_dir_t:dir { getattr search };
|
||||||
}
|
}
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`mta.te',`
|
|
||||||
# apache should set close-on-exec
|
|
||||||
dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
|
|
||||||
dontaudit system_mail_t httpd_log_t:file { append getattr };
|
|
||||||
allow system_mail_t httpd_squirrelmail_t:file { append read };
|
|
||||||
dontaudit system_mail_t httpd_t:tcp_socket { read write };
|
|
||||||
')
|
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -434,6 +433,8 @@ allow httpd_helper_t httpd_log_t:file append;
|
||||||
libs_use_ld_so(httpd_helper_t)
|
libs_use_ld_so(httpd_helper_t)
|
||||||
libs_use_shared_libs(httpd_helper_t)
|
libs_use_shared_libs(httpd_helper_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(httpd_helper_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Apache PHP script local policy
|
# Apache PHP script local policy
|
||||||
|
|
|
@ -254,10 +254,16 @@ interface(`mta_mailserver_delivery',`
|
||||||
#
|
#
|
||||||
interface(`mta_mailserver_user_agent',`
|
interface(`mta_mailserver_user_agent',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute mailserver_user_agent;
|
attribute mta_user_agent;
|
||||||
')
|
')
|
||||||
|
|
||||||
typeattribute $1 mailserver_user_agent;
|
typeattribute $1 mta_user_agent;
|
||||||
|
|
||||||
|
optional_policy(`apache.te',`
|
||||||
|
# apache should set close-on-exec
|
||||||
|
apache_dontaudit_rw_stream_socket($1)
|
||||||
|
apache_dontaudit_rw_sys_script_stream_socket($1)
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
|
|
|
@ -119,6 +119,17 @@ ifdef(`targeted_policy',`
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`apache.te',`
|
||||||
|
apache_read_squirrelmail_data(system_mail_t)
|
||||||
|
apache_append_squirrelmail_data(system_mail_t)
|
||||||
|
|
||||||
|
# apache should set close-on-exec
|
||||||
|
apache_dontaudit_append_log(system_mail_t)
|
||||||
|
apache_dontaudit_rw_stream_socket(system_mail_t)
|
||||||
|
apache_dontaudit_rw_tcp_socket(system_mail_t)
|
||||||
|
apache_dontaudit_rw_sys_script_stream_socket(system_mail_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`cron.te',`
|
optional_policy(`cron.te',`
|
||||||
cron_read_system_job_tmp_files(system_mail_t)
|
cron_read_system_job_tmp_files(system_mail_t)
|
||||||
')
|
')
|
||||||
|
|
|
@ -122,7 +122,7 @@ ifdef(`targeted_policy',`
|
||||||
|
|
||||||
optional_policy(`apache.te',`
|
optional_policy(`apache.te',`
|
||||||
apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
|
apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
|
||||||
# cjp: why is this not run
|
#apache_run_all_scripts(sysadm_t,sysadm_r)
|
||||||
#apache_domtrans_sys_script(sysadm_t)
|
#apache_domtrans_sys_script(sysadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue