policy_module(apache, 2.2.0) # # NOTES: # This policy will work with SUEXEC enabled as part of the Apache # configuration. However, the user CGI scripts will run under the # system_u:system_r:httpd_user_script_t. # # The user CGI scripts must be labeled with the httpd_user_script_exec_t # type, and the directory containing the scripts should also be labeled # with these types. This policy allows the user role to perform that # relabeling. If it is desired that only admin role should be able to relabel # the user CGI scripts, then relabel rule for user roles should be removed. # ######################################## # # Declarations # selinux_genbool(httpd_bool_t) ## ##

## Allow Apache to modify public files ## used for public file transfer services. Directories/Files must ## be labeled public_content_rw_t. ##

##
gen_tunable(allow_httpd_anon_write, false) ## ##

## Allow Apache to use mod_auth_pam ##

##
gen_tunable(allow_httpd_mod_auth_pam, false) ## ##

## Allow httpd scripts and modules execmem/execstack ##

##
gen_tunable(httpd_execmem, false) ## ##

## Allow httpd daemon to change system limits ##

##
gen_tunable(httpd_setrlimit, false) ## ##

## Allow httpd to use built in scripting (usually php) ##

##
gen_tunable(httpd_builtin_scripting, false) ## ##

## Allow HTTPD scripts and modules to connect to the network using TCP. ##

##
gen_tunable(httpd_can_network_connect, false) ## ##

## Allow HTTPD scripts and modules to connect to cobbler over the network. ##

##
gen_tunable(httpd_can_network_connect_cobbler, false) ## ##

## Allow HTTPD scripts and modules to connect to databases over the network. ##

##
gen_tunable(httpd_can_network_connect_db, false) ## ##

## Allow httpd to act as a relay ##

##
gen_tunable(httpd_can_network_relay, false) ## ##

## Allow http daemon to send mail ##

##
gen_tunable(httpd_can_sendmail, false) ## ##

## Allow http daemon to check spam ##

##
gen_tunable(httpd_can_check_spam, false) ## ##

## Allow Apache to communicate with avahi service via dbus ##

##
gen_tunable(httpd_dbus_avahi, false) ## ##

## Allow httpd cgi support ##

##
gen_tunable(httpd_enable_cgi, false) ## ##

## Allow httpd to act as a FTP server by ## listening on the ftp port. ##

##
gen_tunable(httpd_enable_ftp_server, false) ## ##

## Allow httpd to read home directories ##

##
gen_tunable(httpd_enable_homedirs, false) ## ##

## Allow httpd to read user content ##

##
gen_tunable(httpd_read_user_content, false) ## ##

## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. ##

##
gen_tunable(httpd_ssi_exec, false) ## ##

## Allow Apache to execute tmp content. ##

##
gen_tunable(httpd_tmp_exec, false) ## ##

## Unify HTTPD to communicate with the terminal. ## Needed for entering the passphrase for certificates at ## the terminal. ##

##
gen_tunable(httpd_tty_comm, false) ## ##

## Unify HTTPD handling of all content files. ##

##
gen_tunable(httpd_unified, false) ## ##

## Allow httpd to access cifs file systems ##

##
gen_tunable(httpd_use_cifs, false) ## ##

## Allow httpd to run gpg in gpg-web domain ##

##
gen_tunable(httpd_use_gpg, false) ## ##

## Allow httpd to access nfs file systems ##

##
gen_tunable(httpd_use_nfs, false) ## ##

## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t. ##

##
gen_tunable(allow_httpd_sys_script_anon_write, false) attribute httpdcontent; attribute httpd_user_content_type; # domains that can exec all users scripts attribute httpd_exec_scripts; attribute httpd_script_exec_type; attribute httpd_user_script_exec_type; # user script domains attribute httpd_script_domains; type httpd_t; type httpd_exec_t; init_daemon_domain(httpd_t, httpd_exec_t) role system_r types httpd_t; # httpd_cache_t is the type given to the /var/cache/httpd # directory and the files under that directory type httpd_cache_t; files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; files_type(httpd_config_t) type httpd_helper_t; type httpd_helper_exec_t; domain_type(httpd_helper_t) domain_entry_file(httpd_helper_t, httpd_helper_exec_t) role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) type httpd_lock_t; files_lock_file(httpd_lock_t) type httpd_log_t; logging_log_file(httpd_log_t) # httpd_modules_t is the type given to module files (libraries) # that come with Apache /etc/httpd/modules and /usr/lib/apache type httpd_modules_t; files_type(httpd_modules_t) type httpd_php_t; type httpd_php_exec_t; domain_type(httpd_php_t) domain_entry_file(httpd_php_t, httpd_php_exec_t) role system_r types httpd_php_t; type httpd_php_tmp_t; files_tmp_file(httpd_php_tmp_t) type httpd_rotatelogs_t; type httpd_rotatelogs_exec_t; init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) type httpd_squirrelmail_t; files_type(httpd_squirrelmail_t) # SUEXEC runs user scripts as their own user ID type httpd_suexec_t; #, daemon; type httpd_suexec_exec_t; domain_type(httpd_suexec_t) domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) role system_r types httpd_suexec_t; type httpd_suexec_tmp_t; files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) typeattribute httpd_sys_content_t httpdcontent; # customizable typeattribute httpd_sys_rw_content_t httpdcontent; # customizable typeattribute httpd_sys_ra_content_t httpdcontent; # customizable type httpd_tmp_t; files_tmp_file(httpd_tmp_t) type httpd_tmpfs_t; files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) typeattribute httpd_user_content_t httpdcontent; typeattribute httpd_user_rw_content_t httpdcontent; typeattribute httpd_user_ra_content_t httpdcontent; userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; typealias httpd_user_content_t alias httpd_unconfined_content_t; typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t }; typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t }; typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t }; typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t }; typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t }; typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t }; typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t }; typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t }; typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; # for apache2 memory mapped files type httpd_var_lib_t; files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) # File Type of squirrelmail attachments type squirrelmail_spool_t; files_tmp_file(squirrelmail_spool_t) optional_policy(` prelink_object_file(httpd_modules_t) ') ######################################## # # Apache server local policy # allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; allow httpd_t self:sock_file read_sock_file_perms; allow httpd_t self:fifo_file rw_fifo_file_perms; allow httpd_t self:shm create_shm_perms; allow httpd_t self:sem create_sem_perms; allow httpd_t self:msgq create_msgq_perms; allow httpd_t self:msg { send receive }; allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; # Allow httpd_t to put files in /var/cache/httpd etc manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) files_var_filetrans(httpd_t, httpd_cache_t, { file dir }) # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_config_t, httpd_config_t) read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t) can_exec(httpd_t, httpd_exec_t) allow httpd_t httpd_lock_t:file manage_file_perms; files_lock_filetrans(httpd_t, httpd_lock_t, file) allow httpd_t httpd_log_t:dir setattr; create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) # cjp: need to refine create interfaces to # cut this back to add_name only logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. allow httpd_t httpd_rotatelogs_t:process signal_perms; manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) allow httpd_t httpd_suexec_exec_t:file read_file_perms; allow httpd_t httpd_sys_content_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file }) manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir }) manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) kernel_search_network_sysctl(httpd_t) corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) corenet_tcp_sendrecv_generic_if(httpd_t) corenet_udp_sendrecv_generic_if(httpd_t) corenet_tcp_sendrecv_generic_node(httpd_t) corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) corenet_udp_bind_generic_node(httpd_t) corenet_tcp_bind_http_port(httpd_t) corenet_tcp_bind_http_cache_port(httpd_t) corenet_tcp_bind_ntop_port(httpd_t) corenet_sendrecv_http_server_packets(httpd_t) # Signal self for shutdown corenet_tcp_connect_http_port(httpd_t) dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) dev_read_urand(httpd_t) dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) fs_read_iso9660_files(httpd_t) fs_read_anon_inodefs_files(httpd_t) auth_use_nsswitch(httpd_t) application_exec_all(httpd_t) domain_use_interactive_fds(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) # for modules that want to access /etc/mtab files_read_etc_runtime_files(httpd_t) # Allow httpd_t to have access to files such as nisswitch.conf files_read_etc_files(httpd_t) # for tomcat files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) # php uploads a file to /tmp and then execs programs to acton them manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file }) libs_read_lib_files(httpd_t) logging_send_syslog_msg(httpd_t) miscfiles_read_localization(httpd_t) miscfiles_read_fonts(httpd_t) miscfiles_read_public_files(httpd_t) miscfiles_read_certs(httpd_t) seutil_dontaudit_search_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) tunable_policy(`httpd_setrlimit',` allow httpd_t self:process setrlimit; ') tunable_policy(`allow_httpd_anon_write',` miscfiles_manage_public_files(httpd_t) ') # # We need optionals to be able to be within booleans to make this work # tunable_policy(`allow_httpd_mod_auth_pam',` auth_domtrans_chkpwd(httpd_t) logging_send_audit_msgs(httpd_t) ') ## ##

## Allow Apache to use mod_auth_pam ##

##
gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) optional_policy(` tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',` samba_domtrans_winbind_helper(httpd_t) ') ') tunable_policy(`httpd_can_network_connect',` corenet_tcp_connect_all_ports(httpd_t) ') tunable_policy(`httpd_can_network_relay',` # allow httpd to work as a relay corenet_tcp_connect_gopher_port(httpd_t) corenet_tcp_connect_ftp_port(httpd_t) corenet_tcp_connect_http_port(httpd_t) corenet_tcp_connect_http_cache_port(httpd_t) corenet_tcp_connect_squid_port(httpd_t) corenet_tcp_connect_memcache_port(httpd_t) corenet_sendrecv_gopher_client_packets(httpd_t) corenet_sendrecv_ftp_client_packets(httpd_t) corenet_sendrecv_http_client_packets(httpd_t) corenet_sendrecv_http_cache_client_packets(httpd_t) corenet_sendrecv_squid_client_packets(httpd_t) ') tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_sys_script_t httpd_sys_content_t:file entrypoint; filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) can_exec(httpd_sys_script_t, httpd_sys_content_t) ') tunable_policy(`allow_httpd_sys_script_anon_write',` miscfiles_manage_public_files(httpd_sys_script_t) ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` fs_nfs_domtrans(httpd_t, httpd_sys_script_t) ') tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent) ') tunable_policy(`httpd_enable_ftp_server',` corenet_tcp_bind_ftp_port(httpd_t) ') tunable_policy(`httpd_enable_homedirs',` userdom_read_user_home_content_files(httpd_t) ') tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',` can_exec(httpd_t, httpd_tmp_t) ') tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',` can_exec(httpd_sys_script_t, httpd_tmp_t) ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_files(httpd_t) fs_read_nfs_symlinks(httpd_t) ') tunable_policy(`httpd_use_nfs',` fs_manage_nfs_dirs(httpd_t) fs_manage_nfs_files(httpd_t) fs_manage_nfs_symlinks(httpd_t) ') tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) ') tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) corenet_tcp_connect_pop_port(httpd_t) corenet_sendrecv_pop_client_packets(httpd_t) mta_send_mail(httpd_t) mta_signal_system_mail(httpd_t) ') tunable_policy(`httpd_use_cifs',` fs_manage_cifs_dirs(httpd_t) fs_manage_cifs_files(httpd_t) fs_manage_cifs_symlinks(httpd_t) ') tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms; allow httpd_sys_script_t httpd_t:process sigchld; ') # When the admin starts the server, the server wants to access # the TTY or PTY associated with the session. The httpd appears # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` userdom_use_user_terminals(httpd_t) userdom_use_user_terminals(httpd_suexec_t) ',` userdom_dontaudit_use_user_terminals(httpd_t) userdom_dontaudit_use_user_terminals(httpd_suexec_t) ') optional_policy(` calamaris_read_www_files(httpd_t) ') optional_policy(` ccs_read_config(httpd_t) ') optional_policy(` cobbler_list_config(httpd_t) cobbler_read_config(httpd_t) cobbler_read_content(httpd_t) tunable_policy(`httpd_can_network_connect_cobbler',` corenet_tcp_connect_cobbler_port(httpd_t) ') ') optional_policy(` cron_system_entry(httpd_t, httpd_exec_t) ') optional_policy(` cvs_read_data(httpd_t) ') optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') optional_policy(` dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` avahi_dbus_chat(httpd_t) ') ') optional_policy(` gitosis_read_lib_files(httpd_t) ') optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` gpg_domtrans_web(httpd_t) ') ') optional_policy(` kerberos_keytab_template(httpd, httpd_t) ') optional_policy(` mailman_signal_cgi(httpd_t) mailman_domtrans_cgi(httpd_t) mailman_read_data_files(httpd_t) # should have separate types for public and private archives mailman_search_data(httpd_t) mailman_read_archive(httpd_t) ') optional_policy(` # Allow httpd to work with mysql mysql_read_config(httpd_t) mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) ') ') optional_policy(` nagios_read_config(httpd_t) nagios_read_log(httpd_t) ') optional_policy(` openca_domtrans(httpd_t) openca_signal(httpd_t) openca_sigstop(httpd_t) openca_kill(httpd_t) ') optional_policy(` rpc_search_nfs_state_data(httpd_t) ') tunable_policy(`httpd_execmem',` allow httpd_t self:process { execmem execstack }; allow httpd_sys_script_t self:process { execmem execstack }; allow httpd_suexec_t self:process { execmem execstack }; ') optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) tunable_policy(`httpd_can_network_connect_db',` postgresql_tcp_connect(httpd_t) postgresql_tcp_connect(httpd_sys_script_t) ') ') optional_policy(` seutil_sigchld_newrole(httpd_t) ') optional_policy(` smokeping_getattr_lib_files(httpd_t) ') optional_policy(` files_dontaudit_rw_usr_dirs(httpd_t) snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') optional_policy(` udev_read_db(httpd_t) ') optional_policy(` yam_read_content(httpd_t) ') optional_policy(` zarafa_stream_connect_server(httpd_t) ') ######################################## # # Apache helper local policy # domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t) allow httpd_helper_t httpd_config_t:file read_file_perms; allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) userdom_use_user_terminals(httpd_helper_t) tunable_policy(`httpd_tty_comm',` userdom_use_user_terminals(httpd_helper_t) ') ######################################## # # Apache PHP script local policy # allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_php_t self:fd use; allow httpd_php_t self:fifo_file rw_fifo_file_perms; allow httpd_php_t self:sock_file read_sock_file_perms; allow httpd_php_t self:unix_dgram_socket create_socket_perms; allow httpd_php_t self:unix_stream_socket create_stream_socket_perms; allow httpd_php_t self:unix_dgram_socket sendto; allow httpd_php_t self:unix_stream_socket connectto; allow httpd_php_t self:shm create_shm_perms; allow httpd_php_t self:sem create_sem_perms; allow httpd_php_t self:msgq create_msgq_perms; allow httpd_php_t self:msg { send receive }; domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t) # allow php to read and append to apache logfiles allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms }; manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t) manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t) files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir }) fs_search_auto_mountpoints(httpd_php_t) auth_use_nsswitch(httpd_php_t) libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` corenet_tcp_connect_mysqld_port(httpd_t) corenet_sendrecv_mysqld_client_packets(httpd_t) corenet_tcp_connect_mysqld_port(httpd_sys_script_t) corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) corenet_tcp_connect_mysqld_port(httpd_suexec_t) corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) corenet_tcp_connect_mssql_port(httpd_t) corenet_sendrecv_mssql_client_packets(httpd_t) corenet_tcp_connect_mssql_port(httpd_sys_script_t) corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) corenet_tcp_connect_mssql_port(httpd_suexec_t) corenet_sendrecv_mssql_client_packets(httpd_suexec_t) ') optional_policy(` mysql_stream_connect(httpd_php_t) mysql_read_config(httpd_php_t) ') optional_policy(` postgresql_stream_connect(httpd_php_t) ') ######################################## # # Apache suexec local policy # allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms; manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) can_exec(httpd_suexec_t, httpd_sys_script_exec_t) kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) dev_read_urand(httpd_suexec_t) fs_read_iso9660_files(httpd_suexec_t) fs_search_auto_mountpoints(httpd_suexec_t) application_exec_all(httpd_suexec_t) files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) miscfiles_read_public_files(httpd_suexec_t) tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; allow httpd_suexec_t self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled(httpd_suexec_t) corenet_all_recvfrom_netlabel(httpd_suexec_t) corenet_tcp_sendrecv_generic_if(httpd_suexec_t) corenet_udp_sendrecv_generic_if(httpd_suexec_t) corenet_tcp_sendrecv_generic_node(httpd_suexec_t) corenet_udp_sendrecv_generic_node(httpd_suexec_t) corenet_tcp_sendrecv_all_ports(httpd_suexec_t) corenet_udp_sendrecv_all_ports(httpd_suexec_t) corenet_tcp_connect_all_ports(httpd_suexec_t) corenet_sendrecv_all_client_packets(httpd_suexec_t) ') read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t) read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t) read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t) domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_sys_script_t httpdcontent:file entrypoint; domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) ') tunable_policy(`httpd_enable_cgi',` domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t) ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) ') tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) fs_exec_cifs_files(httpd_suexec_t) ') optional_policy(` mailman_domtrans_cgi(httpd_suexec_t) ') optional_policy(` mta_stub(httpd_suexec_t) # apache should set close-on-exec dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') optional_policy(` mysql_stream_connect(httpd_suexec_t) mysql_rw_db_sockets(httpd_suexec_t) mysql_read_config(httpd_suexec_t) ') ######################################## # # Apache system script local policy # allow httpd_sys_script_t self:process getsched; allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; allow httpd_sys_script_t httpd_t:tcp_socket { read write }; dontaudit httpd_sys_script_t httpd_config_t:dir search; allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_sys_script_t) files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) logging_inherit_append_all_logs(httpd_sys_script_t) # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) auth_use_nsswitch(httpd_sys_script_t) ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') optional_policy(` tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` spamassassin_domtrans_client(httpd_t) ') ') fs_cifs_entry_type(httpd_sys_script_t) fs_read_iso9660_files(httpd_sys_script_t) fs_nfs_entry_type(httpd_sys_script_t) tunable_policy(`httpd_use_nfs',` fs_manage_nfs_dirs(httpd_sys_script_t) fs_manage_nfs_files(httpd_sys_script_t) fs_manage_nfs_symlinks(httpd_sys_script_t) fs_exec_nfs_files(httpd_sys_script_t) fs_manage_nfs_dirs(httpd_suexec_t) fs_manage_nfs_files(httpd_suexec_t) fs_manage_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) ') tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; corenet_tcp_bind_all_nodes(httpd_sys_script_t) corenet_udp_bind_all_nodes(httpd_sys_script_t) corenet_all_recvfrom_unlabeled(httpd_sys_script_t) corenet_all_recvfrom_netlabel(httpd_sys_script_t) corenet_tcp_sendrecv_all_if(httpd_sys_script_t) corenet_udp_sendrecv_all_if(httpd_sys_script_t) corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t) corenet_udp_sendrecv_all_nodes(httpd_sys_script_t) corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) corenet_sendrecv_all_client_packets(httpd_sys_script_t) ') tunable_policy(`httpd_enable_homedirs',` userdom_read_user_home_content_files(httpd_sys_script_t) ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_files(httpd_sys_script_t) fs_read_nfs_symlinks(httpd_sys_script_t) ') tunable_policy(`httpd_use_cifs',` fs_manage_cifs_dirs(httpd_sys_script_t) fs_manage_cifs_files(httpd_sys_script_t) fs_manage_cifs_symlinks(httpd_sys_script_t) fs_manage_cifs_dirs(httpd_suexec_t) fs_manage_cifs_files(httpd_suexec_t) fs_manage_cifs_symlinks(httpd_suexec_t) fs_exec_cifs_files(httpd_suexec_t) ') tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) ') optional_policy(` clamav_domtrans_clamscan(httpd_sys_script_t) ') optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) mysql_read_config(httpd_sys_script_t) ') optional_policy(` postgresql_stream_connect(httpd_sys_script_t) ') ######################################## # # httpd_rotatelogs local policy # allow httpd_rotatelogs_t self:capability dac_override; manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) kernel_dontaudit_list_proc(httpd_rotatelogs_t) kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) files_read_etc_files(httpd_rotatelogs_t) logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) ######################################## # # Unconfined script local policy # optional_policy(` type httpd_unconfined_script_t; type httpd_unconfined_script_exec_t; domain_type(httpd_unconfined_script_t) domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t) domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) unconfined_domain(httpd_unconfined_script_t) role system_r types httpd_unconfined_script_t; allow httpd_t httpd_unconfined_script_t:process signal_perms; ') ######################################## # # User content local policy # tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t) manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t) ') # allow accessing files/dirs below the users home dir tunable_policy(`httpd_enable_homedirs',` userdom_search_user_home_content(httpd_t) userdom_search_user_home_content(httpd_suexec_t) userdom_search_user_home_content(httpd_user_script_t) ') tunable_policy(`httpd_read_user_content',` userdom_read_user_home_content_files(httpd_user_script_t) userdom_read_user_home_content_files(httpd_suexec_t) ') tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',` userdom_read_user_home_content_files(httpd_t) ') # Removal of fastcgi, will cause problems without the following typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t }; typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t }; typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t; typealias httpd_sys_script_t alias httpd_fastcgi_script_t; typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;