policy_module(apache,1.0) # # NOTES: # This policy will work with SUEXEC enabled as part of the Apache # configuration. However, the user CGI scripts will run under the # system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the # of the creating user. # # The user CGI scripts must be labeled with the httpd_$1_script_exec_t # type, and the directory containing the scripts should also be labeled # with these types. This policy allows user_r role to perform that # relabeling. If it is desired that only sysadm_r should be able to relabel # the user CGI scripts, then relabel rule for user_r should be removed. # ######################################## # # Declarations # attribute httpdcontent; type httpd_t; type httpd_exec_t; init_daemon_domain(httpd_t,httpd_exec_t) # httpd_cache_t is the type given to the /var/cache/httpd # directory and the files under that directory type httpd_cache_t; files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; files_type(httpd_config_t) type httpd_helper_t; domain_type(httpd_helper_t) role system_r types httpd_helper_t; type httpd_helper_exec_t; domain_entry_file(httpd_helper_t,httpd_helper_exec_t) type httpd_lock_t; files_lock_file(httpd_lock_t) type httpd_log_t; logging_log_file(httpd_log_t) # httpd_modules_t is the type given to module files (libraries) # that come with Apache /etc/httpd/modules and /usr/lib/apache type httpd_modules_t; files_type(httpd_modules_t) type httpd_php_t; domain_type(httpd_php_t) role system_r types httpd_php_t; type httpd_php_exec_t; domain_entry_file(httpd_php_t,httpd_php_exec_t) type httpd_php_tmp_t; files_tmp_file(httpd_php_tmp_t) type httpd_squirrelmail_t; files_type(httpd_squirrelmail_t) # SUEXEC runs user scripts as their own user ID type httpd_suexec_t; #, daemon; domain_type(httpd_suexec_t) role system_r types httpd_suexec_t; type httpd_suexec_exec_t; domain_entry_file(httpd_suexec_t,httpd_suexec_exec_t) type httpd_suexec_tmp_t; files_tmp_file(httpd_suexec_tmp_t) type httpd_tmp_t; files_tmp_file(httpd_tmp_t) type httpd_tmpfs_t; files_tmpfs_file(httpd_tmpfs_t) # Unconfined domain for apache scripts. # Only to be used as a last resort type httpd_unconfined_script_t; domain_type(httpd_unconfined_script_t) role system_r types httpd_unconfined_script_t; type httpd_unconfined_script_exec_t; # customizable files_type(httpd_unconfined_script_exec_t) # for apache2 memory mapped files type httpd_var_lib_t; files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) # File Type of squirrelmail attachments type squirrelmail_spool_t; files_tmp_file(squirrelmail_spool_t) ######################################## # # Apache server local policy # allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config }; dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; allow httpd_t self:fifo_file rw_file_perms; allow httpd_t self:shm create_shm_perms; allow httpd_t self:sem create_sem_perms; allow httpd_t self:msgq create_msgq_perms; allow httpd_t self:msg { send receive }; allow httpd_t self:unix_dgram_socket create_socket_perms; allow httpd_t self:unix_stream_socket create_stream_socket_perms; allow httpd_t self:unix_dgram_socket sendto; allow httpd_t self:unix_stream_socket connectto; allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; allow httpd_t self:tcp_socket { acceptfrom connectto recvfrom }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket { connect }; allow httpd_t self:tcp_socket connected_socket_perms; allow httpd_t self:udp_socket connected_socket_perms; # Allow httpd_t to put files in /var/cache/httpd etc allow httpd_t httpd_cache_t:dir create_dir_perms; allow httpd_t httpd_cache_t:file create_file_perms; allow httpd_t httpd_cache_t:lnk_file create_lnk_perms; # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir r_dir_perms; allow httpd_t httpd_config_t:file r_file_perms; allow httpd_t httpd_config_t:lnk_file { getattr read }; can_exec(httpd_t, httpd_exec_t) allow httpd_t httpd_lock_t:file create_file_perms; files_create_lock(httpd_t,httpd_lock_t) allow httpd_t httpd_log_t:dir { setattr rw_dir_perms }; allow httpd_t httpd_log_t:file { create ra_file_perms }; allow httpd_t httpd_log_t:lnk_file read; allow httpd_t httpd_modules_t:file rx_file_perms; allow httpd_t httpd_modules_t:dir r_dir_perms; allow httpd_t httpd_modules_t:lnk_file r_file_perms; allow httpd_t httpd_squirrelmail_t:dir create_dir_perms; allow httpd_t httpd_squirrelmail_t:lnk_file create_lnk_perms; allow httpd_t httpd_squirrelmail_t:file create_file_perms; allow httpd_t httpd_tmp_t:dir create_dir_perms; allow httpd_t httpd_tmp_t:file create_file_perms; files_create_tmp_files(httpd_t, httpd_tmp_t, { file dir }) allow httpd_t httpd_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; allow httpd_t httpd_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; allow httpd_t httpd_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; allow httpd_t httpd_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; allow httpd_t httpd_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; fs_create_tmpfs_data(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) allow httpd_t httpd_var_lib_t:file create_file_perms; allow httpd_t httpd_var_lib_t:dir create_dir_perms; files_create_var_lib(httpd_t,httpd_var_lib_t) allow httpd_t httpd_var_run_t:file create_file_perms; allow httpd_t httpd_var_run_t:sock_file create_file_perms; allow httpd_t httpd_var_run_t:dir rw_dir_perms; files_create_pid(httpd_t,httpd_var_run_t, { file sock_file }) allow httpd_t squirrelmail_spool_t:dir create_dir_perms; allow httpd_t squirrelmail_spool_t:file create_file_perms; allow httpd_t squirrelmail_spool_t:lnk_file create_lnk_perms; kernel_read_kernel_sysctl(httpd_t) kernel_tcp_recvfrom(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) corenet_tcp_sendrecv_all_if(httpd_t) corenet_udp_sendrecv_all_if(httpd_t) corenet_raw_sendrecv_all_if(httpd_t) corenet_tcp_sendrecv_all_nodes(httpd_t) corenet_udp_sendrecv_all_nodes(httpd_t) corenet_raw_sendrecv_all_nodes(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_all_nodes(httpd_t) corenet_udp_bind_all_nodes(httpd_t) corenet_tcp_bind_http_port(httpd_t) corenet_tcp_bind_http_cache_port(httpd_t) dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) dev_read_urand(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) term_dontaudit_use_console(httpd_t) # execute perl corecmd_exec_bin(httpd_t) corecmd_exec_sbin(httpd_t) domain_use_wide_inherit_fd(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) # for modules that want to access /etc/mtab files_read_etc_runtime_files(httpd_t) # Allow httpd_t to have access to files such as nisswitch.conf files_read_etc_files(httpd_t) init_use_fd(httpd_t) init_use_script_pty(httpd_t) libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) libs_read_lib(httpd_t) logging_send_syslog_msg(httpd_t) miscfiles_read_localization(httpd_t) miscfiles_read_fonts(httpd_t) seutil_dontaudit_search_config(httpd_t) sysnet_dns_name_resolve(httpd_t) sysnet_use_ldap(httpd_t) sysnet_read_config(httpd_t) userdom_use_unpriv_users_fd(httpd_t) userdom_dontaudit_search_sysadm_home_dir(httpd_t) mta_send_mail(httpd_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty(httpd_t) term_dontaudit_use_generic_pty(httpd_t) files_dontaudit_read_root_file(httpd_t) ') tunable_policy(`httpd_enable_cgi',` domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) allow httpd_t httpd_unconfined_script_t:fd use; allow httpd_unconfined_script_t httpd_t:fd use; allow httpd_unconfined_script_t httpd_t:fifo_file rw_file_perms; allow httpd_unconfined_script_t httpd_t:process sigchld; allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop }; allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms; ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_files(httpd_t) fs_read_nfs_symlinks(httpd_t) ') tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) ') tunable_policy(`httpd_can_network_connect',` allow httpd_t self:tcp_socket create_socket_perms; allow httpd_t self:udp_socket { connect }; allow httpd_t self:udp_socket connected_socket_perms; corenet_tcp_sendrecv_all_if(httpd_t) corenet_udp_sendrecv_all_if(httpd_t) corenet_raw_sendrecv_all_if(httpd_t) corenet_tcp_sendrecv_all_nodes(httpd_t) corenet_udp_sendrecv_all_nodes(httpd_t) corenet_raw_sendrecv_all_nodes(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_all_nodes(httpd_t) corenet_udp_bind_all_nodes(httpd_t) corenet_tcp_connect_all_ports(httpd_t) sysnet_read_config(httpd_t) ') optional_policy(`kerberos.te',` kerberos_use(httpd_t) ') optional_policy(`mta.te',` # apache should set close-on-exec dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') optional_policy(`mysql.te',` mysql_stream_connect(httpd_t) ') optional_policy(`nis.te',` nis_use_ypbind(httpd_t) ') optional_policy(`nscd.te',` nscd_use_socket(httpd_t) ') optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(httpd_t) ') optional_policy(`udev.te', ` udev_read_db(httpd_t) ') ifdef(`TODO',` optional_policy(`rhgb.te',` rhgb_domain(httpd_t) ') allow httpd_t var_log_t:dir ra_dir_perms; type_transition httpd_t var_log_t:file httpd_log_t; can_tcp_connect(web_client_domain, httpd_t) allow httpd_t crypt_device_t:chr_file rw_file_perms; # for tomcat allow httpd_t var_lib_t:lnk_file { getattr read }; ######################################### # Allow httpd to search users directories ######################################### allow httpd_t home_root_t:dir { getattr search }; dontaudit httpd_t sysadm_home_dir_t:dir getattr; # Allow apache to used ftpd_anon_t anonymous_domain(httpd) optional_policy(`mysql.te',` allow httpd_t mysqld_db_t:dir search; allow httpd_t mysqld_db_t:sock_file rw_file_perms; ') ifdef(`snmpd.te', ` dontaudit httpd_t snmpd_var_lib_t:dir search; dontaudit httpd_t snmpd_var_lib_t:file { getattr write read }; ', ` dontaudit httpd_t usr_t:dir write; ') r_dir_file(initrc_t, httpd_config_t) allow initrc_t httpd_modules_t:dir r_dir_perms; # setup the system domain for system CGI scripts dontaudit httpd_sys_script_t httpd_config_t:dir search; allow httpd_sys_script_t httpd_t:tcp_socket { read write }; kernel_read_kernel_sysctl(httpd_sys_script_t) allow httpd_sys_script_t var_spool_t:dir { getattr search }; r_dir_file(httpd_sys_script_t, squirrelmail_spool_t) allow httpd_sys_script_t httpd_squirrelmail_t:file { append read }; allow httpd_sys_script_t var_lib_t:dir search; # Run SSI execs in system CGI script domain. tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_t httpd_sys_script_t:fd use; allow httpd_sys_script_t httpd_t:fd use; allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms; allow httpd_sys_script_t httpd_t:process sigchld; ') optional_policy(`mysql.te',` allow httpd_sys_script_t mysqld_db_t:dir search; allow httpd_sys_script_t mysqld_db_t:sock_file rw_file_perms; mysql_stream_connect(httpd_sys_script_t) ') ifdef(`targeted_policy', ` typealias httpd_sys_content_t alias httpd_user_content_t; typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t; if (httpd_enable_homedirs) { allow httpd_t user_home_dir_t:dir { getattr search }; } if (httpd_enable_homedirs) { allow httpd_sys_script_t user_home_dir_t:dir { getattr search }; } if (httpd_enable_homedirs) { allow httpd_suexec_t user_home_dir_t:dir { getattr search }; } ') # We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context typealias httpd_sys_content_t alias httpd_sysadm_content_t; ifdef(`distro_redhat',` # mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat # This is a bug but it still exists in FC2 typealias httpd_log_t alias httpd_runtime_t; allow httpd_sys_script_t httpd_log_t:file { getattr append }; ') ######################################## # When the admin starts the server, the server wants to access # the TTY or PTY associated with the session. The httpd appears # to run correctly without this permission, so the permission # are dontaudited here. ################################################## if (httpd_tty_comm) { allow { httpd_t httpd_helper_t } devpts_t:dir search; allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write }; } else { dontaudit httpd_t admin_tty_type:chr_file rw_file_perms; } r_dir_file(httpd_t, cert_t) dontaudit httpd_suexec_t var_run_t:dir search; allow httpd_suexec_t home_root_t:dir search; if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) { domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t) allow httpd_suexec_t httpd_sys_script_t:fd use; allow httpd_sys_script_t httpd_suexec_t:fd use; allow httpd_sys_script_t httpd_suexec_t:fifo_file rw_file_perms; allow httpd_sys_script_t httpd_suexec_t:process sigchld; ifdef(`targeted_policy', `', ` domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t) ') } if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) { domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t) allow httpd_t httpd_sys_script_t:fd use; allow httpd_sys_script_t httpd_t:fd use; allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms; allow httpd_sys_script_t httpd_t:process sigchld; allow httpd_t httpdcontent:dir create_dir_perms; allow httpd_t httpdcontent:file create_file_perms; allow httpd_t httpdcontent:lnk_file create_lnk_perms; } tunable_policy(`httpd_enable_cgi',` domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) ') optional_policy(`mta.te',` # apache should set close-on-exec dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write }; dontaudit system_mail_t httpd_log_t:file { append getattr }; allow system_mail_t httpd_squirrelmail_t:file { append read }; dontaudit system_mail_t httpd_t:tcp_socket { read write }; ') ') dnl end TODO ######################################## # # Apache helper local policy # domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t) allow httpd_t httpd_helper_t:fd use; allow httpd_helper_t httpd_t:fd use; allow httpd_helper_t httpd_t:fifo_file rw_file_perms; allow httpd_helper_t httpd_t:process sigchld; allow httpd_helper_t httpd_config_t:file { getattr read }; allow httpd_helper_t httpd_log_t:file append; libs_use_ld_so(httpd_helper_t) libs_use_shared_libs(httpd_helper_t) # a "run" interface needs to be # added, and have sysadm_t use it # in a optional_policy block. for httpd_helper_t ######################################## # # Apache PHP script local policy # allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_php_t self:fd use; allow httpd_php_t self:fifo_file rw_file_perms; allow httpd_php_t self:unix_dgram_socket create_socket_perms; allow httpd_php_t self:unix_stream_socket create_stream_socket_perms; allow httpd_php_t self:unix_dgram_socket sendto; allow httpd_php_t self:unix_stream_socket connectto; allow httpd_php_t self:shm create_shm_perms; allow httpd_php_t self:sem create_sem_perms; allow httpd_php_t self:msgq create_msgq_perms; allow httpd_php_t self:msg { send receive }; domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t) allow httpd_t httpd_php_t:fd use; allow httpd_php_t httpd_t:fd use; allow httpd_php_t httpd_t:fifo_file rw_file_perms; allow httpd_php_t httpd_t:process sigchld; # allow php to read and append to apache logfiles allow httpd_php_t httpd_log_t:file ra_file_perms; allow httpd_php_t httpd_php_tmp_t:dir create_dir_perms; allow httpd_php_t httpd_php_tmp_t:file create_file_perms; files_create_tmp_files(httpd_php_t, httpd_php_tmp_t, { file dir }) fs_search_auto_mountpoints(httpd_php_t) libs_exec_lib_files(httpd_php_t) libs_use_ld_so(httpd_php_t) libs_use_shared_libs(httpd_php_t) userdom_use_unpriv_users_fd(httpd_php_t) optional_policy(`mysql.te',` mysql_stream_connect(httpd_php_t) ') optional_policy(`nis.te',` nis_use_ypbind(httpd_php_t) ') ######################################## # # Apache suexec local policy # allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; # cjp: need transitionbool domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) allow httpd_t httpd_suexec_t:fd use; allow httpd_suexec_t httpd_t:fd use; allow httpd_suexec_t httpd_t:fifo_file rw_file_perms; allow httpd_suexec_t httpd_t:process sigchld; allow httpd_suexec_t httpd_log_t:dir ra_dir_perms; allow httpd_suexec_t httpd_log_t:file { create ra_file_perms }; allow httpd_suexec_t httpd_t:fifo_file getattr; allow httpd_suexec_t httpd_suexec_tmp_t:dir create_dir_perms; allow httpd_suexec_t httpd_suexec_tmp_t:file create_file_perms; files_create_tmp_files(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) kernel_read_kernel_sysctl(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) dev_read_urand(httpd_suexec_t) fs_search_auto_mountpoints(httpd_suexec_t) # for shell scripts corecmd_exec_bin(httpd_suexec_t) corecmd_exec_shell(httpd_suexec_t) files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) libs_use_ld_so(httpd_suexec_t) libs_use_shared_libs(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; allow httpd_suexec_t self:udp_socket create_socket_perms; corenet_tcp_sendrecv_all_if(httpd_suexec_t) corenet_udp_sendrecv_all_if(httpd_suexec_t) corenet_raw_sendrecv_all_if(httpd_suexec_t) corenet_tcp_sendrecv_all_nodes(httpd_suexec_t) corenet_udp_sendrecv_all_nodes(httpd_suexec_t) corenet_raw_sendrecv_all_nodes(httpd_suexec_t) corenet_tcp_sendrecv_all_ports(httpd_suexec_t) corenet_udp_sendrecv_all_ports(httpd_suexec_t) corenet_tcp_bind_all_nodes(httpd_suexec_t) corenet_udp_bind_all_nodes(httpd_suexec_t) corenet_tcp_connect_all_ports(httpd_suexec_t) sysnet_read_config(httpd_suexec_t) ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_execute_nfs_files(httpd_suexec_t) ') tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) fs_execute_cifs_files(httpd_suexec_t) ') optional_policy(`mount.te',` tunable_policy(`httpd_can_network_connect',` mount_send_nfs_client_request(httpd_suexec_t) ') ') optional_policy(`nis.te',` nis_use_ypbind(httpd_suexec_t) ') ######################################## # # Apache system script local policy # apache_content_template(sys) ######################################## # # Apache unconfined script local policy # unconfined_domain_template(httpd_unconfined_script_t) optional_policy(`nscd.te',` nscd_use_socket(httpd_unconfined_script_t) ')