410 lines
13 KiB
Plaintext
410 lines
13 KiB
Plaintext
#DESC Apache - Web server
|
|
#
|
|
# X-Debian-Packages: apache2-common apache
|
|
#
|
|
###############################################################################
|
|
#
|
|
# Policy file for running the Apache web server
|
|
#
|
|
# NOTES:
|
|
# This policy will work with SUEXEC enabled as part of the Apache
|
|
# configuration. However, the user CGI scripts will run under the
|
|
# system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
|
|
# of the creating user.
|
|
#
|
|
# The user CGI scripts must be labeled with the httpd_$1_script_exec_t
|
|
# type, and the directory containing the scripts should also be labeled
|
|
# with these types. This policy allows user_r role to perform that
|
|
# relabeling. If it is desired that only sysadm_r should be able to relabel
|
|
# the user CGI scripts, then relabel rule for user_r should be removed.
|
|
#
|
|
###############################################################################
|
|
|
|
define(`httpd_home_dirs', `
|
|
r_dir_file(httpd_t, $1)
|
|
r_dir_file(httpd_suexec_t, $1)
|
|
can_exec(httpd_suexec_t, $1)
|
|
')
|
|
|
|
bool httpd_unified false;
|
|
|
|
# Allow httpd to use built in scripting (usually php)
|
|
bool httpd_builtin_scripting false;
|
|
|
|
# Allow httpd cgi support
|
|
bool httpd_enable_cgi false;
|
|
|
|
# Allow httpd to read home directories
|
|
bool httpd_enable_homedirs false;
|
|
|
|
# Run SSI execs in system CGI script domain.
|
|
bool httpd_ssi_exec false;
|
|
|
|
# Allow http daemon to communicate with the TTY
|
|
bool httpd_tty_comm false;
|
|
|
|
# Allow http daemon to tcp connect
|
|
bool httpd_can_network_connect false;
|
|
|
|
#########################################################
|
|
# Apache types
|
|
#########################################################
|
|
# httpd_config_t is the type given to the configuration
|
|
# files for apache /etc/httpd/conf
|
|
#
|
|
type httpd_config_t, file_type, sysadmfile;
|
|
|
|
# httpd_modules_t is the type given to module files (libraries)
|
|
# that come with Apache /etc/httpd/modules and /usr/lib/apache
|
|
#
|
|
type httpd_modules_t, file_type, sysadmfile;
|
|
|
|
# httpd_cache_t is the type given to the /var/cache/httpd
|
|
# directory and the files under that directory
|
|
#
|
|
type httpd_cache_t, file_type, sysadmfile;
|
|
|
|
# httpd_exec_t is the type give to the httpd executable.
|
|
#
|
|
daemon_domain(httpd, `, privmail, nscd_client_domain')
|
|
|
|
append_logdir_domain(httpd)
|
|
#can read /etc/httpd/logs
|
|
allow httpd_t httpd_log_t:lnk_file read;
|
|
|
|
# For /etc/init.d/apache2 reload
|
|
can_tcp_connect(httpd_t, httpd_t)
|
|
|
|
can_tcp_connect(web_client_domain, httpd_t)
|
|
|
|
can_exec(httpd_t, httpd_exec_t)
|
|
file_type_auto_trans(httpd_t, var_run_t, httpd_var_run_t, sock_file)
|
|
|
|
general_domain_access(httpd_t)
|
|
|
|
allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
|
|
|
|
read_sysctl(httpd_t)
|
|
|
|
allow httpd_t crypt_device_t:chr_file rw_file_perms;
|
|
|
|
# for modules that want to access /etc/mtab and /proc/meminfo
|
|
allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
|
|
|
|
uses_shlib(httpd_t)
|
|
allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
|
|
allow httpd_t usr_t:lnk_file { getattr read };
|
|
|
|
# for apache2 memory mapped files
|
|
var_lib_domain(httpd)
|
|
|
|
# for tomcat
|
|
r_dir_file(httpd_t, var_lib_t)
|
|
|
|
# execute perl
|
|
allow httpd_t { bin_t sbin_t }:dir r_dir_perms;
|
|
can_exec(httpd_t, { bin_t sbin_t })
|
|
allow httpd_t bin_t:lnk_file read;
|
|
|
|
########################################
|
|
# Set up networking
|
|
########################################
|
|
|
|
can_network_server(httpd_t)
|
|
can_kerberos(httpd_t)
|
|
can_resolve(httpd_t)
|
|
nsswitch_domain(httpd_t)
|
|
allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
|
|
# allow httpd to connect to mysql/posgresql
|
|
allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
|
|
# allow httpd to work as a relay
|
|
allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
|
|
|
|
if (httpd_can_network_connect) {
|
|
can_network_client(httpd_t)
|
|
allow httpd_t port_type:tcp_socket name_connect;
|
|
}
|
|
|
|
##########################################
|
|
# Legacy: remove when it's fixed #
|
|
# Allow libphp5.so with text relocations #
|
|
##########################################
|
|
allow httpd_t texrel_shlib_t:file execmod;
|
|
|
|
#########################################
|
|
# Allow httpd to search users directories
|
|
#########################################
|
|
allow httpd_t home_root_t:dir { getattr search };
|
|
dontaudit httpd_t sysadm_home_dir_t:dir getattr;
|
|
|
|
############################################################################
|
|
# Allow the httpd_t the capability to bind to a port and various other stuff
|
|
############################################################################
|
|
allow httpd_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
|
|
dontaudit httpd_t self:capability net_admin;
|
|
|
|
#################################################
|
|
# Allow the httpd_t to read the web servers config files
|
|
###################################################
|
|
r_dir_file(httpd_t, httpd_config_t)
|
|
# allow logrotate to read the config files for restart
|
|
ifdef(`logrotate.te', `
|
|
r_dir_file(logrotate_t, httpd_config_t)
|
|
domain_auto_trans(logrotate_t, httpd_exec_t, httpd_t)
|
|
allow logrotate_t httpd_t:process signull;
|
|
')
|
|
r_dir_file(initrc_t, httpd_config_t)
|
|
##################################################
|
|
|
|
###############################
|
|
# Allow httpd_t to put files in /var/cache/httpd etc
|
|
##############################
|
|
create_dir_file(httpd_t, httpd_cache_t)
|
|
|
|
###############################
|
|
# Allow httpd_t to access the tmpfs file system
|
|
##############################
|
|
tmpfs_domain(httpd)
|
|
|
|
#####################
|
|
# Allow httpd_t to access
|
|
# libraries for its modules
|
|
###############################
|
|
allow httpd_t httpd_modules_t:file rx_file_perms;
|
|
allow httpd_t httpd_modules_t:dir r_dir_perms;
|
|
allow httpd_t httpd_modules_t:lnk_file r_file_perms;
|
|
|
|
######################################################################
|
|
# Allow initrc_t to access the Apache modules directory.
|
|
######################################################################
|
|
allow initrc_t httpd_modules_t:dir r_dir_perms;
|
|
|
|
##############################################
|
|
# Allow httpd_t to have access to files
|
|
# such as nisswitch.conf
|
|
# need ioctl for php
|
|
###############################################
|
|
allow httpd_t etc_t:file { read getattr ioctl };
|
|
allow httpd_t etc_t:lnk_file { getattr read };
|
|
|
|
# setup the system domain for system CGI scripts
|
|
apache_domain(sys)
|
|
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
|
|
|
# Run SSI execs in system CGI script domain.
|
|
if (httpd_ssi_exec) {
|
|
domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t)
|
|
}
|
|
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
|
|
|
##################################################
|
|
#
|
|
# PHP Directives
|
|
##################################################
|
|
|
|
type httpd_php_exec_t, file_type, sysadmfile, exec_type;
|
|
type httpd_php_t, domain;
|
|
|
|
# Transition from the user domain to this domain.
|
|
domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t)
|
|
|
|
# The system role is authorized for this domain.
|
|
role system_r types httpd_php_t;
|
|
|
|
general_domain_access(httpd_php_t)
|
|
uses_shlib(httpd_php_t)
|
|
can_exec(httpd_php_t, lib_t)
|
|
|
|
# allow php to read and append to apache logfiles
|
|
allow httpd_php_t httpd_log_t:file ra_file_perms;
|
|
|
|
# access to /tmp
|
|
tmp_domain(httpd)
|
|
tmp_domain(httpd_php)
|
|
|
|
# Creation of lock files for apache2
|
|
lock_domain(httpd)
|
|
|
|
# Allow apache to used public_content_t
|
|
anonymous_domain(httpd)
|
|
|
|
# connect to mysql
|
|
ifdef(`mysqld.te', `
|
|
can_unix_connect(httpd_php_t, mysqld_t)
|
|
can_unix_connect(httpd_t, mysqld_t)
|
|
can_unix_connect(httpd_sys_script_t, mysqld_t)
|
|
allow httpd_php_t mysqld_var_run_t:dir search;
|
|
allow httpd_php_t mysqld_var_run_t:sock_file write;
|
|
allow { httpd_t httpd_sys_script_t } mysqld_db_t:dir search;
|
|
allow { httpd_t httpd_sys_script_t } mysqld_db_t:sock_file rw_file_perms;
|
|
allow { httpd_t httpd_sys_script_t } mysqld_var_run_t:sock_file rw_file_perms;
|
|
')
|
|
allow httpd_t bin_t:dir search;
|
|
allow httpd_t sbin_t:dir search;
|
|
allow httpd_t httpd_log_t:dir remove_name;
|
|
|
|
read_fonts(httpd_t)
|
|
|
|
allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
|
|
|
|
allow httpd_t autofs_t:dir { search getattr };
|
|
|
|
if (use_nfs_home_dirs && httpd_enable_homedirs) {
|
|
httpd_home_dirs(nfs_t)
|
|
}
|
|
if (use_samba_home_dirs && httpd_enable_homedirs) {
|
|
httpd_home_dirs(cifs_t)
|
|
}
|
|
|
|
#
|
|
# Allow users to mount additional directories as http_source
|
|
#
|
|
allow httpd_t mnt_t:dir r_dir_perms;
|
|
|
|
ifdef(`targeted_policy', `
|
|
typealias httpd_sys_content_t alias httpd_user_content_t;
|
|
typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
|
|
|
|
if (httpd_enable_homedirs) {
|
|
allow { httpd_t httpd_sys_script_t httpd_suexec_t } user_home_dir_t:dir { getattr search };
|
|
}
|
|
') dnl targeted policy
|
|
|
|
# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
|
|
typealias httpd_sys_content_t alias httpd_sysadm_content_t;
|
|
|
|
ifdef(`distro_redhat', `
|
|
#
|
|
# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
|
|
# This is a bug but it still exists in FC2
|
|
#
|
|
typealias httpd_log_t alias httpd_runtime_t;
|
|
allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append };
|
|
dontaudit httpd_t httpd_runtime_t:file ioctl;
|
|
') dnl distro_redhat
|
|
#
|
|
# Customer reported the following
|
|
#
|
|
ifdef(`snmpd.te', `
|
|
dontaudit httpd_t snmpd_var_lib_t:dir search;
|
|
dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
|
|
', `
|
|
dontaudit httpd_t usr_t:dir write;
|
|
')
|
|
|
|
application_domain(httpd_helper)
|
|
role system_r types httpd_helper_t;
|
|
domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
|
|
allow httpd_helper_t httpd_config_t:file { getattr read };
|
|
allow httpd_helper_t httpd_log_t:file { append };
|
|
|
|
########################################
|
|
# When the admin starts the server, the server wants to access
|
|
# the TTY or PTY associated with the session. The httpd appears
|
|
# to run correctly without this permission, so the permission
|
|
# are dontaudited here.
|
|
##################################################
|
|
|
|
if (httpd_tty_comm) {
|
|
allow { httpd_t httpd_helper_t } devpts_t:dir search;
|
|
ifdef(`targeted_policy', `
|
|
allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file rw_file_perms;
|
|
')
|
|
allow { httpd_t httpd_helper_t } admin_tty_type:chr_file rw_file_perms;
|
|
} else {
|
|
dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
|
|
}
|
|
|
|
read_sysctl(httpd_sys_script_t)
|
|
allow httpd_sys_script_t var_lib_t:dir search;
|
|
dontaudit httpd_t selinux_config_t:dir search;
|
|
r_dir_file(httpd_t, cert_t)
|
|
|
|
#
|
|
# unconfined domain for apache scripts. Only to be used as a last resort
|
|
#
|
|
type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable;
|
|
type httpd_unconfined_script_t, domain, nscd_client_domain;
|
|
role system_r types httpd_unconfined_script_t;
|
|
unconfined_domain(httpd_unconfined_script_t)
|
|
|
|
# The following are types for SUEXEC,which runs user scripts as their
|
|
# own user ID
|
|
#
|
|
daemon_sub_domain(httpd_t, httpd_suexec, `, transitionbool')
|
|
allow httpd_t httpd_suexec_exec_t:file { getattr read };
|
|
|
|
#########################################################
|
|
# Permissions for running child processes and scripts
|
|
##########################################################
|
|
|
|
allow httpd_suexec_t self:capability { setuid setgid };
|
|
|
|
dontaudit httpd_suexec_t var_run_t:dir search;
|
|
allow httpd_suexec_t { var_t var_log_t }:dir search;
|
|
allow httpd_suexec_t home_root_t:dir search;
|
|
|
|
allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
|
|
allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
|
|
allow httpd_suexec_t httpd_t:fifo_file getattr;
|
|
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
allow httpd_suexec_t etc_t:file { getattr read };
|
|
read_locale(httpd_suexec_t)
|
|
read_sysctl(httpd_suexec_t)
|
|
allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
|
|
|
|
# for shell scripts
|
|
allow httpd_suexec_t bin_t:dir search;
|
|
allow httpd_suexec_t bin_t:lnk_file read;
|
|
can_exec(httpd_suexec_t, { bin_t shell_exec_t })
|
|
|
|
if (httpd_can_network_connect) {
|
|
can_network(httpd_suexec_t)
|
|
allow httpd_suexec_t port_type:tcp_socket name_connect;
|
|
}
|
|
|
|
can_ypbind(httpd_suexec_t)
|
|
allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
|
|
|
|
allow httpd_suexec_t autofs_t:dir { search getattr };
|
|
tmp_domain(httpd_suexec)
|
|
|
|
if (httpd_enable_cgi && httpd_unified) {
|
|
domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
|
|
ifdef(`targeted_policy', `', `
|
|
domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
|
|
')
|
|
}
|
|
if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting) {
|
|
domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
|
|
create_dir_file(httpd_t, httpdcontent)
|
|
}
|
|
if (httpd_enable_cgi) {
|
|
domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
|
|
domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
|
|
allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
|
|
allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
|
|
}
|
|
|
|
#
|
|
# Types for squirrelmail
|
|
#
|
|
type httpd_squirrelmail_t, file_type, sysadmfile;
|
|
create_dir_file(httpd_t, httpd_squirrelmail_t)
|
|
allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
|
|
# File Type of squirrelmail attachments
|
|
type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
|
|
allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
|
|
create_dir_file(httpd_t, squirrelmail_spool_t)
|
|
r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
|
|
|
|
ifdef(`mta.te', `
|
|
# apache should set close-on-exec
|
|
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
|
dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
|
|
dontaudit system_mail_t httpd_log_t:file { append getattr };
|
|
allow system_mail_t httpd_squirrelmail_t:file { append read };
|
|
dontaudit system_mail_t httpd_t:tcp_socket { read write };
|
|
')
|