193 lines
7.2 KiB
Plaintext
193 lines
7.2 KiB
Plaintext
|
|
define(`apache_domain', `
|
|
|
|
#This type is for webpages
|
|
#
|
|
type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable;
|
|
|
|
# This type is used for .htaccess files
|
|
#
|
|
type httpd_$1_htaccess_t, file_type, sysadmfile, customizable;
|
|
allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
|
|
|
|
# This type is used for executable scripts files
|
|
#
|
|
type httpd_$1_script_exec_t, file_type, sysadmfile, customizable;
|
|
|
|
# Type that CGI scripts run as
|
|
type httpd_$1_script_t, domain, privmail, nscd_client_domain;
|
|
role system_r types httpd_$1_script_t;
|
|
uses_shlib(httpd_$1_script_t)
|
|
|
|
if (httpd_enable_cgi) {
|
|
domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
|
allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
|
|
allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
|
|
|
|
allow httpd_$1_script_t httpd_t:fd use;
|
|
allow httpd_$1_script_t httpd_t:process sigchld;
|
|
|
|
allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl };
|
|
allow httpd_$1_script_t usr_t:lnk_file { getattr read };
|
|
|
|
allow httpd_$1_script_t self:process { fork signal_perms };
|
|
|
|
allow httpd_$1_script_t devtty_t:chr_file { getattr read write };
|
|
allow httpd_$1_script_t urandom_device_t:chr_file { getattr read };
|
|
allow httpd_$1_script_t etc_runtime_t:file { getattr read };
|
|
read_locale(httpd_$1_script_t)
|
|
allow httpd_$1_script_t fs_t:filesystem getattr;
|
|
allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
allow httpd_$1_script_t { self proc_t }:file r_file_perms;
|
|
allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
|
|
allow httpd_$1_script_t { self proc_t }:lnk_file read;
|
|
|
|
allow httpd_$1_script_t device_t:dir { getattr search };
|
|
allow httpd_$1_script_t null_device_t:chr_file rw_file_perms;
|
|
}
|
|
|
|
if (httpd_enable_cgi && httpd_can_network_connect) {
|
|
can_network(httpd_$1_script_t)
|
|
allow httpd_$1_script_t port_type:tcp_socket name_connect;
|
|
}
|
|
|
|
ifdef(`ypbind.te', `
|
|
if (httpd_enable_cgi && allow_ypbind) {
|
|
uncond_can_ypbind(httpd_$1_script_t)
|
|
}
|
|
')
|
|
# The following are the only areas that
|
|
# scripts can read, read/write, or append to
|
|
#
|
|
type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile, customizable;
|
|
type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;
|
|
type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
|
|
file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
|
|
|
|
#########################################################
|
|
# Permissions for running child processes and scripts
|
|
##########################################################
|
|
allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
|
|
|
|
domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
|
|
|
allow httpd_$1_script_t httpd_t:fifo_file write;
|
|
|
|
allow httpd_$1_script_t self:fifo_file rw_file_perms;
|
|
|
|
allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms;
|
|
|
|
###########################################################################
|
|
# Allow the script interpreters to run the scripts. So
|
|
# the perl executable will be able to run a perl script
|
|
#########################################################################
|
|
can_exec_any(httpd_$1_script_t)
|
|
allow httpd_$1_script_t etc_t:file { getattr read };
|
|
dontaudit httpd_$1_script_t selinux_config_t:dir search;
|
|
|
|
############################################################################
|
|
# Allow the script process to search the cgi directory, and users directory
|
|
##############################################################################
|
|
allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
|
|
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
|
|
allow httpd_$1_script_t home_root_t:dir { getattr search };
|
|
allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
|
|
|
|
#############################################################################
|
|
# Allow the scripts to read, read/write, append to the specified directories
|
|
# or files
|
|
############################################################################
|
|
read_fonts(httpd_$1_script_t)
|
|
r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
|
|
create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
|
|
ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
|
|
|
|
if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
|
|
create_dir_file(httpd_$1_script_t, httpdcontent)
|
|
can_exec(httpd_$1_script_t, httpdcontent)
|
|
}
|
|
|
|
#
|
|
# If a user starts a script by hand it gets the proper context
|
|
#
|
|
ifdef(`targeted_policy', `', `
|
|
if (httpd_enable_cgi) {
|
|
domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
|
}
|
|
')
|
|
role sysadm_r types httpd_$1_script_t;
|
|
|
|
dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
|
|
dontaudit httpd_$1_script_t sysctl_t:dir search;
|
|
|
|
############################################
|
|
# Allow scripts to append to http logs
|
|
#########################################
|
|
allow httpd_$1_script_t { var_t var_log_t httpd_log_t }:dir search;
|
|
allow httpd_$1_script_t httpd_log_t:file { getattr append };
|
|
|
|
# apache should set close-on-exec
|
|
dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
|
|
|
|
################################################################
|
|
# Allow the web server to run scripts and serve pages
|
|
##############################################################
|
|
if (httpd_builtin_scripting) {
|
|
r_dir_file(httpd_t, httpd_$1_script_ro_t)
|
|
create_dir_file(httpd_t, httpd_$1_script_rw_t)
|
|
ra_dir_file(httpd_t, httpd_$1_script_ra_t)
|
|
}
|
|
r_dir_file(httpd_t, httpd_$1_content_t)
|
|
|
|
')
|
|
define(`apache_user_domain', `
|
|
|
|
apache_domain($1)
|
|
|
|
typeattribute httpd_$1_content_t $1_file_type;
|
|
|
|
if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
|
|
domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
|
|
}
|
|
|
|
if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
|
|
# If a user starts a script by hand it gets the proper context
|
|
domain_auto_trans($1_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
|
}
|
|
role $1_r types httpd_$1_script_t;
|
|
|
|
#######################################
|
|
# Allow user to create or edit web content
|
|
#########################################
|
|
|
|
create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t })
|
|
allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom };
|
|
|
|
######################################################################
|
|
# Allow the user to create htaccess files
|
|
#####################################################################
|
|
|
|
allow $1_t httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
|
|
|
|
#########################################################################
|
|
# Allow user to create files or directories
|
|
# that scripts are able to read, write, or append to
|
|
###########################################################################
|
|
|
|
create_dir_file($1_t, { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t })
|
|
allow $1_t { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:{ file dir lnk_file } { relabelto relabelfrom };
|
|
|
|
# allow accessing files/dirs below the users home dir
|
|
if (httpd_enable_homedirs) {
|
|
allow { httpd_t httpd_suexec_t httpd_$1_script_t } $1_home_dir_t:dir { getattr search };
|
|
ifdef(`nfs_home_dirs', `
|
|
r_dir_file(httpd_$1_script_t, nfs_t)
|
|
')dnl end if nfs_home_dirs
|
|
}
|
|
ifdef(`crond.te', `
|
|
create_dir_file($1_crond_t, httpd_$1_content_t)
|
|
')
|
|
|
|
')
|