rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
1900668638
selinux-policy/policy/modules/services/apache.if
Chris PeBenito 1900668638 trunk: Unified labeled networking policy from Paul Moore. 
The latest revision of the labeled policy patches which enable both labeled 
and unlabeled policy support for NetLabel.  This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access.  The older, transport layer specific interfaces, are still  
present for use by third-party modules but are not used in the default policy
modules.

trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinquish between actual unlabeled packets and those packets which have MLS
security attributes.
2007-06-27 15:23:21 +00:00

1005 lines
26 KiB
Plaintext
Raw Blame History

## <summary>Apache web server</summary>
########################################
## <summary>
## Create a set of derived types for apache
## web content.
## </summary>
## <param name="prefix">
## <summary>
## The prefix to be used for deriving type names.
## </summary>
## </param>
#
template(`apache_content_template',`
gen_require(`
attribute httpdcontent;
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
')
# allow write access to public file transfer
# services files.
gen_tunable(allow_httpd_$1_script_anon_write,false)
#This type is for webpages
type httpd_$1_content_t, httpdcontent; # customizable
files_type(httpd_$1_content_t)
# This type is used for .htaccess files
type httpd_$1_htaccess_t; # customizable;
files_type(httpd_$1_htaccess_t)
# Type that CGI scripts run as
type httpd_$1_script_t;
domain_type(httpd_$1_script_t)
role system_r types httpd_$1_script_t;
# This type is used for executable scripts files
type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
corecmd_shell_entry_type(httpd_$1_script_t)
domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)
# The following three are the only areas that
# scripts can read, read/write, or append to
type httpd_$1_script_ro_t, httpdcontent; # customizable
files_type(httpd_$1_script_ro_t)
type httpd_$1_script_rw_t, httpdcontent; # customizable
files_type(httpd_$1_script_rw_t)
type httpd_$1_script_ra_t, httpdcontent; # customizable
files_type(httpd_$1_script_ra_t)
allow httpd_t httpd_$1_htaccess_t:file read_file_perms;
domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;
allow httpd_$1_script_t self:fifo_file rw_file_perms;
allow httpd_$1_script_t self:unix_stream_socket connectto;
allow httpd_$1_script_t httpd_t:fifo_file write;
# apache should set close-on-exec
dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
# Allow the script process to search the cgi directory, and users directory
allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
append_files_pattern(httpd_$1_script_t,httpd_log_t,httpd_log_t)
logging_search_logs(httpd_$1_script_t)
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms;
allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
read_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
append_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms;
read_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
manage_dirs_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
manage_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
manage_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
manage_fifo_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
manage_sock_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
dev_read_rand(httpd_$1_script_t)
dev_read_urand(httpd_$1_script_t)
corecmd_exec_all_executables(httpd_$1_script_t)
files_exec_etc_files(httpd_$1_script_t)
files_read_etc_files(httpd_$1_script_t)
files_search_home(httpd_$1_script_t)
libs_use_ld_so(httpd_$1_script_t)
libs_use_shared_libs(httpd_$1_script_t)
libs_exec_ld_so(httpd_$1_script_t)
libs_exec_lib_files(httpd_$1_script_t)
miscfiles_read_fonts(httpd_$1_script_t)
miscfiles_read_public_files(httpd_$1_script_t)
seutil_dontaudit_search_config(httpd_$1_script_t)
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_$1_script_t httpdcontent:file entrypoint;
manage_dirs_pattern(httpd_$1_script_t,httpdcontent,httpdcontent)
manage_files_pattern(httpd_$1_script_t,httpdcontent,httpdcontent)
manage_lnk_files_pattern(httpd_$1_script_t,httpdcontent,httpdcontent)
can_exec(httpd_$1_script_t, httpdcontent)
')
tunable_policy(`allow_httpd_$1_script_anon_write',`
miscfiles_manage_public_files(httpd_$1_script_t)
')
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
manage_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
manage_lnk_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
rw_sock_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
allow httpd_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
read_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
append_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
read_lnk_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
allow httpd_t httpd_$1_script_ro_t:dir list_dir_perms;
read_files_pattern(httpd_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
read_lnk_files_pattern(httpd_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
read_lnk_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
')
tunable_policy(`httpd_enable_cgi',`
allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
# privileged users run the script:
domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
# apache runs the script:
domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
allow httpd_$1_script_t self:process { setsched signal_perms };
allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_$1_script_t httpd_t:fd use;
allow httpd_$1_script_t httpd_t:process sigchld;
kernel_read_system_state(httpd_$1_script_t)
dev_read_urand(httpd_$1_script_t)
fs_getattr_xattr_fs(httpd_$1_script_t)
files_read_etc_runtime_files(httpd_$1_script_t)
files_read_usr_files(httpd_$1_script_t)
libs_read_lib_files(httpd_$1_script_t)
miscfiles_read_localization(httpd_$1_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_$1_script_t self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
corenet_all_recvfrom_netlabel(httpd_$1_script_t)
corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
corenet_udp_sendrecv_all_if(httpd_$1_script_t)
corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t)
corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t)
sysnet_read_config(httpd_$1_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_$1_script_t self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
corenet_all_recvfrom_netlabel(httpd_$1_script_t)
corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
corenet_udp_sendrecv_all_if(httpd_$1_script_t)
corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
corenet_tcp_connect_all_ports(httpd_$1_script_t)
corenet_sendrecv_all_client_packets(httpd_$1_script_t)
sysnet_read_config(httpd_$1_script_t)
')
optional_policy(`
mta_send_mail(httpd_$1_script_t)
')
optional_policy(`
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
nis_use_ypbind_uncond(httpd_$1_script_t)
')
')
optional_policy(`
nscd_socket_use(httpd_$1_script_t)
')
')
#######################################
## <summary>
## The per role template for the apache module.
## </summary>
## <desc>
## <p>
## This template creates types used for web pages
## and web cgi to be used from the user home directory.
## </p>
## <p>
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
#
template(`apache_per_role_template', `
gen_require(`
attribute httpdcontent, httpd_script_domains;
attribute httpd_exec_scripts;
type httpd_t, httpd_suexec_t, httpd_log_t;
')
apache_content_template($1)
typeattribute httpd_$1_script_t httpd_script_domains;
userdom_user_home_content($1,httpd_$1_content_t)
role $3 types httpd_$1_script_t;
allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom };
allow $2 httpd_$1_htaccess_t:file { manage_file_perms relabelto relabelfrom };
manage_dirs_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
manage_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
manage_lnk_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
relabel_dirs_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
relabel_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
relabel_lnk_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
manage_dirs_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
manage_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
manage_lnk_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
relabel_dirs_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
relabel_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
relabel_lnk_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
manage_dirs_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
manage_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
manage_lnk_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
relabel_dirs_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
relabel_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
relabel_lnk_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
manage_dirs_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
manage_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
manage_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
relabel_dirs_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
relabel_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
relabel_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
tunable_policy(`httpd_enable_cgi',`
# If a user starts a script by hand it gets the proper context
domtrans_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_$1_script_t httpdcontent:file entrypoint;
domtrans_pattern($2, httpdcontent, httpd_$1_script_t)
')
# allow accessing files/dirs below the users home dir
tunable_policy(`httpd_enable_homedirs',`
userdom_search_user_home_dirs($1,httpd_t)
userdom_search_user_home_dirs($1,httpd_suexec_t)
userdom_search_user_home_dirs($1,httpd_$1_script_t)
')
')
########################################
## <summary>
## Read httpd user scripts executables.
## </summary>
## <param name="domain_prefix">
## <summary>
## Prefix of the domain. Example, user would be
## the prefix for the uder_t domain.
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`apache_read_user_scripts',`
gen_require(`
type httpd_$1_script_exec_t;
')
allow $2 httpd_$1_script_exec_t:dir list_dir_perms;
read_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
read_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
')
########################################
## <summary>
## Read user web content.
## </summary>
## <param name="domain_prefix">
## <summary>
## Prefix of the domain. Example, user would be
## the prefix for the uder_t domain.
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`apache_read_user_content',`
gen_require(`
type httpd_$1_content_t;
')
allow $2 httpd_$1_content_t:dir list_dir_perms;
read_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t)
read_lnk_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t)
')
########################################
## <summary>
## Transition to apache.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_domtrans',`
gen_require(`
type httpd_t, httpd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1,httpd_exec_t,httpd_t)
')
########################################
## <summary>
## Send a null signal to apache.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_signull',`
gen_require(`
type httpd_t;
')
allow $1 httpd_t:process signull;
')
########################################
## <summary>
## Send a SIGCHLD signal to apache.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_sigchld',`
gen_require(`
type httpd_t;
')
allow $1 httpd_t:process sigchld;
')
########################################
## <summary>
## Inherit and use file descriptors from Apache.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_use_fds',`
gen_require(`
type httpd_t;
')
allow $1 httpd_t:fd use;
')
########################################
## <summary>
## Do not audit attempts to read and write Apache
## unix domain stream sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_dontaudit_rw_stream_sockets',`
gen_require(`
type httpd_t;
')
dontaudit $1 httpd_t:unix_stream_socket { read write };
')
########################################
## <summary>
## Do not audit attempts to read and write Apache
## TCP sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_dontaudit_rw_tcp_sockets',`
gen_require(`
type httpd_t;
')
dontaudit $1 httpd_t:tcp_socket { read write };
')
########################################
## <summary>
## Create, read, write, and delete all web content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`apache_manage_all_content',`
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
')
manage_dirs_pattern($1,httpdcontent,httpdcontent)
manage_files_pattern($1,httpdcontent,httpdcontent)
manage_lnk_files_pattern($1,httpdcontent,httpdcontent)
manage_dirs_pattern($1,httpd_script_exec_type,httpd_script_exec_type)
manage_files_pattern($1,httpd_script_exec_type,httpd_script_exec_type)
manage_lnk_files_pattern($1,httpd_script_exec_type,httpd_script_exec_type)
')
########################################
## <summary>
## Allow the specified domain to read
## and write Apache cache files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_rw_cache_files',`
gen_require(`
type httpd_cache_t;
')
allow $1 httpd_cache_t:file rw_file_perms;
')
########################################
## <summary>
## Allow the specified domain to read
## apache configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`apache_read_config',`
gen_require(`
type httpd_config_t;
')
files_search_etc($1)
allow $1 httpd_config_t:dir list_dir_perms;
read_files_pattern($1,httpd_config_t,httpd_config_t)
read_lnk_files_pattern($1,httpd_config_t,httpd_config_t)
')
########################################
## <summary>
## Allow the specified domain to manage
## apache configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_manage_config',`
gen_require(`
type httpd_config_t;
')
files_search_etc($1)
manage_dirs_pattern($1,httpd_config_t,httpd_config_t)
manage_files_pattern($1,httpd_config_t,httpd_config_t)
read_lnk_files_pattern($1,httpd_config_t,httpd_config_t)
')
########################################
## <summary>
## Execute the Apache helper program with
## a domain transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_domtrans_helper',`
gen_require(`
type httpd_helper_t, httpd_helper_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1,httpd_helper_exec_t,httpd_helper_t)
')
########################################
## <summary>
## Execute the Apache helper program with
## a domain transition, and allow the
## specified role the dmidecode domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the dmidecode domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the dmidecode domain to use.
## </summary>
## </param>
## <rolecap/>
#
interface(`apache_run_helper',`
gen_require(`
type httpd_helper_t;
')
apache_domtrans_helper($1)
role $2 types httpd_helper_t;
allow httpd_helper_t $3:chr_file rw_term_perms;
')
########################################
## <summary>
## Allow the specified domain to read
## apache log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`apache_read_log',`
gen_require(`
type httpd_log_t;
')
logging_search_logs($1)
allow $1 httpd_log_t:dir list_dir_perms;
read_files_pattern($1,httpd_log_t,httpd_log_t)
read_lnk_files_pattern($1,httpd_log_t,httpd_log_t)
')
########################################
## <summary>
## Allow the specified domain to append
## to apache log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_append_log',`
gen_require(`
type httpd_log_t;
')
logging_search_logs($1)
allow $1 httpd_log_t:dir list_dir_perms;
append_files_pattern($1,httpd_log_t,httpd_log_t)
')
########################################
## <summary>
## Do not audit attempts to append to the
## Apache logs.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`apache_dontaudit_append_log',`
gen_require(`
type httpd_log_t;
')
dontaudit $1 httpd_log_t:file { getattr append };
')
########################################
## <summary>
## Allow the specified domain to manage
## to apache log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_manage_log',`
gen_require(`
type httpd_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1,httpd_log_t,httpd_log_t)
manage_files_pattern($1,httpd_log_t,httpd_log_t)
read_lnk_files_pattern($1,httpd_log_t,httpd_log_t)
')
########################################
## <summary>
## Do not audit attempts to search Apache
## module directories.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`apache_dontaudit_search_modules',`
gen_require(`
type httpd_modules_t;
')
dontaudit $1 httpd_modules_t:dir search_dir_perms;
')
########################################
## <summary>
## Allow the specified domain to list
## the contents of the apache modules
## directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_list_modules',`
gen_require(`
type httpd_modules_t;
')
allow $1 httpd_modules_t:dir list_dir_perms;
')
########################################
## <summary>
## Allow the specified domain to execute
## apache modules.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_exec_modules',`
gen_require(`
type httpd_modules_t;
')
allow $1 httpd_modules_t:dir list_dir_perms;
allow $1 httpd_modules_t:lnk_file read_file_perms;
can_exec($1,httpd_modules_t)
')
########################################
## <summary>
## Execute a domain transition to run httpd_rotatelogs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_domtrans_rotatelogs',`
gen_require(`
type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
')
domtrans_pattern($1,httpd_rotatelogs_exec_t,httpd_rotatelogs_t)
')
########################################
## <summary>
## Allow the specified domain to manage
## apache system content files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
interface(`apache_manage_sys_content',`
gen_require(`
type httpd_sys_content_t;
')
files_search_var($1)
manage_dirs_pattern($1,httpd_sys_content_t,httpd_sys_content_t)
manage_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t)
manage_lnk_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t)
')
########################################
## <summary>
## Execute all web scripts in the system
## script domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
# cjp: this interface specifically added to allow
# sysadm_t to run scripts
interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
type httpd_sys_script_t;
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
')
')
########################################
## <summary>
## Do not audit attempts to read and write Apache
## system script unix domain stream sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
gen_require(`
type httpd_sys_script_t;
')
dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
')
########################################
## <summary>
## Execute all user scripts in the user
## script domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_domtrans_all_scripts',`
gen_require(`
attribute httpd_exec_scripts;
')
typeattribute $1 httpd_exec_scripts;
')
########################################
## <summary>
## Execute all user scripts in the user
## script domain. Add user script domains
## to the specified role.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the script domains.
## </summary>
## </param>
#
# cjp: this is missing the terminal since scripts
# do not output to the terminal
interface(`apache_run_all_scripts',`
gen_require(`
attribute httpd_exec_scripts, httpd_script_domains;
')
role $2 types httpd_script_domains;
apache_domtrans_all_scripts($1)
')
########################################
## <summary>
## Allow the specified domain to read
## apache squirrelmail data.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_read_squirrelmail_data',`
gen_require(`
type httpd_squirrelmail_t;
')
allow $1 httpd_squirrelmail_t:file { getattr read };
')
########################################
## <summary>
## Allow the specified domain to append
## apache squirrelmail data.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_append_squirrelmail_data',`
gen_require(`
type httpd_squirrelmail_t;
')
allow $1 httpd_squirrelmail_t:file { getattr append };
')
########################################
## <summary>
## Search apache system content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_search_sys_content',`
gen_require(`
type httpd_sys_content_t;
')
allow $1 httpd_sys_content_t:dir search_dir_perms;
')
########################################
## <summary>
## Read apache system content.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`apache_read_sys_content',`
gen_require(`
type httpd_sys_content_t;
')
allow $1 httpd_sys_content_t:dir list_dir_perms;
read_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t)
read_lnk_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t)
')
########################################
## <summary>
## Search system script state directory.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`apache_search_sys_script_state',`
gen_require(`
type httpd_sys_script_t;
')
allow $1 httpd_sys_script_t:dir search_dir_perms;
')
Reference in New Issue View Git Blame Copy Permalink