selinux-policy/targeted/macros/program/apache_macros.te

206 lines
7.5 KiB
Plaintext

define(`apache_domain', `
#This type is for webpages
#
type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable;
# This type is used for .htaccess files
#
type httpd_$1_htaccess_t, file_type, sysadmfile, customizable;
allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
# This type is used for executable scripts files
#
type httpd_$1_script_exec_t, file_type, sysadmfile, customizable;
# Type that CGI scripts run as
type httpd_$1_script_t, domain, privmail, nscd_client_domain;
role system_r types httpd_$1_script_t;
uses_shlib(httpd_$1_script_t)
if (httpd_enable_cgi) {
domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
allow httpd_$1_script_t httpd_t:fd use;
allow httpd_$1_script_t httpd_t:process sigchld;
allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl };
allow httpd_$1_script_t usr_t:lnk_file { getattr read };
allow httpd_$1_script_t self:process { fork signal_perms };
allow httpd_$1_script_t devtty_t:chr_file { getattr read write };
allow httpd_$1_script_t urandom_device_t:chr_file { getattr read };
allow httpd_$1_script_t etc_runtime_t:file { getattr read };
read_locale(httpd_$1_script_t)
allow httpd_$1_script_t fs_t:filesystem getattr;
allow httpd_$1_script_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_$1_script_t { self proc_t }:file r_file_perms;
allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
allow httpd_$1_script_t { self proc_t }:lnk_file read;
allow httpd_$1_script_t device_t:dir { getattr search };
allow httpd_$1_script_t null_device_t:chr_file rw_file_perms;
}
if (httpd_enable_cgi && httpd_can_network_connect) {
can_network_client(httpd_$1_script_t)
allow httpd_$1_script_t port_type:tcp_socket name_connect;
}
ifdef(`ypbind.te', `
if (httpd_enable_cgi && allow_ypbind) {
uncond_can_ypbind(httpd_$1_script_t)
}
')
# The following are the only areas that
# scripts can read, read/write, or append to
#
type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile, customizable;
type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;
type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
#########################################################
# Permissions for running child processes and scripts
##########################################################
allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
allow httpd_$1_script_t httpd_t:fifo_file write;
allow httpd_$1_script_t self:fifo_file rw_file_perms;
allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms;
###########################################################################
# Allow the script interpreters to run the scripts. So
# the perl executable will be able to run a perl script
#########################################################################
allow httpd_$1_script_t httpd_$1_script_exec_t:dir r_dir_perms;
can_exec_any(httpd_$1_script_t)
allow httpd_$1_script_t etc_t:file { getattr read };
dontaudit httpd_$1_script_t selinux_config_t:dir search;
############################################################################
# Allow the script process to search the cgi directory, and users directory
##############################################################################
allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
allow httpd_$1_script_t home_root_t:dir { getattr search };
allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
#############################################################################
# Allow the scripts to read, read/write, append to the specified directories
# or files
############################################################################
read_fonts(httpd_$1_script_t)
r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file rw_file_perms;
ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
anonymous_domain(httpd_$1_script)
if (httpd_enable_cgi && httpd_unified) {
create_dir_file(httpd_$1_script_t, httpdcontent)
can_exec(httpd_$1_script_t, httpdcontent)
}
#
# If a user starts a script by hand it gets the proper context
#
ifdef(`targeted_policy', `', `
if (httpd_enable_cgi) {
domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
}
')
role sysadm_r types httpd_$1_script_t;
dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
dontaudit httpd_$1_script_t sysctl_t:dir search;
############################################
# Allow scripts to append to http logs
#########################################
allow httpd_$1_script_t { var_t var_log_t httpd_log_t }:dir search;
allow httpd_$1_script_t httpd_log_t:file { getattr append };
# apache should set close-on-exec
dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
################################################################
# Allow the web server to run scripts and serve pages
##############################################################
if (httpd_builtin_scripting) {
r_dir_file(httpd_t, httpd_$1_script_ro_t)
create_dir_file(httpd_t, httpd_$1_script_rw_t)
allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;
ra_dir_file(httpd_t, httpd_$1_script_ra_t)
r_dir_file(httpd_t, httpd_$1_content_t)
}
')
define(`apache_user_domain', `
apache_domain($1)
typeattribute httpd_$1_content_t $1_file_type;
if (httpd_enable_cgi && httpd_unified) {
domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
}
if (httpd_enable_cgi) {
# If a user starts a script by hand it gets the proper context
domain_auto_trans($1_t, httpd_$1_script_exec_t, httpd_$1_script_t)
}
role $1_r types httpd_$1_script_t;
#######################################
# Allow user to create or edit web content
#########################################
create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t })
allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom };
######################################################################
# Allow the user to create htaccess files
#####################################################################
allow $1_t httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
#########################################################################
# Allow user to create files or directories
# that scripts are able to read, write, or append to
###########################################################################
create_dir_file($1_t, { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t })
allow $1_t { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:{ file dir lnk_file } { relabelto relabelfrom };
# allow accessing files/dirs below the users home dir
if (httpd_enable_homedirs) {
allow { httpd_t httpd_suexec_t httpd_$1_script_t } $1_home_dir_t:dir { getattr search };
ifdef(`nfs_home_dirs', `
r_dir_file(httpd_$1_script_t, nfs_t)
')dnl end if nfs_home_dirs
}
ifdef(`crond.te', `
create_dir_file($1_crond_t, httpd_$1_content_t)
')
ifdef(`ftpd.te', `
if (ftp_home_dir) {
create_dir_file(ftpd_t, httpd_$1_content_t)
}
')
')