rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
7b61fe506d
selinux-policy/policy/modules/services/apache.te
Chris PeBenito 1900668638 trunk: Unified labeled networking policy from Paul Moore. 
The latest revision of the labeled policy patches which enable both labeled 
and unlabeled policy support for NetLabel.  This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access.  The older, transport layer specific interfaces, are still  
present for use by third-party modules but are not used in the default policy
modules.

trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinquish between actual unlabeled packets and those packets which have MLS
security attributes.
2007-06-27 15:23:21 +00:00

793 lines
21 KiB
Plaintext
Raw Blame History

policy_module(apache,1.6.1)
#
# NOTES:
# This policy will work with SUEXEC enabled as part of the Apache
# configuration. However, the user CGI scripts will run under the
# system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
# of the creating user.
#
# The user CGI scripts must be labeled with the httpd_$1_script_exec_t
# type, and the directory containing the scripts should also be labeled
# with these types. This policy allows user_r role to perform that
# relabeling. If it is desired that only sysadm_r should be able to relabel
# the user CGI scripts, then relabel rule for user_r should be removed.
#
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow Apache to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_httpd_anon_write,false)
## <desc>
## <p>
## Allow Apache to use mod_auth_pam
## </p>
## </desc>
gen_tunable(allow_httpd_mod_auth_pam,false)
## <desc>
## <p>
## Allow httpd to use built in scripting (usually php)
## </p>
## </desc>
gen_tunable(httpd_builtin_scripting,false)
## <desc>
## <p>
## Allow http daemon to tcp connect
## </p>
## </desc>
gen_tunable(httpd_can_network_connect,false)
## <desc>
## <p>
## Allow httpd to connect to mysql/posgresql
## </p>
## </desc>
gen_tunable(httpd_can_network_connect_db, false)
## <desc>
## <p>
## Allow httpd to act as a relay
## </p>
## </desc>
gen_tunable(httpd_can_network_relay, false)
## <desc>
## <p>
## Allow httpd cgi support
## </p>
## </desc>
gen_tunable(httpd_enable_cgi,false)
## <desc>
## <p>
## Allow httpd to act as a FTP server by
## listening on the ftp port.
## </p>
## </desc>
gen_tunable(httpd_enable_ftp_server,false)
## <desc>
## <p>
## Allow httpd to read home directories
## </p>
## </desc>
gen_tunable(httpd_enable_homedirs,false)
## <desc>
## <p>
## Run SSI execs in system CGI script domain.
## </p>
## </desc>
gen_tunable(httpd_ssi_exec,false)
## <desc>
## <p>
## Allow http daemon to communicate with the TTY
## </p>
## </desc>
gen_tunable(httpd_tty_comm,false)
## <desc>
## <p>
## Run CGI in the main httpd domain
## </p>
## </desc>
gen_tunable(httpd_unified,false)
attribute httpdcontent;
# domains that can exec all users scripts
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
# user script domains
attribute httpd_script_domains;
type httpd_t;
type httpd_exec_t;
init_daemon_domain(httpd_t,httpd_exec_t)
role system_r types httpd_t;
# httpd_cache_t is the type given to the /var/cache/httpd
# directory and the files under that directory
type httpd_cache_t;
files_type(httpd_cache_t)
# httpd_config_t is the type given to the configuration files
type httpd_config_t;
files_type(httpd_config_t)
type httpd_helper_t;
type httpd_helper_exec_t;
domain_type(httpd_helper_t)
domain_entry_file(httpd_helper_t,httpd_helper_exec_t)
role system_r types httpd_helper_t;
type httpd_lock_t;
files_lock_file(httpd_lock_t)
type httpd_log_t;
logging_log_file(httpd_log_t)
# httpd_modules_t is the type given to module files (libraries)
# that come with Apache /etc/httpd/modules and /usr/lib/apache
type httpd_modules_t;
files_type(httpd_modules_t)
type httpd_php_t;
type httpd_php_exec_t;
domain_type(httpd_php_t)
domain_entry_file(httpd_php_t,httpd_php_exec_t)
role system_r types httpd_php_t;
type httpd_php_tmp_t;
files_tmp_file(httpd_php_tmp_t)
type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)
# SUEXEC runs user scripts as their own user ID
type httpd_suexec_t; #, daemon;
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t,httpd_suexec_exec_t)
role system_r types httpd_suexec_t;
type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)
# setup the system domain for system CGI scripts
apache_content_template(sys)
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)
# Unconfined domain for apache scripts.
# Only to be used as a last resort
type httpd_unconfined_script_t;
type httpd_unconfined_script_exec_t; # customizable
domain_type(httpd_unconfined_script_t)
domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t)
role system_r types httpd_unconfined_script_t;
# for apache2 memory mapped files
type httpd_var_lib_t;
files_type(httpd_var_lib_t)
type httpd_var_run_t;
files_pid_file(httpd_var_run_t)
# File Type of squirrelmail attachments
type squirrelmail_spool_t;
files_tmp_file(squirrelmail_spool_t)
ifdef(`targeted_policy',`
typealias httpd_sys_content_t alias httpd_user_content_t;
typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
')
optional_policy(`
prelink_object_file(httpd_modules_t)
')
########################################
#
# Apache server local policy
#
allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
allow httpd_t self:fifo_file rw_fifo_file_perms;
allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;
# Allow httpd_t to put files in /var/cache/httpd etc
manage_dirs_pattern(httpd_t,httpd_cache_t,httpd_cache_t)
manage_files_pattern(httpd_t,httpd_cache_t,httpd_cache_t)
manage_lnk_files_pattern(httpd_t,httpd_cache_t,httpd_cache_t)
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
read_files_pattern(httpd_t,httpd_config_t,httpd_config_t)
read_lnk_files_pattern(httpd_t,httpd_config_t,httpd_config_t)
can_exec(httpd_t, httpd_exec_t)
allow httpd_t httpd_lock_t:file manage_file_perms;
files_lock_filetrans(httpd_t,httpd_lock_t,file)
allow httpd_t httpd_log_t:dir setattr;
create_files_pattern(httpd_t,httpd_log_t,httpd_log_t)
append_files_pattern(httpd_t,httpd_log_t,httpd_log_t)
read_files_pattern(httpd_t,httpd_log_t,httpd_log_t)
read_lnk_files_pattern(httpd_t,httpd_log_t,httpd_log_t)
# cjp: need to refine create interfaces to
# cut this back to add_name only
logging_log_filetrans(httpd_t,httpd_log_t,file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
allow httpd_t httpd_rotatelogs_t:process signal_perms;
manage_dirs_pattern(httpd_t,httpd_squirrelmail_t,httpd_squirrelmail_t)
manage_files_pattern(httpd_t,httpd_squirrelmail_t,httpd_squirrelmail_t)
manage_lnk_files_pattern(httpd_t,httpd_squirrelmail_t,httpd_squirrelmail_t)
allow httpd_t httpd_suexec_exec_t:file { getattr read };
allow httpd_t httpd_sys_content_t:dir list_dir_perms;
read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
manage_dirs_pattern(httpd_t,httpd_tmp_t,httpd_tmp_t)
manage_files_pattern(httpd_t,httpd_tmp_t,httpd_tmp_t)
files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir })
manage_dirs_pattern(httpd_t,httpd_tmpfs_t,httpd_tmpfs_t)
manage_files_pattern(httpd_t,httpd_tmpfs_t,httpd_tmpfs_t)
manage_lnk_files_pattern(httpd_t,httpd_tmpfs_t,httpd_tmpfs_t)
manage_fifo_files_pattern(httpd_t,httpd_tmpfs_t,httpd_tmpfs_t)
manage_sock_files_pattern(httpd_t,httpd_tmpfs_t,httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
manage_files_pattern(httpd_t,httpd_var_lib_t,httpd_var_lib_t)
files_var_lib_filetrans(httpd_t,httpd_var_lib_t,file)
manage_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
manage_sock_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
files_pid_filetrans(httpd_t,httpd_var_run_t, { file sock_file })
manage_dirs_pattern(httpd_t,squirrelmail_spool_t,squirrelmail_spool_t)
manage_files_pattern(httpd_t,squirrelmail_spool_t,squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t,squirrelmail_spool_t,squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
corenet_tcp_sendrecv_all_if(httpd_t)
corenet_udp_sendrecv_all_if(httpd_t)
corenet_tcp_sendrecv_all_nodes(httpd_t)
corenet_udp_sendrecv_all_nodes(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_all_nodes(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
# Signal self for shutdown
corenet_tcp_connect_http_port(httpd_t)
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
dev_read_urand(httpd_t)
dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
auth_use_nsswitch(httpd_t)
# execute perl
corecmd_exec_bin(httpd_t)
corecmd_exec_shell(httpd_t)
domain_use_interactive_fds(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
# for modules that want to access /etc/mtab
files_read_etc_runtime_files(httpd_t)
# Allow httpd_t to have access to files such as nisswitch.conf
files_read_etc_files(httpd_t)
# for tomcat
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
libs_read_lib_files(httpd_t)
logging_send_syslog_msg(httpd_t)
miscfiles_read_localization(httpd_t)
miscfiles_read_fonts(httpd_t)
miscfiles_read_public_files(httpd_t)
miscfiles_read_certs(httpd_t)
seutil_dontaudit_search_config(httpd_t)
sysnet_read_config(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
mta_send_mail(httpd_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(httpd_t)
term_dontaudit_use_generic_ptys(httpd_t)
files_dontaudit_read_root_files(httpd_t)
tunable_policy(`httpd_enable_homedirs',`
userdom_search_generic_user_home_dirs(httpd_t)
')
')
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
')
ifdef(`TODO', `
#
# We need optionals to be able to be within booleans to make this work
#
tunable_policy(`allow_httpd_mod_auth_pam',`
auth_domtrans_chk_passwd(httpd_t)
')
')
tunable_policy(`httpd_can_network_connect',`
corenet_tcp_connect_all_ports(httpd_t)
')
tunable_policy(`httpd_can_network_connect_db',`
# allow httpd to connect to mysql/posgresql
corenet_tcp_connect_postgresql_port(httpd_t)
corenet_tcp_connect_mysqld_port(httpd_t)
corenet_sendrecv_postgresql_client_packets(httpd_t)
corenet_sendrecv_mysqld_client_packets(httpd_t)
')
tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
corenet_tcp_connect_ftp_port(httpd_t)
corenet_tcp_connect_http_port(httpd_t)
corenet_tcp_connect_http_cache_port(httpd_t)
corenet_sendrecv_gopher_client_packets(httpd_t)
corenet_sendrecv_ftp_client_packets(httpd_t)
corenet_sendrecv_http_client_packets(httpd_t)
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
tunable_policy(`httpd_enable_cgi',`
domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
allow httpd_t httpd_unconfined_script_exec_t:dir list_dir_perms;
')
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
manage_dirs_pattern(httpd_t,httpdcontent,httpdcontent)
manage_files_pattern(httpd_t,httpdcontent,httpdcontent)
manage_lnk_files_pattern(httpd_t,httpdcontent,httpdcontent)
')
tunable_policy(`httpd_enable_ftp_server',`
corenet_tcp_bind_ftp_port(httpd_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(httpd_t)
fs_read_nfs_symlinks(httpd_t)
')
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
')
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
allow httpd_sys_script_t httpd_t:process sigchld;
')
# When the admin starts the server, the server wants to access
# the TTY or PTY associated with the session. The httpd appears
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
# cjp: this is redundant:
term_use_controlling_term(httpd_t)
userdom_use_sysadm_terms(httpd_t)
',`
userdom_dontaudit_use_sysadm_terms(httpd_t)
')
optional_policy(`
calamaris_read_www_files(httpd_t)
')
optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
optional_policy(`
kerberos_use(httpd_t)
kerberos_read_kdc_config(httpd_t)
')
optional_policy(`
mailman_signal_cgi(httpd_t)
mailman_domtrans_cgi(httpd_t)
# should have separate types for public and private archives
mailman_search_data(httpd_t)
mailman_read_archive(httpd_t)
')
optional_policy(`
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
')
optional_policy(`
nagios_read_config(httpd_t)
nagios_domtrans_cgi(httpd_t)
')
optional_policy(`
openca_domtrans(httpd_t)
openca_signal(httpd_t)
openca_sigstop(httpd_t)
openca_kill(httpd_t)
')
optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
')
optional_policy(`
seutil_sigchld_newrole(httpd_t)
')
optional_policy(`
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
optional_policy(`
udev_read_db(httpd_t)
')
optional_policy(`
yam_read_content(httpd_t)
')
########################################
#
# Apache helper local policy
#
domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
allow httpd_helper_t httpd_config_t:file { getattr read };
allow httpd_helper_t httpd_log_t:file append;
libs_use_ld_so(httpd_helper_t)
libs_use_shared_libs(httpd_helper_t)
logging_send_syslog_msg(httpd_helper_t)
tunable_policy(`httpd_tty_comm',`
# cjp: this is redundant:
term_use_controlling_term(httpd_helper_t)
userdom_use_sysadm_terms(httpd_helper_t)
')
########################################
#
# Apache PHP script local policy
#
allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_php_t self:fd use;
allow httpd_php_t self:fifo_file rw_fifo_file_perms;
allow httpd_php_t self:sock_file read_sock_file_perms;
allow httpd_php_t self:unix_dgram_socket create_socket_perms;
allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_php_t self:unix_dgram_socket sendto;
allow httpd_php_t self:unix_stream_socket connectto;
allow httpd_php_t self:shm create_shm_perms;
allow httpd_php_t self:sem create_sem_perms;
allow httpd_php_t self:msgq create_msgq_perms;
allow httpd_php_t self:msg { send receive };
domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
# allow php to read and append to apache logfiles
allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
manage_dirs_pattern(httpd_php_t,httpd_php_tmp_t,httpd_php_tmp_t)
manage_files_pattern(httpd_php_t,httpd_php_tmp_t,httpd_php_tmp_t)
files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
fs_search_auto_mountpoints(httpd_php_t)
libs_exec_lib_files(httpd_php_t)
libs_use_ld_so(httpd_php_t)
libs_use_shared_libs(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
optional_policy(`
mysql_stream_connect(httpd_php_t)
')
optional_policy(`
nis_use_ypbind(httpd_php_t)
')
########################################
#
# Apache suexec local policy
#
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
create_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)
append_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)
read_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)
allow httpd_suexec_t httpd_t:fifo_file getattr;
manage_dirs_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
dev_read_urand(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)
# for shell scripts
corecmd_exec_bin(httpd_suexec_t)
corecmd_exec_shell(httpd_suexec_t)
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
libs_use_ld_so(httpd_suexec_t)
libs_use_shared_libs(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
miscfiles_read_localization(httpd_suexec_t)
ifdef(`targeted_policy',`
tunable_policy(`httpd_enable_homedirs',`
userdom_search_generic_user_home_dirs(httpd_suexec_t)
')
')
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
allow httpd_suexec_t self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled(httpd_suexec_t)
corenet_all_recvfrom_netlabel(httpd_suexec_t)
corenet_tcp_sendrecv_all_if(httpd_suexec_t)
corenet_udp_sendrecv_all_if(httpd_suexec_t)
corenet_tcp_sendrecv_all_nodes(httpd_suexec_t)
corenet_udp_sendrecv_all_nodes(httpd_suexec_t)
corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
corenet_udp_sendrecv_all_ports(httpd_suexec_t)
corenet_tcp_connect_all_ports(httpd_suexec_t)
corenet_sendrecv_all_client_packets(httpd_suexec_t)
sysnet_read_config(httpd_suexec_t)
')
tunable_policy(`httpd_enable_cgi',`
domtrans_pattern(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
')
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
fs_exec_cifs_files(httpd_suexec_t)
')
optional_policy(`
mailman_domtrans_cgi(httpd_suexec_t)
')
optional_policy(`
mta_stub(httpd_suexec_t)
# apache should set close-on-exec
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
optional_policy(`
nagios_domtrans_cgi(httpd_suexec_t)
')
optional_policy(`
nis_use_ypbind(httpd_suexec_t)
')
optional_policy(`
nscd_socket_use(httpd_suexec_t)
')
########################################
#
# Apache system script local policy
#
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
dontaudit httpd_sys_script_t httpd_config_t:dir search;
allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
read_lnk_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_sys_script_t)
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file { getattr append };
')
ifdef(`targeted_policy',`
tunable_policy(`httpd_enable_homedirs',`
userdom_search_generic_user_home_dirs(httpd_sys_script_t)
')
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
')
optional_policy(`
clamav_domtrans_clamscan(httpd_sys_script_t)
')
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
')
########################################
#
# Apache unconfined script local policy
#
unconfined_domain(httpd_unconfined_script_t)
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
')
optional_policy(`
nscd_socket_use(httpd_unconfined_script_t)
')
########################################
#
# httpd_rotatelogs local policy
#
manage_files_pattern(httpd_rotatelogs_t,httpd_log_t,httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
files_read_etc_files(httpd_rotatelogs_t)
libs_use_ld_so(httpd_rotatelogs_t)
libs_use_shared_libs(httpd_rotatelogs_t)
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t)
')
Reference in New Issue View Git Blame Copy Permalink