4f7b413cdc
Added alias for ntop_http_content_t in apache Pulled in ntop port from corenetwork patch
903 lines
26 KiB
Plaintext
903 lines
26 KiB
Plaintext
|
|
policy_module(apache, 2.1.2)
|
|
|
|
#
|
|
# NOTES:
|
|
# This policy will work with SUEXEC enabled as part of the Apache
|
|
# configuration. However, the user CGI scripts will run under the
|
|
# system_u:system_r:httpd_user_script_t.
|
|
#
|
|
# The user CGI scripts must be labeled with the httpd_user_script_exec_t
|
|
# type, and the directory containing the scripts should also be labeled
|
|
# with these types. This policy allows the user role to perform that
|
|
# relabeling. If it is desired that only admin role should be able to relabel
|
|
# the user CGI scripts, then relabel rule for user roles should be removed.
|
|
#
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow Apache to modify public files
|
|
## used for public file transfer services. Directories/Files must
|
|
## be labeled public_content_rw_t.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(allow_httpd_anon_write, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow Apache to use mod_auth_pam
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(allow_httpd_mod_auth_pam, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to use built in scripting (usually php)
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_builtin_scripting, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow HTTPD scripts and modules to connect to the network using TCP.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_can_network_connect, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow HTTPD scripts and modules to connect to databases over the network.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_can_network_connect_db, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to act as a relay
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_can_network_relay, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow http daemon to send mail
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_can_sendmail, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow Apache to communicate with avahi service via dbus
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_dbus_avahi, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd cgi support
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_enable_cgi, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to act as a FTP server by
|
|
## listening on the ftp port.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_enable_ftp_server, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to read home directories
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_enable_homedirs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_ssi_exec, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Unify HTTPD to communicate with the terminal.
|
|
## Needed for entering the passphrase for certificates at
|
|
## the terminal.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_tty_comm, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Unify HTTPD handling of all content files.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_unified, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to access cifs file systems
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_use_cifs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to run gpg
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_use_gpg, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to access nfs file systems
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_use_nfs, false)
|
|
|
|
attribute httpdcontent;
|
|
attribute httpd_user_content_type;
|
|
|
|
# domains that can exec all users scripts
|
|
attribute httpd_exec_scripts;
|
|
|
|
attribute httpd_script_exec_type;
|
|
attribute httpd_user_script_exec_type;
|
|
|
|
# user script domains
|
|
attribute httpd_script_domains;
|
|
|
|
type httpd_t;
|
|
type httpd_exec_t;
|
|
init_daemon_domain(httpd_t, httpd_exec_t)
|
|
role system_r types httpd_t;
|
|
|
|
# httpd_cache_t is the type given to the /var/cache/httpd
|
|
# directory and the files under that directory
|
|
type httpd_cache_t;
|
|
files_type(httpd_cache_t)
|
|
|
|
# httpd_config_t is the type given to the configuration files
|
|
type httpd_config_t;
|
|
files_type(httpd_config_t)
|
|
|
|
type httpd_helper_t;
|
|
type httpd_helper_exec_t;
|
|
domain_type(httpd_helper_t)
|
|
domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
|
|
role system_r types httpd_helper_t;
|
|
|
|
type httpd_initrc_exec_t;
|
|
init_script_file(httpd_initrc_exec_t)
|
|
|
|
type httpd_lock_t;
|
|
files_lock_file(httpd_lock_t)
|
|
|
|
type httpd_log_t;
|
|
logging_log_file(httpd_log_t)
|
|
|
|
# httpd_modules_t is the type given to module files (libraries)
|
|
# that come with Apache /etc/httpd/modules and /usr/lib/apache
|
|
type httpd_modules_t;
|
|
files_type(httpd_modules_t)
|
|
|
|
type httpd_php_t;
|
|
type httpd_php_exec_t;
|
|
domain_type(httpd_php_t)
|
|
domain_entry_file(httpd_php_t, httpd_php_exec_t)
|
|
role system_r types httpd_php_t;
|
|
|
|
type httpd_php_tmp_t;
|
|
files_tmp_file(httpd_php_tmp_t)
|
|
|
|
type httpd_rotatelogs_t;
|
|
type httpd_rotatelogs_exec_t;
|
|
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
|
|
|
|
type httpd_squirrelmail_t;
|
|
files_type(httpd_squirrelmail_t)
|
|
|
|
# SUEXEC runs user scripts as their own user ID
|
|
type httpd_suexec_t; #, daemon;
|
|
type httpd_suexec_exec_t;
|
|
domain_type(httpd_suexec_t)
|
|
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
|
|
role system_r types httpd_suexec_t;
|
|
|
|
type httpd_suexec_tmp_t;
|
|
files_tmp_file(httpd_suexec_tmp_t)
|
|
|
|
# setup the system domain for system CGI scripts
|
|
apache_content_template(sys)
|
|
typealias httpd_sys_content_t alias ntop_http_content_t;
|
|
|
|
type httpd_tmp_t;
|
|
files_tmp_file(httpd_tmp_t)
|
|
|
|
type httpd_tmpfs_t;
|
|
files_tmpfs_file(httpd_tmpfs_t)
|
|
|
|
apache_content_template(user)
|
|
ubac_constrained(httpd_user_script_t)
|
|
userdom_user_home_content(httpd_user_content_t)
|
|
userdom_user_home_content(httpd_user_htaccess_t)
|
|
userdom_user_home_content(httpd_user_script_exec_t)
|
|
userdom_user_home_content(httpd_user_ra_content_t)
|
|
userdom_user_home_content(httpd_user_rw_content_t)
|
|
typeattribute httpd_user_script_t httpd_script_domains;
|
|
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
|
|
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
|
|
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
|
|
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
|
|
typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
|
|
typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
|
|
typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
|
|
typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
|
|
typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
|
|
typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
|
|
typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
|
|
typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
|
|
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
|
|
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
|
|
|
|
# for apache2 memory mapped files
|
|
type httpd_var_lib_t;
|
|
files_type(httpd_var_lib_t)
|
|
|
|
type httpd_var_run_t;
|
|
files_pid_file(httpd_var_run_t)
|
|
|
|
# File Type of squirrelmail attachments
|
|
type squirrelmail_spool_t;
|
|
files_tmp_file(squirrelmail_spool_t)
|
|
|
|
optional_policy(`
|
|
prelink_object_file(httpd_modules_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Apache server local policy
|
|
#
|
|
|
|
allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
|
|
dontaudit httpd_t self:capability { net_admin sys_tty_config };
|
|
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
allow httpd_t self:fd use;
|
|
allow httpd_t self:sock_file read_sock_file_perms;
|
|
allow httpd_t self:fifo_file rw_fifo_file_perms;
|
|
allow httpd_t self:shm create_shm_perms;
|
|
allow httpd_t self:sem create_sem_perms;
|
|
allow httpd_t self:msgq create_msgq_perms;
|
|
allow httpd_t self:msg { send receive };
|
|
allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
allow httpd_t self:tcp_socket create_stream_socket_perms;
|
|
allow httpd_t self:udp_socket create_socket_perms;
|
|
|
|
# Allow httpd_t to put files in /var/cache/httpd etc
|
|
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
|
|
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
|
|
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
|
|
|
|
# Allow the httpd_t to read the web servers config files
|
|
allow httpd_t httpd_config_t:dir list_dir_perms;
|
|
read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
|
|
read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
|
|
|
|
can_exec(httpd_t, httpd_exec_t)
|
|
|
|
allow httpd_t httpd_lock_t:file manage_file_perms;
|
|
files_lock_filetrans(httpd_t, httpd_lock_t, file)
|
|
|
|
allow httpd_t httpd_log_t:dir setattr;
|
|
create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
|
append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
|
read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
|
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
|
# cjp: need to refine create interfaces to
|
|
# cut this back to add_name only
|
|
logging_log_filetrans(httpd_t, httpd_log_t, file)
|
|
|
|
allow httpd_t httpd_modules_t:dir list_dir_perms;
|
|
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
|
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
|
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
|
|
|
apache_domtrans_rotatelogs(httpd_t)
|
|
# Apache-httpd needs to be able to send signals to the log rotate procs.
|
|
allow httpd_t httpd_rotatelogs_t:process signal_perms;
|
|
|
|
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
|
|
manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
|
|
manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
|
|
|
|
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
|
|
|
|
allow httpd_t httpd_sys_content_t:dir list_dir_perms;
|
|
read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
|
|
read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
|
|
|
|
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
|
|
|
|
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
|
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
|
manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
|
files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
|
|
|
|
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
|
|
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
|
|
manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
|
|
manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
|
|
manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
|
|
fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
|
|
|
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
|
|
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
|
|
|
|
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
|
manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
|
manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
|
manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
|
files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
|
|
|
|
manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
|
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
|
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
|
|
|
kernel_read_kernel_sysctls(httpd_t)
|
|
# for modules that want to access /proc/meminfo
|
|
kernel_read_system_state(httpd_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(httpd_t)
|
|
corenet_all_recvfrom_netlabel(httpd_t)
|
|
corenet_tcp_sendrecv_generic_if(httpd_t)
|
|
corenet_udp_sendrecv_generic_if(httpd_t)
|
|
corenet_tcp_sendrecv_generic_node(httpd_t)
|
|
corenet_udp_sendrecv_generic_node(httpd_t)
|
|
corenet_tcp_sendrecv_all_ports(httpd_t)
|
|
corenet_udp_sendrecv_all_ports(httpd_t)
|
|
corenet_tcp_bind_generic_node(httpd_t)
|
|
corenet_tcp_bind_http_port(httpd_t)
|
|
corenet_tcp_bind_http_cache_port(httpd_t)
|
|
corenet_sendrecv_http_server_packets(httpd_t)
|
|
# Signal self for shutdown
|
|
corenet_tcp_connect_http_port(httpd_t)
|
|
|
|
dev_read_sysfs(httpd_t)
|
|
dev_read_rand(httpd_t)
|
|
dev_read_urand(httpd_t)
|
|
dev_rw_crypto(httpd_t)
|
|
|
|
fs_getattr_all_fs(httpd_t)
|
|
fs_search_auto_mountpoints(httpd_t)
|
|
|
|
auth_use_nsswitch(httpd_t)
|
|
|
|
# execute perl
|
|
corecmd_exec_bin(httpd_t)
|
|
corecmd_exec_shell(httpd_t)
|
|
|
|
domain_use_interactive_fds(httpd_t)
|
|
|
|
files_dontaudit_getattr_all_pids(httpd_t)
|
|
files_read_usr_files(httpd_t)
|
|
files_list_mnt(httpd_t)
|
|
files_search_spool(httpd_t)
|
|
files_read_var_lib_files(httpd_t)
|
|
files_search_home(httpd_t)
|
|
files_getattr_home_dir(httpd_t)
|
|
# for modules that want to access /etc/mtab
|
|
files_read_etc_runtime_files(httpd_t)
|
|
# Allow httpd_t to have access to files such as nisswitch.conf
|
|
files_read_etc_files(httpd_t)
|
|
# for tomcat
|
|
files_read_var_lib_symlinks(httpd_t)
|
|
|
|
fs_search_auto_mountpoints(httpd_sys_script_t)
|
|
|
|
libs_read_lib_files(httpd_t)
|
|
|
|
logging_send_syslog_msg(httpd_t)
|
|
|
|
miscfiles_read_localization(httpd_t)
|
|
miscfiles_read_fonts(httpd_t)
|
|
miscfiles_read_public_files(httpd_t)
|
|
miscfiles_read_certs(httpd_t)
|
|
|
|
seutil_dontaudit_search_config(httpd_t)
|
|
|
|
userdom_use_unpriv_users_fds(httpd_t)
|
|
|
|
tunable_policy(`allow_httpd_anon_write',`
|
|
miscfiles_manage_public_files(httpd_t)
|
|
')
|
|
|
|
ifdef(`TODO', `
|
|
#
|
|
# We need optionals to be able to be within booleans to make this work
|
|
#
|
|
tunable_policy(`allow_httpd_mod_auth_pam',`
|
|
auth_domtrans_chk_passwd(httpd_t)
|
|
')
|
|
')
|
|
|
|
tunable_policy(`httpd_can_network_connect',`
|
|
corenet_tcp_connect_all_ports(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_can_network_relay',`
|
|
# allow httpd to work as a relay
|
|
corenet_tcp_connect_gopher_port(httpd_t)
|
|
corenet_tcp_connect_ftp_port(httpd_t)
|
|
corenet_tcp_connect_http_port(httpd_t)
|
|
corenet_tcp_connect_http_cache_port(httpd_t)
|
|
corenet_tcp_connect_memcache_port(httpd_t)
|
|
corenet_sendrecv_gopher_client_packets(httpd_t)
|
|
corenet_sendrecv_ftp_client_packets(httpd_t)
|
|
corenet_sendrecv_http_client_packets(httpd_t)
|
|
corenet_sendrecv_http_cache_client_packets(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
|
|
fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
|
|
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
|
|
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
|
|
|
|
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
|
|
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
|
manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_ftp_server',`
|
|
corenet_tcp_bind_ftp_port(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs',`
|
|
userdom_read_user_home_content_files(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
|
fs_read_nfs_files(httpd_t)
|
|
fs_read_nfs_symlinks(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
|
fs_read_cifs_files(httpd_t)
|
|
fs_read_cifs_symlinks(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_can_sendmail',`
|
|
# allow httpd to connect to mail servers
|
|
corenet_tcp_connect_smtp_port(httpd_t)
|
|
corenet_sendrecv_smtp_client_packets(httpd_t)
|
|
mta_send_mail(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_ssi_exec',`
|
|
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
|
|
allow httpd_sys_script_t httpd_t:fd use;
|
|
allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
|
|
allow httpd_sys_script_t httpd_t:process sigchld;
|
|
')
|
|
|
|
# When the admin starts the server, the server wants to access
|
|
# the TTY or PTY associated with the session. The httpd appears
|
|
# to run correctly without this permission, so the permission
|
|
# are dontaudited here.
|
|
tunable_policy(`httpd_tty_comm',`
|
|
userdom_use_user_terminals(httpd_t)
|
|
',`
|
|
userdom_dontaudit_use_user_terminals(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
calamaris_read_www_files(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ccs_read_config(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cobbler_search_lib(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cron_system_entry(httpd_t, httpd_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cvs_read_data(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
daemontools_service_domain(httpd_t, httpd_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(httpd_t)
|
|
|
|
tunable_policy(`httpd_dbus_avahi',`
|
|
avahi_dbus_chat(httpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
|
|
gpg_domtrans(httpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_keytab_template(httpd, httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mailman_signal_cgi(httpd_t)
|
|
mailman_domtrans_cgi(httpd_t)
|
|
mailman_read_data_files(httpd_t)
|
|
# should have separate types for public and private archives
|
|
mailman_search_data(httpd_t)
|
|
mailman_read_archive(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# Allow httpd to work with mysql
|
|
mysql_stream_connect(httpd_t)
|
|
mysql_rw_db_sockets(httpd_t)
|
|
|
|
tunable_policy(`httpd_can_network_connect_db',`
|
|
mysql_tcp_connect(httpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
nagios_read_config(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
openca_domtrans(httpd_t)
|
|
openca_signal(httpd_t)
|
|
openca_sigstop(httpd_t)
|
|
openca_kill(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# Allow httpd to work with postgresql
|
|
postgresql_stream_connect(httpd_t)
|
|
postgresql_unpriv_client(httpd_t)
|
|
|
|
tunable_policy(`httpd_can_network_connect_db',`
|
|
postgresql_tcp_connect(httpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
|
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
yam_read_content(httpd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Apache helper local policy
|
|
#
|
|
|
|
domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
|
|
|
|
allow httpd_helper_t httpd_config_t:file read_file_perms;
|
|
|
|
allow httpd_helper_t httpd_log_t:file append_file_perms;
|
|
|
|
logging_send_syslog_msg(httpd_helper_t)
|
|
|
|
userdom_use_user_terminals(httpd_helper_t)
|
|
|
|
########################################
|
|
#
|
|
# Apache PHP script local policy
|
|
#
|
|
|
|
allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
allow httpd_php_t self:fd use;
|
|
allow httpd_php_t self:fifo_file rw_fifo_file_perms;
|
|
allow httpd_php_t self:sock_file read_sock_file_perms;
|
|
allow httpd_php_t self:unix_dgram_socket create_socket_perms;
|
|
allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow httpd_php_t self:unix_dgram_socket sendto;
|
|
allow httpd_php_t self:unix_stream_socket connectto;
|
|
allow httpd_php_t self:shm create_shm_perms;
|
|
allow httpd_php_t self:sem create_sem_perms;
|
|
allow httpd_php_t self:msgq create_msgq_perms;
|
|
allow httpd_php_t self:msg { send receive };
|
|
|
|
domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
|
|
|
|
# allow php to read and append to apache logfiles
|
|
allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
|
|
|
|
manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
|
|
manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
|
|
files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
|
|
|
|
fs_search_auto_mountpoints(httpd_php_t)
|
|
|
|
auth_use_nsswitch(httpd_php_t)
|
|
|
|
libs_exec_lib_files(httpd_php_t)
|
|
|
|
userdom_use_unpriv_users_fds(httpd_php_t)
|
|
|
|
tunable_policy(`httpd_can_network_connect_db',`
|
|
corenet_tcp_connect_mysqld_port(httpd_t)
|
|
corenet_sendrecv_mysqld_client_packets(httpd_t)
|
|
corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
|
|
corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
|
|
corenet_tcp_connect_mysqld_port(httpd_suexec_t)
|
|
corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
|
|
|
|
corenet_tcp_connect_mssql_port(httpd_t)
|
|
corenet_sendrecv_mssql_client_packets(httpd_t)
|
|
corenet_tcp_connect_mssql_port(httpd_sys_script_t)
|
|
corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
|
|
corenet_tcp_connect_mssql_port(httpd_suexec_t)
|
|
corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mysql_stream_connect(httpd_php_t)
|
|
mysql_read_config(httpd_php_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postgresql_stream_connect(httpd_php_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Apache suexec local policy
|
|
#
|
|
|
|
allow httpd_suexec_t self:capability { setuid setgid };
|
|
allow httpd_suexec_t self:process signal_perms;
|
|
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
|
|
|
|
create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
|
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
|
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
|
|
|
allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
|
|
|
|
manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
|
|
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
|
|
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
|
|
|
kernel_read_kernel_sysctls(httpd_suexec_t)
|
|
kernel_list_proc(httpd_suexec_t)
|
|
kernel_read_proc_symlinks(httpd_suexec_t)
|
|
|
|
dev_read_urand(httpd_suexec_t)
|
|
|
|
fs_search_auto_mountpoints(httpd_suexec_t)
|
|
|
|
# for shell scripts
|
|
corecmd_exec_bin(httpd_suexec_t)
|
|
corecmd_exec_shell(httpd_suexec_t)
|
|
|
|
files_read_etc_files(httpd_suexec_t)
|
|
files_read_usr_files(httpd_suexec_t)
|
|
files_dontaudit_search_pids(httpd_suexec_t)
|
|
files_search_home(httpd_suexec_t)
|
|
|
|
auth_use_nsswitch(httpd_suexec_t)
|
|
|
|
logging_search_logs(httpd_suexec_t)
|
|
logging_send_syslog_msg(httpd_suexec_t)
|
|
|
|
miscfiles_read_localization(httpd_suexec_t)
|
|
miscfiles_read_public_files(httpd_suexec_t)
|
|
|
|
tunable_policy(`httpd_can_network_connect',`
|
|
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
|
|
allow httpd_suexec_t self:udp_socket create_socket_perms;
|
|
|
|
corenet_all_recvfrom_unlabeled(httpd_suexec_t)
|
|
corenet_all_recvfrom_netlabel(httpd_suexec_t)
|
|
corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
|
|
corenet_udp_sendrecv_generic_if(httpd_suexec_t)
|
|
corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
|
|
corenet_udp_sendrecv_generic_node(httpd_suexec_t)
|
|
corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
|
|
corenet_udp_sendrecv_all_ports(httpd_suexec_t)
|
|
corenet_tcp_connect_all_ports(httpd_suexec_t)
|
|
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
|
allow httpd_sys_script_t httpdcontent:file entrypoint;
|
|
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
|
|
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
|
fs_read_nfs_files(httpd_suexec_t)
|
|
fs_read_nfs_symlinks(httpd_suexec_t)
|
|
fs_exec_nfs_files(httpd_suexec_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
|
fs_read_cifs_files(httpd_suexec_t)
|
|
fs_read_cifs_symlinks(httpd_suexec_t)
|
|
fs_exec_cifs_files(httpd_suexec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mailman_domtrans_cgi(httpd_suexec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mta_stub(httpd_suexec_t)
|
|
|
|
# apache should set close-on-exec
|
|
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Apache system script local policy
|
|
#
|
|
|
|
allow httpd_sys_script_t self:process getsched;
|
|
|
|
allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
|
|
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
|
|
|
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
|
|
|
allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
|
|
|
|
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
|
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
|
read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
|
|
|
kernel_read_kernel_sysctls(httpd_sys_script_t)
|
|
|
|
files_search_var_lib(httpd_sys_script_t)
|
|
files_search_spool(httpd_sys_script_t)
|
|
|
|
# Should we add a boolean?
|
|
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
|
|
|
ifdef(`distro_redhat',`
|
|
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
|
|
')
|
|
|
|
tunable_policy(`httpd_can_sendmail',`
|
|
mta_send_mail(httpd_sys_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
|
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
|
|
allow httpd_sys_script_t self:udp_socket create_socket_perms;
|
|
|
|
corenet_tcp_bind_all_nodes(httpd_sys_script_t)
|
|
corenet_udp_bind_all_nodes(httpd_sys_script_t)
|
|
corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
|
|
corenet_all_recvfrom_netlabel(httpd_sys_script_t)
|
|
corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
|
|
corenet_udp_sendrecv_all_if(httpd_sys_script_t)
|
|
corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
|
|
corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
|
|
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
|
|
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
|
|
corenet_tcp_connect_all_ports(httpd_sys_script_t)
|
|
corenet_sendrecv_all_client_packets(httpd_sys_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs',`
|
|
userdom_read_user_home_content_files(httpd_sys_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
|
fs_read_nfs_files(httpd_sys_script_t)
|
|
fs_read_nfs_symlinks(httpd_sys_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
|
fs_read_cifs_files(httpd_sys_script_t)
|
|
fs_read_cifs_symlinks(httpd_sys_script_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
clamav_domtrans_clamscan(httpd_sys_script_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mysql_stream_connect(httpd_sys_script_t)
|
|
mysql_rw_db_sockets(httpd_sys_script_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postgresql_stream_connect(httpd_sys_script_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# httpd_rotatelogs local policy
|
|
#
|
|
|
|
allow httpd_rotatelogs_t self:capability dac_override;
|
|
|
|
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
|
|
|
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
|
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
|
|
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
|
|
|
|
files_read_etc_files(httpd_rotatelogs_t)
|
|
|
|
logging_search_logs(httpd_rotatelogs_t)
|
|
|
|
miscfiles_read_localization(httpd_rotatelogs_t)
|
|
|
|
########################################
|
|
#
|
|
# Unconfined script local policy
|
|
#
|
|
|
|
optional_policy(`
|
|
type httpd_unconfined_script_t;
|
|
type httpd_unconfined_script_exec_t;
|
|
domain_type(httpd_unconfined_script_t)
|
|
domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
|
|
domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
|
|
unconfined_domain(httpd_unconfined_script_t)
|
|
|
|
role system_r types httpd_unconfined_script_t;
|
|
allow httpd_t httpd_unconfined_script_t:process signal_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# User content local policy
|
|
#
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
|
allow httpd_user_script_t httpdcontent:file entrypoint;
|
|
')
|
|
|
|
# allow accessing files/dirs below the users home dir
|
|
tunable_policy(`httpd_enable_homedirs',`
|
|
userdom_search_user_home_dirs(httpd_t)
|
|
userdom_search_user_home_dirs(httpd_suexec_t)
|
|
userdom_search_user_home_dirs(httpd_user_script_t)
|
|
')
|