1059 lines
27 KiB
Plaintext
1059 lines
27 KiB
Plaintext
## <summary>Apache web server</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create a set of derived types for apache
|
|
## web content.
|
|
## </summary>
|
|
## <param name="prefix">
|
|
## <summary>
|
|
## The prefix to be used for deriving type names.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`apache_content_template',`
|
|
gen_require(`
|
|
attribute httpdcontent;
|
|
attribute httpd_exec_scripts;
|
|
attribute httpd_script_exec_type;
|
|
type httpd_t, httpd_suexec_t, httpd_log_t;
|
|
')
|
|
# allow write access to public file transfer
|
|
# services files.
|
|
gen_tunable(allow_httpd_$1_script_anon_write,false)
|
|
|
|
#This type is for webpages
|
|
type httpd_$1_content_t, httpdcontent; # customizable
|
|
files_type(httpd_$1_content_t)
|
|
|
|
# This type is used for .htaccess files
|
|
type httpd_$1_htaccess_t; # customizable;
|
|
files_type(httpd_$1_htaccess_t)
|
|
|
|
# Type that CGI scripts run as
|
|
type httpd_$1_script_t;
|
|
domain_type(httpd_$1_script_t)
|
|
role system_r types httpd_$1_script_t;
|
|
|
|
# This type is used for executable scripts files
|
|
type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
|
|
corecmd_shell_entry_type(httpd_$1_script_t)
|
|
domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)
|
|
|
|
# The following three are the only areas that
|
|
# scripts can read, read/write, or append to
|
|
type httpd_$1_script_ro_t, httpdcontent; # customizable
|
|
files_type(httpd_$1_script_ro_t)
|
|
|
|
type httpd_$1_script_rw_t, httpdcontent; # customizable
|
|
files_type(httpd_$1_script_rw_t)
|
|
|
|
type httpd_$1_script_ra_t, httpdcontent; # customizable
|
|
files_type(httpd_$1_script_ra_t)
|
|
|
|
allow httpd_t httpd_$1_htaccess_t:file read_file_perms;
|
|
|
|
domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
|
|
|
allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;
|
|
|
|
allow httpd_$1_script_t self:fifo_file rw_file_perms;
|
|
allow httpd_$1_script_t self:unix_stream_socket connectto;
|
|
|
|
allow httpd_$1_script_t httpd_t:fifo_file write;
|
|
# apache should set close-on-exec
|
|
dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
|
|
|
|
# Allow the script process to search the cgi directory, and users directory
|
|
allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
|
|
|
|
append_files_pattern(httpd_$1_script_t,httpd_log_t,httpd_log_t)
|
|
logging_search_logs(httpd_$1_script_t)
|
|
|
|
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
|
|
allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms;
|
|
|
|
allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
|
|
read_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
|
|
append_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
|
|
read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
|
|
|
|
allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms;
|
|
read_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
|
|
read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
|
|
|
|
manage_dirs_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
|
|
manage_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
|
|
manage_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
|
|
manage_fifo_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
|
|
manage_sock_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
|
|
files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
|
|
|
|
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
|
|
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
|
|
|
|
dev_read_rand(httpd_$1_script_t)
|
|
dev_read_urand(httpd_$1_script_t)
|
|
|
|
corecmd_exec_all_executables(httpd_$1_script_t)
|
|
|
|
files_exec_etc_files(httpd_$1_script_t)
|
|
files_read_etc_files(httpd_$1_script_t)
|
|
files_search_home(httpd_$1_script_t)
|
|
|
|
libs_use_ld_so(httpd_$1_script_t)
|
|
libs_use_shared_libs(httpd_$1_script_t)
|
|
libs_exec_ld_so(httpd_$1_script_t)
|
|
libs_exec_lib_files(httpd_$1_script_t)
|
|
|
|
miscfiles_read_fonts(httpd_$1_script_t)
|
|
miscfiles_read_public_files(httpd_$1_script_t)
|
|
|
|
seutil_dontaudit_search_config(httpd_$1_script_t)
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
|
allow httpd_$1_script_t httpdcontent:file entrypoint;
|
|
|
|
manage_dirs_pattern(httpd_$1_script_t,httpdcontent,httpdcontent)
|
|
manage_files_pattern(httpd_$1_script_t,httpdcontent,httpdcontent)
|
|
manage_lnk_files_pattern(httpd_$1_script_t,httpdcontent,httpdcontent)
|
|
can_exec(httpd_$1_script_t, httpdcontent)
|
|
')
|
|
|
|
tunable_policy(`allow_httpd_$1_script_anon_write',`
|
|
miscfiles_manage_public_files(httpd_$1_script_t)
|
|
')
|
|
|
|
# Allow the web server to run scripts and serve pages
|
|
tunable_policy(`httpd_builtin_scripting',`
|
|
manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
|
|
manage_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
|
|
manage_lnk_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
|
|
rw_sock_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
|
|
|
|
allow httpd_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
|
|
read_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
|
|
append_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
|
|
read_lnk_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
|
|
|
|
allow httpd_t httpd_$1_script_ro_t:dir list_dir_perms;
|
|
read_files_pattern(httpd_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
|
|
read_lnk_files_pattern(httpd_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
|
|
|
|
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
|
|
read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
|
|
read_lnk_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi',`
|
|
allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
|
|
|
|
# privileged users run the script:
|
|
domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
|
|
|
|
# apache runs the script:
|
|
domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
|
|
|
allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
|
|
allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
|
|
|
|
allow httpd_$1_script_t self:process { setsched signal_perms };
|
|
allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
allow httpd_$1_script_t httpd_t:fd use;
|
|
allow httpd_$1_script_t httpd_t:process sigchld;
|
|
|
|
kernel_read_system_state(httpd_$1_script_t)
|
|
|
|
dev_read_urand(httpd_$1_script_t)
|
|
|
|
fs_getattr_xattr_fs(httpd_$1_script_t)
|
|
|
|
files_read_etc_runtime_files(httpd_$1_script_t)
|
|
files_read_usr_files(httpd_$1_script_t)
|
|
|
|
libs_read_lib_files(httpd_$1_script_t)
|
|
|
|
miscfiles_read_localization(httpd_$1_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
|
|
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
|
|
allow httpd_$1_script_t self:udp_socket create_socket_perms;
|
|
|
|
corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
|
|
corenet_all_recvfrom_netlabel(httpd_$1_script_t)
|
|
corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
|
|
corenet_udp_sendrecv_all_if(httpd_$1_script_t)
|
|
corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
|
|
corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
|
|
corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
|
|
corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
|
|
corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
|
|
corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
|
|
corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t)
|
|
corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t)
|
|
|
|
sysnet_read_config(httpd_$1_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
|
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
|
|
allow httpd_$1_script_t self:udp_socket create_socket_perms;
|
|
|
|
corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
|
|
corenet_all_recvfrom_netlabel(httpd_$1_script_t)
|
|
corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
|
|
corenet_udp_sendrecv_all_if(httpd_$1_script_t)
|
|
corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
|
|
corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
|
|
corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
|
|
corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
|
|
corenet_tcp_connect_all_ports(httpd_$1_script_t)
|
|
corenet_sendrecv_all_client_packets(httpd_$1_script_t)
|
|
|
|
sysnet_read_config(httpd_$1_script_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mta_send_mail(httpd_$1_script_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
|
|
nis_use_ypbind_uncond(httpd_$1_script_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(httpd_$1_script_t)
|
|
')
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## The per role template for the apache module.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## This template creates types used for web pages
|
|
## and web cgi to be used from the user home directory.
|
|
## </p>
|
|
## <p>
|
|
## This template is invoked automatically for each user, and
|
|
## generally does not need to be invoked directly
|
|
## by policy writers.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="userdomain_prefix">
|
|
## <summary>
|
|
## The prefix of the user domain (e.g., user
|
|
## is the prefix for user_t).
|
|
## </summary>
|
|
## </param>
|
|
## <param name="user_domain">
|
|
## <summary>
|
|
## The type of the user domain.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="user_role">
|
|
## <summary>
|
|
## The role associated with the user domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`apache_per_role_template', `
|
|
gen_require(`
|
|
attribute httpdcontent, httpd_script_domains;
|
|
attribute httpd_exec_scripts;
|
|
type httpd_t, httpd_suexec_t, httpd_log_t;
|
|
')
|
|
|
|
apache_content_template($1)
|
|
|
|
typeattribute httpd_$1_script_t httpd_script_domains;
|
|
userdom_user_home_content($1,httpd_$1_content_t)
|
|
|
|
role $3 types httpd_$1_script_t;
|
|
|
|
allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom };
|
|
|
|
allow $2 httpd_$1_htaccess_t:file { manage_file_perms relabelto relabelfrom };
|
|
|
|
manage_dirs_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
|
|
manage_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
|
|
manage_lnk_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
|
|
relabel_dirs_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
|
|
relabel_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
|
|
relabel_lnk_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
|
|
|
|
manage_dirs_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
|
|
manage_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
|
|
manage_lnk_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
|
|
relabel_dirs_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
|
|
relabel_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
|
|
relabel_lnk_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
|
|
|
|
manage_dirs_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
|
|
manage_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
|
|
manage_lnk_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
|
|
relabel_dirs_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
|
|
relabel_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
|
|
relabel_lnk_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
|
|
|
|
manage_dirs_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
|
|
manage_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
|
|
manage_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
|
|
relabel_dirs_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
|
|
relabel_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
|
|
relabel_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
|
|
|
|
tunable_policy(`httpd_enable_cgi',`
|
|
# If a user starts a script by hand it gets the proper context
|
|
domtrans_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
|
allow httpd_$1_script_t httpdcontent:file entrypoint;
|
|
|
|
domtrans_pattern($2, httpdcontent, httpd_$1_script_t)
|
|
')
|
|
|
|
# allow accessing files/dirs below the users home dir
|
|
tunable_policy(`httpd_enable_homedirs',`
|
|
userdom_search_user_home_dirs($1,httpd_t)
|
|
userdom_search_user_home_dirs($1,httpd_suexec_t)
|
|
userdom_search_user_home_dirs($1,httpd_$1_script_t)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read httpd user scripts executables.
|
|
## </summary>
|
|
## <param name="domain_prefix">
|
|
## <summary>
|
|
## Prefix of the domain. Example, user would be
|
|
## the prefix for the uder_t domain.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`apache_read_user_scripts',`
|
|
gen_require(`
|
|
type httpd_$1_script_exec_t;
|
|
')
|
|
|
|
allow $2 httpd_$1_script_exec_t:dir list_dir_perms;
|
|
read_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
|
|
read_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read user web content.
|
|
## </summary>
|
|
## <param name="domain_prefix">
|
|
## <summary>
|
|
## Prefix of the domain. Example, user would be
|
|
## the prefix for the uder_t domain.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`apache_read_user_content',`
|
|
gen_require(`
|
|
type httpd_$1_content_t;
|
|
')
|
|
|
|
allow $2 httpd_$1_content_t:dir list_dir_perms;
|
|
read_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t)
|
|
read_lnk_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Transition to apache.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_domtrans',`
|
|
gen_require(`
|
|
type httpd_t, httpd_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1,httpd_exec_t,httpd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send a null signal to apache.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_signull',`
|
|
gen_require(`
|
|
type httpd_t;
|
|
')
|
|
|
|
allow $1 httpd_t:process signull;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send a SIGCHLD signal to apache.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_sigchld',`
|
|
gen_require(`
|
|
type httpd_t;
|
|
')
|
|
|
|
allow $1 httpd_t:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Inherit and use file descriptors from Apache.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_use_fds',`
|
|
gen_require(`
|
|
type httpd_t;
|
|
')
|
|
|
|
allow $1 httpd_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read and write Apache
|
|
## unix domain stream sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_dontaudit_rw_stream_sockets',`
|
|
gen_require(`
|
|
type httpd_t;
|
|
')
|
|
|
|
dontaudit $1 httpd_t:unix_stream_socket { read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read and write Apache
|
|
## TCP sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_dontaudit_rw_tcp_sockets',`
|
|
gen_require(`
|
|
type httpd_t;
|
|
')
|
|
|
|
dontaudit $1 httpd_t:tcp_socket { read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete all web content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`apache_manage_all_content',`
|
|
gen_require(`
|
|
attribute httpdcontent, httpd_script_exec_type;
|
|
')
|
|
|
|
manage_dirs_pattern($1,httpdcontent,httpdcontent)
|
|
manage_files_pattern($1,httpdcontent,httpdcontent)
|
|
manage_lnk_files_pattern($1,httpdcontent,httpdcontent)
|
|
|
|
manage_dirs_pattern($1,httpd_script_exec_type,httpd_script_exec_type)
|
|
manage_files_pattern($1,httpd_script_exec_type,httpd_script_exec_type)
|
|
manage_lnk_files_pattern($1,httpd_script_exec_type,httpd_script_exec_type)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to read
|
|
## and write Apache cache files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_rw_cache_files',`
|
|
gen_require(`
|
|
type httpd_cache_t;
|
|
')
|
|
|
|
allow $1 httpd_cache_t:file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to read
|
|
## apache configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`apache_read_config',`
|
|
gen_require(`
|
|
type httpd_config_t;
|
|
')
|
|
|
|
files_search_etc($1)
|
|
allow $1 httpd_config_t:dir list_dir_perms;
|
|
read_files_pattern($1,httpd_config_t,httpd_config_t)
|
|
read_lnk_files_pattern($1,httpd_config_t,httpd_config_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to manage
|
|
## apache configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_manage_config',`
|
|
gen_require(`
|
|
type httpd_config_t;
|
|
')
|
|
|
|
files_search_etc($1)
|
|
manage_dirs_pattern($1,httpd_config_t,httpd_config_t)
|
|
manage_files_pattern($1,httpd_config_t,httpd_config_t)
|
|
read_lnk_files_pattern($1,httpd_config_t,httpd_config_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute the Apache helper program with
|
|
## a domain transition.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_domtrans_helper',`
|
|
gen_require(`
|
|
type httpd_helper_t, httpd_helper_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1,httpd_helper_exec_t,httpd_helper_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute the Apache helper program with
|
|
## a domain transition, and allow the
|
|
## specified role the dmidecode domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## The role to be allowed the dmidecode domain.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="terminal">
|
|
## <summary>
|
|
## The type of the terminal allow the dmidecode domain to use.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`apache_run_helper',`
|
|
gen_require(`
|
|
type httpd_helper_t;
|
|
')
|
|
|
|
apache_domtrans_helper($1)
|
|
role $2 types httpd_helper_t;
|
|
allow httpd_helper_t $3:chr_file rw_term_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to read
|
|
## apache log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`apache_read_log',`
|
|
gen_require(`
|
|
type httpd_log_t;
|
|
')
|
|
|
|
logging_search_logs($1)
|
|
allow $1 httpd_log_t:dir list_dir_perms;
|
|
read_files_pattern($1,httpd_log_t,httpd_log_t)
|
|
read_lnk_files_pattern($1,httpd_log_t,httpd_log_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to append
|
|
## to apache log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_append_log',`
|
|
gen_require(`
|
|
type httpd_log_t;
|
|
')
|
|
|
|
logging_search_logs($1)
|
|
allow $1 httpd_log_t:dir list_dir_perms;
|
|
append_files_pattern($1,httpd_log_t,httpd_log_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to append to the
|
|
## Apache logs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_dontaudit_append_log',`
|
|
gen_require(`
|
|
type httpd_log_t;
|
|
')
|
|
|
|
dontaudit $1 httpd_log_t:file { getattr append };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to manage
|
|
## to apache log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_manage_log',`
|
|
gen_require(`
|
|
type httpd_log_t;
|
|
')
|
|
|
|
logging_search_logs($1)
|
|
manage_dirs_pattern($1,httpd_log_t,httpd_log_t)
|
|
manage_files_pattern($1,httpd_log_t,httpd_log_t)
|
|
read_lnk_files_pattern($1,httpd_log_t,httpd_log_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to search Apache
|
|
## module directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_dontaudit_search_modules',`
|
|
gen_require(`
|
|
type httpd_modules_t;
|
|
')
|
|
|
|
dontaudit $1 httpd_modules_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to list
|
|
## the contents of the apache modules
|
|
## directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_list_modules',`
|
|
gen_require(`
|
|
type httpd_modules_t;
|
|
')
|
|
|
|
allow $1 httpd_modules_t:dir list_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to execute
|
|
## apache modules.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_exec_modules',`
|
|
gen_require(`
|
|
type httpd_modules_t;
|
|
')
|
|
|
|
allow $1 httpd_modules_t:dir list_dir_perms;
|
|
allow $1 httpd_modules_t:lnk_file read_file_perms;
|
|
can_exec($1,httpd_modules_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a domain transition to run httpd_rotatelogs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_domtrans_rotatelogs',`
|
|
gen_require(`
|
|
type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
|
|
')
|
|
|
|
domtrans_pattern($1,httpd_rotatelogs_exec_t,httpd_rotatelogs_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to manage
|
|
## apache system content files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
|
|
interface(`apache_manage_sys_content',`
|
|
gen_require(`
|
|
type httpd_sys_content_t;
|
|
')
|
|
|
|
files_search_var($1)
|
|
manage_dirs_pattern($1,httpd_sys_content_t,httpd_sys_content_t)
|
|
manage_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t)
|
|
manage_lnk_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute all web scripts in the system
|
|
## script domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
# cjp: this interface specifically added to allow
|
|
# sysadm_t to run scripts
|
|
interface(`apache_domtrans_sys_script',`
|
|
gen_require(`
|
|
attribute httpdcontent;
|
|
type httpd_sys_script_t;
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
|
domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read and write Apache
|
|
## system script unix domain stream sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
|
|
gen_require(`
|
|
type httpd_sys_script_t;
|
|
')
|
|
|
|
dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute all user scripts in the user
|
|
## script domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_domtrans_all_scripts',`
|
|
gen_require(`
|
|
attribute httpd_exec_scripts;
|
|
')
|
|
|
|
typeattribute $1 httpd_exec_scripts;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute all user scripts in the user
|
|
## script domain. Add user script domains
|
|
## to the specified role.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## The role to be allowed the script domains.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
# cjp: this is missing the terminal since scripts
|
|
# do not output to the terminal
|
|
interface(`apache_run_all_scripts',`
|
|
gen_require(`
|
|
attribute httpd_exec_scripts, httpd_script_domains;
|
|
')
|
|
|
|
role $2 types httpd_script_domains;
|
|
apache_domtrans_all_scripts($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to read
|
|
## apache squirrelmail data.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_read_squirrelmail_data',`
|
|
gen_require(`
|
|
type httpd_squirrelmail_t;
|
|
')
|
|
|
|
allow $1 httpd_squirrelmail_t:file { getattr read };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to append
|
|
## apache squirrelmail data.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_append_squirrelmail_data',`
|
|
gen_require(`
|
|
type httpd_squirrelmail_t;
|
|
')
|
|
|
|
allow $1 httpd_squirrelmail_t:file { getattr append };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search apache system content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_search_sys_content',`
|
|
gen_require(`
|
|
type httpd_sys_content_t;
|
|
')
|
|
|
|
allow $1 httpd_sys_content_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read apache system content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_read_sys_content',`
|
|
gen_require(`
|
|
type httpd_sys_content_t;
|
|
')
|
|
|
|
allow $1 httpd_sys_content_t:dir list_dir_perms;
|
|
read_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t)
|
|
read_lnk_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search apache system CGI directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_search_sys_scripts',`
|
|
gen_require(`
|
|
type httpd_sys_content_t, httpd_sys_script_exec_t;
|
|
')
|
|
|
|
search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search system script state directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_search_sys_script_state',`
|
|
gen_require(`
|
|
type httpd_sys_script_t;
|
|
')
|
|
|
|
allow $1 httpd_sys_script_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute CGI in the specified domain.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Execute CGI in the specified domain.
|
|
## </p>
|
|
## <p>
|
|
## This is an interface to support third party modules
|
|
## and its use is not allowed in upstream reference
|
|
## policy.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain run the cgi script in.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="entrypoint">
|
|
## <summary>
|
|
## Type of the executable to enter the cgi domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_cgi_domain',`
|
|
gen_require(`
|
|
type httpd_t, httpd_sys_script_exec_t;
|
|
')
|
|
|
|
domtrans_pattern(httpd_t, $2, $1)
|
|
apache_search_sys_scripts($1)
|
|
|
|
allow httpd_t $1:process signal;
|
|
')
|