## <summary>Apache web server</summary>
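########################################
## <summary>
##	Create a set of derived types for apache
##	web content.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving type names.
##	</summary>
## </param>
#
template(`apache_user_content_template',`
	gen_require(`
		attribute httpd_exec_scripts, httpd_script_exec_type;
		type httpd_t, httpd_suexec_t;
		attribute httpd_script_type, httpd_user_content_type;
		# httpd_content_type is attached to $1_htaccess_t and
		# $1_ra_content_t below, so it must be required here for
		# callers outside the apache module.
		attribute httpd_content_type;
	')

	# Read-only web pages. Carries only httpd_user_content_type;
	# unlike $1_htaccess_t / $1_ra_content_t it does not get
	# httpd_content_type -- NOTE(review): confirm against apache.te
	# that this asymmetry is intended.
	type $1_content_t; # customizable;
	typeattribute $1_content_t httpd_user_content_type;
	typealias $1_content_t alias { httpd_$1_content_t httpd_$1_script_ro_t };
	files_type($1_content_t)

	# .htaccess files: carries both content attributes.
	type $1_htaccess_t, httpd_content_type; # customizable;
	typeattribute $1_htaccess_t httpd_user_content_type;
	typealias $1_htaccess_t alias {httpd_$1_htaccess_t };
	files_type($1_htaccess_t)

	# Domain the CGI scripts run in. Only system_r is authorized here;
	# user roles obtain it through apache_role().
	type $1_script_t, httpd_script_type;
	typealias $1_script_t alias { httpd_$1_script_t };
	domain_type($1_script_t)
	role system_r types $1_script_t;

	kernel_read_system_state($1_script_t)

	# Executable CGI script files; entry point into $1_script_t.
	type $1_script_exec_t, httpd_script_exec_type; # customizable;
	typeattribute $1_script_exec_t httpd_user_content_type;
	typealias $1_script_exec_t alias { httpd_$1_script_exec_t };
	domain_entry_file($1_script_t, $1_script_exec_t)

	# Read/write content: scripts get full management rights below.
	type $1_rw_content_t; # customizable
	typeattribute $1_rw_content_t httpd_user_content_type;
	typealias $1_rw_content_t alias { httpd_$1_rw_content_t $1_script_rw_t $1_content_rw_t };
	files_type($1_rw_content_t)

	# Read/append content: scripts may read, append and create, but
	# the rules below grant no write/unlink/rename on existing files.
	type $1_ra_content_t, httpd_content_type; # customizable
	typeattribute $1_ra_content_t httpd_user_content_type;
	typealias $1_ra_content_t alias { httpd_$1_ra_content_t $1_script_ra_t $1_content_ra_t };
	files_type($1_ra_content_t)

	# Allow the script process to search the cgi directory, and users directory
	allow $1_script_t $1_content_t:dir search_dir_perms;

	# Scripts may execute other files of their own exec type.
	can_exec($1_script_t, $1_script_exec_t)
	allow $1_script_t $1_script_exec_t:dir list_dir_perms;

	# ra content: list/add entries, read, append, create only.
	allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
	read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
	append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
	create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
	read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)

	# Plain content is read-only for scripts.
	allow $1_script_t $1_content_t:dir list_dir_perms;
	read_files_pattern($1_script_t, $1_content_t, $1_content_t)
	read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)

	# rw content: full management, including fifo/sock files and mmap.
	manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
	manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
	manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
	manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
	manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
	allow $1_script_t $1_rw_content_t:file map;

	# Talk back to the server over its inherited stream socket.
	# NOTE(review): apache_content_template also grants shutdown here;
	# confirm whether the omission is deliberate.
	allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write };

	# Allow the web server to run scripts and serve pages
	# httpd_t itself only gets write access to rw/ra content when
	# httpd_builtin_scripting is on; otherwise the server reaches these
	# types only through the script domain.
	tunable_policy(`httpd_builtin_scripting',`
		manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
		manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
		manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
		rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)

		allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
		read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
		append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
		create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
		read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
	')

	# Within this template the entrypoint and every transition into
	# $1_script_t are gated on httpd_enable_cgi.
	tunable_policy(`httpd_enable_cgi',`
		allow $1_script_t $1_script_exec_t:file entrypoint;

		domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)

		# privileged users run the script:
		domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)

		allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;

		# apache runs the script:
		domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
		allow httpd_t $1_script_t:unix_dgram_socket sendto;
	')
')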
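########################################
## <summary>
##	Create a set of derived types for apache
##	web content.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving type names.
##	</summary>
## </param>
#
template(`apache_content_template',`
	gen_require(`
		attribute httpd_exec_scripts, httpd_script_exec_type;
		type httpd_t, httpd_suexec_t;
		attribute httpd_script_type, httpd_content_type;
	')

	# Read-only web pages.
	type $1_content_t; # customizable;
	typeattribute $1_content_t httpd_content_type;
	typealias $1_content_t alias httpd_$1_script_ro_t;
	files_type($1_content_t)

	# .htaccess files; httpd_content_type is attached in the
	# declaration, so no separate typeattribute is needed.
	type $1_htaccess_t, httpd_content_type; # customizable;
	files_type($1_htaccess_t)

	# Domain the CGI scripts run in; authorized for system_r only.
	type $1_script_t, httpd_script_type;
	typealias $1_script_t alias { httpd_$1_script_t };
	domain_type($1_script_t)
	role system_r types $1_script_t;

	kernel_read_system_state($1_script_t)

	# Executable CGI script files; entry point into $1_script_t.
	type $1_script_exec_t, httpd_script_exec_type; # customizable;
	typeattribute $1_script_exec_t httpd_content_type;
	domain_entry_file($1_script_t, $1_script_exec_t)

	# Read/write content: scripts get full management rights below.
	type $1_rw_content_t; # customizable
	typeattribute $1_rw_content_t httpd_content_type;
	typealias $1_rw_content_t alias { $1_script_rw_t $1_content_rw_t };
	files_type($1_rw_content_t)

	# Read/append content; attribute attached in the declaration.
	type $1_ra_content_t, httpd_content_type; # customizable
	typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t };
	files_type($1_ra_content_t)

	# Allow the script process to search the cgi directory, and users directory
	allow $1_script_t $1_content_t:dir search_dir_perms;

	# Scripts may execute other files of their own exec type.
	can_exec($1_script_t, $1_script_exec_t)
	allow $1_script_t $1_script_exec_t:dir list_dir_perms;

	# ra content: list/add entries, read, append, create only --
	# no write/unlink/rename on existing files.
	allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
	read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
	append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
	create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
	read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)

	# Plain content is read-only for scripts.
	allow $1_script_t $1_content_t:dir list_dir_perms;
	read_files_pattern($1_script_t, $1_content_t, $1_content_t)
	read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)

	# rw content: full management including fifo/sock files.
	# NOTE(review): apache_user_content_template also grants file map
	# here; confirm whether the difference is intended.
	manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
	manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
	manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
	manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
	manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)

	# Talk back to the server over its inherited stream socket.
	allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write shutdown };

	# Allow the web server to run scripts and serve pages
	# httpd_t itself only gets write access to rw/ra content when
	# httpd_builtin_scripting is on.
	tunable_policy(`httpd_builtin_scripting',`
		manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
		manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
		manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
		rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)

		allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
		read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
		append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
		create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
		read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
	')

	# Within this template the entrypoint and every transition into
	# $1_script_t are gated on httpd_enable_cgi.
	tunable_policy(`httpd_enable_cgi',`
		allow $1_script_t $1_script_exec_t:file entrypoint;

		domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)

		# privileged users run the script:
		domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)

		allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;

		# apache runs the script:
		domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
		allow httpd_t $1_script_t:unix_dgram_socket sendto;
	')
')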
########################################
## <summary>
##	Create a set of derived types for apache
##	web content.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving new type names.
##	</summary>
## </param>
## <param name="oldprefix">
##	<summary>
##	The prefix to be used for deriving old type names.
##	</summary>
## </param>
#
template(`apache_content_alias_template',`
	# Backward-compatibility aliases only: maps the httpd_$2_* names
	# onto the $1_* types created by the content templates above.
	# No new types or rules are introduced.
	typealias $1_htaccess_t alias httpd_$2_htaccess_t;
	# The script domain alias is intentionally left out here
	# (httpd_$2_script_t is not provided by this template).
	#typealias $1_script_t alias httpd_$2_script_t;
	typealias $1_script_exec_t alias httpd_$2_script_exec_t;
	typealias $1_content_t alias httpd_$2_content_t;
	typealias $1_rw_content_t alias httpd_$2_script_rw_content_t;
	typealias $1_ra_content_t alias httpd_$2_script_ra_content_t;
')
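########################################
## <summary>
##	Role access for apache
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`apache_role',`
	gen_require(`
		attribute httpdcontent;
		type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
		type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
	')

	# Authorize the role for the user CGI script domain (the content
	# templates bind it to system_r only).
	role $1 types httpd_user_script_t;

	# The user domain fully owns its .htaccess files, including
	# relabeling to and from the type.
	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };

	# One manage + relabel group per user content type.
	manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
	manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
	manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
	relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
	relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
	relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)

	manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)

	manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)

	# The user domain can write and relabel CGI executables; since the
	# web server transitions into the script domain from this type,
	# this is effectively the user's ability to publish code that
	# Apache will run.
	manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)

	apache_exec_modules($2)
	apache_filetrans_home_content($2)

	tunable_policy(`httpd_enable_cgi',`
		# If a user starts a script by hand it gets the proper context
		domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
	')

	# With httpd_unified, any httpdcontent-typed file -- not just
	# httpd_user_script_exec_t -- becomes a transition point into the
	# script domain for the user.
	tunable_policy(`httpd_enable_cgi && httpd_unified',`
		domtrans_pattern($2, httpdcontent, httpd_user_script_t)
	')
')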
########################################
## <summary>
##	Read httpd user scripts executables.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_user_scripts',`
	gen_require(`
		type httpd_user_script_exec_t;
	')

	# Read-only: list directories and read files/symlinks of the user
	# CGI type. No execute permission is granted here.
	allow $1 httpd_user_script_exec_t:dir list_dir_perms;
	read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
	read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
')
########################################
## <summary>
##	Read user web content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_user_content',`
	gen_require(`
		type httpd_user_content_t;
	')

	# Read-only access to httpd_user_content_t dirs, files and symlinks.
	# Covers only the plain content type, not the rw/ra/script types.
	allow $1 httpd_user_content_t:dir list_dir_perms;
	read_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
	read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
')
########################################
## <summary>
##	Manage user web content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_manage_user_content',`
	gen_require(`
		type httpd_user_content_t;
	')

	# Create/read/write/delete dirs, files and symlinks of the plain
	# user content type. Unlike apache_role() this grants no relabel
	# permissions and does not cover the rw/ra/script types.
	allow $1 httpd_user_content_t:dir manage_dir_perms;
	manage_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
	manage_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
')
########################################
## <summary>
##	Transition to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`apache_domtrans',`
	gen_require(`
		type httpd_t, httpd_exec_t;
	')

	# Executing httpd_exec_t from $1 lands the process in httpd_t.
	# Searching bin dirs is needed to reach the binary by path.
	corecmd_search_bin($1)
	domtrans_pattern($1, httpd_exec_t, httpd_t)
')
######################################
## <summary>
##	Allow the specified domain to execute apache
##	in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_exec',`
	gen_require(`
		type httpd_exec_t;
	')

	# No domain transition: the httpd binary runs with $1's own
	# permissions and is not confined by the httpd_t policy.
	# Prefer apache_domtrans() unless in-domain execution is required.
	can_exec($1, httpd_exec_t)
')
######################################
## <summary>
##	Allow the specified domain to execute apache suexec
##	in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_exec_suexec',`
	gen_require(`
		type httpd_suexec_exec_t;
	')

	# No domain transition: suexec runs in $1's own domain rather than
	# httpd_suexec_t. NOTE(review): suexec is normally installed
	# setuid root -- verify the caller genuinely needs to stay in its
	# own domain when running it.
	can_exec($1, httpd_suexec_exec_t)
')
#######################################
## <summary>
##	Send a generic signal to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_signal',`
	gen_require(`
		type httpd_t;
	')

	# The generic signal class only; sigkill/sigstop/sigchld/signull
	# are separate permissions and are not granted here.
	allow $1 httpd_t:process signal;
')
########################################
## <summary>
##	Send a null signal to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_signull',`
	gen_require(`
		type httpd_t;
	')

	# signull is the existence/liveness probe (kill -0); it delivers
	# nothing to the target.
	allow $1 httpd_t:process signull;
')
########################################
## <summary>
##	Send a SIGCHLD signal to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_sigchld',`
	gen_require(`
		type httpd_t;
	')

	# Needed by child domains so their exit notification reaches httpd_t.
	allow $1 httpd_t:process sigchld;
')
########################################
## <summary>
##	Allow the domain to read apache state files in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_state',`
	gen_require(`
		type httpd_t;
	')

	# Search /proc and read the per-process entries of httpd_t
	# processes (what ps/top need).
	kernel_search_proc($1)
	ps_process_pattern($1, httpd_t)
')
########################################
## <summary>
##	Inherit and use file descriptors from Apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_use_fds',`
	gen_require(`
		type httpd_t;
	')

	# Permits use of descriptors opened by httpd_t and inherited across
	# exec; access to the underlying object is still checked separately.
	allow $1 httpd_t:fd use;
')
########################################
## <summary>
##	Do not audit attempts to read and write Apache
##	unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_fifo_file',`
	gen_require(`
		type httpd_t;
	')

	# Silences denials only; grants nothing.
	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
## <summary>
##	Allow attempts to read and write Apache
##	unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_rw_stream_sockets',`
	gen_require(`
		type httpd_t;
	')

	# Read/write on an httpd_t stream socket (e.g. one passed to a
	# child); no connectto, so $1 cannot open a new connection to it.
	allow $1 httpd_t:unix_stream_socket { getattr read write };
')
########################################
## <summary>
##	Do not audit attempts to read and write Apache
##	unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_stream_sockets',`
	gen_require(`
		type httpd_t;
	')

	# Same permission set as apache_rw_stream_sockets(), silenced
	# rather than granted.
	dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
')
########################################
## <summary>
##	Do not audit attempts to read and write Apache
##	TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_tcp_sockets',`
	gen_require(`
		type httpd_t;
	')

	# Typically hit by children that inherit the listening/connection
	# socket; silences the denial without granting access.
	dontaudit $1 httpd_t:tcp_socket { read write };
')
########################################
## <summary>
##	Create, read, write, and delete all web content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_manage_all_content',`
	gen_require(`
		attribute httpdcontent, httpd_script_exec_type;
	')

	# Everything carrying the httpdcontent attribute.
	manage_dirs_pattern($1, httpdcontent, httpdcontent)
	manage_files_pattern($1, httpdcontent, httpdcontent)
	manage_lnk_files_pattern($1, httpdcontent, httpdcontent)

	# Also every CGI executable type. Because httpd_t transitions into
	# the script domains from these files, a domain given this interface
	# can plant code that the web server will execute -- grant sparingly.
	manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
	manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
	manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
')
########################################
## <summary>
##	Allow domain to set the attributes
##	of the APACHE cache directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_setattr_cache_dirs',`
	gen_require(`
		type httpd_cache_t;
	')

	# setattr on the directory itself (mode/owner/timestamps);
	# no search or listing is granted here.
	allow $1 httpd_cache_t:dir setattr_dir_perms;
')
########################################
## <summary>
##	Allow the specified domain to list
##	Apache cache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_list_cache',`
	gen_require(`
		type httpd_cache_t;
	')

	# Directory listing only; file contents are not readable via this.
	list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
')
########################################
## <summary>
##	Allow the specified domain to read
##	and write Apache cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_rw_cache_files',`
	gen_require(`
		type httpd_cache_t;
	')

	# File-level read/write only; no dir search is granted, so the
	# caller presumably already holds (or is given elsewhere) access
	# to the cache directory -- confirm at the call site.
	allow $1 httpd_cache_t:file rw_file_perms;
')
########################################
## <summary>
##	Allow the specified domain to delete
##	Apache cache dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_delete_cache_dirs',`
	gen_require(`
		type httpd_cache_t;
	')

	# rmdir only; pair with apache_delete_cache_files() to empty them.
	delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
')
########################################
## <summary>
##	Allow the specified domain to delete
##	Apache cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_delete_cache_files',`
	gen_require(`
		type httpd_cache_t;
	')

	# unlink only; contents remain unreadable and unwritable.
	delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
')
########################################
## <summary>
##	Allow the specified domain to search
##	apache configuration dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_search_config',`
	gen_require(`
		type httpd_config_t;
	')

	# Path traversal only (search, not list or read).
	files_search_etc($1)
	allow $1 httpd_config_t:dir search_dir_perms;
')
########################################
## <summary>
##	Dontaudit the specified domain to search
##	apache configuration dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_search_config',`
	gen_require(`
		type httpd_config_t;
	')

	# Silences the search denial only; grants nothing.
	dontaudit $1 httpd_config_t:dir search_dir_perms;
')
########################################
## <summary>
##	Allow the specified domain to read
##	apache configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_read_config',`
	gen_require(`
		type httpd_config_t;
	')

	# Read-only: list config dirs, read config files and symlinks.
	# Config may hold credentials (e.g. proxy/auth settings), so treat
	# this as sensitive read access.
	files_search_etc($1)
	allow $1 httpd_config_t:dir list_dir_perms;
	read_files_pattern($1, httpd_config_t, httpd_config_t)
	read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
')
########################################
## <summary>
##	Allow the specified domain to manage
##	apache configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_manage_config',`
	gen_require(`
		type httpd_config_t;
	')

	# Write access to the server configuration is equivalent to
	# controlling the server (modules, document roots, CGI settings);
	# grant only to administrative domains.
	files_search_etc($1)
	manage_dirs_pattern($1, httpd_config_t, httpd_config_t)
	manage_files_pattern($1, httpd_config_t, httpd_config_t)
	# Symlinks are read-only here; creating/removing them is not granted.
	read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
')
########################################
## <summary>
##	Execute the Apache helper program with
##	a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_domtrans_helper',`
	gen_require(`
		type httpd_helper_t, httpd_helper_exec_t;
	')

	# Executing httpd_helper_exec_t from $1 lands in httpd_helper_t.
	# Does not authorize any role for httpd_helper_t; see
	# apache_run_helper() for that.
	corecmd_search_bin($1)
	domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t)
')
########################################
## <summary>
##	Execute the Apache helper program with
##	a domain transition, and allow the
##	specified role the Apache helper domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_run_helper',`
	gen_require(`
		type httpd_helper_t;
	')

	# Transition rules plus the role authorization the transition
	# needs when invoked from a user role.
	apache_domtrans_helper($1)
	role $2 types httpd_helper_t;
')
########################################
## <summary>
##	dontaudit attempts to read
##	apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_dontaudit_read_log',`
	gen_require(`
		type httpd_log_t;
	')

	# Silences read denials on log files and symlinks; grants nothing.
	# NOTE(review): <rolecap/> on a dontaudit-only interface is unusual
	# -- confirm it is meant to be exposed as a role capability.
	dontaudit $1 httpd_log_t:file read_file_perms;
	dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
##	Allow the specified domain to read
##	apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_read_log',`
	gen_require(`
		type httpd_log_t;
	')

	# Read-only: list the log dir, read log files and symlinks.
	# Access logs can contain client IPs, URLs and query strings;
	# treat as sensitive.
	logging_search_logs($1)
	allow $1 httpd_log_t:dir list_dir_perms;
	read_files_pattern($1, httpd_log_t, httpd_log_t)
	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
')
########################################
## <summary>
##	Allow the specified domain to append
##	to apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_append_log',`
	gen_require(`
		type httpd_log_t;
	')

	# Append-only: no read, write, truncate or unlink, so existing log
	# entries cannot be altered or removed through this interface.
	logging_search_logs($1)
	allow $1 httpd_log_t:dir list_dir_perms;
	append_files_pattern($1, httpd_log_t, httpd_log_t)
')
########################################
## <summary>
##	Allow the specified domain to create
##	apache's log directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`apache_create_log_dirs',`
	gen_require(`
		type httpd_log_t;
	')

	# Create and setattr on httpd_log_t directories only; no file
	# access and no delete.
	create_dirs_pattern($1, httpd_log_t, httpd_log_t)
	logging_search_logs($1)
	setattr_dirs_pattern($1, httpd_log_t, httpd_log_t)
')
#######################################
## <summary>
##	Allow the specified domain to write
##	to apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_write_log',`
	gen_require(`
		type httpd_log_t;
	')

	# Bare write only: no open, getattr or dir search, so this
	# presumably targets an already-open (inherited) log descriptor
	# rather than opening logs by path -- confirm at the call site.
	# Note this is write, not append: it permits overwriting.
	allow $1 httpd_log_t:file write;
')
########################################
## <summary>
##	Do not audit attempts to append to the
##	Apache logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_append_log',`
	gen_require(`
		type httpd_log_t;
	')

	# Silences the denial only; nothing is granted. Typically used for a
	# domain that inherits an httpd log descriptor and tries to append
	# through it — the append still fails, it just stops flooding the
	# audit log.
	dontaudit $1 httpd_log_t:file append_file_perms;
')
########################################
## <summary>
##	Allow the specified domain to manage
##	apache var lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_manage_lib',`
	gen_require(`
		type httpd_var_lib_t;
	')

	# Full create/read/write/delete on files and directories under the
	# httpd var lib tree. Symlinks are read-only here (compare
	# apache_manage_sys_content, which also manages lnk_files).
	manage_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
	manage_dirs_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
	read_lnk_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)

	# Path access to the var lib root.
	files_search_var_lib($1)
')
########################################
## <summary>
##	Allow the specified domain to manage
##	apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_manage_log',`
	gen_require(`
		type httpd_log_t;
	')

	# Full create/read/write/delete on log files and directories; this
	# includes truncating or removing existing logs, so reserve it for
	# log-management domains (compare the narrower apache_append_log).
	manage_files_pattern($1, httpd_log_t, httpd_log_t)
	manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)

	# Path access to the system log root.
	logging_search_logs($1)
')
########################################
## <summary>
##	Do not audit attempts to search Apache
##	module directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_search_modules',`
	gen_require(`
		type httpd_modules_t;
	')

	# Suppress the audit record only; the search is still denied.
	dontaudit $1 httpd_modules_t:dir search_dir_perms;
')
########################################
## <summary>
##	Allow the specified domain to read
##	the apache module directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_modules',`
	gen_require(`
		type httpd_modules_t;
	')

	# map is granted on top of plain read access, presumably because the
	# dynamic loader mmaps the module objects — TODO confirm against the
	# callers' denials before relying on this.
	allow $1 httpd_modules_t:file map;
	read_files_pattern($1, httpd_modules_t, httpd_modules_t)
')
########################################
## <summary>
##	Allow the specified domain to list
##	the contents of the apache modules
##	directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_list_modules',`
	gen_require(`
		type httpd_modules_t;
	')

	# With the same type in both positions, list_dirs_pattern yields
	# search + list on httpd_modules_t directories. Symlinks inside the
	# tree may be followed; regular files are not readable through this.
	list_dirs_pattern($1, httpd_modules_t, httpd_modules_t)
	read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
')
########################################
## <summary>
##	Allow the specified domain to execute
##	apache modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_exec_modules',`
	gen_require(`
		type httpd_modules_t;
	')

	# Execution happens in the caller's own domain (can_exec sets up no
	# transition), so module code runs with the caller's privileges.
	can_exec($1, httpd_modules_t)

	# Directory listing and symlink following needed to locate modules.
	read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
	list_dirs_pattern($1, httpd_modules_t, httpd_modules_t)
')
########################################
## <summary>
##	Execute a domain transition to run httpd_rotatelogs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`apache_domtrans_rotatelogs',`
	gen_require(`
		type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
	')

	# Executing a file labelled httpd_rotatelogs_exec_t moves the caller
	# into httpd_rotatelogs_t, so the log rotator runs confined rather
	# than with the caller's own privileges.
	domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
')
#######################################
## <summary>
##	Execute httpd_rotatelogs in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_exec_rotatelogs',`
	gen_require(`
		type httpd_rotatelogs_exec_t;
	')

	# No domain transition: rotatelogs runs with the caller's privileges.
	# Prefer apache_domtrans_rotatelogs when confinement is wanted.
	can_exec($1, httpd_rotatelogs_exec_t)
')
#######################################
## <summary>
##	Execute httpd system scripts in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_exec_sys_script',`
	gen_require(`
		type httpd_sys_script_exec_t;
	')

	# No domain transition: the script runs with the caller's full
	# privileges instead of in httpd_sys_script_t. Use
	# apache_domtrans_sys_script unless that is really what is wanted.
	can_exec($1, httpd_sys_script_exec_t)

	# Traverse the script directories to find the executable.
	allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
')
########################################
## <summary>
##	Allow the specified domain to list
##	apache system content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_list_sys_content',`
	gen_require(`
		type httpd_sys_content_t;
	')

	# Path access to /var, then directory listing and symlink following
	# on system content. Regular file contents are not readable here.
	files_search_var($1)
	read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
########################################
## <summary>
##	Allow the specified domain to manage
##	apache system content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
interface(`apache_manage_sys_content',`
	gen_require(`
		type httpd_sys_content_t;
	')

	# Full create/read/write/delete on system web content, including
	# symlinks. Only /var is searched here; the other locations named
	# above rely on the caller already having path access.
	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
	manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
	manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
	files_search_var($1)
')
######################################
## <summary>
##	Allow the specified domain to read
##	apache system content rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_read_sys_content_rw_files',`
	gen_require(`
		type httpd_sys_rw_content_t;
	')

	# Read files in rw content directories. Only httpd_sys_rw_content_t
	# directories are searched; parent directories labelled
	# httpd_sys_content_t are not (contrast
	# apache_read_inherited_sys_content_rw_files).
	read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
')
######################################
## <summary>
##	Allow the specified domain to read inherited
##	apache system content rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_read_inherited_sys_content_rw_files',`
	gen_require(`
		type httpd_sys_content_t, httpd_sys_rw_content_t;
	')

	# Read through a descriptor handed over by another domain; the
	# inherited perm set is the read-side subset without open, so the
	# caller presumably cannot open these files on its own — confirm.
	allow $1 httpd_sys_rw_content_t:file read_inherited_file_perms;

	# Parent content directories may still need to be traversed.
	search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
######################################
## <summary>
##	Allow the specified domain to list
##	apache system content rw dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_read_sys_content_rw_dirs',`
	gen_require(`
		type httpd_sys_rw_content_t;
	')

	# Directory search and listing only; file contents stay unreadable
	# (see apache_read_sys_content_rw_files for that).
	list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
')
######################################
## <summary>
##	Allow the specified domain to manage
##	apache system content rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_manage_sys_content_rw',`
	gen_require(`
		type httpd_sys_rw_content_t;
	')

	# Full create/read/write/delete on the writable web content tree,
	# including symlinks. Path access to /var is included.
	manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	files_search_var($1)
')
########################################
## <summary>
##	Allow the specified domain to delete
##	apache system content rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_delete_sys_content_rw',`
	gen_require(`
		type httpd_sys_rw_content_t;
	')

	# Delete-only access to every object class a web app may leave
	# behind: sockets, fifos, symlinks, files and directories.
	delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)

	# NOTE(review): this searches /tmp, whereas apache_manage_sys_content_rw
	# searches /var for the same type. Presumably intentional for cleanup
	# of rw content placed under /tmp — confirm against the callers.
	files_search_tmp($1)
')
########################################
## <summary>
##	Execute all web scripts in the system
##	script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
# cjp: this interface specifically added to allow
# sysadm_t to run scripts
interface(`apache_domtrans_sys_script',`
	gen_require(`
		attribute httpdcontent;
		type httpd_sys_script_t, httpd_sys_script_exec_t, httpd_sys_content_t;
	')

	# When httpd_unified is also enabled, every type carrying the
	# httpdcontent attribute becomes an entrypoint for httpd_sys_script_t,
	# not only httpd_sys_script_exec_t. That presumably includes writable
	# content types, so anything that can write web content can then get
	# code run as a system script; keep httpd_unified off unless needed.
	tunable_policy(`httpd_enable_cgi && httpd_unified',`
		domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
	')

	# Normal case: only files labelled httpd_sys_script_exec_t transition.
	tunable_policy(`httpd_enable_cgi',`
		domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
	')
')
########################################
## <summary>
##	Do not audit attempts to read and write Apache
##	system script unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
	gen_require(`
		type httpd_sys_script_t;
	')

	# Suppress the audit record only; the socket access is still denied.
	dontaudit $1 httpd_sys_script_t:unix_stream_socket { getattr read write };
')
########################################
## <summary>
##	Execute all user scripts in the user
##	script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`apache_domtrans_all_scripts',`
	gen_require(`
		attribute httpd_exec_scripts;
	')

	# Attribute-based: the actual transition rules are attached to
	# httpd_exec_scripts elsewhere, so tagging the domain is all that is
	# needed here.
	typeattribute $1 httpd_exec_scripts;
')
########################################
## <summary>
##	Execute all user scripts in the user
##	script domain. Add user script domains
##	to the specified role.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_run_all_scripts',`
	gen_require(`
		attribute httpd_exec_scripts, httpd_script_domains;
	')

	# Grant the transition itself, then authorise the role for every
	# script domain so the resulting processes are reachable from $2.
	apache_domtrans_all_scripts($1)
	role $2 types httpd_script_domains;
')
########################################
## <summary>
##	Allow the specified domain to read
##	apache squirrelmail data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_squirrelmail_data',`
	gen_require(`
		type httpd_squirrelmail_t;
	')

	# Search squirrelmail directories and read the files in them.
	read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
')
########################################
## <summary>
##	Allow the specified domain to append
##	to apache squirrelmail data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_append_squirrelmail_data',`
	gen_require(`
		type httpd_squirrelmail_t;
	')

	# Append-only on the files; no directory search is granted here.
	allow $1 httpd_squirrelmail_t:file append_file_perms;
')
########################################
## <summary>
##	Search apache system content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_search_sys_content',`
	gen_require(`
		type httpd_sys_content_t;
	')

	# Traversal only (search, not list): enough to reach objects inside
	# the content tree without exposing directory contents.
	search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
########################################
## <summary>
##	Read apache system content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_sys_content',`
	gen_require(`
		type httpd_sys_content_t;
	')

	# Read-only view of the static content tree: files, symlinks and
	# directory listings. No path access to /var is included.
	read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
	read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
########################################
## <summary>
##	Search apache system CGI directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_search_sys_scripts',`
	gen_require(`
		type httpd_sys_content_t, httpd_sys_script_exec_t;
	')

	# Traverse the content directories to reach the script directories;
	# no read or execute on the scripts themselves.
	search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
')
########################################
## <summary>
##	Create, read, write, and delete all user web content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_manage_all_user_content',`
	gen_require(`
		attribute httpd_user_content_type, httpd_user_script_exec_type;
	')

	# Attribute-wide: this covers every per-user content and script type
	# at once, including the executable script types, so the caller can
	# plant or alter user CGI scripts. Reserve for administrative roles.
	manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
	manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
	manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)

	manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
	manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
	manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
')
########################################
## <summary>
##	Search system script state directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_search_sys_script_state',`
	gen_require(`
		type httpd_sys_script_t;
	')

	# Traversal of directories labelled with the script domain type;
	# presumably the script processes' /proc entries — confirm.
	search_dirs_pattern($1, httpd_sys_script_t, httpd_sys_script_t)
')
########################################
## <summary>
##	Allow the specified domain to list
##	apache tmp directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_tmp_dirs',`
	gen_require(`
		type httpd_tmp_t;
	')

	# Directory listing only; see apache_read_tmp_files for file contents.
	list_dirs_pattern($1, httpd_tmp_t, httpd_tmp_t)
	files_search_tmp($1)
')
########################################
## <summary>
##	Allow the specified domain to read
##	apache tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_tmp_files',`
	gen_require(`
		type httpd_tmp_t;
	')

	# Read-only access to httpd's temporary files, with path access to
	# the tmp root.
	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
	files_search_tmp($1)
')
########################################
## <summary>
##	Allow the specified domain to read
##	apache tmp lnk files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_tmp_symlinks',`
	gen_require(`
		type httpd_tmp_t;
	')

	# Follow symlinks in httpd's tmp tree; the link targets still need
	# their own permissions.
	read_lnk_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
	files_search_tmp($1)
')
######################################
## <summary>
##	Do not audit attempts to read and write
##	apache tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_tmp_files',`
	gen_require(`
		type httpd_tmp_t;
	')

	# Suppress the audit record only; nothing is granted.
	dontaudit $1 httpd_tmp_t:file { read write };
')
########################################
## <summary>
##	Do not audit attempts to write
##	apache tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_write_tmp_files',`
	gen_require(`
		type httpd_tmp_t;
	')

	# Suppress the audit record only; the write is still denied.
	dontaudit $1 httpd_tmp_t:file write;
')
########################################
## <summary>
##	Execute CGI in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute CGI in the specified domain.
##	</p>
##	<p>
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain run the cgi script in.
##	</summary>
## </param>
## <param name="entrypoint">
##	<summary>
##	Type of the executable to enter the cgi domain.
##	</summary>
## </param>
#
interface(`apache_cgi_domain',`
	gen_require(`
		# httpd_sys_script_exec_t is not used directly below; presumably
		# kept for the nested apache_search_sys_scripts call — confirm
		# before dropping it.
		type httpd_t, httpd_sys_script_exec_t;
	')

	# httpd may signal the CGI domain, e.g. to tear down a request.
	allow httpd_t $1:process signal;

	# The CGI domain has to reach the script directories.
	apache_search_sys_scripts($1)

	# Automatic transition httpd_t -> $1 when httpd executes a $2 file.
	domtrans_pattern(httpd_t, $2, $1)
')
########################################
## <summary>
##	Execute systemctl in the caller domain to
##	manage the httpd service.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_systemctl',`
	gen_require(`
		type httpd_t, httpd_unit_file_t;
	')

	# Run systemctl without a transition and let it reload units.
	init_reload_services($1)
	systemd_exec_systemctl($1)

	# Read the httpd unit and start/stop/status it as a service.
	allow $1 httpd_unit_file_t:service manage_service_perms;
	allow $1 httpd_unit_file_t:file read_file_perms;

	# Inspect httpd processes (status output).
	ps_process_pattern($1, httpd_t)
')
########################################
## <summary>
##	All of the rules required to administrate an apache environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_admin',`
	gen_require(`
		attribute httpdcontent, httpd_script_exec_type;
		type httpd_t, httpd_config_t, httpd_log_t;
		type httpd_modules_t, httpd_lock_t, httpd_bool_t;
		type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
		type httpd_suexec_tmp_t, httpd_tmp_t;
		type httpd_unit_file_t;
	')

	# --- process control -------------------------------------------
	# Signal and inspect the server. ptrace is granted only while the
	# deny_ptrace boolean is off (the true branch is intentionally empty).
	ps_process_pattern($1, httpd_t)
	allow $1 httpd_t:process signal_perms;

	tunable_policy(`deny_ptrace',`',`
		allow $1 httpd_t:process ptrace;
	')

	# --- service control: sysv init script and systemd unit --------
	# Running the init script moves the admin into system_r, so the
	# role must be allowed that transition.
	domain_system_change_exemption($1)
	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
	allow $2 system_r;
	role_transition $2 httpd_initrc_exec_t system_r;

	apache_systemctl($1)
	allow $1 httpd_unit_file_t:service all_service_perms;
	admin_pattern($1, httpd_unit_file_t)

	# --- configuration, modules, logs ------------------------------
	admin_pattern($1, httpd_config_t)
	files_list_etc($1)

	admin_pattern($1, httpd_modules_t)

	admin_pattern($1, httpd_log_t)
	logging_list_logs($1)

	# --- runtime state: lock and pid files -------------------------
	files_lock_filetrans($1, httpd_lock_t, file)
	admin_pattern($1, httpd_lock_t)

	files_pid_filetrans($1, httpd_var_run_t, file)
	admin_pattern($1, httpd_var_run_t)

	# --- web content and scripts -----------------------------------
	# httpdcontent and httpd_script_exec_type are attributes, so this
	# reaches every content and script type, including executable ones.
	admin_pattern($1, httpd_script_exec_type)
	admin_pattern($1, httpdcontent)
	apache_manage_all_content($1)
	miscfiles_manage_public_files($1)
	apache_filetrans_named_content($1)

	# --- temporary files -------------------------------------------
	admin_pattern($1, httpd_suexec_tmp_t)
	admin_pattern($1, httpd_php_tmp_t)
	admin_pattern($1, httpd_tmp_t)
	files_list_tmp($1)

	# Relabelling via setfiles runs in its own domain.
	seutil_domtrans_setfiles($1)
')
########################################
## <summary>
##	Do not audit reads and writes of leaked httpd file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_leaks',`
	gen_require(`
		type httpd_t, httpd_tmp_t;
	')

	# Descriptors httpd may leave open across exec: sockets of each
	# family, inherited fifos, and open tmp files. Only audit noise is
	# suppressed; none of these accesses is granted.
	dontaudit $1 httpd_tmp_t:file { read write };
	dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
	dontaudit $1 httpd_t:unix_dgram_socket { read write };
	dontaudit $1 httpd_t:tcp_socket { read write };
	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
## <summary>
##	Transition to apache named content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_filetrans_named_content',`
	gen_require(`
		type httpd_sys_content_t, httpd_sys_rw_content_t;
		type httpd_tmp_t;
	')

	# Named file transitions: objects created with these exact names get
	# the web content label automatically instead of inheriting the
	# parent directory's type. Grouped by where they are created.

	# Per-user home directory content.
	apache_filetrans_home_content($1)

	# Under /usr.
	files_usr_filetrans($1, httpd_sys_content_t, dir, "z-push")
	files_usr_filetrans($1, httpd_sys_content_t, dir, "gallery2")

	# Under /etc: static content ...
	files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig")
	files_etc_filetrans($1, httpd_sys_content_t, dir, "WebCalendar")
	files_etc_filetrans($1, httpd_sys_content_t, dir, "web")
	files_etc_filetrans($1, httpd_sys_content_t, dir, "z-push")
	# ... and application state that must be writable by httpd.
	files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "nextcloud")
	files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud")
	files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde")

	# Writable subtrees created inside otherwise read-only content.
	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "upgrade")
	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "wp-content")
	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads")
	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty")
	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")

	# httpd's scratch directory in the user tmp tree.
	userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
')
########################################
## <summary>
##	Allow any httpd_exec_t to be an entrypoint of this domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_entrypoint',`
	gen_require(`
		type httpd_exec_t;
	')
	# entrypoint alone does not create a transition; it only marks
	# httpd_exec_t as an acceptable executable for entering $1. The
	# caller still needs matching execute/transition rules elsewhere.
	allow $1 httpd_exec_t:file entrypoint;
')
########################################
## <summary>
##	Execute a httpd_exec_t in the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
interface(`apache_exec_domtrans',`
	gen_require(`
		type httpd_exec_t;
	')

	# Lets the caller run the httpd binary in an arbitrary target domain
	# $2 rather than httpd_t; $2 must already have httpd_exec_t as an
	# entrypoint (see apache_entrypoint).
	domtrans_pattern($1, httpd_exec_t, $2)
')
########################################
## <summary>
##	Transition to apache home content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_filetrans_home_content',`
	gen_require(`
		type httpd_user_content_t, httpd_user_script_exec_t;
		type httpd_user_htaccess_t, httpd_user_content_ra_t;
	')

	# .htaccess files created inside user content or user CGI directories
	# get their own type so they can be policed separately from content.
	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")

	# Subdirectories of user content: per-user logs are append-only
	# ("ra") content, and cgi-bin becomes the executable script type.
	filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
	filetrans_pattern($1, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")

	# Top-level web directories created directly in a home directory.
	userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
	userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
	userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
')
########################################
## <summary>
##	Read apache pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_pid_files',`
	gen_require(`
		type httpd_var_run_t;
	')

	# Read-only access to httpd's runtime files, with path access to the
	# pid directory.
	read_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
	files_search_pids($1)
')
########################################
## <summary>
##	Manage apache pid objects.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_manage_pid_files',`
	gen_require(`
		type httpd_var_run_t;
	')

	# Full control of httpd's runtime directory: pid files, sockets and
	# directories. Symlinks are not covered.
	manage_sock_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
	manage_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
	manage_dirs_pattern($1, httpd_var_run_t, httpd_var_run_t)
	files_search_pids($1)
')
########################################
## <summary>
##	Send and receive messages from
##	httpd over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_dbus_chat',`
	gen_require(`
		type httpd_t;
		class dbus send_msg;
	')

	# Bidirectional: both ends may send. Note the rule also lets httpd
	# read the peer's process state (ps_process_pattern), not just chat.
	ps_process_pattern(httpd_t, $1)
	allow httpd_t $1:dbus send_msg;
	allow $1 httpd_t:dbus send_msg;
')
########################################
## <summary>
##	Delete the httpd tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_delete_tmp',`
	gen_require(`
		type httpd_tmp_t;
	')

	# unlink only: no directory search, and no delete on directories,
	# sockets or symlinks (compare apache_delete_sys_content_rw).
	allow $1 httpd_tmp_t:file unlink;
')
########################################
## <summary>
##	Allow httpd noatsecure
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_noatsecure',`
	gen_require(`
		type httpd_t;
	')

	# noatsecure disables the secure-exec (AT_SECURE) environment
	# sanitising when $1 transitions into httpd_t. Grant it only where
	# the caller is fully trusted, since it lets environment such as
	# loader variables survive the exec.
	allow $1 httpd_t:process noatsecure;
')
#######################################
## <summary>
##	Allow the specified domain to ioctl an
##	httpd unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_ioctl_stream_sockets',`
	gen_require(`
		type httpd_t;
	')

	# ioctl only; read/write on the socket must come from elsewhere.
	allow $1 httpd_t:unix_stream_socket ioctl;
')
#######################################
## <summary>
##	Allow the specified domain to read httpd semaphores
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_semaphores',`
	gen_require(`
		type httpd_t;
	')

	# Read-side SysV semaphore permissions only; the caller cannot
	# modify or destroy httpd's semaphores through this.
	allow $1 httpd_t:sem r_sem_perms;
')