## Apache web server ######################################## ## ## Create a set of derived types for apache ## web content. ## ## ## ## The prefix to be used for deriving type names. ## ## # template(`apache_user_content_template',` gen_require(` attribute httpd_exec_scripts, httpd_script_exec_type; type httpd_t, httpd_suexec_t; attribute httpd_script_type, httpd_user_content_type; ') #This type is for webpages type $1_content_t; # customizable; typeattribute $1_content_t httpd_user_content_type; typealias $1_content_t alias { httpd_$1_content_t httpd_$1_script_ro_t }; files_type($1_content_t) # This type is used for .htaccess files type $1_htaccess_t, httpd_content_type; # customizable; typeattribute $1_htaccess_t httpd_user_content_type; typealias $1_htaccess_t alias {httpd_$1_htaccess_t }; files_type($1_htaccess_t) # Type that CGI scripts run as type $1_script_t, httpd_script_type; typealias $1_script_t alias { httpd_$1_script_t }; domain_type($1_script_t) role system_r types $1_script_t; kernel_read_system_state($1_script_t) # This type is used for executable scripts files type $1_script_exec_t, httpd_script_exec_type; # customizable; typeattribute $1_script_exec_t httpd_user_content_type; typealias $1_script_exec_t alias { httpd_$1_script_exec_t }; domain_entry_file($1_script_t, $1_script_exec_t) type $1_rw_content_t; # customizable typeattribute $1_rw_content_t httpd_user_content_type; typealias $1_rw_content_t alias { httpd_$1_rw_content_t $1_script_rw_t $1_content_rw_t }; files_type($1_rw_content_t) type $1_ra_content_t, httpd_content_type; # customizable typeattribute $1_ra_content_t httpd_user_content_type; typealias $1_ra_content_t alias { httpd_$1_ra_content_t $1_script_ra_t $1_content_ra_t }; files_type($1_ra_content_t) # Allow the script process to search the cgi directory, and users directory allow $1_script_t $1_content_t:dir search_dir_perms; can_exec($1_script_t, $1_script_exec_t) allow $1_script_t $1_script_exec_t:dir list_dir_perms; allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) allow $1_script_t $1_content_t:dir list_dir_perms; read_files_pattern($1_script_t, $1_content_t, $1_content_t) read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t) manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) allow $1_script_t $1_rw_content_t:file map; allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write }; # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms }; read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) ') tunable_policy(`httpd_enable_cgi',` allow $1_script_t $1_script_exec_t:file entrypoint; domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t) # privileged users run the script: domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t) allow httpd_exec_scripts $1_script_exec_t:file read_file_perms; # apache runs the script: domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t) allow httpd_t $1_script_t:unix_dgram_socket sendto; ') ') ######################################## ## ## Create a set of derived types for apache ## web content. ## ## ## ## The prefix to be used for deriving type names. ## ## # template(`apache_content_template',` gen_require(` attribute httpd_exec_scripts, httpd_script_exec_type; type httpd_t, httpd_suexec_t; attribute httpd_script_type, httpd_content_type; ') #This type is for webpages type $1_content_t; # customizable; typeattribute $1_content_t httpd_content_type; typealias $1_content_t alias httpd_$1_script_ro_t; files_type($1_content_t) # This type is used for .htaccess files type $1_htaccess_t, httpd_content_type; # customizable; typeattribute $1_htaccess_t httpd_content_type; files_type($1_htaccess_t) # Type that CGI scripts run as type $1_script_t, httpd_script_type; typealias $1_script_t alias { httpd_$1_script_t }; domain_type($1_script_t) role system_r types $1_script_t; kernel_read_system_state($1_script_t) # This type is used for executable scripts files type $1_script_exec_t, httpd_script_exec_type; # customizable; typeattribute $1_script_exec_t httpd_content_type; domain_entry_file($1_script_t, $1_script_exec_t) type $1_rw_content_t; # customizable typeattribute $1_rw_content_t httpd_content_type; typealias $1_rw_content_t alias { $1_script_rw_t $1_content_rw_t }; files_type($1_rw_content_t) type $1_ra_content_t, httpd_content_type; # customizable typeattribute $1_ra_content_t httpd_content_type; typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t }; files_type($1_ra_content_t) # Allow the script process to search the cgi directory, and users directory allow $1_script_t $1_content_t:dir search_dir_perms; can_exec($1_script_t, $1_script_exec_t) allow $1_script_t $1_script_exec_t:dir list_dir_perms; allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) allow $1_script_t $1_content_t:dir list_dir_perms; read_files_pattern($1_script_t, $1_content_t, $1_content_t) read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t) manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write shutdown }; # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms }; read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) ') tunable_policy(`httpd_enable_cgi',` allow $1_script_t $1_script_exec_t:file entrypoint; domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t) # privileged users run the script: domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t) allow httpd_exec_scripts $1_script_exec_t:file read_file_perms; # apache runs the script: domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t) allow httpd_t $1_script_t:unix_dgram_socket sendto; ') ') ######################################## ## ## Create a set of derived types for apache ## web content. ## ## ## ## The prefix to be used for deriving new type names. ## ## ## ## ## The prefix to be used for deriving old type names. ## ## # template(`apache_content_alias_template',` typealias $1_htaccess_t alias httpd_$2_htaccess_t; #typealias $1_script_t alias httpd_$2_script_t; typealias $1_script_exec_t alias httpd_$2_script_exec_t; typealias $1_content_t alias httpd_$2_content_t; typealias $1_rw_content_t alias httpd_$2_script_rw_content_t; typealias $1_ra_content_t alias httpd_$2_script_ra_content_t; ') ######################################## ## ## Role access for apache ## ## ## ## Role allowed access ## ## ## ## ## User domain for the role ## ## # interface(`apache_role',` gen_require(` attribute httpdcontent; type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t; type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t; ') role $1 types httpd_user_script_t; allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom }; manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t) manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t) relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t) manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t) relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) apache_exec_modules($2) apache_filetrans_home_content($2) tunable_policy(`httpd_enable_cgi',` # If a user starts a script by hand it gets the proper context domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) ') tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern($2, httpdcontent, httpd_user_script_t) ') ') ######################################## ## ## Read httpd user scripts executables. ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_user_scripts',` gen_require(` type httpd_user_script_exec_t; ') allow $1 httpd_user_script_exec_t:dir list_dir_perms; read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) ') ######################################## ## ## Read user web content. ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_user_content',` gen_require(` type httpd_user_content_t; ') allow $1 httpd_user_content_t:dir list_dir_perms; read_files_pattern($1, httpd_user_content_t, httpd_user_content_t) read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t) ') ######################################## ## ## Manage user web content. ## ## ## ## Domain allowed access. ## ## # interface(`apache_manage_user_content',` gen_require(` type httpd_user_content_t; ') allow $1 httpd_user_content_t:dir manage_dir_perms; manage_files_pattern($1, httpd_user_content_t, httpd_user_content_t) manage_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t) ') ######################################## ## ## Transition to apache. ## ## ## ## Domain allowed to transition. ## ## # interface(`apache_domtrans',` gen_require(` type httpd_t, httpd_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, httpd_exec_t, httpd_t) ') ###################################### ## ## Allow the specified domain to execute apache ## in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`apache_exec',` gen_require(` type httpd_exec_t; ') can_exec($1, httpd_exec_t) ') ###################################### ## ## Allow the specified domain to execute apache suexec ## in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`apache_exec_suexec',` gen_require(` type httpd_suexec_exec_t; ') can_exec($1, httpd_suexec_exec_t) ') ####################################### ## ## Send a generic signal to apache. ## ## ## ## Domain allowed access. ## ## # interface(`apache_signal',` gen_require(` type httpd_t; ') allow $1 httpd_t:process signal; ') ######################################## ## ## Send a null signal to apache. ## ## ## ## Domain allowed access. ## ## # interface(`apache_signull',` gen_require(` type httpd_t; ') allow $1 httpd_t:process signull; ') ######################################## ## ## Send a SIGCHLD signal to apache. ## ## ## ## Domain allowed access. ## ## # interface(`apache_sigchld',` gen_require(` type httpd_t; ') allow $1 httpd_t:process sigchld; ') ######################################## ## ## Allow the domain to read apache state files in /proc. ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_state',` gen_require(` type httpd_t; ') kernel_search_proc($1) ps_process_pattern($1, httpd_t) ') ######################################## ## ## Inherit and use file descriptors from Apache. ## ## ## ## Domain allowed access. ## ## # interface(`apache_use_fds',` gen_require(` type httpd_t; ') allow $1 httpd_t:fd use; ') ######################################## ## ## Do not audit attempts to read and write Apache ## unnamed pipes. ## ## ## ## Domain to not audit. ## ## # interface(`apache_dontaudit_rw_fifo_file',` gen_require(` type httpd_t; ') dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## ## ## Allow attempts to read and write Apache ## unix domain stream sockets. ## ## ## ## Domain to not audit. ## ## # interface(`apache_rw_stream_sockets',` gen_require(` type httpd_t; ') allow $1 httpd_t:unix_stream_socket { getattr read write }; ') ######################################## ## ## Do not audit attempts to read and write Apache ## unix domain stream sockets. ## ## ## ## Domain to not audit. ## ## # interface(`apache_dontaudit_rw_stream_sockets',` gen_require(` type httpd_t; ') dontaudit $1 httpd_t:unix_stream_socket { getattr read write }; ') ######################################## ## ## Do not audit attempts to read and write Apache ## TCP sockets. ## ## ## ## Domain to not audit. ## ## # interface(`apache_dontaudit_rw_tcp_sockets',` gen_require(` type httpd_t; ') dontaudit $1 httpd_t:tcp_socket { read write }; ') ######################################## ## ## Create, read, write, and delete all web content. ## ## ## ## Domain allowed access. ## ## ## # interface(`apache_manage_all_content',` gen_require(` attribute httpdcontent, httpd_script_exec_type; ') manage_dirs_pattern($1, httpdcontent, httpdcontent) manage_files_pattern($1, httpdcontent, httpdcontent) manage_lnk_files_pattern($1, httpdcontent, httpdcontent) manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type) manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) ') ######################################## ## ## Allow domain to set the attributes ## of the APACHE cache directory. ## ## ## ## Domain allowed access. ## ## # interface(`apache_setattr_cache_dirs',` gen_require(` type httpd_cache_t; ') allow $1 httpd_cache_t:dir setattr_dir_perms; ') ######################################## ## ## Allow the specified domain to list ## Apache cache. ## ## ## ## Domain allowed access. ## ## # interface(`apache_list_cache',` gen_require(` type httpd_cache_t; ') list_dirs_pattern($1, httpd_cache_t, httpd_cache_t) ') ######################################## ## ## Allow the specified domain to read ## and write Apache cache files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_rw_cache_files',` gen_require(` type httpd_cache_t; ') allow $1 httpd_cache_t:file rw_file_perms; ') ######################################## ## ## Allow the specified domain to delete ## Apache cache dirs. ## ## ## ## Domain allowed access. ## ## # interface(`apache_delete_cache_dirs',` gen_require(` type httpd_cache_t; ') delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t) ') ######################################## ## ## Allow the specified domain to delete ## Apache cache. ## ## ## ## Domain allowed access. ## ## # interface(`apache_delete_cache_files',` gen_require(` type httpd_cache_t; ') delete_files_pattern($1, httpd_cache_t, httpd_cache_t) ') ######################################## ## ## Allow the specified domain to search ## apache configuration dirs. ## ## ## ## Domain allowed access. ## ## # interface(`apache_search_config',` gen_require(` type httpd_config_t; ') files_search_etc($1) allow $1 httpd_config_t:dir search_dir_perms; ') ######################################## ## ## Allow the specified domain to read ## apache configuration files. ## ## ## ## Domain allowed access. ## ## ## # interface(`apache_read_config',` gen_require(` type httpd_config_t; ') files_search_etc($1) allow $1 httpd_config_t:dir list_dir_perms; read_files_pattern($1, httpd_config_t, httpd_config_t) read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) ') ######################################## ## ## Allow the specified domain to manage ## apache configuration files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_manage_config',` gen_require(` type httpd_config_t; ') files_search_etc($1) manage_dirs_pattern($1, httpd_config_t, httpd_config_t) manage_files_pattern($1, httpd_config_t, httpd_config_t) read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) ') ######################################## ## ## Execute the Apache helper program with ## a domain transition. ## ## ## ## Domain allowed access. ## ## # interface(`apache_domtrans_helper',` gen_require(` type httpd_helper_t, httpd_helper_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t) ') ######################################## ## ## Execute the Apache helper program with ## a domain transition, and allow the ## specified role the Apache helper domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`apache_run_helper',` gen_require(` type httpd_helper_t; ') apache_domtrans_helper($1) role $2 types httpd_helper_t; ') ######################################## ## ## dontaudit attempts to read ## apache log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`apache_dontaudit_read_log',` gen_require(` type httpd_log_t; ') dontaudit $1 httpd_log_t:file read_file_perms; dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms; ') ######################################## ## ## Allow the specified domain to read ## apache log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`apache_read_log',` gen_require(` type httpd_log_t; ') logging_search_logs($1) allow $1 httpd_log_t:dir list_dir_perms; read_files_pattern($1, httpd_log_t, httpd_log_t) read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) ') ######################################## ## ## Allow the specified domain to append ## to apache log files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_append_log',` gen_require(` type httpd_log_t; ') logging_search_logs($1) allow $1 httpd_log_t:dir list_dir_perms; append_files_pattern($1, httpd_log_t, httpd_log_t) ') ######################################## ## ## Allow the specified domain to create # apache's log directories. ## ## ## ## Domain allowed access ## ## # interface(`apache_create_log_dirs',` gen_require(` type httpd_log_t; ') create_dirs_pattern($1, httpd_log_t, httpd_log_t) logging_search_logs($1) setattr_dirs_pattern($1, httpd_log_t, httpd_log_t) ') ####################################### ## ## Allow the specified domain to write ## to apache log files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_write_log',` gen_require(` type httpd_log_t; ') allow $1 httpd_log_t:file write; ') ######################################## ## ## Do not audit attempts to append to the ## Apache logs. ## ## ## ## Domain to not audit. ## ## # interface(`apache_dontaudit_append_log',` gen_require(` type httpd_log_t; ') dontaudit $1 httpd_log_t:file append_file_perms; ') ######################################## ## ## Allow the specified domain to manage ## to apache var lib files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_manage_lib',` gen_require(` type httpd_var_lib_t; ') files_search_var_lib($1) manage_dirs_pattern($1, httpd_var_lib_t, httpd_var_lib_t) manage_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t) read_lnk_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t) ') ######################################## ## ## Allow the specified domain to manage ## to apache log files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_manage_log',` gen_require(` type httpd_log_t; ') logging_search_logs($1) manage_dirs_pattern($1, httpd_log_t, httpd_log_t) manage_files_pattern($1, httpd_log_t, httpd_log_t) read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) ') ######################################## ## ## Do not audit attempts to search Apache ## module directories. ## ## ## ## Domain to not audit. ## ## # interface(`apache_dontaudit_search_modules',` gen_require(` type httpd_modules_t; ') dontaudit $1 httpd_modules_t:dir search_dir_perms; ') ######################################## ## ## Allow the specified domain to read ## the apache module directories. ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_modules',` gen_require(` type httpd_modules_t; ') read_files_pattern($1, httpd_modules_t, httpd_modules_t) allow $1 httpd_modules_t:file map; ') ######################################## ## ## Allow the specified domain to list ## the contents of the apache modules ## directory. ## ## ## ## Domain allowed access. ## ## # interface(`apache_list_modules',` gen_require(` type httpd_modules_t; ') allow $1 httpd_modules_t:dir list_dir_perms; read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t) ') ######################################## ## ## Allow the specified domain to execute ## apache modules. ## ## ## ## Domain allowed access. ## ## # interface(`apache_exec_modules',` gen_require(` type httpd_modules_t; ') allow $1 httpd_modules_t:dir list_dir_perms; allow $1 httpd_modules_t:lnk_file read_lnk_file_perms; can_exec($1, httpd_modules_t) ') ######################################## ## ## Execute a domain transition to run httpd_rotatelogs. ## ## ## ## Domain allowed to transition. ## ## # interface(`apache_domtrans_rotatelogs',` gen_require(` type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; ') domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) ') ####################################### ## ## Execute httpd_rotatelogs in the caller domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`apache_exec_rotatelogs',` gen_require(` type httpd_rotatelogs_exec_t; ') can_exec($1, httpd_rotatelogs_exec_t) ') ####################################### ## ## Execute httpd system scripts in the caller domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`apache_exec_sys_script',` gen_require(` type httpd_sys_script_exec_t; ') allow $1 httpd_sys_script_exec_t:dir search_dir_perms; can_exec($1, httpd_sys_script_exec_t) ') ######################################## ## ## Allow the specified domain to list ## apache system content files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_list_sys_content',` gen_require(` type httpd_sys_content_t; ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) files_search_var($1) ') ######################################## ## ## Allow the specified domain to manage ## apache system content files. ## ## ## ## Domain allowed access. ## ## ## # # Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr interface(`apache_manage_sys_content',` gen_require(` type httpd_sys_content_t; ') files_search_var($1) manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') ###################################### ## ## Allow the specified domain to read ## apache system content rw files. ## ## ## ## Domain allowed access. ## ## ## # interface(`apache_read_sys_content_rw_files',` gen_require(` type httpd_sys_rw_content_t; ') read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ') ###################################### ## ## Allow the specified domain to read inherited ## apache system content rw files. ## ## ## ## Domain allowed access. ## ## ## # interface(`apache_read_inherited_sys_content_rw_files',` gen_require(` type httpd_sys_content_t; type httpd_sys_rw_content_t; ') allow $1 httpd_sys_content_t:dir search_dir_perms; allow $1 httpd_sys_rw_content_t:file read_inherited_file_perms; ') ###################################### ## ## Allow the specified domain to read ## apache system content rw dirs. ## ## ## ## Domain allowed access. ## ## ## # interface(`apache_read_sys_content_rw_dirs',` gen_require(` type httpd_sys_rw_content_t; ') list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ') ###################################### ## ## Allow the specified domain to manage ## apache system content rw files. ## ## ## ## Domain allowed access. ## ## ## # interface(`apache_manage_sys_content_rw',` gen_require(` type httpd_sys_rw_content_t; ') files_search_var($1) manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ') ######################################## ## ## Allow the specified domain to delete ## apache system content rw files. ## ## ## ## Domain allowed access. ## ## ## # interface(`apache_delete_sys_content_rw',` gen_require(` type httpd_sys_rw_content_t; ') files_search_tmp($1) delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ') ######################################## ## ## Execute all web scripts in the system ## script domain. ## ## ## ## Domain allowed to transition. ## ## # # cjp: this interface specifically added to allow # sysadm_t to run scripts interface(`apache_domtrans_sys_script',` gen_require(` attribute httpdcontent; type httpd_sys_script_exec_t; type httpd_sys_script_t, httpd_sys_content_t; ') tunable_policy(`httpd_enable_cgi',` domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t) ') tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern($1, httpdcontent, httpd_sys_script_t) ') ') ######################################## ## ## Do not audit attempts to read and write Apache ## system script unix domain stream sockets. ## ## ## ## Domain to not audit. ## ## # interface(`apache_dontaudit_rw_sys_script_stream_sockets',` gen_require(` type httpd_sys_script_t; ') dontaudit $1 httpd_sys_script_t:unix_stream_socket { getattr read write }; ') ######################################## ## ## Execute all user scripts in the user ## script domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`apache_domtrans_all_scripts',` gen_require(` attribute httpd_exec_scripts; ') typeattribute $1 httpd_exec_scripts; ') ######################################## ## ## Execute all user scripts in the user ## script domain. Add user script domains ## to the specified role. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`apache_run_all_scripts',` gen_require(` attribute httpd_exec_scripts, httpd_script_domains; ') role $2 types httpd_script_domains; apache_domtrans_all_scripts($1) ') ######################################## ## ## Allow the specified domain to read ## apache squirrelmail data. ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_squirrelmail_data',` gen_require(` type httpd_squirrelmail_t; ') read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t) ') ######################################## ## ## Allow the specified domain to append ## apache squirrelmail data. ## ## ## ## Domain allowed access. ## ## # interface(`apache_append_squirrelmail_data',` gen_require(` type httpd_squirrelmail_t; ') allow $1 httpd_squirrelmail_t:file append_file_perms; ') ######################################## ## ## Search apache system content. ## ## ## ## Domain allowed access. ## ## # interface(`apache_search_sys_content',` gen_require(` type httpd_sys_content_t; ') allow $1 httpd_sys_content_t:dir search_dir_perms; ') ######################################## ## ## Read apache system content. ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_sys_content',` gen_require(` type httpd_sys_content_t; ') allow $1 httpd_sys_content_t:dir list_dir_perms; read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') ######################################## ## ## Search apache system CGI directories. ## ## ## ## Domain allowed access. ## ## # interface(`apache_search_sys_scripts',` gen_require(` type httpd_sys_content_t, httpd_sys_script_exec_t; ') search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t) ') ######################################## ## ## Create, read, write, and delete all user web content. ## ## ## ## Domain allowed access. ## ## ## # interface(`apache_manage_all_user_content',` gen_require(` attribute httpd_user_content_type, httpd_user_script_exec_type; ') manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type) manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type) manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type) manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) ') ######################################## ## ## Search system script state directory. ## ## ## ## Domain allowed access. ## ## # interface(`apache_search_sys_script_state',` gen_require(` type httpd_sys_script_t; ') allow $1 httpd_sys_script_t:dir search_dir_perms; ') ######################################## ## ## Allow the specified domain to read ## apache tmp files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_tmp_dirs',` gen_require(` type httpd_tmp_t; ') files_search_tmp($1) list_dirs_pattern($1, httpd_tmp_t, httpd_tmp_t) ') ######################################## ## ## Allow the specified domain to read ## apache tmp files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_tmp_files',` gen_require(` type httpd_tmp_t; ') files_search_tmp($1) read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') ######################################## ## ## Allow the specified domain to read ## apache tmp lnk files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_tmp_symlinks',` gen_require(` type httpd_tmp_t; ') files_search_tmp($1) read_lnk_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') ###################################### ## ## Dontaudit attempts to read and write ## apache tmp files. ## ## ## ## Domain to not audit. ## ## # interface(`apache_dontaudit_rw_tmp_files',` gen_require(` type httpd_tmp_t; ') dontaudit $1 httpd_tmp_t:file { read write }; ') ######################################## ## ## Dontaudit attempts to write ## apache tmp files. ## ## ## ## Domain to not audit. ## ## # interface(`apache_dontaudit_write_tmp_files',` gen_require(` type httpd_tmp_t; ') dontaudit $1 httpd_tmp_t:file write; ') ######################################## ## ## Execute CGI in the specified domain. ## ## ## ## Execute CGI in the specified domain. ## ## ## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. ## ## ## ## ## Domain run the cgi script in. ## ## ## ## ## Type of the executable to enter the cgi domain. ## ## # interface(`apache_cgi_domain',` gen_require(` type httpd_t, httpd_sys_script_exec_t; ') domtrans_pattern(httpd_t, $2, $1) apache_search_sys_scripts($1) allow httpd_t $1:process signal; ') ######################################## ## ## Execute httpd server in the httpd domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`apache_systemctl',` gen_require(` type httpd_t; type httpd_unit_file_t; ') systemd_exec_systemctl($1) init_reload_services($1) allow $1 httpd_unit_file_t:file read_file_perms; allow $1 httpd_unit_file_t:service manage_service_perms; ps_process_pattern($1, httpd_t) ') ######################################## ## ## All of the rules required to administrate an apache environment ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # interface(`apache_admin',` gen_require(` attribute httpdcontent, httpd_script_exec_type; type httpd_t, httpd_config_t, httpd_log_t; type httpd_modules_t, httpd_lock_t, httpd_bool_t; type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t; type httpd_suexec_tmp_t, httpd_tmp_t; type httpd_unit_file_t; ') allow $1 httpd_t:process signal_perms; ps_process_pattern($1, httpd_t) tunable_policy(`deny_ptrace',`',` allow $1 httpd_t:process ptrace; ') init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 httpd_initrc_exec_t system_r; allow $2 system_r; apache_manage_all_content($1) miscfiles_manage_public_files($1) files_list_etc($1) admin_pattern($1, httpd_config_t) logging_list_logs($1) admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) admin_pattern($1, httpd_lock_t) files_lock_filetrans($1, httpd_lock_t, file) admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) admin_pattern($1, httpdcontent) admin_pattern($1, httpd_script_exec_type) seutil_domtrans_setfiles($1) files_list_tmp($1) admin_pattern($1, httpd_tmp_t) admin_pattern($1, httpd_php_tmp_t) admin_pattern($1, httpd_suexec_tmp_t) apache_systemctl($1) admin_pattern($1, httpd_unit_file_t) allow $1 httpd_unit_file_t:service all_service_perms; apache_filetrans_named_content($1) ') ######################################## ## ## dontaudit read and write an leaked file descriptors ## ## ## ## Domain to not audit. ## ## # interface(`apache_dontaudit_leaks',` gen_require(` type httpd_t; type httpd_tmp_t; ') dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; dontaudit $1 httpd_t:tcp_socket { read write }; dontaudit $1 httpd_t:unix_dgram_socket { read write }; dontaudit $1 httpd_t:unix_stream_socket { getattr read write }; dontaudit $1 httpd_tmp_t:file { read write }; ') ######################################## ## ## Transition to apache named content ## ## ## ## Domain allowed access. ## ## # interface(`apache_filetrans_named_content',` gen_require(` type httpd_sys_content_t, httpd_sys_rw_content_t; type httpd_tmp_t; ') apache_filetrans_home_content($1) files_usr_filetrans($1, httpd_sys_content_t, dir, "gallery2") files_usr_filetrans($1, httpd_sys_content_t, dir, "z-push") files_etc_filetrans($1, httpd_sys_content_t, dir, "z-push") files_etc_filetrans($1, httpd_sys_content_t, dir, "web") files_etc_filetrans($1, httpd_sys_content_t, dir, "WebCalendar") files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig") files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde") files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud") files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "nextcloud") filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php") filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty") filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads") filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "wp-content") filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "upgrade") userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache") ') ######################################## ## ## Allow any httpd_exec_t to be an entrypoint of this domain ## ## ## ## Domain allowed access. ## ## ## # interface(`apache_entrypoint',` gen_require(` type httpd_exec_t; ') allow $1 httpd_exec_t:file entrypoint; ') ######################################## ## ## Execute a httpd_exec_t in the specified domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## The type of the new process. ## ## # interface(`apache_exec_domtrans',` gen_require(` type httpd_exec_t; ') domtrans_pattern($1, httpd_exec_t, $2) ') ######################################## ## ## Transition to apache home content ## ## ## ## Domain allowed access. ## ## # interface(`apache_filetrans_home_content',` gen_require(` type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t; type httpd_user_content_ra_t; ') userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html") userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www") userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web") filetrans_pattern($1, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin") filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs") filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') ######################################## ## ## Read apache pid files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_pid_files',` gen_require(` type httpd_var_run_t; ') files_search_pids($1) read_files_pattern($1, httpd_var_run_t, httpd_var_run_t) ') ######################################## ## ## Manage apache pid objects. ## ## ## ## Domain allowed access. ## ## # interface(`apache_manage_pid_files',` gen_require(` type httpd_var_run_t; ') files_search_pids($1) manage_dirs_pattern($1, httpd_var_run_t, httpd_var_run_t) manage_files_pattern($1, httpd_var_run_t, httpd_var_run_t) manage_sock_files_pattern($1, httpd_var_run_t, httpd_var_run_t) ') ######################################## ## ## Send and receive messages from ## httpd over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`apache_dbus_chat',` gen_require(` type httpd_t; class dbus send_msg; ') allow $1 httpd_t:dbus send_msg; allow httpd_t $1:dbus send_msg; ps_process_pattern(httpd_t, $1) ') ######################################## ## ## Delete the httpd tmp. ## ## ## ## Domain allowed access. ## ## # interface(`apache_delete_tmp',` gen_require(` type httpd_tmp_t; ') allow $1 httpd_tmp_t:file unlink; ') ######################################## ## ## Allow httpd noatsecure ## ## ## ## Domain allowed access. ## ## # interface(`apache_noatsecure',` gen_require(` type httpd_t; ') allow $1 httpd_t:process { noatsecure }; ') ####################################### ## ## Allow the specified domain to ioctl an ## httpd with a unix domain stream sockets. ## ## ## ## Domain allowed access. ## ## # interface(`apache_ioctl_stream_sockets',` gen_require(` type httpd_t; ') allow $1 httpd_t:unix_stream_socket ioctl; ') ####################################### ## ## Allow the specified domain read httpd semaphores ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_semaphores',` gen_require(` type httpd_t; ') allow $1 httpd_t:sem r_sem_perms; ')
## Execute CGI in the specified domain. ##
## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. ##