oreonproject/Oreon-Lime-R2
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Oreon-Lime-R2/selinux-policy/selinux-policy-bc228bd/selinux-policy-bc228bd0c249a9e4aa3dcf238c2b1bb138943b07/policy/modules/contrib/apache.te

1874 lines
51 KiB
Text
Raw Blame History

policy_module(apache, 2.7.2)
########################################
#
# Declarations
#
selinux_genbool(httpd_bool_t)
## <desc>
## <p>
## Allow Apache to modify public files
## used for public file transfer services. Directories/Files must
## be labeled public_content_rw_t.
## </p>
## </desc>
gen_tunable(httpd_anon_write, false)
## <desc>
## <p>
## Dontaudit Apache to search dirs.
## </p>
## </desc>
gen_tunable(httpd_dontaudit_search_dirs, false)
## <desc>
## <p>
## Allow Apache to use mod_auth_pam
## </p>
## </desc>
gen_tunable(httpd_mod_auth_pam, false)
## <desc>
## <p>
## Allow Apache to use mod_auth_ntlm_winbind
## </p>
## </desc>
gen_tunable(httpd_mod_auth_ntlm_winbind, false)
## <desc>
## <p>
## Allow httpd scripts and modules execmem/execstack
## </p>
## </desc>
gen_tunable(httpd_execmem, false)
## <desc>
## <p>
## Allow httpd processes to manage IPA content
## </p>
## </desc>
gen_tunable(httpd_manage_ipa, false)
## <desc>
## <p>
## Allow httpd processes to run IPA helper.
## </p>
## </desc>
gen_tunable(httpd_run_ipa, false)
## <desc>
## <p>
## Allow httpd to use built in scripting (usually php)
## </p>
## </desc>
gen_tunable(httpd_builtin_scripting, false)
## <desc>
## <p>
## Allow HTTPD scripts and modules to connect to the network using TCP.
## </p>
## </desc>
gen_tunable(httpd_can_network_connect, false)
## <desc>
## <p>
## Allow HTTPD scripts and modules to connect to cobbler over the network.
## </p>
## </desc>
gen_tunable(httpd_can_network_connect_cobbler, false)
## <desc>
## <p>
## Allow HTTPD scripts and modules to server cobbler files.
## </p>
## </desc>
gen_tunable(httpd_serve_cobbler_files, false)
## <desc>
## <p>
## Allow HTTPD to connect to port 80 for graceful shutdown
## </p>
## </desc>
gen_tunable(httpd_graceful_shutdown, false)
## <desc>
## <p>
## Allow HTTPD scripts and modules to connect to databases over the network.
## </p>
## </desc>
gen_tunable(httpd_can_network_connect_db, false)
## <desc>
## <p>
## Allow httpd to connect to memcache server
## </p>
## </desc>
gen_tunable(httpd_can_network_memcache, false)
## <desc>
## <p>
## Allow httpd to act as a relay
## </p>
## </desc>
gen_tunable(httpd_can_network_relay, false)
## <desc>
## <p>
## Allow http daemon to connect to zabbix
## </p>
## </desc>
gen_tunable(httpd_can_connect_zabbix, false)
## <desc>
## <p>
## Allow http daemon to connect to mythtv
## </p>
## </desc>
gen_tunable(httpd_can_connect_mythtv, false)
## <desc>
## <p>
## Allow http daemon to check spam
## </p>
## </desc>
gen_tunable(httpd_can_check_spam, false)
## <desc>
## <p>
## Allow http daemon to send mail
## </p>
## </desc>
gen_tunable(httpd_can_sendmail, false)
## <desc>
## <p>
## Allow Apache to communicate with avahi service via dbus
## </p>
## </desc>
gen_tunable(httpd_dbus_avahi, false)
## <desc>
## <p>
## Allow Apache to communicate with sssd service via dbus
## </p>
## </desc>
gen_tunable(httpd_dbus_sssd, false)
## <desc>
## <p>
## Allow httpd cgi support
## </p>
## </desc>
gen_tunable(httpd_enable_cgi, false)
## <desc>
## <p>
## Allow httpd to act as a FTP server by
## listening on the ftp port.
## </p>
## </desc>
gen_tunable(httpd_enable_ftp_server, false)
## <desc>
## <p>
## Allow httpd to act as a FTP client
## connecting to the ftp port and ephemeral ports
## </p>
## </desc>
gen_tunable(httpd_can_connect_ftp, false)
## <desc>
## <p>
## Allow httpd to manage the courier spool sock files.
## </p>
## </desc>
gen_tunable(httpd_can_manage_courier_spool, false)
## <desc>
## <p>
## Allow httpd to connect to the ldap port
## </p>
## </desc>
gen_tunable(httpd_can_connect_ldap, false)
## <desc>
## <p>
## Allow httpd to read home directories
## </p>
## </desc>
gen_tunable(httpd_enable_homedirs, false)
## <desc>
## <p>
## Allow httpd to read user content
## </p>
## </desc>
gen_tunable(httpd_read_user_content, false)
## <desc>
## <p>
## Allow Apache to run in stickshift mode, not transition to passenger
## </p>
## </desc>
gen_tunable(httpd_run_stickshift, false)
## <desc>
## <p>
## Allow Apache to run preupgrade
## </p>
## </desc>
gen_tunable(httpd_run_preupgrade, false)
## <desc>
## <p>
## Allow Apache to query NS records
## </p>
## </desc>
gen_tunable(httpd_verify_dns, false)
## <desc>
## <p>
## Allow httpd daemon to change its resource limits
## </p>
## </desc>
gen_tunable(httpd_setrlimit, false)
## <desc>
## <p>
## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
## </p>
## </desc>
gen_tunable(httpd_ssi_exec, false)
## <desc>
## <p>
## Allow Apache to execute tmp content.
## </p>
## </desc>
gen_tunable(httpd_tmp_exec, false)
## <desc>
## <p>
## Unify HTTPD to communicate with the terminal.
## Needed for entering the passphrase for certificates at
## the terminal.
## </p>
## </desc>
gen_tunable(httpd_tty_comm, false)
## <desc>
## <p>
## Unify HTTPD handling of all content files.
## </p>
## </desc>
gen_tunable(httpd_unified, false)
## <desc>
## <p>
## Allow httpd to access openstack ports
## </p>
## </desc>
gen_tunable(httpd_use_openstack, false)
## <desc>
## <p>
## Allow httpd to access cifs file systems
## </p>
## </desc>
gen_tunable(httpd_use_cifs, false)
## <desc>
## <p>
## Allow httpd to access FUSE file systems
## </p>
## </desc>
gen_tunable(httpd_use_fusefs, false)
## <desc>
## <p>
## Allow httpd to run gpg
## </p>
## </desc>
gen_tunable(httpd_use_gpg, false)
## <desc>
## <p>
## Allow httpd to connect to sasl
## </p>
## </desc>
gen_tunable(httpd_use_sasl, false)
## <desc>
## <p>
## Allow httpd to access nfs file systems
## </p>
## </desc>
gen_tunable(httpd_use_nfs, false)
## <desc>
## <p>
## Allow httpd to use opencryptoki
## </p>
## </desc>
gen_tunable(httpd_use_opencryptoki, false)
## <desc>
## <p>
## Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t.
## </p>
## </desc>
gen_tunable(httpd_sys_script_anon_write, false)
attribute httpdcontent;
attribute httpd_user_content_type;
attribute httpd_content_type;
# domains that can exec all users scripts
attribute httpd_exec_scripts;
attribute httpd_script_type;
attribute httpd_script_exec_type;
attribute httpd_user_script_exec_type;
# user script domains
attribute httpd_script_domains;
type httpd_t;
type httpd_exec_t;
ifdef(`distro_redhat',`
typealias httpd_t alias phpfpm_t;
typealias httpd_exec_t alias phpfpm_exec_t;
')
init_daemon_domain(httpd_t, httpd_exec_t)
init_nnp_daemon_domain(httpd_t)
role system_r types httpd_t;
# httpd_cache_t is the type given to the /var/cache/httpd
# directory and the files under that directory
type httpd_cache_t;
files_type(httpd_cache_t)
# httpd_config_t is the type given to the configuration files
type httpd_config_t;
files_config_file(httpd_config_t)
type httpd_helper_t;
type httpd_helper_exec_t;
domain_type(httpd_helper_t)
domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
role system_r types httpd_helper_t;
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
type httpd_keytab_t;
files_type(httpd_keytab_t)
type httpd_unit_file_t;
ifdef(`distro_redhat',`
typealias httpd_unit_file_t alias phpfpm_unit_file_t;
')
systemd_unit_file(httpd_unit_file_t)
type httpd_lock_t;
files_lock_file(httpd_lock_t)
type httpd_log_t;
ifdef(`distro_redhat',`
typealias httpd_log_t alias phpfpm_log_t;
')
logging_log_file(httpd_log_t)
# httpd_modules_t is the type given to module files (libraries)
# that come with Apache /etc/httpd/modules and /usr/lib/apache
type httpd_modules_t;
files_type(httpd_modules_t)
type httpd_php_t;
type httpd_php_exec_t;
domain_type(httpd_php_t)
domain_entry_file(httpd_php_t, httpd_php_exec_t)
role system_r types httpd_php_t;
type httpd_php_tmp_t;
files_tmp_file(httpd_php_tmp_t)
type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)
# SUEXEC runs user scripts as their own user ID
type httpd_suexec_t; #, daemon;
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
role system_r types httpd_suexec_t;
type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)
# setup the system domain for system CGI scripts
apache_content_template(httpd_sys)
typeattribute httpd_sys_content_t httpdcontent; # customizable
typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
# Removal of fastcgi, will cause problems without the following
typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)
apache_user_content_template(httpd_user)
ubac_constrained(httpd_user_script_t)
typeattribute httpd_user_content_t httpdcontent;
typeattribute httpd_user_rw_content_t httpdcontent;
typeattribute httpd_user_ra_content_t httpdcontent;
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
typealias httpd_user_content_t alias httpd_unconfined_content_t;
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
# for apache2 memory mapped files
type httpd_var_lib_t;
files_type(httpd_var_lib_t)
systemd_mount_dir(httpd_var_lib_t)
type httpd_var_run_t;
ifdef(`distro_redhat',`
typealias httpd_var_run_t alias phpfpm_var_run_t;
')
files_pid_file(httpd_var_run_t)
files_mountpoint(httpd_var_run_t)
# Removal of fastcgi, will cause problems without the following
typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
# File Type of squirrelmail attachments
type squirrelmail_spool_t;
files_tmp_file(squirrelmail_spool_t)
files_spool_file(squirrelmail_spool_t)
optional_policy(`
prelink_object_file(httpd_modules_t)
')
type httpd_passwd_t;
type httpd_passwd_exec_t;
application_domain(httpd_passwd_t, httpd_passwd_exec_t)
role system_r types httpd_passwd_t;
########################################
#
# Apache server local policy
#
allow httpd_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot };
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
allow httpd_t self:fifo_file rw_fifo_file_perms;
allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;
dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
dontaudit httpd_t self:netlink_kobject_uevent_socket create_socket_perms;
# Allow httpd_t to put files in /var/cache/httpd etc
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
allow httpd_t httpd_cache_t:file map;
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
allow httpd_t httpd_config_t:file map;
can_exec(httpd_t, httpd_exec_t)
allow httpd_t httpd_keytab_t:file read_file_perms;
allow httpd_t httpd_lock_t:file manage_file_perms;
files_lock_filetrans(httpd_t, httpd_lock_t, file)
allow httpd_t httpd_log_t:dir setattr;
create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
list_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
# cjp: need to refine create interfaces to
# cut this back to add_name only
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
allow httpd_t httpd_rotatelogs_t:process signal_perms;
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
allow httpd_t httpd_squirrelmail_t:file map;
allow httpd_t httpd_suexec_t:process { signal signull };
allow httpd_t httpd_suexec_t:file read_file_perms;
allow httpd_t httpd_sys_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
allow httpd_t httpd_sys_content_t:file map;
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)
allow httpd_t httpd_tmp_t:file map;
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
allow httpd_t httpd_tmpfs_t:file map;
manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
allow httpd_t httpd_var_lib_t:file map;
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
kernel_read_net_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
kernel_read_network_state(httpd_t)
kernel_search_network_sysctl(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
corenet_tcp_sendrecv_generic_if(httpd_t)
corenet_udp_sendrecv_generic_if(httpd_t)
corenet_tcp_sendrecv_generic_node(httpd_t)
corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
corenet_udp_bind_generic_node(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
corenet_udp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
corenet_tcp_bind_ntop_port(httpd_t)
corenet_tcp_bind_jboss_management_port(httpd_t)
corenet_tcp_bind_jboss_messaging_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
corenet_tcp_bind_puppet_port(httpd_t)
# Signal self for shutdown
tunable_policy(`httpd_graceful_shutdown',`
corenet_tcp_connect_http_port(httpd_t)
')
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
dev_read_urand(httpd_t)
dev_rw_crypto(httpd_t)
dev_rw_zero(httpd_t)
files_dontaudit_write_all_mountpoints(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
fs_read_iso9660_files(httpd_t)
fs_rw_hugetlbfs_files(httpd_t)
fs_exec_hugetlbfs_files(httpd_t)
auth_use_nsswitch(httpd_t)
application_exec_all(httpd_t)
# execute perl
corecmd_exec_bin(httpd_t)
corecmd_exec_shell(httpd_t)
domain_use_interactive_fds(httpd_t)
domain_dontaudit_read_all_domains_state(httpd_t)
files_dontaudit_search_all_pids(httpd_t)
files_dontaudit_getattr_all_pids(httpd_t)
files_exec_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_read_mnt_symlinks(httpd_t)
files_search_all(httpd_t)
files_search_spool(httpd_t)
files_read_var_symlinks(httpd_t)
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
# for modules that want to access /etc/mtab
files_read_etc_runtime_files(httpd_t)
# Allow httpd_t to have access to files such as nisswitch.conf
# for tomcat
files_read_var_lib_symlinks(httpd_t)
fs_rw_hugetlbfs_files(httpd_sys_script_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
# php uploads a file to /tmp and then execs programs to acton them
manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
libs_read_lib_files(httpd_t)
ifdef(`hide_broken_symptoms',`
libs_exec_lib_files(httpd_t)
')
logging_send_syslog_msg(httpd_t)
init_dontaudit_read_utmp(httpd_t)
miscfiles_read_fonts(httpd_t)
miscfiles_read_public_files(httpd_t)
miscfiles_read_generic_certs(httpd_t)
miscfiles_map_generic_certs(httpd_t)
miscfiles_read_tetex_data(httpd_t)
miscfiles_dontaudit_access_check_cert(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
userdom_rw_inherited_user_tmp_files(httpd_t)
userdom_map_tmp_files(httpd_t)
tunable_policy(`httpd_setrlimit',`
allow httpd_t self:process setrlimit;
allow httpd_t self:capability sys_resource;
')
tunable_policy(`httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
')
tunable_policy(`httpd_dontaudit_search_dirs',`
files_dontaudit_search_non_security_dirs(httpd_t)
')
#
# We need optionals to be able to be within booleans to make this work
#
tunable_policy(`httpd_mod_auth_pam',`
auth_domtrans_chkpwd(httpd_t)
logging_send_audit_msgs(httpd_t)
')
optional_policy(`
tunable_policy(`httpd_mod_auth_ntlm_winbind',`
samba_domtrans_winbind_helper(httpd_t)
')
')
tunable_policy(`httpd_can_network_connect',`
corenet_tcp_connect_all_ports(httpd_t)
')
tunable_policy(`httpd_can_network_connect_db',`
corenet_tcp_connect_gds_db_port(httpd_t)
corenet_tcp_connect_mssql_port(httpd_t)
corenet_tcp_connect_mongod_port(httpd_t)
corenet_sendrecv_mssql_client_packets(httpd_t)
corenet_tcp_connect_oracle_port(httpd_t)
corenet_sendrecv_oracle_client_packets(httpd_t)
')
tunable_policy(`httpd_can_network_memcache',`
corenet_tcp_connect_memcache_port(httpd_t)
')
tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
corenet_tcp_connect_ftp_port(httpd_t)
corenet_tcp_connect_http_port(httpd_t)
corenet_tcp_connect_http_cache_port(httpd_t)
corenet_tcp_connect_squid_port(httpd_t)
corenet_tcp_connect_memcache_port(httpd_t)
corenet_sendrecv_gopher_client_packets(httpd_t)
corenet_sendrecv_ftp_client_packets(httpd_t)
corenet_sendrecv_http_client_packets(httpd_t)
corenet_sendrecv_http_cache_client_packets(httpd_t)
corenet_sendrecv_squid_client_packets(httpd_t)
corenet_tcp_connect_all_ephemeral_ports(httpd_t)
')
tunable_policy(`httpd_execmem',`
allow httpd_t self:process { execmem execstack };
allow httpd_sys_script_t self:process { execmem execstack };
allow httpd_suexec_t self:process { execmem execstack };
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
can_exec(httpd_sys_script_t, httpd_sys_content_t)
')
tunable_policy(`httpd_sys_script_anon_write',`
miscfiles_manage_public_files(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
')
tunable_policy(`httpd_can_connect_ftp',`
corenet_tcp_connect_ftp_port(httpd_t)
corenet_tcp_connect_all_ephemeral_ports(httpd_t)
')
tunable_policy(`httpd_can_connect_ldap',`
corenet_tcp_connect_ldap_port(httpd_t)
')
tunable_policy(`httpd_can_connect_mythtv',`
corenet_tcp_connect_mythtv_port(httpd_t)
')
tunable_policy(`httpd_can_connect_zabbix',`
corenet_tcp_connect_zabbix_port(httpd_t)
')
tunable_policy(`httpd_enable_ftp_server',`
corenet_tcp_bind_ftp_port(httpd_t)
corenet_tcp_bind_all_ephemeral_ports(httpd_t)
')
tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
can_exec(httpd_t, httpd_tmp_t)
')
tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
can_exec(httpd_sys_script_t, httpd_tmp_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_list_auto_mountpoints(httpd_t)
fs_read_nfs_files(httpd_t)
fs_read_nfs_symlinks(httpd_t)
')
tunable_policy(`httpd_use_nfs',`
fs_list_auto_mountpoints(httpd_t)
fs_manage_nfs_dirs(httpd_t)
fs_manage_nfs_files(httpd_t)
fs_manage_nfs_symlinks(httpd_t)
')
optional_policy(`
tunable_policy(`httpd_use_nfs',`
automount_search_tmp_dirs(httpd_t)
')
')
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
')
tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
corenet_tcp_connect_pop_port(httpd_t)
corenet_sendrecv_pop_client_packets(httpd_t)
')
optional_policy(`
tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_t)
mta_signal_system_mail(httpd_t)
')
')
optional_policy(`
tunable_policy(`httpd_can_sendmail',`
postfix_rw_spool_maildrop_files(httpd_t)
')
')
tunable_policy(`httpd_use_cifs',`
fs_manage_cifs_dirs(httpd_t)
fs_manage_cifs_files(httpd_t)
fs_manage_cifs_symlinks(httpd_t)
')
tunable_policy(`httpd_use_fusefs',`
fs_manage_fusefs_dirs(httpd_t)
fs_manage_fusefs_files(httpd_t)
fs_manage_fusefs_symlinks(httpd_t)
')
tunable_policy(`httpd_use_opencryptoki',`
allow httpd_t self:capability fowner;
')
tunable_policy(`httpd_setrlimit',`
allow httpd_t self:process setrlimit;
allow httpd_t self:capability sys_resource;
')
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
allow httpd_sys_script_t httpd_t:process sigchld;
')
# When the admin starts the server, the server wants to access
# the TTY or PTY associated with the session. The httpd appears
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
userdom_use_inherited_user_terminals(httpd_t)
userdom_use_inherited_user_terminals(httpd_suexec_t)
')
optional_policy(`
cobbler_list_config(httpd_t)
cobbler_read_config(httpd_t)
tunable_policy(`httpd_serve_cobbler_files',`
cobbler_manage_lib_files(httpd_t)
',`
cobbler_read_lib_files(httpd_t)
cobbler_search_lib(httpd_t)
')
tunable_policy(`httpd_can_network_connect_cobbler',`
corenet_tcp_connect_cobbler_port(httpd_t)
')
')
optional_policy(`
tunable_policy(`httpd_use_sasl',`
sasl_connect(httpd_t)
')
')
optional_policy(`
# type transitions with a filename not allowed inside conditionals
pkcs_tmpfs_named_filetrans(httpd_t)
tunable_policy(`httpd_use_opencryptoki',`
pkcs_use_opencryptoki(httpd_t)
')
')
optional_policy(`
# Support for ABRT retrace server
# mod_wsgi
abrt_manage_spool_retrace(httpd_t)
abrt_domtrans_retrace_worker(httpd_t)
abrt_read_config(httpd_t)
')
optional_policy(`
bind_rw_cache(httpd_t)
')
optional_policy(`
calamaris_read_www_files(httpd_t)
')
optional_policy(`
ccs_read_config(httpd_t)
')
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
')
optional_policy(`
cvs_read_data(httpd_t)
')
optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
optional_policy(`
#needed by FreeIPA
dirsrv_stream_connect(httpd_t)
')
optional_policy(`
dirsrv_manage_config(httpd_t)
dirsrv_manage_log(httpd_t)
dirsrv_manage_var_run(httpd_t)
dirsrv_read_share(httpd_t)
dirsrv_signal(httpd_t)
dirsrv_signull(httpd_t)
dirsrvadmin_manage_config(httpd_t)
dirsrvadmin_manage_tmp(httpd_t)
dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
')
optional_policy(`
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
avahi_dbus_chat(httpd_t)
')
tunable_policy(`httpd_dbus_sssd',`
sssd_dbus_chat(httpd_t)
')
')
optional_policy(`
git_read_generic_sys_content_files(httpd_t)
')
optional_policy(`
gitosis_read_lib_files(httpd_t)
')
optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
gpg_domtrans_web(httpd_t)
')
')
optional_policy(`
gssproxy_stream_connect(httpd_t)
')
optional_policy(`
ica_rw_map_tmpfs_files(httpd_t)
')
optional_policy(`
insights_client_write_tmp(httpd_t)
')
optional_policy(`
ipa_read_lib(httpd_t)
ipa_manage_pid_files(httpd_t)
')
optional_policy(`
ipa_custodia_stream_connect(httpd_t)
')
optional_policy(`
mirrormanager_manage_pid_files(httpd_t)
mirrormanager_manage_pid_sock_files(httpd_t)
mirrormanager_read_lib_files(httpd_t)
mirrormanager_read_log(httpd_t)
')
optional_policy(`
jetty_admin(httpd_t)
')
optional_policy(`
kerberos_manage_host_rcache(httpd_t)
kerberos_read_keytab(httpd_t)
kerberos_read_kdc_config(httpd_t)
kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
kerberos_use(httpd_t)
')
optional_policy(`
# needed by FreeIPA
ldap_stream_connect(httpd_t)
ldap_read_certs(httpd_t)
')
optional_policy(`
mailman_signal_cgi(httpd_t)
mailman_signull_cgi(httpd_t)
mailman_domtrans_cgi(httpd_t)
mailman_read_data_files(httpd_t)
# should have separate types for public and private archives
mailman_search_data(httpd_t)
mailman_read_archive(httpd_t)
')
optional_policy(`
mediawiki_read_tmp_files(httpd_t)
mediawiki_delete_tmp_files(httpd_t)
')
optional_policy(`
memcached_stream_connect(httpd_t)
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
')
')
optional_policy(`
tunable_policy(`httpd_run_ipa',`
oddjob_dbus_chat(httpd_t)
')
')
optional_policy(`
tunable_policy(`httpd_run_ipa',`
ipa_domtrans_helper(httpd_t)
')
ipa_cert_filetrans_named_content(httpd_t)
allow httpd_t httpd_config_t:dir write;
')
optional_policy(`
munin_read_config(httpd_t)
')
optional_policy(`
# Allow httpd to work with mysql
mysql_read_config(httpd_t)
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
optional_policy(`
postgresql_stream_connect(httpd_t)
')
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
')
')
optional_policy(`
nagios_read_config(httpd_t)
nagios_read_lib(httpd_t)
nagios_read_log(httpd_t)
')
optional_policy(`
openca_domtrans(httpd_t)
openca_signal(httpd_t)
openca_sigstop(httpd_t)
openca_kill(httpd_t)
')
optional_policy(`
openshift_search_lib(httpd_t)
openshift_initrc_signull(httpd_t)
openshift_initrc_signal(httpd_t)
')
optional_policy(`
passenger_exec(httpd_t)
passenger_kill(httpd_t)
passenger_manage_pid_content(httpd_t)
')
optional_policy(`
pcscd_read_pid_files(httpd_t)
')
optional_policy(`
pkcs11proxyd_stream_connect(httpd_t)
')
optional_policy(`
pki_apache_domain_signal(httpd_t)
pki_manage_apache_config_files(httpd_t)
pki_manage_apache_lib(httpd_t)
pki_manage_apache_log_files(httpd_t)
pki_manage_apache_run(httpd_t)
pki_read_tomcat_cert(httpd_t)
')
optional_policy(`
puppet_read_lib(httpd_t)
')
optional_policy(`
pwauth_domtrans(httpd_t)
')
optional_policy(`
realmd_read_var_lib(httpd_t)
')
optional_policy(`
rpm_dontaudit_read_db(httpd_t)
')
optional_policy(`
rpc_search_nfs_state_data(httpd_t)
')
optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_t)
')
')
optional_policy(`
redis_stream_connect(httpd_t)
')
optional_policy(`
seutil_sigchld_newrole(httpd_t)
')
optional_policy(`
smokeping_read_lib_files(httpd_t)
smokeping_read_pid_files(httpd_t)
')
optional_policy(`
files_dontaudit_rw_usr_dirs(httpd_t)
snmp_dontaudit_manage_snmp_var_lib_files(httpd_t)
')
optional_policy(`
thin_stream_connect(httpd_t)
')
optional_policy(`
udev_read_db(httpd_t)
')
optional_policy(`
zarafa_manage_lib_files(httpd_t)
zarafa_stream_connect_server(httpd_t)
zarafa_search_config(httpd_t)
')
optional_policy(`
zoneminder_append_log(httpd_t)
zoneminder_manage_lib_dirs(httpd_t)
zoneminder_manage_lib_files(httpd_t)
zoneminder_stream_connect(httpd_t)
zoneminder_manage_lib_sock_files(httpd_t)
zoneminder_manage_lib_sock_files(httpd_t)
zoneminder_exec(httpd_t)
')
########################################
#
# Apache helper local policy
#
domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
allow httpd_helper_t httpd_config_t:file read_file_perms;
allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
tunable_policy(`httpd_verify_dns',`
corenet_udp_bind_all_ephemeral_ports(httpd_t)
')
tunable_policy(`httpd_run_stickshift', `
allow httpd_t self:capability { fowner fsetid sys_resource };
dontaudit httpd_t self:capability sys_ptrace;
allow httpd_t self:process setexec;
files_dontaudit_getattr_all_files(httpd_t)
domain_getpgid_all_domains(httpd_t)
')
optional_policy(`
tunable_policy(`httpd_run_stickshift', `
passenger_manage_lib_files(httpd_t)
passenger_getattr_log_files(httpd_t)
',`
passenger_domtrans(httpd_t)
passenger_read_lib_files(httpd_t)
passenger_stream_connect(httpd_t)
passenger_manage_tmp_files(httpd_t)
')
')
optional_policy(`
tunable_policy(`httpd_run_stickshift', `
oddjob_dbus_chat(httpd_t)
')
')
optional_policy(`
tunable_policy(`httpd_run_preupgrade', `
anaconda_manage_lib_files_preupgrade(httpd_t)
anaconda_domtrans_preupgrade(httpd_t)
',`
anaconda_read_lib_files_preupgrade(httpd_t)
anaconda_exec_preupgrade(httpd_t)
')
')
optional_policy(`
tunable_policy(`httpd_run_preupgrade', `
corenet_tcp_bind_preupgrade_port(httpd_t)
')
')
tunable_policy(`httpd_tty_comm',`
userdom_use_inherited_user_terminals(httpd_helper_t)
')
########################################
#
# Apache PHP script local policy
#
allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_php_t self:fd use;
allow httpd_php_t self:fifo_file rw_fifo_file_perms;
allow httpd_php_t self:sock_file read_sock_file_perms;
allow httpd_php_t self:unix_dgram_socket create_socket_perms;
allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_php_t self:unix_dgram_socket sendto;
allow httpd_php_t self:unix_stream_socket connectto;
allow httpd_php_t self:shm create_shm_perms;
allow httpd_php_t self:sem create_sem_perms;
allow httpd_php_t self:msgq create_msgq_perms;
allow httpd_php_t self:msg { send receive };
domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
# allow php to read and append to apache logfiles
allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
fs_search_auto_mountpoints(httpd_php_t)
auth_use_nsswitch(httpd_php_t)
libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
corenet_tcp_connect_gds_db_port(httpd_php_t)
corenet_tcp_connect_mssql_port(httpd_php_t)
corenet_sendrecv_mssql_client_packets(httpd_php_t)
corenet_tcp_connect_oracle_port(httpd_php_t)
corenet_sendrecv_oracle_client_packets(httpd_php_t)
')
optional_policy(`
mysql_stream_connect(httpd_php_t)
mysql_rw_db_sockets(httpd_php_t)
mysql_read_config(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_php_t)
')
')
optional_policy(`
postgresql_stream_connect(httpd_php_t)
postgresql_unpriv_client(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_php_t)
')
')
########################################
#
# Apache suexec local policy
#
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
dev_read_urand(httpd_suexec_t)
fs_read_iso9660_files(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)
application_exec_all(httpd_suexec_t)
# for shell scripts
corecmd_exec_bin(httpd_suexec_t)
corecmd_exec_shell(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
miscfiles_read_public_files(httpd_suexec_t)
corenet_all_recvfrom_netlabel(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
allow httpd_suexec_t self:udp_socket create_socket_perms;
corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
corenet_udp_sendrecv_generic_if(httpd_suexec_t)
corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
corenet_udp_sendrecv_generic_node(httpd_suexec_t)
corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
corenet_udp_sendrecv_all_ports(httpd_suexec_t)
corenet_tcp_connect_all_ports(httpd_suexec_t)
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
tunable_policy(`httpd_can_network_connect_db',`
corenet_tcp_connect_gds_db_port(httpd_suexec_t)
corenet_tcp_connect_mssql_port(httpd_suexec_t)
corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
corenet_tcp_connect_oracle_port(httpd_suexec_t)
corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
')
domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_suexec_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_sys_script_t httpdcontent:file { entrypoint map };
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
')
optional_policy(`
tunable_policy(`httpd_can_manage_courier_spool',`
courier_manage_spool_sockets(httpd_sys_script_t)
')
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_list_auto_mountpoints(httpd_suexec_t)
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
')
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
fs_exec_cifs_files(httpd_suexec_t)
')
optional_policy(`
apache_rw_stream_sockets(httpd_suexec_t)
')
optional_policy(`
mailman_domtrans_cgi(httpd_suexec_t)
')
optional_policy(`
mta_stub(httpd_suexec_t)
')
optional_policy(`
mysql_stream_connect(httpd_suexec_t)
mysql_rw_db_sockets(httpd_suexec_t)
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_suexec_t)
')
')
optional_policy(`
postgresql_stream_connect(httpd_suexec_t)
postgresql_unpriv_client(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_suexec_t)
')
')
########################################
#
# Apache system script local policy
#
allow httpd_sys_script_t self:process getsched;
allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
dontaudit httpd_sys_script_t httpd_config_t:dir search;
allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_sys_script_t)
dev_list_sysfs(httpd_sys_script_t)
files_read_var_symlinks(httpd_sys_script_t)
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
logging_send_syslog_msg(httpd_sys_script_t)
logging_inherit_append_all_logs(httpd_sys_script_t)
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
auth_use_nsswitch(httpd_sys_script_t)
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
optional_policy(`
tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
spamassassin_domtrans_client(httpd_t)
')
')
tunable_policy(`httpd_can_network_connect_db',`
corenet_tcp_connect_gds_db_port(httpd_sys_script_t)
corenet_tcp_connect_mssql_port(httpd_sys_script_t)
corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
corenet_tcp_connect_oracle_port(httpd_sys_script_t)
corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
corenet_tcp_connect_mongod_port(httpd_sys_script_t)
')
fs_cifs_entry_type(httpd_sys_script_t)
fs_read_iso9660_files(httpd_sys_script_t)
fs_nfs_entry_type(httpd_sys_script_t)
tunable_policy(`httpd_use_nfs',`
fs_list_auto_mountpoints(httpd_sys_script_t)
fs_manage_nfs_dirs(httpd_sys_script_t)
fs_manage_nfs_files(httpd_sys_script_t)
fs_manage_nfs_symlinks(httpd_sys_script_t)
fs_exec_nfs_files(httpd_sys_script_t)
fs_list_auto_mountpoints(httpd_suexec_t)
fs_manage_nfs_dirs(httpd_suexec_t)
fs_manage_nfs_files(httpd_suexec_t)
fs_manage_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
')
corenet_all_recvfrom_netlabel(httpd_sys_script_t)
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
corenet_tcp_bind_generic_node(httpd_sys_script_t)
corenet_udp_bind_generic_node(httpd_sys_script_t)
corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
corenet_sendrecv_all_client_packets(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_homedirs',`
userdom_search_user_home_dirs(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_list_auto_mountpoints(httpd_sys_script_t)
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
tunable_policy(`httpd_read_user_content',`
userdom_read_user_home_content_files(httpd_sys_script_t)
')
tunable_policy(`httpd_use_cifs',`
fs_manage_cifs_dirs(httpd_sys_script_t)
fs_manage_cifs_files(httpd_sys_script_t)
fs_manage_cifs_symlinks(httpd_sys_script_t)
fs_manage_cifs_dirs(httpd_suexec_t)
fs_manage_cifs_files(httpd_suexec_t)
fs_manage_cifs_symlinks(httpd_suexec_t)
fs_exec_cifs_files(httpd_suexec_t)
')
tunable_policy(`httpd_use_fusefs',`
fs_manage_fusefs_dirs(httpd_sys_script_t)
fs_manage_fusefs_files(httpd_sys_script_t)
fs_manage_fusefs_symlinks(httpd_sys_script_t)
fs_manage_fusefs_dirs(httpd_suexec_t)
fs_manage_fusefs_files(httpd_suexec_t)
fs_manage_fusefs_symlinks(httpd_suexec_t)
fs_exec_fusefs_files(httpd_suexec_t)
')
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
')
optional_policy(`
clamav_domtrans_clamscan(httpd_sys_script_t)
clamav_domtrans_clamscan(httpd_t)
')
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
mysql_read_config(httpd_sys_script_t)
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_sys_script_t)
')
')
optional_policy(`
postgresql_stream_connect(httpd_sys_script_t)
postgresql_unpriv_client(httpd_sys_script_t)
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_sys_script_t)
')
')
optional_policy(`
snmp_read_snmp_var_lib_files(httpd_sys_script_t)
')
optional_policy(`
systemd_dontaudit_read_unit_files(httpd_sys_script_t)
')
########################################
#
# httpd_rotatelogs local policy
#
allow httpd_rotatelogs_t self:capability { dac_read_search };
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
allow httpd_rotatelogs_t httpd_config_t:dir search_dir_perms;
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
corecmd_exec_bin(httpd_rotatelogs_t)
logging_search_logs(httpd_rotatelogs_t)
########################################
#
# Unconfined script local policy
#
optional_policy(`
type httpd_unconfined_script_t;
type httpd_unconfined_script_exec_t;
domain_type(httpd_unconfined_script_t)
domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
unconfined_domain(httpd_unconfined_script_t)
role system_r types httpd_unconfined_script_t;
allow httpd_t httpd_unconfined_script_t:process signal_perms;
')
########################################
#
# User content local policy
#
auth_use_nsswitch(httpd_user_script_t)
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
')
# allow accessing files/dirs below the users home dir
tunable_policy(`httpd_enable_homedirs',`
userdom_search_user_home_content(httpd_t)
userdom_search_user_home_content(httpd_suexec_t)
userdom_search_user_home_content(httpd_user_script_t)
read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
read_lnk_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
list_dirs_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
allow httpd_t httpd_user_content_type:file map;
')
tunable_policy(`httpd_read_user_content',`
userdom_read_user_home_content_files(httpd_t)
userdom_read_user_home_content_files(httpd_suexec_t)
userdom_read_user_home_content_files(httpd_user_script_t)
userdom_mmap_user_home_content_files(httpd_t)
userdom_mmap_user_home_content_files(httpd_suexec_t)
userdom_mmap_user_home_content_files(httpd_user_script_t)
')
########################################
#
# httpd_passwd local policy
#
allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
corecmd_exec_shell(httpd_passwd_t)
dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
auth_use_nsswitch(httpd_passwd_t)
init_dontaudit_read_state(httpd_passwd_t)
miscfiles_read_certs(httpd_passwd_t)
systemd_manage_passwd_run(httpd_passwd_t)
systemd_manage_passwd_run(httpd_t)
#systemd_passwd_agent_dev_template(httpd)
domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
dontaudit httpd_passwd_t httpd_config_t:file read;
search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
corecmd_shell_entry_type(httpd_script_type)
allow httpd_script_type self:fifo_file rw_file_perms;
allow httpd_script_type self:unix_stream_socket connectto;
allow httpd_script_type httpd_t:fifo_file write;
# apache should set close-on-exec
apache_dontaudit_leaks(httpd_script_type)
append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
logging_search_logs(httpd_script_type)
kernel_dontaudit_search_sysctl(httpd_script_type)
kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
dev_read_rand(httpd_script_type)
dev_read_urand(httpd_script_type)
corecmd_exec_all_executables(httpd_script_type)
application_exec_all(httpd_script_type)
files_exec_etc_files(httpd_script_type)
files_search_home(httpd_script_type)
libs_exec_ld_so(httpd_script_type)
libs_exec_lib_files(httpd_script_type)
miscfiles_read_fonts(httpd_script_type)
miscfiles_read_public_files(httpd_script_type)
allow httpd_t httpd_script_type:unix_stream_socket connectto;
allow httpd_t httpd_script_exec_type:file read_file_perms;
allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
allow httpd_t httpd_script_type:process { signal sigkill sigstop signull };
allow httpd_t httpd_script_exec_type:dir list_dir_perms;
allow httpd_script_type self:process { setsched signal_perms };
allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
allow httpd_script_type self:unix_dgram_socket create_socket_perms;
allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms;
allow httpd_script_type httpd_t:fd use;
allow httpd_script_type httpd_t:process sigchld;
dontaudit httpd_script_type httpd_t:tcp_socket { read write };
dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };
fs_getattr_xattr_fs(httpd_script_type)
files_read_etc_runtime_files(httpd_script_type)
libs_read_lib_files(httpd_script_type)
allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
tunable_policy(`httpd_enable_cgi && nis_enabled',`
nis_use_ypbind_uncond(httpd_script_type)
')
optional_policy(`
nscd_socket_use(httpd_script_type)
')
read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
allow httpd_t httpd_content_type:file map;
tunable_policy(`httpd_builtin_scripting',`
allow httpd_t httpd_content_type:dir search_dir_perms;
allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
allow httpd_t httpd_content_type:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
')
tunable_policy(`httpd_use_openstack',`
corenet_tcp_connect_keystone_port(httpd_sys_script_t)
corenet_tcp_connect_all_ephemeral_ports(httpd_t)
corenet_tcp_connect_glance_port(httpd_sys_script_t)
corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t)
')
tunable_policy(`httpd_use_openstack',`
corenet_tcp_connect_osapi_compute_port(httpd_t)
corenet_tcp_bind_commplex_main_port(httpd_t)
')
optional_policy(`
tunable_policy(`httpd_use_opencryptoki',`
dev_rw_crypto(httpd_passwd_t)
pkcs_manage_lock(httpd_passwd_t)
')
')
optional_policy(`
tunable_policy(`httpd_use_openstack',`
keystone_read_log(httpd_t)
')
')
Reference in a new issue View git blame Copy permalink