1889 lines
51 KiB
Text
1889 lines
51 KiB
Text
policy_module(apache, 2.7.2)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
selinux_genbool(httpd_bool_t)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow Apache to modify public files
|
|
## used for public file transfer services. Directories/Files must
|
|
## be labeled public_content_rw_t.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_anon_write, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Dontaudit Apache to search dirs.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_dontaudit_search_dirs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow Apache to use mod_auth_pam
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_mod_auth_pam, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow Apache to use mod_auth_ntlm_winbind
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_mod_auth_ntlm_winbind, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd scripts and modules execmem/execstack
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_execmem, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd processes to manage IPA content
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_manage_ipa, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd processes to run IPA helper.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_run_ipa, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to use built in scripting (usually php)
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_builtin_scripting, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow HTTPD scripts and modules to connect to the network using TCP.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_can_network_connect, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow HTTPD scripts and modules to connect to cobbler over the network.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_can_network_connect_cobbler, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow HTTPD scripts and modules to server cobbler files.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_serve_cobbler_files, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow HTTPD to connect to port 80 for graceful shutdown
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_graceful_shutdown, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow HTTPD scripts and modules to connect to databases over the network.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_can_network_connect_db, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to connect to memcache server
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_can_network_memcache, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to connect to redis
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_can_network_redis, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to act as a relay
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_can_network_relay, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow http daemon to connect to zabbix
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_can_connect_zabbix, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow http daemon to connect to mythtv
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_can_connect_mythtv, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow http daemon to check spam
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_can_check_spam, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow http daemon to send mail
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_can_sendmail, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow Apache to communicate with avahi service via dbus
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_dbus_avahi, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow Apache to communicate with sssd service via dbus
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_dbus_sssd, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd cgi support
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_enable_cgi, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to act as a FTP server by
|
|
## listening on the ftp port.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_enable_ftp_server, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to act as a FTP client
|
|
## connecting to the ftp port and ephemeral ports
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_can_connect_ftp, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to manage the courier spool sock files.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_can_manage_courier_spool, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to connect to the ldap port
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_can_connect_ldap, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to read home directories
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_enable_homedirs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to read user content
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_read_user_content, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow Apache to run in stickshift mode, not transition to passenger
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_run_stickshift, false)
|
|
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow Apache to run preupgrade
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_run_preupgrade, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow Apache to query NS records
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_verify_dns, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd daemon to change its resource limits
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_setrlimit, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_ssi_exec, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow Apache to execute tmp content.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_tmp_exec, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Unify HTTPD to communicate with the terminal.
|
|
## Needed for entering the passphrase for certificates at
|
|
## the terminal.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_tty_comm, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Unify HTTPD handling of all content files.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_unified, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to access openstack ports
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_use_openstack, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to access cifs file systems
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_use_cifs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to access FUSE file systems
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_use_fusefs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to run gpg
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_use_gpg, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to connect to sasl
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_use_sasl, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to access nfs file systems
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_use_nfs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow httpd to use opencryptoki
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_use_opencryptoki, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_sys_script_anon_write, false)
|
|
|
|
attribute httpdcontent;
|
|
attribute httpd_user_content_type;
|
|
attribute httpd_content_type;
|
|
|
|
# domains that can exec all users scripts
|
|
attribute httpd_exec_scripts;
|
|
|
|
attribute httpd_script_type;
|
|
attribute httpd_script_exec_type;
|
|
attribute httpd_user_script_exec_type;
|
|
|
|
# user script domains
|
|
attribute httpd_script_domains;
|
|
|
|
type httpd_t;
|
|
type httpd_exec_t;
|
|
ifdef(`distro_redhat',`
|
|
typealias httpd_t alias phpfpm_t;
|
|
typealias httpd_exec_t alias phpfpm_exec_t;
|
|
')
|
|
init_daemon_domain(httpd_t, httpd_exec_t)
|
|
init_nnp_daemon_domain(httpd_t)
|
|
role system_r types httpd_t;
|
|
|
|
# httpd_cache_t is the type given to the /var/cache/httpd
|
|
# directory and the files under that directory
|
|
type httpd_cache_t;
|
|
files_type(httpd_cache_t)
|
|
|
|
# httpd_config_t is the type given to the configuration files
|
|
type httpd_config_t;
|
|
files_config_file(httpd_config_t)
|
|
|
|
type httpd_helper_t;
|
|
type httpd_helper_exec_t;
|
|
domain_type(httpd_helper_t)
|
|
domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
|
|
role system_r types httpd_helper_t;
|
|
|
|
type httpd_initrc_exec_t;
|
|
init_script_file(httpd_initrc_exec_t)
|
|
|
|
type httpd_keytab_t;
|
|
files_type(httpd_keytab_t)
|
|
|
|
type httpd_unit_file_t;
|
|
ifdef(`distro_redhat',`
|
|
typealias httpd_unit_file_t alias phpfpm_unit_file_t;
|
|
')
|
|
systemd_unit_file(httpd_unit_file_t)
|
|
|
|
type httpd_lock_t;
|
|
files_lock_file(httpd_lock_t)
|
|
|
|
type httpd_log_t;
|
|
ifdef(`distro_redhat',`
|
|
typealias httpd_log_t alias phpfpm_log_t;
|
|
')
|
|
logging_log_file(httpd_log_t)
|
|
|
|
# httpd_modules_t is the type given to module files (libraries)
|
|
# that come with Apache /etc/httpd/modules and /usr/lib/apache
|
|
type httpd_modules_t;
|
|
files_type(httpd_modules_t)
|
|
|
|
type httpd_php_t;
|
|
type httpd_php_exec_t;
|
|
domain_type(httpd_php_t)
|
|
domain_entry_file(httpd_php_t, httpd_php_exec_t)
|
|
role system_r types httpd_php_t;
|
|
|
|
type httpd_php_tmp_t;
|
|
files_tmp_file(httpd_php_tmp_t)
|
|
|
|
type httpd_rotatelogs_t;
|
|
type httpd_rotatelogs_exec_t;
|
|
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
|
|
|
|
type httpd_squirrelmail_t;
|
|
files_type(httpd_squirrelmail_t)
|
|
|
|
# SUEXEC runs user scripts as their own user ID
|
|
type httpd_suexec_t; #, daemon;
|
|
type httpd_suexec_exec_t;
|
|
domain_type(httpd_suexec_t)
|
|
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
|
|
role system_r types httpd_suexec_t;
|
|
|
|
type httpd_suexec_tmp_t;
|
|
files_tmp_file(httpd_suexec_tmp_t)
|
|
|
|
# setup the system domain for system CGI scripts
|
|
apache_content_template(httpd_sys)
|
|
|
|
typeattribute httpd_sys_content_t httpdcontent; # customizable
|
|
typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
|
|
typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
|
|
|
|
# Removal of fastcgi, will cause problems without the following
|
|
typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
|
|
typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
|
|
typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
|
|
typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
|
|
typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
|
|
|
|
type httpd_tmp_t;
|
|
files_tmp_file(httpd_tmp_t)
|
|
|
|
type httpd_tmpfs_t;
|
|
files_tmpfs_file(httpd_tmpfs_t)
|
|
|
|
apache_user_content_template(httpd_user)
|
|
ubac_constrained(httpd_user_script_t)
|
|
|
|
typeattribute httpd_user_content_t httpdcontent;
|
|
typeattribute httpd_user_rw_content_t httpdcontent;
|
|
typeattribute httpd_user_ra_content_t httpdcontent;
|
|
|
|
typeattribute httpd_user_script_t httpd_script_domains;
|
|
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
|
|
typealias httpd_user_content_t alias httpd_unconfined_content_t;
|
|
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
|
|
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
|
|
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
|
|
typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
|
|
typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
|
|
typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
|
|
typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
|
|
typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
|
|
typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
|
|
typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
|
|
typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
|
|
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
|
|
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
|
|
|
|
# for apache2 memory mapped files
|
|
type httpd_var_lib_t;
|
|
files_type(httpd_var_lib_t)
|
|
systemd_mount_dir(httpd_var_lib_t)
|
|
|
|
type httpd_var_run_t;
|
|
ifdef(`distro_redhat',`
|
|
typealias httpd_var_run_t alias phpfpm_var_run_t;
|
|
')
|
|
files_pid_file(httpd_var_run_t)
|
|
files_mountpoint(httpd_var_run_t)
|
|
|
|
# Removal of fastcgi, will cause problems without the following
|
|
typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
|
|
|
|
# File Type of squirrelmail attachments
|
|
type squirrelmail_spool_t;
|
|
files_tmp_file(squirrelmail_spool_t)
|
|
files_spool_file(squirrelmail_spool_t)
|
|
|
|
optional_policy(`
|
|
prelink_object_file(httpd_modules_t)
|
|
')
|
|
|
|
type httpd_passwd_t;
|
|
type httpd_passwd_exec_t;
|
|
application_domain(httpd_passwd_t, httpd_passwd_exec_t)
|
|
role system_r types httpd_passwd_t;
|
|
|
|
########################################
|
|
#
|
|
# Apache server local policy
|
|
#
|
|
|
|
allow httpd_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot };
|
|
dontaudit httpd_t self:capability { net_admin sys_tty_config };
|
|
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
allow httpd_t self:fd use;
|
|
allow httpd_t self:sock_file read_sock_file_perms;
|
|
allow httpd_t self:fifo_file rw_fifo_file_perms;
|
|
allow httpd_t self:shm create_shm_perms;
|
|
allow httpd_t self:sem create_sem_perms;
|
|
allow httpd_t self:msgq create_msgq_perms;
|
|
allow httpd_t self:msg { send receive };
|
|
allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
allow httpd_t self:tcp_socket create_stream_socket_perms;
|
|
allow httpd_t self:udp_socket create_socket_perms;
|
|
dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
|
|
dontaudit httpd_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
# Allow httpd_t to put files in /var/cache/httpd etc
|
|
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
|
|
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
|
|
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
|
|
files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
|
|
allow httpd_t httpd_cache_t:file map;
|
|
|
|
# Allow the httpd_t to read the web servers config files
|
|
allow httpd_t httpd_config_t:dir list_dir_perms;
|
|
read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
|
|
read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
|
|
allow httpd_t httpd_config_t:file map;
|
|
|
|
can_exec(httpd_t, httpd_exec_t)
|
|
|
|
allow httpd_t httpd_keytab_t:file read_file_perms;
|
|
|
|
allow httpd_t httpd_lock_t:file manage_file_perms;
|
|
files_lock_filetrans(httpd_t, httpd_lock_t, file)
|
|
|
|
allow httpd_t httpd_log_t:dir setattr;
|
|
create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
|
create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
|
append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
|
setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
|
read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
|
list_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
|
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
|
# cjp: need to refine create interfaces to
|
|
# cut this back to add_name only
|
|
logging_log_filetrans(httpd_t, httpd_log_t, file)
|
|
|
|
allow httpd_t httpd_modules_t:dir list_dir_perms;
|
|
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
|
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
|
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
|
|
|
apache_domtrans_rotatelogs(httpd_t)
|
|
# Apache-httpd needs to be able to send signals to the log rotate procs.
|
|
allow httpd_t httpd_rotatelogs_t:process signal_perms;
|
|
|
|
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
|
|
manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
|
|
manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
|
|
allow httpd_t httpd_squirrelmail_t:file map;
|
|
|
|
allow httpd_t httpd_suexec_t:process { signal signull };
|
|
allow httpd_t httpd_suexec_t:file read_file_perms;
|
|
|
|
allow httpd_t httpd_sys_content_t:dir list_dir_perms;
|
|
read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
|
|
read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
|
|
allow httpd_t httpd_sys_content_t:file map;
|
|
|
|
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
|
|
|
|
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
|
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
|
manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
|
manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
|
files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
|
|
userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)
|
|
allow httpd_t httpd_tmp_t:file map;
|
|
|
|
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
|
|
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
|
|
manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
|
|
manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
|
|
manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
|
|
fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
|
allow httpd_t httpd_tmpfs_t:file map;
|
|
|
|
manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
|
|
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
|
|
manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
|
|
allow httpd_t httpd_var_lib_t:file map;
|
|
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
|
|
|
|
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
|
manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
|
manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
|
manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
|
files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
|
|
|
|
manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
|
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
|
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
|
|
|
kernel_read_kernel_sysctls(httpd_t)
|
|
kernel_read_net_sysctls(httpd_t)
|
|
# for modules that want to access /proc/meminfo
|
|
kernel_read_system_state(httpd_t)
|
|
kernel_read_network_state(httpd_t)
|
|
kernel_search_network_sysctl(httpd_t)
|
|
|
|
corenet_all_recvfrom_netlabel(httpd_t)
|
|
corenet_tcp_sendrecv_generic_if(httpd_t)
|
|
corenet_udp_sendrecv_generic_if(httpd_t)
|
|
corenet_tcp_sendrecv_generic_node(httpd_t)
|
|
corenet_udp_sendrecv_generic_node(httpd_t)
|
|
corenet_tcp_sendrecv_all_ports(httpd_t)
|
|
corenet_udp_sendrecv_all_ports(httpd_t)
|
|
corenet_tcp_bind_generic_node(httpd_t)
|
|
corenet_udp_bind_generic_node(httpd_t)
|
|
corenet_tcp_bind_http_port(httpd_t)
|
|
corenet_udp_bind_http_port(httpd_t)
|
|
corenet_tcp_bind_http_cache_port(httpd_t)
|
|
corenet_tcp_bind_ntop_port(httpd_t)
|
|
corenet_tcp_bind_jboss_management_port(httpd_t)
|
|
corenet_tcp_bind_jboss_messaging_port(httpd_t)
|
|
corenet_sendrecv_http_server_packets(httpd_t)
|
|
corenet_tcp_bind_puppet_port(httpd_t)
|
|
# Signal self for shutdown
|
|
tunable_policy(`httpd_graceful_shutdown',`
|
|
corenet_tcp_connect_http_port(httpd_t)
|
|
')
|
|
|
|
dev_read_sysfs(httpd_t)
|
|
dev_read_rand(httpd_t)
|
|
dev_read_urand(httpd_t)
|
|
dev_rw_crypto(httpd_t)
|
|
dev_rw_zero(httpd_t)
|
|
|
|
files_dontaudit_write_all_mountpoints(httpd_t)
|
|
|
|
fs_getattr_all_fs(httpd_t)
|
|
fs_search_auto_mountpoints(httpd_t)
|
|
fs_read_iso9660_files(httpd_t)
|
|
fs_rw_hugetlbfs_files(httpd_t)
|
|
fs_exec_hugetlbfs_files(httpd_t)
|
|
|
|
auth_use_nsswitch(httpd_t)
|
|
|
|
application_exec_all(httpd_t)
|
|
|
|
# execute perl
|
|
corecmd_exec_bin(httpd_t)
|
|
corecmd_exec_shell(httpd_t)
|
|
|
|
domain_use_interactive_fds(httpd_t)
|
|
domain_dontaudit_read_all_domains_state(httpd_t)
|
|
|
|
files_dontaudit_search_all_pids(httpd_t)
|
|
files_dontaudit_getattr_all_pids(httpd_t)
|
|
files_exec_usr_files(httpd_t)
|
|
files_list_mnt(httpd_t)
|
|
files_read_mnt_symlinks(httpd_t)
|
|
files_search_all(httpd_t)
|
|
files_search_spool(httpd_t)
|
|
files_read_var_symlinks(httpd_t)
|
|
files_read_var_lib_files(httpd_t)
|
|
files_search_home(httpd_t)
|
|
files_getattr_home_dir(httpd_t)
|
|
# for modules that want to access /etc/mtab
|
|
files_read_etc_runtime_files(httpd_t)
|
|
# Allow httpd_t to have access to files such as nisswitch.conf
|
|
# for tomcat
|
|
files_read_var_lib_symlinks(httpd_t)
|
|
|
|
fs_rw_hugetlbfs_files(httpd_sys_script_t)
|
|
fs_search_auto_mountpoints(httpd_sys_script_t)
|
|
|
|
# php uploads a file to /tmp and then execs programs to acton them
|
|
manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
|
|
manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
|
|
manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
|
|
manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
|
|
manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
|
|
files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
|
|
|
|
libs_read_lib_files(httpd_t)
|
|
|
|
ifdef(`hide_broken_symptoms',`
|
|
libs_exec_lib_files(httpd_t)
|
|
')
|
|
|
|
logging_send_syslog_msg(httpd_t)
|
|
|
|
init_dontaudit_read_utmp(httpd_t)
|
|
|
|
miscfiles_read_fonts(httpd_t)
|
|
miscfiles_read_public_files(httpd_t)
|
|
miscfiles_read_generic_certs(httpd_t)
|
|
miscfiles_map_generic_certs(httpd_t)
|
|
miscfiles_read_tetex_data(httpd_t)
|
|
miscfiles_dontaudit_access_check_cert(httpd_t)
|
|
|
|
userdom_use_unpriv_users_fds(httpd_t)
|
|
userdom_rw_inherited_user_tmp_files(httpd_t)
|
|
userdom_map_tmp_files(httpd_t)
|
|
|
|
tunable_policy(`httpd_setrlimit',`
|
|
allow httpd_t self:process setrlimit;
|
|
allow httpd_t self:capability sys_resource;
|
|
')
|
|
|
|
tunable_policy(`httpd_anon_write',`
|
|
miscfiles_manage_public_files(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_dontaudit_search_dirs',`
|
|
files_dontaudit_search_non_security_dirs(httpd_t)
|
|
')
|
|
|
|
#
|
|
# We need optionals to be able to be within booleans to make this work
|
|
#
|
|
tunable_policy(`httpd_mod_auth_pam',`
|
|
auth_domtrans_chkpwd(httpd_t)
|
|
logging_send_audit_msgs(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`httpd_mod_auth_ntlm_winbind',`
|
|
samba_domtrans_winbind_helper(httpd_t)
|
|
')
|
|
')
|
|
|
|
tunable_policy(`httpd_can_network_connect',`
|
|
corenet_tcp_connect_all_ports(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_can_network_connect_db',`
|
|
corenet_tcp_connect_gds_db_port(httpd_t)
|
|
corenet_tcp_connect_mssql_port(httpd_t)
|
|
corenet_tcp_connect_mongod_port(httpd_t)
|
|
corenet_sendrecv_mssql_client_packets(httpd_t)
|
|
corenet_tcp_connect_oracle_port(httpd_t)
|
|
corenet_sendrecv_oracle_client_packets(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_can_network_memcache',`
|
|
corenet_tcp_connect_memcache_port(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_can_network_redis',`
|
|
corenet_tcp_connect_redis_port(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_can_network_relay',`
|
|
# allow httpd to work as a relay
|
|
corenet_tcp_connect_gopher_port(httpd_t)
|
|
corenet_tcp_connect_ftp_port(httpd_t)
|
|
corenet_tcp_connect_http_port(httpd_t)
|
|
corenet_tcp_connect_http_cache_port(httpd_t)
|
|
corenet_tcp_connect_squid_port(httpd_t)
|
|
corenet_tcp_connect_memcache_port(httpd_t)
|
|
corenet_sendrecv_gopher_client_packets(httpd_t)
|
|
corenet_sendrecv_ftp_client_packets(httpd_t)
|
|
corenet_sendrecv_http_client_packets(httpd_t)
|
|
corenet_sendrecv_http_cache_client_packets(httpd_t)
|
|
corenet_sendrecv_squid_client_packets(httpd_t)
|
|
corenet_tcp_connect_all_ephemeral_ports(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_execmem',`
|
|
allow httpd_t self:process { execmem execstack };
|
|
allow httpd_sys_script_t self:process { execmem execstack };
|
|
allow httpd_suexec_t self:process { execmem execstack };
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
|
allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
|
|
filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
|
|
can_exec(httpd_sys_script_t, httpd_sys_content_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_sys_script_anon_write',`
|
|
miscfiles_manage_public_files(httpd_sys_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
|
|
fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
|
|
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
|
|
fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
|
|
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
|
|
filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
|
|
manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
|
|
manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
|
|
manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
|
|
|
|
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
|
|
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
|
manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
|
')
|
|
|
|
tunable_policy(`httpd_can_connect_ftp',`
|
|
corenet_tcp_connect_ftp_port(httpd_t)
|
|
corenet_tcp_connect_all_ephemeral_ports(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_can_connect_ldap',`
|
|
corenet_tcp_connect_ldap_port(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_can_connect_mythtv',`
|
|
corenet_tcp_connect_mythtv_port(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_can_connect_zabbix',`
|
|
corenet_tcp_connect_zabbix_port(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_ftp_server',`
|
|
corenet_tcp_bind_ftp_port(httpd_t)
|
|
corenet_tcp_bind_all_ephemeral_ports(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
|
|
can_exec(httpd_t, httpd_tmp_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
|
|
can_exec(httpd_sys_script_t, httpd_tmp_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
|
fs_list_auto_mountpoints(httpd_t)
|
|
fs_read_nfs_files(httpd_t)
|
|
fs_read_nfs_symlinks(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_use_nfs',`
|
|
fs_list_auto_mountpoints(httpd_t)
|
|
fs_manage_nfs_dirs(httpd_t)
|
|
fs_manage_nfs_files(httpd_t)
|
|
fs_manage_nfs_symlinks(httpd_t)
|
|
')
|
|
|
|
|
|
optional_policy(`
|
|
tunable_policy(`httpd_use_nfs',`
|
|
automount_search_tmp_dirs(httpd_t)
|
|
')
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
|
fs_read_cifs_files(httpd_t)
|
|
fs_read_cifs_symlinks(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_can_sendmail',`
|
|
# allow httpd to connect to mail servers
|
|
corenet_tcp_connect_smtp_port(httpd_t)
|
|
corenet_sendrecv_smtp_client_packets(httpd_t)
|
|
corenet_tcp_connect_pop_port(httpd_t)
|
|
corenet_sendrecv_pop_client_packets(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`httpd_can_sendmail',`
|
|
mta_send_mail(httpd_t)
|
|
mta_signal_system_mail(httpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`httpd_can_sendmail',`
|
|
postfix_rw_spool_maildrop_files(httpd_t)
|
|
')
|
|
')
|
|
|
|
tunable_policy(`httpd_use_cifs',`
|
|
fs_manage_cifs_dirs(httpd_t)
|
|
fs_manage_cifs_files(httpd_t)
|
|
fs_manage_cifs_symlinks(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_use_fusefs',`
|
|
fs_manage_fusefs_dirs(httpd_t)
|
|
fs_manage_fusefs_files(httpd_t)
|
|
fs_manage_fusefs_symlinks(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_use_opencryptoki',`
|
|
allow httpd_t self:capability fowner;
|
|
')
|
|
|
|
tunable_policy(`httpd_setrlimit',`
|
|
allow httpd_t self:process setrlimit;
|
|
allow httpd_t self:capability sys_resource;
|
|
')
|
|
|
|
tunable_policy(`httpd_ssi_exec',`
|
|
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
|
|
allow httpd_sys_script_t httpd_t:fd use;
|
|
allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
|
|
allow httpd_sys_script_t httpd_t:process sigchld;
|
|
')
|
|
|
|
# When the admin starts the server, the server wants to access
|
|
# the TTY or PTY associated with the session. The httpd appears
|
|
# to run correctly without this permission, so the permission
|
|
# are dontaudited here.
|
|
tunable_policy(`httpd_tty_comm',`
|
|
userdom_use_inherited_user_terminals(httpd_t)
|
|
userdom_use_inherited_user_terminals(httpd_suexec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cobbler_list_config(httpd_t)
|
|
cobbler_read_config(httpd_t)
|
|
|
|
tunable_policy(`httpd_serve_cobbler_files',`
|
|
cobbler_manage_lib_files(httpd_t)
|
|
',`
|
|
cobbler_read_lib_files(httpd_t)
|
|
cobbler_search_lib(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_can_network_connect_cobbler',`
|
|
corenet_tcp_connect_cobbler_port(httpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`httpd_use_sasl',`
|
|
sasl_connect(httpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
# type transitions with a filename not allowed inside conditionals
|
|
pkcs_tmpfs_named_filetrans(httpd_t)
|
|
|
|
tunable_policy(`httpd_use_opencryptoki',`
|
|
pkcs_use_opencryptoki(httpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
# Support for ABRT retrace server
|
|
# mod_wsgi
|
|
abrt_manage_spool_retrace(httpd_t)
|
|
abrt_domtrans_retrace_worker(httpd_t)
|
|
abrt_read_config(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
bind_rw_cache(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
calamaris_read_www_files(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ccs_read_config(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cron_system_entry(httpd_t, httpd_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cvs_read_data(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
daemontools_service_domain(httpd_t, httpd_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
#needed by FreeIPA
|
|
dirsrv_stream_connect(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dirsrv_manage_config(httpd_t)
|
|
dirsrv_manage_log(httpd_t)
|
|
dirsrv_manage_var_run(httpd_t)
|
|
dirsrv_read_share(httpd_t)
|
|
dirsrv_signal(httpd_t)
|
|
dirsrv_signull(httpd_t)
|
|
dirsrvadmin_manage_config(httpd_t)
|
|
dirsrvadmin_manage_tmp(httpd_t)
|
|
dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(httpd_t)
|
|
|
|
tunable_policy(`httpd_dbus_avahi',`
|
|
avahi_dbus_chat(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_dbus_sssd',`
|
|
sssd_dbus_chat(httpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
git_read_generic_sys_content_files(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
gitosis_read_lib_files(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
|
|
gpg_domtrans_web(httpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
gssproxy_stream_connect(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ica_rw_map_tmpfs_files(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
insights_client_write_tmp(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ipa_read_lib(httpd_t)
|
|
ipa_manage_pid_files(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ipa_custodia_stream_connect(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mirrormanager_manage_pid_files(httpd_t)
|
|
mirrormanager_manage_pid_sock_files(httpd_t)
|
|
mirrormanager_read_lib_files(httpd_t)
|
|
mirrormanager_read_log(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
jetty_admin(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_manage_host_rcache(httpd_t)
|
|
kerberos_read_keytab(httpd_t)
|
|
kerberos_read_kdc_config(httpd_t)
|
|
kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
|
|
kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
|
|
kerberos_use(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# needed by FreeIPA
|
|
ldap_stream_connect(httpd_t)
|
|
ldap_read_certs(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mailman_signal_cgi(httpd_t)
|
|
mailman_signull_cgi(httpd_t)
|
|
mailman_domtrans_cgi(httpd_t)
|
|
mailman_read_data_files(httpd_t)
|
|
# should have separate types for public and private archives
|
|
mailman_search_data(httpd_t)
|
|
mailman_read_archive(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mediawiki_read_tmp_files(httpd_t)
|
|
mediawiki_delete_tmp_files(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
memcached_stream_connect(httpd_t)
|
|
|
|
tunable_policy(`httpd_manage_ipa',`
|
|
memcached_manage_pid_files(httpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`httpd_run_ipa',`
|
|
oddjob_dbus_chat(httpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`httpd_run_ipa',`
|
|
ipa_domtrans_helper(httpd_t)
|
|
')
|
|
ipa_cert_filetrans_named_content(httpd_t)
|
|
allow httpd_t httpd_config_t:dir write;
|
|
')
|
|
|
|
optional_policy(`
|
|
munin_read_config(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# Allow httpd to work with mysql
|
|
mysql_read_config(httpd_t)
|
|
mysql_stream_connect(httpd_t)
|
|
mysql_rw_db_sockets(httpd_t)
|
|
|
|
optional_policy(`
|
|
postgresql_stream_connect(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_can_network_connect_db',`
|
|
mysql_tcp_connect(httpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
nagios_read_config(httpd_t)
|
|
nagios_read_lib(httpd_t)
|
|
nagios_read_log(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
openca_domtrans(httpd_t)
|
|
openca_signal(httpd_t)
|
|
openca_sigstop(httpd_t)
|
|
openca_kill(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
openshift_search_lib(httpd_t)
|
|
openshift_initrc_signull(httpd_t)
|
|
openshift_initrc_signal(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
passenger_exec(httpd_t)
|
|
passenger_kill(httpd_t)
|
|
passenger_manage_pid_content(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
pcscd_read_pid_files(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
pkcs11proxyd_stream_connect(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
pki_apache_domain_signal(httpd_t)
|
|
pki_manage_apache_config_files(httpd_t)
|
|
pki_manage_apache_lib(httpd_t)
|
|
pki_manage_apache_log_files(httpd_t)
|
|
pki_manage_apache_run(httpd_t)
|
|
pki_read_tomcat_cert(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
puppet_read_lib(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
pwauth_domtrans(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
realmd_read_var_lib(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rpm_dontaudit_read_db(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rpc_search_nfs_state_data(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# Allow httpd to work with postgresql
|
|
postgresql_stream_connect(httpd_t)
|
|
postgresql_unpriv_client(httpd_t)
|
|
|
|
tunable_policy(`httpd_can_network_connect_db',`
|
|
postgresql_tcp_connect(httpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
redis_stream_connect(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
smokeping_read_lib_files(httpd_t)
|
|
smokeping_read_pid_files(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
files_dontaudit_rw_usr_dirs(httpd_t)
|
|
snmp_dontaudit_manage_snmp_var_lib_files(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
thin_stream_connect(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
zarafa_manage_lib_files(httpd_t)
|
|
zarafa_stream_connect_server(httpd_t)
|
|
zarafa_search_config(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
zoneminder_append_log(httpd_t)
|
|
zoneminder_manage_lib_dirs(httpd_t)
|
|
zoneminder_manage_lib_files(httpd_t)
|
|
zoneminder_stream_connect(httpd_t)
|
|
zoneminder_manage_lib_sock_files(httpd_t)
|
|
zoneminder_manage_lib_sock_files(httpd_t)
|
|
zoneminder_exec(httpd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Apache helper local policy
|
|
#
|
|
|
|
domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
|
|
|
|
allow httpd_helper_t httpd_config_t:file read_file_perms;
|
|
|
|
allow httpd_helper_t httpd_log_t:file append_file_perms;
|
|
|
|
logging_send_syslog_msg(httpd_helper_t)
|
|
|
|
tunable_policy(`httpd_verify_dns',`
|
|
corenet_udp_bind_all_ephemeral_ports(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_run_stickshift', `
|
|
allow httpd_t self:capability { fowner fsetid sys_resource };
|
|
dontaudit httpd_t self:capability sys_ptrace;
|
|
allow httpd_t self:process setexec;
|
|
|
|
files_dontaudit_getattr_all_files(httpd_t)
|
|
domain_getpgid_all_domains(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`httpd_run_stickshift', `
|
|
passenger_manage_lib_files(httpd_t)
|
|
passenger_getattr_log_files(httpd_t)
|
|
',`
|
|
passenger_domtrans(httpd_t)
|
|
passenger_read_lib_files(httpd_t)
|
|
passenger_stream_connect(httpd_t)
|
|
passenger_manage_tmp_files(httpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`httpd_run_stickshift', `
|
|
oddjob_dbus_chat(httpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`httpd_run_preupgrade', `
|
|
anaconda_manage_lib_files_preupgrade(httpd_t)
|
|
anaconda_domtrans_preupgrade(httpd_t)
|
|
',`
|
|
anaconda_read_lib_files_preupgrade(httpd_t)
|
|
anaconda_exec_preupgrade(httpd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`httpd_run_preupgrade', `
|
|
corenet_tcp_bind_preupgrade_port(httpd_t)
|
|
')
|
|
')
|
|
|
|
tunable_policy(`httpd_tty_comm',`
|
|
userdom_use_inherited_user_terminals(httpd_helper_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Apache PHP script local policy
|
|
#
|
|
|
|
allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
allow httpd_php_t self:fd use;
|
|
allow httpd_php_t self:fifo_file rw_fifo_file_perms;
|
|
allow httpd_php_t self:sock_file read_sock_file_perms;
|
|
allow httpd_php_t self:unix_dgram_socket create_socket_perms;
|
|
allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow httpd_php_t self:unix_dgram_socket sendto;
|
|
allow httpd_php_t self:unix_stream_socket connectto;
|
|
allow httpd_php_t self:shm create_shm_perms;
|
|
allow httpd_php_t self:sem create_sem_perms;
|
|
allow httpd_php_t self:msgq create_msgq_perms;
|
|
allow httpd_php_t self:msg { send receive };
|
|
|
|
domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
|
|
|
|
# allow php to read and append to apache logfiles
|
|
allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
|
|
|
|
manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
|
|
manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
|
|
files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
|
|
|
|
fs_search_auto_mountpoints(httpd_php_t)
|
|
|
|
auth_use_nsswitch(httpd_php_t)
|
|
|
|
libs_exec_lib_files(httpd_php_t)
|
|
|
|
userdom_use_unpriv_users_fds(httpd_php_t)
|
|
|
|
tunable_policy(`httpd_can_network_connect_db',`
|
|
corenet_tcp_connect_gds_db_port(httpd_php_t)
|
|
corenet_tcp_connect_mssql_port(httpd_php_t)
|
|
corenet_sendrecv_mssql_client_packets(httpd_php_t)
|
|
corenet_tcp_connect_oracle_port(httpd_php_t)
|
|
corenet_sendrecv_oracle_client_packets(httpd_php_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mysql_stream_connect(httpd_php_t)
|
|
mysql_rw_db_sockets(httpd_php_t)
|
|
mysql_read_config(httpd_php_t)
|
|
|
|
tunable_policy(`httpd_can_network_connect_db',`
|
|
mysql_tcp_connect(httpd_php_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
postgresql_stream_connect(httpd_php_t)
|
|
postgresql_unpriv_client(httpd_php_t)
|
|
|
|
tunable_policy(`httpd_can_network_connect_db',`
|
|
postgresql_tcp_connect(httpd_php_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
systemd_private_tmp(httpd_php_tmp_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Apache suexec local policy
|
|
#
|
|
|
|
allow httpd_suexec_t self:capability { setuid setgid };
|
|
allow httpd_suexec_t self:process signal_perms;
|
|
allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
|
|
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
|
|
|
|
create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
|
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
|
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
|
|
|
allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
|
|
|
|
manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
|
|
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
|
|
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
|
|
|
can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
|
|
|
|
read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
|
|
read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
|
|
read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
|
|
|
kernel_read_kernel_sysctls(httpd_suexec_t)
|
|
kernel_list_proc(httpd_suexec_t)
|
|
kernel_read_proc_symlinks(httpd_suexec_t)
|
|
|
|
dev_read_urand(httpd_suexec_t)
|
|
|
|
fs_read_iso9660_files(httpd_suexec_t)
|
|
fs_search_auto_mountpoints(httpd_suexec_t)
|
|
|
|
application_exec_all(httpd_suexec_t)
|
|
|
|
# for shell scripts
|
|
corecmd_exec_bin(httpd_suexec_t)
|
|
corecmd_exec_shell(httpd_suexec_t)
|
|
|
|
files_dontaudit_search_pids(httpd_suexec_t)
|
|
files_search_home(httpd_suexec_t)
|
|
|
|
auth_use_nsswitch(httpd_suexec_t)
|
|
|
|
logging_search_logs(httpd_suexec_t)
|
|
logging_send_syslog_msg(httpd_suexec_t)
|
|
|
|
miscfiles_read_public_files(httpd_suexec_t)
|
|
|
|
corenet_all_recvfrom_netlabel(httpd_suexec_t)
|
|
|
|
tunable_policy(`httpd_can_network_connect',`
|
|
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
|
|
allow httpd_suexec_t self:udp_socket create_socket_perms;
|
|
|
|
corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
|
|
corenet_udp_sendrecv_generic_if(httpd_suexec_t)
|
|
corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
|
|
corenet_udp_sendrecv_generic_node(httpd_suexec_t)
|
|
corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
|
|
corenet_udp_sendrecv_all_ports(httpd_suexec_t)
|
|
corenet_tcp_connect_all_ports(httpd_suexec_t)
|
|
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_can_network_connect_db',`
|
|
corenet_tcp_connect_gds_db_port(httpd_suexec_t)
|
|
corenet_tcp_connect_mssql_port(httpd_suexec_t)
|
|
corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
|
|
corenet_tcp_connect_oracle_port(httpd_suexec_t)
|
|
corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
|
|
')
|
|
|
|
domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
|
|
|
|
tunable_policy(`httpd_can_sendmail',`
|
|
mta_send_mail(httpd_suexec_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
|
allow httpd_sys_script_t httpdcontent:file { entrypoint map };
|
|
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
|
|
manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
|
|
manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
|
|
manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
|
|
manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`httpd_can_manage_courier_spool',`
|
|
courier_manage_spool_sockets(httpd_sys_script_t)
|
|
')
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
|
fs_list_auto_mountpoints(httpd_suexec_t)
|
|
fs_read_nfs_files(httpd_suexec_t)
|
|
fs_read_nfs_symlinks(httpd_suexec_t)
|
|
fs_exec_nfs_files(httpd_suexec_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
|
fs_read_cifs_files(httpd_suexec_t)
|
|
fs_read_cifs_symlinks(httpd_suexec_t)
|
|
fs_exec_cifs_files(httpd_suexec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
apache_rw_stream_sockets(httpd_suexec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mailman_domtrans_cgi(httpd_suexec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mta_stub(httpd_suexec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mysql_stream_connect(httpd_suexec_t)
|
|
mysql_rw_db_sockets(httpd_suexec_t)
|
|
mysql_read_config(httpd_suexec_t)
|
|
|
|
tunable_policy(`httpd_can_network_connect_db',`
|
|
mysql_tcp_connect(httpd_suexec_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
postgresql_stream_connect(httpd_suexec_t)
|
|
postgresql_unpriv_client(httpd_suexec_t)
|
|
|
|
tunable_policy(`httpd_can_network_connect_db',`
|
|
postgresql_tcp_connect(httpd_suexec_t)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Apache system script local policy
|
|
#
|
|
|
|
allow httpd_sys_script_t self:process getsched;
|
|
|
|
allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
|
|
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
|
|
|
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
|
|
|
allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
|
|
|
|
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
|
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
|
read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
|
|
|
kernel_read_kernel_sysctls(httpd_sys_script_t)
|
|
|
|
dev_list_sysfs(httpd_sys_script_t)
|
|
|
|
files_read_var_symlinks(httpd_sys_script_t)
|
|
files_search_var_lib(httpd_sys_script_t)
|
|
files_search_spool(httpd_sys_script_t)
|
|
|
|
logging_send_syslog_msg(httpd_sys_script_t)
|
|
logging_inherit_append_all_logs(httpd_sys_script_t)
|
|
|
|
# Should we add a boolean?
|
|
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
|
|
|
auth_use_nsswitch(httpd_sys_script_t)
|
|
|
|
ifdef(`distro_redhat',`
|
|
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
|
|
')
|
|
|
|
tunable_policy(`httpd_can_sendmail',`
|
|
mta_send_mail(httpd_sys_script_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
|
|
spamassassin_domtrans_client(httpd_t)
|
|
')
|
|
')
|
|
|
|
tunable_policy(`httpd_can_network_connect_db',`
|
|
corenet_tcp_connect_gds_db_port(httpd_sys_script_t)
|
|
corenet_tcp_connect_mssql_port(httpd_sys_script_t)
|
|
corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
|
|
corenet_tcp_connect_oracle_port(httpd_sys_script_t)
|
|
corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
|
|
corenet_tcp_connect_mongod_port(httpd_sys_script_t)
|
|
')
|
|
|
|
fs_cifs_entry_type(httpd_sys_script_t)
|
|
fs_read_iso9660_files(httpd_sys_script_t)
|
|
fs_nfs_entry_type(httpd_sys_script_t)
|
|
|
|
tunable_policy(`httpd_use_nfs',`
|
|
fs_list_auto_mountpoints(httpd_sys_script_t)
|
|
fs_manage_nfs_dirs(httpd_sys_script_t)
|
|
fs_manage_nfs_files(httpd_sys_script_t)
|
|
fs_manage_nfs_symlinks(httpd_sys_script_t)
|
|
fs_exec_nfs_files(httpd_sys_script_t)
|
|
|
|
fs_list_auto_mountpoints(httpd_suexec_t)
|
|
fs_manage_nfs_dirs(httpd_suexec_t)
|
|
fs_manage_nfs_files(httpd_suexec_t)
|
|
fs_manage_nfs_symlinks(httpd_suexec_t)
|
|
fs_exec_nfs_files(httpd_suexec_t)
|
|
')
|
|
|
|
corenet_all_recvfrom_netlabel(httpd_sys_script_t)
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
|
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
|
|
allow httpd_sys_script_t self:udp_socket create_socket_perms;
|
|
|
|
corenet_tcp_bind_generic_node(httpd_sys_script_t)
|
|
corenet_udp_bind_generic_node(httpd_sys_script_t)
|
|
corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
|
|
corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
|
|
corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
|
|
corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
|
|
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
|
|
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
|
|
corenet_tcp_connect_all_ports(httpd_sys_script_t)
|
|
corenet_sendrecv_all_client_packets(httpd_sys_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs',`
|
|
userdom_search_user_home_dirs(httpd_sys_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
|
fs_list_auto_mountpoints(httpd_sys_script_t)
|
|
fs_read_nfs_files(httpd_sys_script_t)
|
|
fs_read_nfs_symlinks(httpd_sys_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_read_user_content',`
|
|
userdom_read_user_home_content_files(httpd_sys_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_use_cifs',`
|
|
fs_manage_cifs_dirs(httpd_sys_script_t)
|
|
fs_manage_cifs_files(httpd_sys_script_t)
|
|
fs_manage_cifs_symlinks(httpd_sys_script_t)
|
|
fs_manage_cifs_dirs(httpd_suexec_t)
|
|
fs_manage_cifs_files(httpd_suexec_t)
|
|
fs_manage_cifs_symlinks(httpd_suexec_t)
|
|
fs_exec_cifs_files(httpd_suexec_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_use_fusefs',`
|
|
fs_manage_fusefs_dirs(httpd_sys_script_t)
|
|
fs_manage_fusefs_files(httpd_sys_script_t)
|
|
fs_manage_fusefs_symlinks(httpd_sys_script_t)
|
|
fs_manage_fusefs_dirs(httpd_suexec_t)
|
|
fs_manage_fusefs_files(httpd_suexec_t)
|
|
fs_manage_fusefs_symlinks(httpd_suexec_t)
|
|
fs_exec_fusefs_files(httpd_suexec_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
|
fs_read_cifs_files(httpd_sys_script_t)
|
|
fs_read_cifs_symlinks(httpd_sys_script_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
clamav_domtrans_clamscan(httpd_sys_script_t)
|
|
clamav_domtrans_clamscan(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mysql_stream_connect(httpd_sys_script_t)
|
|
mysql_rw_db_sockets(httpd_sys_script_t)
|
|
mysql_read_config(httpd_sys_script_t)
|
|
|
|
tunable_policy(`httpd_can_network_connect_db',`
|
|
mysql_tcp_connect(httpd_sys_script_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
postgresql_stream_connect(httpd_sys_script_t)
|
|
postgresql_unpriv_client(httpd_sys_script_t)
|
|
|
|
tunable_policy(`httpd_can_network_connect_db',`
|
|
postgresql_tcp_connect(httpd_sys_script_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
snmp_read_snmp_var_lib_files(httpd_sys_script_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
systemd_dontaudit_read_unit_files(httpd_sys_script_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# httpd_rotatelogs local policy
|
|
#
|
|
|
|
allow httpd_rotatelogs_t self:capability { dac_read_search };
|
|
|
|
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
|
read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
|
allow httpd_rotatelogs_t httpd_config_t:dir search_dir_perms;
|
|
|
|
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
|
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
|
|
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
|
|
|
|
corecmd_exec_bin(httpd_rotatelogs_t)
|
|
|
|
logging_search_logs(httpd_rotatelogs_t)
|
|
|
|
|
|
########################################
|
|
#
|
|
# Unconfined script local policy
|
|
#
|
|
|
|
optional_policy(`
|
|
type httpd_unconfined_script_t;
|
|
type httpd_unconfined_script_exec_t;
|
|
domain_type(httpd_unconfined_script_t)
|
|
domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
|
|
domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
|
|
unconfined_domain(httpd_unconfined_script_t)
|
|
|
|
role system_r types httpd_unconfined_script_t;
|
|
allow httpd_t httpd_unconfined_script_t:process signal_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# User content local policy
|
|
#
|
|
|
|
auth_use_nsswitch(httpd_user_script_t)
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
|
allow httpd_user_script_t httpdcontent:file entrypoint;
|
|
manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
|
|
manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
|
|
manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
|
manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
|
')
|
|
|
|
# allow accessing files/dirs below the users home dir
|
|
tunable_policy(`httpd_enable_homedirs',`
|
|
userdom_search_user_home_content(httpd_t)
|
|
userdom_search_user_home_content(httpd_suexec_t)
|
|
userdom_search_user_home_content(httpd_user_script_t)
|
|
|
|
read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
|
|
read_lnk_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
|
|
list_dirs_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
|
|
allow httpd_t httpd_user_content_type:file map;
|
|
')
|
|
|
|
tunable_policy(`httpd_read_user_content',`
|
|
userdom_read_user_home_content_files(httpd_t)
|
|
userdom_read_user_home_content_files(httpd_suexec_t)
|
|
userdom_read_user_home_content_files(httpd_user_script_t)
|
|
userdom_mmap_user_home_content_files(httpd_t)
|
|
userdom_mmap_user_home_content_files(httpd_suexec_t)
|
|
userdom_mmap_user_home_content_files(httpd_user_script_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# httpd_passwd local policy
|
|
#
|
|
|
|
allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
|
|
allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
kernel_read_system_state(httpd_passwd_t)
|
|
|
|
corecmd_exec_bin(httpd_passwd_t)
|
|
corecmd_exec_shell(httpd_passwd_t)
|
|
|
|
dev_read_urand(httpd_passwd_t)
|
|
|
|
domain_use_interactive_fds(httpd_passwd_t)
|
|
|
|
auth_use_nsswitch(httpd_passwd_t)
|
|
|
|
init_dontaudit_read_state(httpd_passwd_t)
|
|
|
|
miscfiles_read_certs(httpd_passwd_t)
|
|
|
|
systemd_manage_passwd_run(httpd_passwd_t)
|
|
systemd_manage_passwd_run(httpd_t)
|
|
#systemd_passwd_agent_dev_template(httpd)
|
|
|
|
domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
|
|
dontaudit httpd_passwd_t httpd_config_t:file read;
|
|
|
|
search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
|
|
corecmd_shell_entry_type(httpd_script_type)
|
|
|
|
allow httpd_script_type self:fifo_file rw_file_perms;
|
|
allow httpd_script_type self:unix_stream_socket connectto;
|
|
|
|
allow httpd_script_type httpd_t:fifo_file write;
|
|
# apache should set close-on-exec
|
|
apache_dontaudit_leaks(httpd_script_type)
|
|
|
|
append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
|
|
logging_search_logs(httpd_script_type)
|
|
|
|
kernel_dontaudit_search_sysctl(httpd_script_type)
|
|
kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
|
|
|
|
dev_read_rand(httpd_script_type)
|
|
dev_read_urand(httpd_script_type)
|
|
|
|
corecmd_exec_all_executables(httpd_script_type)
|
|
application_exec_all(httpd_script_type)
|
|
|
|
files_exec_etc_files(httpd_script_type)
|
|
files_search_home(httpd_script_type)
|
|
|
|
libs_exec_ld_so(httpd_script_type)
|
|
libs_exec_lib_files(httpd_script_type)
|
|
|
|
miscfiles_read_fonts(httpd_script_type)
|
|
miscfiles_read_public_files(httpd_script_type)
|
|
|
|
allow httpd_t httpd_script_type:unix_stream_socket connectto;
|
|
|
|
allow httpd_t httpd_script_exec_type:file read_file_perms;
|
|
allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
|
|
allow httpd_t httpd_script_type:process { signal sigkill sigstop signull };
|
|
allow httpd_t httpd_script_exec_type:dir list_dir_perms;
|
|
|
|
allow httpd_script_type self:process { setsched signal_perms };
|
|
allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
|
|
allow httpd_script_type self:unix_dgram_socket create_socket_perms;
|
|
allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms;
|
|
|
|
allow httpd_script_type httpd_t:fd use;
|
|
allow httpd_script_type httpd_t:process sigchld;
|
|
|
|
dontaudit httpd_script_type httpd_t:tcp_socket { read write };
|
|
dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };
|
|
|
|
fs_getattr_xattr_fs(httpd_script_type)
|
|
|
|
files_read_etc_runtime_files(httpd_script_type)
|
|
|
|
libs_read_lib_files(httpd_script_type)
|
|
|
|
allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
|
|
|
|
tunable_policy(`httpd_enable_cgi && nis_enabled',`
|
|
nis_use_ypbind_uncond(httpd_script_type)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(httpd_script_type)
|
|
')
|
|
|
|
read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
|
|
allow httpd_t httpd_content_type:file map;
|
|
|
|
tunable_policy(`httpd_builtin_scripting',`
|
|
allow httpd_t httpd_content_type:dir search_dir_perms;
|
|
allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
|
|
|
|
allow httpd_t httpd_content_type:dir list_dir_perms;
|
|
read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
|
|
read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
|
|
')
|
|
|
|
tunable_policy(`httpd_use_openstack',`
|
|
corenet_tcp_connect_keystone_port(httpd_sys_script_t)
|
|
corenet_tcp_connect_all_ephemeral_ports(httpd_t)
|
|
corenet_tcp_connect_glance_port(httpd_sys_script_t)
|
|
corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_use_openstack',`
|
|
corenet_tcp_connect_osapi_compute_port(httpd_t)
|
|
corenet_tcp_bind_commplex_main_port(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`httpd_use_opencryptoki',`
|
|
dev_rw_crypto(httpd_passwd_t)
|
|
pkcs_manage_lock(httpd_passwd_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`httpd_use_openstack',`
|
|
keystone_read_log(httpd_t)
|
|
')
|
|
')
|