psss / rpms / selinux-policy

Forked from rpms/selinux-policy 5 years ago
Clone
Source Code
GIT

Files

  1.   6e6c3e2db564d46f669bcaa586d2eebe1a0008d3
  2.   apache.if
Blob Blame History Raw 
## <summary>Various web servers.</summary>

########################################
## <summary>
##	Create a set of derived types for
##	httpd web content.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving type names.
##	</summary>
## </param>
#
template(`apache_content_template',`
	gen_require(`
		attribute httpdcontent;
		attribute httpd_exec_scripts;
		attribute httpd_script_exec_type;
		type httpd_t, httpd_suexec_t, httpd_log_t;
	')

	########################################
	#
	# Declarations
	#

	# Determine whether the script domain type can
	# manage public file transfer services files.
	gen_tunable(allow_httpd_$1_script_anon_write, false)

	type httpd_$1_content_t, httpdcontent; # customizable
	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
	files_type(httpd_$1_content_t)

	type httpd_$1_htaccess_t; # customizable;
	files_type(httpd_$1_htaccess_t)

	type httpd_$1_script_t;
	domain_type(httpd_$1_script_t)
	role system_r types httpd_$1_script_t;

	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
	corecmd_shell_entry_type(httpd_$1_script_t)
	domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)

	type httpd_$1_rw_content_t, httpdcontent; # customizable
	typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
	files_type(httpd_$1_rw_content_t)

	type httpd_$1_ra_content_t, httpdcontent; # customizable
	typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
	files_type(httpd_$1_ra_content_t)

	########################################
	#
	# Policy
	#

	allow httpd_$1_script_t self:fifo_file rw_file_perms;
	allow httpd_$1_script_t self:unix_stream_socket connectto;

	read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)

	domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)

	allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;

	allow httpd_$1_script_t httpd_t:fifo_file write;

	allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;

	append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
	read_lnk_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)

	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
	allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;

	allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
	read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
	append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)

	allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
	read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)

	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
	manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
	files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })

	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)

	dev_read_rand(httpd_$1_script_t)
	dev_read_urand(httpd_$1_script_t)

	corecmd_exec_all_executables(httpd_$1_script_t)

	files_exec_etc_files(httpd_$1_script_t)
	files_read_etc_files(httpd_$1_script_t)
	files_search_home(httpd_$1_script_t)

	libs_exec_ld_so(httpd_$1_script_t)
	libs_exec_lib_files(httpd_$1_script_t)

	logging_search_logs(httpd_$1_script_t)

	miscfiles_read_fonts(httpd_$1_script_t)
	miscfiles_read_public_files(httpd_$1_script_t)

	seutil_dontaudit_search_config(httpd_$1_script_t)

	tunable_policy(`httpd_enable_cgi && httpd_unified',`
		allow httpd_$1_script_t httpdcontent:file entrypoint;

		manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
		manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
		manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
		can_exec(httpd_$1_script_t, httpdcontent)
	')

	tunable_policy(`allow_httpd_$1_script_anon_write',`
		miscfiles_manage_public_files(httpd_$1_script_t)
	')

	tunable_policy(`httpd_builtin_scripting',`
		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
		manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
		manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
		rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)

		allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
		read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
		append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)

		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)

		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
	')

	tunable_policy(`httpd_enable_cgi',`
		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;

		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)

		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)

		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
		allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;

		allow httpd_$1_script_t self:process { setsched signal_perms };
		allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;

		allow httpd_$1_script_t httpd_t:fd use;
		allow httpd_$1_script_t httpd_t:process sigchld;

		kernel_read_system_state(httpd_$1_script_t)

		fs_getattr_xattr_fs(httpd_$1_script_t)

		files_read_etc_runtime_files(httpd_$1_script_t)
		files_read_usr_files(httpd_$1_script_t)

		libs_read_lib_files(httpd_$1_script_t)

		miscfiles_read_localization(httpd_$1_script_t)
	')

	optional_policy(`
		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
			nis_use_ypbind_uncond(httpd_$1_script_t)
		')
	')

	optional_policy(`
		mysql_read_config(httpd_$1_script_t)
		mysql_stream_connect(httpd_$1_script_t)
		mysql_rw_db_sockets(httpd_$1_script_t)

		tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
			mysql_tcp_connect(httpd_$1_script_t)
		')
	')

	optional_policy(`
		postgresql_stream_connect(httpd_$1_script_t)
		postgresql_unpriv_client(httpd_$1_script_t)

		tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
			postgresql_tcp_connect(httpd_$1_script_t)
		')
	')

	optional_policy(`
		nscd_socket_use(httpd_$1_script_t)
	')
')

########################################
## <summary>
##	Role access for apache.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`apache_role',`
	gen_require(`
		attribute httpdcontent;
		type httpd_user_content_t, httpd_user_htaccess_t;
		type httpd_user_script_t, httpd_user_script_exec_t;
		type httpd_user_ra_content_t, httpd_user_rw_content_t;
	')

	role $1 types httpd_user_script_t;

	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };

	manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
	manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
	manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
	relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
	relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
	relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)

	manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)

	manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)

	manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)

	tunable_policy(`httpd_enable_cgi',`
		domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
	')

	tunable_policy(`httpd_enable_cgi && httpd_unified',`
		domtrans_pattern($2, httpdcontent, httpd_user_script_t)
	')
')

########################################
## <summary>
##	Read user httpd script executable files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_user_scripts',`
	gen_require(`
		type httpd_user_script_exec_t;
	')

	allow $1 httpd_user_script_exec_t:dir list_dir_perms;
	read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
	read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
')

########################################
## <summary>
##	Read user httpd content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_user_content',`
	gen_require(`
		type httpd_user_content_t;
	')

	allow $1 httpd_user_content_t:dir list_dir_perms;
	read_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
	read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
')

########################################
## <summary>
##	Execute httpd with a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`apache_domtrans',`
	gen_require(`
		type httpd_t, httpd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, httpd_exec_t, httpd_t)
')

#######################################
## <summary>
##	Send generic signals to httpd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_signal',`
	gen_require(`
		type httpd_t;
	')

	allow $1 httpd_t:process signal;
')

########################################
## <summary>
##	Send null signals to httpd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_signull',`
	gen_require(`
		type httpd_t;
	')

	allow $1 httpd_t:process signull;
')

########################################
## <summary>
##	Send child terminated signals to httpd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_sigchld',`
	gen_require(`
		type httpd_t;
	')

	allow $1 httpd_t:process sigchld;
')

########################################
## <summary>
##	Inherit and use file descriptors
##	from httpd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_use_fds',`
	gen_require(`
		type httpd_t;
	')

	allow $1 httpd_t:fd use;
')

########################################
## <summary>
##	Do not audit attempts to read and
##	write httpd unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_fifo_file',`
	gen_require(`
		type httpd_t;
	')

	dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read and
##	write httpd unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_stream_sockets',`
	gen_require(`
		type httpd_t;
	')

	dontaudit $1 httpd_t:unix_stream_socket { read write };
')

########################################
## <summary>
##	Do not audit attempts to read and
##	write httpd TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_tcp_sockets',`
	gen_require(`
		type httpd_t;
	')

	dontaudit $1 httpd_t:tcp_socket { read write };
')

########################################
## <summary>
##	Create, read, write, and delete
##	all httpd content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_manage_all_content',`
	gen_require(`
		attribute httpdcontent, httpd_script_exec_type;
	')

	manage_dirs_pattern($1, httpdcontent, httpdcontent)
	manage_files_pattern($1, httpdcontent, httpdcontent)
	manage_lnk_files_pattern($1, httpdcontent, httpdcontent)

	manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
	manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
	manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
')

########################################
## <summary>
##	Set attributes httpd cache directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_setattr_cache_dirs',`
	gen_require(`
		type httpd_cache_t;
	')

	allow $1 httpd_cache_t:dir setattr_dir_perms;
')

########################################
## <summary>
##	List httpd cache directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_list_cache',`
	gen_require(`
		type httpd_cache_t;
	')

	list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
')

########################################
## <summary>
##	Read and write httpd cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_rw_cache_files',`
	gen_require(`
		type httpd_cache_t;
	')

	allow $1 httpd_cache_t:file rw_file_perms;
')

########################################
## <summary>
##	Delete httpd cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_delete_cache_files',`
	gen_require(`
		type httpd_cache_t;
	')

	delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
')

########################################
## <summary>
##	Read httpd configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_read_config',`
	gen_require(`
		type httpd_config_t;
	')

	files_search_etc($1)
	allow $1 httpd_config_t:dir list_dir_perms;
	read_files_pattern($1, httpd_config_t, httpd_config_t)
	read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
')

########################################
## <summary>
##	Search httpd configuration directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_search_config',`
	gen_require(`
		type httpd_config_t;
	')

	files_search_etc($1)
	allow $1 httpd_config_t:dir search_dir_perms;
')

########################################
## <summary>
##	Create, read, write, and delete
##	httpd configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_manage_config',`
	gen_require(`
		type httpd_config_t;
	')

	files_search_etc($1)
	manage_dirs_pattern($1, httpd_config_t, httpd_config_t)
	manage_files_pattern($1, httpd_config_t, httpd_config_t)
	read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
')

########################################
## <summary>
##	Execute the Apache helper program
##	with a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_domtrans_helper',`
	gen_require(`
		type httpd_helper_t, httpd_helper_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t)
')

########################################
## <summary>
##	Execute the Apache helper program with
##	a domain transition, and allow the
##	specified role the Apache helper domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_run_helper',`
	gen_require(`
		attribute_role httpd_helper_roles;
	')

	apache_domtrans_helper($1)
	roleattribute $2 httpd_helper_roles;
')

########################################
## <summary>
##	Read httpd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_read_log',`
	gen_require(`
		type httpd_log_t;
	')

	logging_search_logs($1)
	allow $1 httpd_log_t:dir list_dir_perms;
	read_files_pattern($1, httpd_log_t, httpd_log_t)
	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
')

########################################
## <summary>
##	Append httpd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_append_log',`
	gen_require(`
		type httpd_log_t;
	')

	logging_search_logs($1)
	allow $1 httpd_log_t:dir list_dir_perms;
	append_files_pattern($1, httpd_log_t, httpd_log_t)
')

########################################
## <summary>
##	Do not audit attempts to append
##	httpd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_append_log',`
	gen_require(`
		type httpd_log_t;
	')

	dontaudit $1 httpd_log_t:file append_file_perms;
')

########################################
## <summary>
##	Create, read, write, and delete
##	httpd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_manage_log',`
	gen_require(`
		type httpd_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
	manage_files_pattern($1, httpd_log_t, httpd_log_t)
	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
')

########################################
## <summary>
##	Do not audit attempts to search
##	httpd module directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_search_modules',`
	gen_require(`
		type httpd_modules_t;
	')

	dontaudit $1 httpd_modules_t:dir search_dir_perms;
')

########################################
## <summary>
##	List httpd module directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_list_modules',`
	gen_require(`
		type httpd_modules_t;
	')

	allow $1 httpd_modules_t:dir list_dir_perms;
')

########################################
## <summary>
##	Execute httpd module files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_exec_modules',`
	gen_require(`
		type httpd_modules_t;
	')

	allow $1 httpd_modules_t:dir list_dir_perms;
	allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
	can_exec($1, httpd_modules_t)
')

########################################
## <summary>
##	Read httpd module files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_module_files',`
	gen_require(`
		type httpd_modules_t;
	')

	libs_search_lib($1)
	read_files_pattern($1, httpd_modules_t, httpd_modules_t)
')

########################################
## <summary>
##	Execute a domain transition to
##	run httpd_rotatelogs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`apache_domtrans_rotatelogs',`
	gen_require(`
		type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
')

########################################
## <summary>
##	List httpd system content directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_list_sys_content',`
	gen_require(`
		type httpd_sys_content_t;
	')

	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
	files_search_var($1)
')

########################################
## <summary>
##	Create, read, write, and delete
##	httpd system content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_manage_sys_content',`
	gen_require(`
		type httpd_sys_content_t;
	')

	files_search_var($1)
	manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
	manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	httpd system rw content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_manage_sys_rw_content',`
	gen_require(`
		type httpd_sys_rw_content_t;
	')

	apache_search_sys_content($1)
	manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
')

########################################
## <summary>
##	Execute all httpd scripts in the
##	system script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`apache_domtrans_sys_script',`
	gen_require(`
		attribute httpdcontent;
		type httpd_sys_script_t;
	')

	tunable_policy(`httpd_enable_cgi && httpd_unified',`
		domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
	')
')

########################################
## <summary>
##	Do not audit attempts to read and
##	write httpd system script unix
##	domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
	gen_require(`
		type httpd_sys_script_t;
	')

	dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
')

########################################
## <summary>
##	Execute all user scripts in the user
##	script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`apache_domtrans_all_scripts',`
	gen_require(`
		attribute httpd_exec_scripts;
	')

	typeattribute $1 httpd_exec_scripts;
')

########################################
## <summary>
##	Execute all user scripts in the user
##	script domain. Add user script domains
##	to the specified role.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`apache_run_all_scripts',`
	gen_require(`
		attribute httpd_exec_scripts, httpd_script_domains;
	')

	role $2 types httpd_script_domains;
	apache_domtrans_all_scripts($1)
')

########################################
## <summary>
##	Read httpd squirrelmail data files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_squirrelmail_data',`
	gen_require(`
		type httpd_squirrelmail_t;
	')

	allow $1 httpd_squirrelmail_t:file read_file_perms;
')

########################################
## <summary>
##	Append httpd squirrelmail data files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_append_squirrelmail_data',`
	gen_require(`
		type httpd_squirrelmail_t;
	')

	allow $1 httpd_squirrelmail_t:file append_file_perms;
')

########################################
## <summary>
##	Search httpd system content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_search_sys_content',`
	gen_require(`
		type httpd_sys_content_t;
	')

	files_search_var($1)
	allow $1 httpd_sys_content_t:dir search_dir_perms;
')

########################################
## <summary>
##	Read httpd system content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_sys_content',`
	gen_require(`
		type httpd_sys_content_t;
	')

	allow $1 httpd_sys_content_t:dir list_dir_perms;
	read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
	read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')

########################################
## <summary>
##	Search httpd system CGI directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_search_sys_scripts',`
	gen_require(`
		type httpd_sys_content_t, httpd_sys_script_exec_t;
	')

	search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
')

########################################
## <summary>
##	Create, read, write, and delete all
##	user httpd content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_manage_all_user_content',`
	gen_require(`
		attribute httpd_user_content_type, httpd_user_script_exec_type;
	')

	manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
	manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
	manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)

	manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
	manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
	manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
')

########################################
## <summary>
##	Search system script state directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_search_sys_script_state',`
	gen_require(`
		type httpd_sys_script_t;
	')

	allow $1 httpd_sys_script_t:dir search_dir_perms;
')

########################################
## <summary>
##	Read httpd tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_tmp_files',`
	gen_require(`
		type httpd_tmp_t;
	')

	files_search_tmp($1)
	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')

########################################
## <summary>
##	Do not audit attempts to write
##	httpd tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_write_tmp_files',`
	gen_require(`
		type httpd_tmp_t;
	')

	dontaudit $1 httpd_tmp_t:file write_file_perms;
')

########################################
## <summary>
##	Execute CGI in the specified domain.
## </summary>
##	<desc>
##	<p>
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
##	</desc>
## <param name="domain">
##	<summary>
##	Domain run the cgi script in.
##	</summary>
## </param>
## <param name="entrypoint">
##	<summary>
##	Type of the executable to enter the cgi domain.
##	</summary>
## </param>
#
interface(`apache_cgi_domain',`
	gen_require(`
		type httpd_t, httpd_sys_script_exec_t;
	')

	domtrans_pattern(httpd_t, $2, $1)
	apache_search_sys_scripts($1)

	allow httpd_t $1:process signal;
')

########################################
## <summary>
##	All of the rules required to
##	administrate an apache environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_admin',`
	gen_require(`
		attribute httpdcontent;
		attribute httpd_script_exec_type;

		type httpd_t, httpd_config_t, httpd_log_t;
		type httpd_modules_t, httpd_lock_t;
		type httpd_var_run_t, httpd_php_tmp_t;
		type httpd_suexec_tmp_t, httpd_tmp_t;
		type httpd_initrc_exec_t;
	')

	allow $1 httpd_t:process { ptrace signal_perms };
	ps_process_pattern($1, httpd_t)

	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 httpd_initrc_exec_t system_r;
	allow $2 system_r;

	apache_manage_all_content($1)
	miscfiles_manage_public_files($1)

	files_search_etc($1)
	admin_pattern($1, httpd_config_t)

	logging_search_logs($1)
	admin_pattern($1, httpd_log_t)

	admin_pattern($1, httpd_modules_t)

	admin_pattern($1, httpd_lock_t)
	files_lock_filetrans($1, httpd_lock_t, file)

	admin_pattern($1, httpd_var_run_t)
	files_pid_filetrans($1, httpd_var_run_t, file)

	admin_pattern($1, httpdcontent)
	admin_pattern($1, httpd_script_exec_type)
	admin_pattern($1, httpd_tmp_t)
	admin_pattern($1, httpd_php_tmp_t)
	admin_pattern($1, httpd_suexec_tmp_t)
')
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.