diff options
Diffstat (limited to 'policy/modules/contrib/apache.te')
| -rw-r--r-- | policy/modules/contrib/apache.te | 915 |
1 files changed, 915 insertions, 0 deletions
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te new file mode 100644 index 00000000..18d44040 --- /dev/null +++ b/policy/modules/contrib/apache.te @@ -0,0 +1,915 @@ +policy_module(apache, 2.3.0) + +# +# NOTES: +# This policy will work with SUEXEC enabled as part of the Apache +# configuration. However, the user CGI scripts will run under the +# system_u:system_r:httpd_user_script_t. +# +# The user CGI scripts must be labeled with the httpd_user_script_exec_t +# type, and the directory containing the scripts should also be labeled +# with these types. This policy allows the user role to perform that +# relabeling. If it is desired that only admin role should be able to relabel +# the user CGI scripts, then relabel rule for user roles should be removed. +# + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow Apache to modify public files +## used for public file transfer services. Directories/Files must +## be labeled public_content_rw_t. +## </p> +## </desc> +gen_tunable(allow_httpd_anon_write, false) + +## <desc> +## <p> +## Allow Apache to use mod_auth_pam +## </p> +## </desc> +gen_tunable(allow_httpd_mod_auth_pam, false) + +## <desc> +## <p> +## Allow httpd to use built in scripting (usually php) +## </p> +## </desc> +gen_tunable(httpd_builtin_scripting, false) + +## <desc> +## <p> +## Allow HTTPD scripts and modules to connect to the network using TCP. +## </p> +## </desc> +gen_tunable(httpd_can_network_connect, false) + +## <desc> +## <p> +## Allow HTTPD scripts and modules to connect to databases over the network. +## </p> +## </desc> +gen_tunable(httpd_can_network_connect_db, false) + +## <desc> +## <p> +## Allow httpd to act as a relay +## </p> +## </desc> +gen_tunable(httpd_can_network_relay, false) + +## <desc> +## <p> +## Allow http daemon to send mail +## </p> +## </desc> +gen_tunable(httpd_can_sendmail, false) + +## <desc> +## <p> +## Allow Apache to communicate with avahi service via dbus +## </p> +## </desc> +gen_tunable(httpd_dbus_avahi, false) + +## <desc> +## <p> +## Allow httpd cgi support +## </p> +## </desc> +gen_tunable(httpd_enable_cgi, false) + +## <desc> +## <p> +## Allow httpd to act as a FTP server by +## listening on the ftp port. +## </p> +## </desc> +gen_tunable(httpd_enable_ftp_server, false) + +## <desc> +## <p> +## Allow httpd to read home directories +## </p> +## </desc> +gen_tunable(httpd_enable_homedirs, false) + +## <desc> +## <p> +## Allow httpd daemon to change its resource limits +## </p> +## </desc> +gen_tunable(httpd_setrlimit, false) + +## <desc> +## <p> +## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. +## </p> +## </desc> +gen_tunable(httpd_ssi_exec, false) + +## <desc> +## <p> +## Unify HTTPD to communicate with the terminal. +## Needed for entering the passphrase for certificates at +## the terminal. +## </p> +## </desc> +gen_tunable(httpd_tty_comm, false) + +## <desc> +## <p> +## Unify HTTPD handling of all content files. +## </p> +## </desc> +gen_tunable(httpd_unified, false) + +## <desc> +## <p> +## Allow httpd to access cifs file systems +## </p> +## </desc> +gen_tunable(httpd_use_cifs, false) + +## <desc> +## <p> +## Allow httpd to run gpg +## </p> +## </desc> +gen_tunable(httpd_use_gpg, false) + +## <desc> +## <p> +## Allow httpd to access nfs file systems +## </p> +## </desc> +gen_tunable(httpd_use_nfs, false) + +attribute httpdcontent; +attribute httpd_ra_content; +attribute httpd_rw_content; +attribute httpd_user_content_type; + +# domains that can exec all users scripts +attribute httpd_exec_scripts; + +attribute httpd_script_exec_type; +attribute httpd_user_script_exec_type; + +# user script domains +attribute httpd_script_domains; + +type httpd_t; +type httpd_exec_t; +init_daemon_domain(httpd_t, httpd_exec_t) +role system_r types httpd_t; + +# httpd_cache_t is the type given to the /var/cache/httpd +# directory and the files under that directory +type httpd_cache_t; +files_type(httpd_cache_t) + +# httpd_config_t is the type given to the configuration files +type httpd_config_t; +files_type(httpd_config_t) + +type httpd_helper_t; +type httpd_helper_exec_t; +domain_type(httpd_helper_t) +domain_entry_file(httpd_helper_t, httpd_helper_exec_t) +role system_r types httpd_helper_t; + +type httpd_initrc_exec_t; +init_script_file(httpd_initrc_exec_t) + +type httpd_lock_t; +files_lock_file(httpd_lock_t) + +type httpd_log_t; +logging_log_file(httpd_log_t) + +# httpd_modules_t is the type given to module files (libraries) +# that come with Apache /etc/httpd/modules and /usr/lib/apache +type httpd_modules_t; +files_type(httpd_modules_t) + +type httpd_php_t; +type httpd_php_exec_t; +domain_type(httpd_php_t) +domain_entry_file(httpd_php_t, httpd_php_exec_t) +role system_r types httpd_php_t; + +type httpd_php_tmp_t; +files_tmp_file(httpd_php_tmp_t) + +type httpd_rotatelogs_t; +type httpd_rotatelogs_exec_t; +init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) + +type httpd_squirrelmail_t; +files_type(httpd_squirrelmail_t) + +# SUEXEC runs user scripts as their own user ID +type httpd_suexec_t; #, daemon; +type httpd_suexec_exec_t; +domain_type(httpd_suexec_t) +domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) +role system_r types httpd_suexec_t; + +type httpd_suexec_tmp_t; +files_tmp_file(httpd_suexec_tmp_t) + +# setup the system domain for system CGI scripts +apache_content_template(sys) +typealias httpd_sys_content_t alias ntop_http_content_t; + +type httpd_tmp_t; +files_tmp_file(httpd_tmp_t) + +type httpd_tmpfs_t; +files_tmpfs_file(httpd_tmpfs_t) + +apache_content_template(user) +ubac_constrained(httpd_user_script_t) +userdom_user_home_content(httpd_user_content_t) +userdom_user_home_content(httpd_user_htaccess_t) +userdom_user_home_content(httpd_user_script_exec_t) +userdom_user_home_content(httpd_user_ra_content_t) +userdom_user_home_content(httpd_user_rw_content_t) +typeattribute httpd_user_script_t httpd_script_domains; +typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; +typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; +typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; +typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; +typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t }; +typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t }; +typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t }; +typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t }; +typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t }; +typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t }; +typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t }; +typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t }; +typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; +typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; + +# for apache2 memory mapped files +type httpd_var_lib_t; +files_type(httpd_var_lib_t) + +type httpd_var_run_t; +files_pid_file(httpd_var_run_t) + +# File Type of squirrelmail attachments +type squirrelmail_spool_t; +files_tmp_file(squirrelmail_spool_t) + +optional_policy(` + prelink_object_file(httpd_modules_t) +') + +######################################## +# +# Apache server local policy +# + +allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; +dontaudit httpd_t self:capability { net_admin sys_tty_config }; +allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow httpd_t self:fd use; +allow httpd_t self:sock_file read_sock_file_perms; +allow httpd_t self:fifo_file rw_fifo_file_perms; +allow httpd_t self:shm create_shm_perms; +allow httpd_t self:sem create_sem_perms; +allow httpd_t self:msgq create_msgq_perms; +allow httpd_t self:msg { send receive }; +allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow httpd_t self:tcp_socket create_stream_socket_perms; +allow httpd_t self:udp_socket create_socket_perms; + +# Allow httpd_t to put files in /var/cache/httpd etc +manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) +manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) +manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) + +# Allow the httpd_t to read the web servers config files +allow httpd_t httpd_config_t:dir list_dir_perms; +read_files_pattern(httpd_t, httpd_config_t, httpd_config_t) +read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t) + +can_exec(httpd_t, httpd_exec_t) + +allow httpd_t httpd_lock_t:file manage_file_perms; +files_lock_filetrans(httpd_t, httpd_lock_t, file) + +allow httpd_t httpd_log_t:dir setattr; +create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +# cjp: need to refine create interfaces to +# cut this back to add_name only +logging_log_filetrans(httpd_t, httpd_log_t, file) + +allow httpd_t httpd_modules_t:dir list_dir_perms; +mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) + +apache_domtrans_rotatelogs(httpd_t) +# Apache-httpd needs to be able to send signals to the log rotate procs. +allow httpd_t httpd_rotatelogs_t:process signal_perms; + +manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) +manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) +manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) + +allow httpd_t httpd_suexec_exec_t:file read_file_perms; + +allow httpd_t httpd_sys_content_t:dir list_dir_perms; +read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) +read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) + +allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; + +manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) +manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) +manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) +files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file }) + +manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) +files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) + +setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) +manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) +manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) +manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) +files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir }) + +manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) + +kernel_read_kernel_sysctls(httpd_t) +# for modules that want to access /proc/meminfo +kernel_read_system_state(httpd_t) + +corenet_all_recvfrom_unlabeled(httpd_t) +corenet_all_recvfrom_netlabel(httpd_t) +corenet_tcp_sendrecv_generic_if(httpd_t) +corenet_udp_sendrecv_generic_if(httpd_t) +corenet_tcp_sendrecv_generic_node(httpd_t) +corenet_udp_sendrecv_generic_node(httpd_t) +corenet_tcp_sendrecv_all_ports(httpd_t) +corenet_udp_sendrecv_all_ports(httpd_t) +corenet_tcp_bind_generic_node(httpd_t) +corenet_tcp_bind_http_port(httpd_t) +corenet_tcp_bind_http_cache_port(httpd_t) +corenet_sendrecv_http_server_packets(httpd_t) +# Signal self for shutdown +corenet_tcp_connect_http_port(httpd_t) + +dev_read_sysfs(httpd_t) +dev_read_rand(httpd_t) +dev_read_urand(httpd_t) +dev_rw_crypto(httpd_t) + +fs_getattr_all_fs(httpd_t) +fs_search_auto_mountpoints(httpd_t) + +auth_use_nsswitch(httpd_t) + +# execute perl +corecmd_exec_bin(httpd_t) +corecmd_exec_shell(httpd_t) + +domain_use_interactive_fds(httpd_t) + +files_dontaudit_getattr_all_pids(httpd_t) +files_read_usr_files(httpd_t) +files_list_mnt(httpd_t) +files_search_spool(httpd_t) +files_read_var_lib_files(httpd_t) +files_search_home(httpd_t) +files_getattr_home_dir(httpd_t) +# for modules that want to access /etc/mtab +files_read_etc_runtime_files(httpd_t) +# Allow httpd_t to have access to files such as nisswitch.conf +files_read_etc_files(httpd_t) +# for tomcat +files_read_var_lib_symlinks(httpd_t) + +fs_search_auto_mountpoints(httpd_sys_script_t) + +libs_read_lib_files(httpd_t) + +logging_send_syslog_msg(httpd_t) + +miscfiles_read_localization(httpd_t) +miscfiles_read_fonts(httpd_t) +miscfiles_read_public_files(httpd_t) +miscfiles_read_generic_certs(httpd_t) + +seutil_dontaudit_search_config(httpd_t) + +userdom_use_unpriv_users_fds(httpd_t) + +tunable_policy(`allow_httpd_anon_write',` + miscfiles_manage_public_files(httpd_t) +') + +ifdef(`TODO', ` +# +# We need optionals to be able to be within booleans to make this work +# +tunable_policy(`allow_httpd_mod_auth_pam',` + auth_domtrans_chk_passwd(httpd_t) +') +') + +tunable_policy(`httpd_can_network_connect',` + corenet_tcp_connect_all_ports(httpd_t) +') + +tunable_policy(`httpd_can_network_relay',` + # allow httpd to work as a relay + corenet_tcp_connect_gopher_port(httpd_t) + corenet_tcp_connect_ftp_port(httpd_t) + corenet_tcp_connect_http_port(httpd_t) + corenet_tcp_connect_http_cache_port(httpd_t) + corenet_tcp_connect_memcache_port(httpd_t) + corenet_sendrecv_gopher_client_packets(httpd_t) + corenet_sendrecv_ftp_client_packets(httpd_t) + corenet_sendrecv_http_client_packets(httpd_t) + corenet_sendrecv_http_cache_client_packets(httpd_t) +') + +tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` + fs_nfs_domtrans(httpd_t, httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` + fs_cifs_domtrans(httpd_t, httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` + domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) + + manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) + manage_files_pattern(httpd_t, httpdcontent, httpdcontent) + manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent) +') + +tunable_policy(`httpd_enable_ftp_server',` + corenet_tcp_bind_ftp_port(httpd_t) +') + +tunable_policy(`httpd_enable_homedirs',` + userdom_read_user_home_content_files(httpd_t) +') + +tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(httpd_t) + fs_read_nfs_symlinks(httpd_t) +') + +tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_t) + fs_read_cifs_symlinks(httpd_t) +') + +tunable_policy(`httpd_can_sendmail',` + # allow httpd to connect to mail servers + corenet_tcp_connect_smtp_port(httpd_t) + corenet_sendrecv_smtp_client_packets(httpd_t) + mta_send_mail(httpd_t) +') + +tunable_policy(`httpd_setrlimit',` + allow httpd_t self:process setrlimit; + allow httpd_t self:capability sys_resource; +') + +tunable_policy(`httpd_ssi_exec',` + corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) + allow httpd_sys_script_t httpd_t:fd use; + allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms; + allow httpd_sys_script_t httpd_t:process sigchld; +') + +# When the admin starts the server, the server wants to access +# the TTY or PTY associated with the session. The httpd appears +# to run correctly without this permission, so the permission +# are dontaudited here. +tunable_policy(`httpd_tty_comm',` + userdom_use_user_terminals(httpd_t) +',` + userdom_dontaudit_use_user_terminals(httpd_t) +') + +optional_policy(` + calamaris_read_www_files(httpd_t) +') + +optional_policy(` + ccs_read_config(httpd_t) +') + +optional_policy(` + cobbler_search_lib(httpd_t) +') + +optional_policy(` + cron_system_entry(httpd_t, httpd_exec_t) +') + +optional_policy(` + cvs_read_data(httpd_t) +') + +optional_policy(` + daemontools_service_domain(httpd_t, httpd_exec_t) +') + + optional_policy(` + dbus_system_bus_client(httpd_t) + + tunable_policy(`httpd_dbus_avahi',` + avahi_dbus_chat(httpd_t) + ') +') + +optional_policy(` + tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` + gpg_domtrans(httpd_t) + ') +') + +optional_policy(` + kerberos_keytab_template(httpd, httpd_t) +') + +optional_policy(` + mailman_signal_cgi(httpd_t) + mailman_domtrans_cgi(httpd_t) + mailman_read_data_files(httpd_t) + # should have separate types for public and private archives + mailman_search_data(httpd_t) + mailman_read_archive(httpd_t) +') + +optional_policy(` + # Allow httpd to work with mysql + mysql_stream_connect(httpd_t) + mysql_rw_db_sockets(httpd_t) + + tunable_policy(`httpd_can_network_connect_db',` + mysql_tcp_connect(httpd_t) + ') +') + +optional_policy(` + nagios_read_config(httpd_t) +') + +optional_policy(` + openca_domtrans(httpd_t) + openca_signal(httpd_t) + openca_sigstop(httpd_t) + openca_kill(httpd_t) +') + +optional_policy(` + # Allow httpd to work with postgresql + postgresql_stream_connect(httpd_t) + postgresql_unpriv_client(httpd_t) + + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_t) + ') +') + +optional_policy(` + seutil_sigchld_newrole(httpd_t) +') + +optional_policy(` + snmp_dontaudit_read_snmp_var_lib_files(httpd_t) + snmp_dontaudit_write_snmp_var_lib_files(httpd_t) +') + +optional_policy(` + udev_read_db(httpd_t) +') + +optional_policy(` + yam_read_content(httpd_t) +') + +######################################## +# +# Apache helper local policy +# + +domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t) + +allow httpd_helper_t httpd_config_t:file read_file_perms; + +allow httpd_helper_t httpd_log_t:file append_file_perms; + +logging_send_syslog_msg(httpd_helper_t) + +userdom_use_user_terminals(httpd_helper_t) + +######################################## +# +# Apache PHP script local policy +# + +allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow httpd_php_t self:fd use; +allow httpd_php_t self:fifo_file rw_fifo_file_perms; +allow httpd_php_t self:sock_file read_sock_file_perms; +allow httpd_php_t self:unix_dgram_socket create_socket_perms; +allow httpd_php_t self:unix_stream_socket create_stream_socket_perms; +allow httpd_php_t self:unix_dgram_socket sendto; +allow httpd_php_t self:unix_stream_socket connectto; +allow httpd_php_t self:shm create_shm_perms; +allow httpd_php_t self:sem create_sem_perms; +allow httpd_php_t self:msgq create_msgq_perms; +allow httpd_php_t self:msg { send receive }; + +domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t) + +# allow php to read and append to apache logfiles +allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms }; + +manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t) +manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t) +files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir }) + +fs_search_auto_mountpoints(httpd_php_t) + +auth_use_nsswitch(httpd_php_t) + +libs_exec_lib_files(httpd_php_t) + +userdom_use_unpriv_users_fds(httpd_php_t) + +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mysqld_port(httpd_t) + corenet_sendrecv_mysqld_client_packets(httpd_t) + corenet_tcp_connect_mysqld_port(httpd_sys_script_t) + corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) + corenet_tcp_connect_mysqld_port(httpd_suexec_t) + corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) + + corenet_tcp_connect_mssql_port(httpd_t) + corenet_sendrecv_mssql_client_packets(httpd_t) + corenet_tcp_connect_mssql_port(httpd_sys_script_t) + corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) + corenet_tcp_connect_mssql_port(httpd_suexec_t) + corenet_sendrecv_mssql_client_packets(httpd_suexec_t) +') + +optional_policy(` + mysql_stream_connect(httpd_php_t) + mysql_read_config(httpd_php_t) +') + +optional_policy(` + postgresql_stream_connect(httpd_php_t) +') + +######################################## +# +# Apache suexec local policy +# + +allow httpd_suexec_t self:capability { setuid setgid }; +allow httpd_suexec_t self:process signal_perms; +allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; + +domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) + +create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) +append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) +read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) + +allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms; + +manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) + +kernel_read_kernel_sysctls(httpd_suexec_t) +kernel_list_proc(httpd_suexec_t) +kernel_read_proc_symlinks(httpd_suexec_t) + +dev_read_urand(httpd_suexec_t) + +fs_search_auto_mountpoints(httpd_suexec_t) + +# for shell scripts +corecmd_exec_bin(httpd_suexec_t) +corecmd_exec_shell(httpd_suexec_t) + +files_read_etc_files(httpd_suexec_t) +files_read_usr_files(httpd_suexec_t) +files_dontaudit_search_pids(httpd_suexec_t) +files_search_home(httpd_suexec_t) + +auth_use_nsswitch(httpd_suexec_t) + +logging_search_logs(httpd_suexec_t) +logging_send_syslog_msg(httpd_suexec_t) + +miscfiles_read_localization(httpd_suexec_t) +miscfiles_read_public_files(httpd_suexec_t) + +tunable_policy(`httpd_can_network_connect',` + allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; + allow httpd_suexec_t self:udp_socket create_socket_perms; + + corenet_all_recvfrom_unlabeled(httpd_suexec_t) + corenet_all_recvfrom_netlabel(httpd_suexec_t) + corenet_tcp_sendrecv_generic_if(httpd_suexec_t) + corenet_udp_sendrecv_generic_if(httpd_suexec_t) + corenet_tcp_sendrecv_generic_node(httpd_suexec_t) + corenet_udp_sendrecv_generic_node(httpd_suexec_t) + corenet_tcp_sendrecv_all_ports(httpd_suexec_t) + corenet_udp_sendrecv_all_ports(httpd_suexec_t) + corenet_tcp_connect_all_ports(httpd_suexec_t) + corenet_sendrecv_all_client_packets(httpd_suexec_t) +') + +tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_sys_script_t httpdcontent:file entrypoint; + domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) + +') + +tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(httpd_suexec_t) + fs_read_nfs_symlinks(httpd_suexec_t) + fs_exec_nfs_files(httpd_suexec_t) +') + +tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_suexec_t) + fs_read_cifs_symlinks(httpd_suexec_t) + fs_exec_cifs_files(httpd_suexec_t) +') + +optional_policy(` + mailman_domtrans_cgi(httpd_suexec_t) +') + +optional_policy(` + mta_stub(httpd_suexec_t) + + # apache should set close-on-exec + dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; +') + +######################################## +# +# Apache system script local policy +# + +allow httpd_sys_script_t self:process getsched; + +allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; +allow httpd_sys_script_t httpd_t:tcp_socket { read write }; + +dontaudit httpd_sys_script_t httpd_config_t:dir search; + +allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; + +allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; +read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) +read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) + +kernel_read_kernel_sysctls(httpd_sys_script_t) + +files_search_var_lib(httpd_sys_script_t) +files_search_spool(httpd_sys_script_t) + +# Should we add a boolean? +apache_domtrans_rotatelogs(httpd_sys_script_t) + +ifdef(`distro_redhat',` + allow httpd_sys_script_t httpd_log_t:file append_file_perms; +') + +tunable_policy(`httpd_can_sendmail',` + mta_send_mail(httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` + allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_sys_script_t self:udp_socket create_socket_perms; + + corenet_tcp_bind_all_nodes(httpd_sys_script_t) + corenet_udp_bind_all_nodes(httpd_sys_script_t) + corenet_all_recvfrom_unlabeled(httpd_sys_script_t) + corenet_all_recvfrom_netlabel(httpd_sys_script_t) + corenet_tcp_sendrecv_all_if(httpd_sys_script_t) + corenet_udp_sendrecv_all_if(httpd_sys_script_t) + corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t) + corenet_udp_sendrecv_all_nodes(httpd_sys_script_t) + corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) + corenet_udp_sendrecv_all_ports(httpd_sys_script_t) + corenet_tcp_connect_all_ports(httpd_sys_script_t) + corenet_sendrecv_all_client_packets(httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_homedirs',` + userdom_read_user_home_content_files(httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(httpd_sys_script_t) + fs_read_nfs_symlinks(httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_sys_script_t) + fs_read_cifs_symlinks(httpd_sys_script_t) +') + +optional_policy(` + clamav_domtrans_clamscan(httpd_sys_script_t) +') + +optional_policy(` + mysql_stream_connect(httpd_sys_script_t) + mysql_rw_db_sockets(httpd_sys_script_t) +') + +optional_policy(` + postgresql_stream_connect(httpd_sys_script_t) +') + +######################################## +# +# httpd_rotatelogs local policy +# + +allow httpd_rotatelogs_t self:capability dac_override; + +manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) + +kernel_read_kernel_sysctls(httpd_rotatelogs_t) +kernel_dontaudit_list_proc(httpd_rotatelogs_t) +kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) + +files_read_etc_files(httpd_rotatelogs_t) + +logging_search_logs(httpd_rotatelogs_t) + +miscfiles_read_localization(httpd_rotatelogs_t) + +######################################## +# +# Unconfined script local policy +# + +optional_policy(` + type httpd_unconfined_script_t; + type httpd_unconfined_script_exec_t; + domain_type(httpd_unconfined_script_t) + domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t) + domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) + unconfined_domain(httpd_unconfined_script_t) + + role system_r types httpd_unconfined_script_t; + allow httpd_t httpd_unconfined_script_t:process signal_perms; +') + +######################################## +# +# User content local policy +# + +tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_user_script_t httpdcontent:file entrypoint; +') + +# allow accessing files/dirs below the users home dir +tunable_policy(`httpd_enable_homedirs',` + userdom_search_user_home_dirs(httpd_t) + userdom_search_user_home_dirs(httpd_suexec_t) + userdom_search_user_home_dirs(httpd_user_script_t) +') |