|
 |
fdb13c |
# This policy module provides support for mod_fcgid using the httpd system script domain.
|
|
|
fdb13c |
# It provides "allow" rules that will overlap to varying degrees with selinux-policy
|
|
|
fdb13c |
# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
|
|
|
fdb13c |
# as updates for selinux-policy in Fedora 8, 9, and 10.
|
|
|
fdb13c |
#
|
|
|
fdb13c |
# Rules existing in selinux-policy 2.6.4 (F7) have been stripped from this policy
|
|
|
fdb13c |
#
|
|
|
fdb13c |
# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
|
|
|
fdb13c |
# which is now an alias for httpd_sys_script_t.
|
|
|
fdb13c |
|
|
|
fdb13c |
policy_module(fastcgi, 0.2.6)
|
|
|
fdb13c |
|
|
|
fdb13c |
require {
|
|
|
fdb13c |
type devpts_t;
|
|
|
fdb13c |
type httpd_t;
|
|
|
fdb13c |
type httpd_log_t;
|
|
|
fdb13c |
type httpd_sys_content_t;
|
|
|
fdb13c |
type httpd_sys_content_ra_t;
|
|
|
fdb13c |
type httpd_sys_content_ro_t;
|
|
|
fdb13c |
type httpd_sys_content_rw_t;
|
|
|
fdb13c |
type httpd_sys_script_exec_t;
|
|
|
fdb13c |
type httpd_sys_script_ra_t;
|
|
|
fdb13c |
type httpd_sys_script_ro_t;
|
|
|
fdb13c |
type httpd_sys_script_rw_t;
|
|
|
fdb13c |
type httpd_sys_script_t;
|
|
|
fdb13c |
type httpd_tmp_t;
|
|
|
fdb13c |
type httpd_var_run_t;
|
|
|
fdb13c |
};
|
|
|
fdb13c |
|
|
|
fdb13c |
# Type aliases for contexts used with older policy modules
|
|
|
fdb13c |
typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
|
|
|
fdb13c |
typealias httpd_sys_content_ra_t alias httpd_fastcgi_content_ra_t;
|
|
|
fdb13c |
typealias httpd_sys_content_ro_t alias httpd_fastcgi_content_ro_t;
|
|
|
fdb13c |
typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
|
|
|
fdb13c |
typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
|
|
|
fdb13c |
typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;
|
|
|
fdb13c |
typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;
|
|
|
fdb13c |
typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
|
|
|
fdb13c |
typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
|
|
|
fdb13c |
typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
|
|
|
fdb13c |
|
|
|
fdb13c |
# ==========================================================
|
|
|
fdb13c |
# Re-use httpd_sys_script_t for mod_fcgid apps
|
|
|
fdb13c |
# ==========================================================
|
|
|
fdb13c |
|
|
|
fdb13c |
# Allow web applications to call getpw* functions
|
|
|
fdb13c |
auth_use_nsswitch(httpd_sys_script_t)
|
|
|
fdb13c |
|
|
|
fdb13c |
# Allow httpd to create and use files and sockets for communicating with mod_fcgid
|
|
|
fdb13c |
# Rules to do this are already in selinux-policy apart from dir setattr
|
|
|
fdb13c |
setattr_dirs_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
|
|
|
fdb13c |
|
|
|
fdb13c |
# Allow FastCGI applications to listen for FastCGI requests on their
|
|
|
fdb13c |
# sockets and respond to them
|
|
|
fdb13c |
allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
|
|
|
fdb13c |
|
|
|
fdb13c |
# These are probably leaked file descriptors
|
|
|
fdb13c |
dontaudit httpd_t devpts_t:chr_file ioctl;
|
|
|
fdb13c |
dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
|
|
|
fdb13c |
|
|
|
fdb13c |
# PHP uploads a file to /tmp and then execs programs to action them
|
|
|
fdb13c |
# Rules to do this are already in selinux-policy 2.6.4 (F7) apart from filetrans
|
|
|
fdb13c |
files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
|