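## <summary>Apache web server</summary>

########################################
## <summary>
##	Create a set of derived types for apache
##	web content.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving type names.
##	</summary>
## </param>
#
template(`apache_content_template',`
	gen_require(`
		attribute httpd_exec_scripts, httpd_script_exec_type;
		type httpd_t, httpd_suexec_t, httpd_log_t;
		type httpd_sys_content_t;
	')

	# Types derived from the prefix $1:
	#   httpd_$1_content_t      web pages (alias httpd_$1_script_ro_t)
	#   httpd_$1_htaccess_t     .htaccess files
	#   httpd_$1_script_t       domain the CGI scripts run in
	#   httpd_$1_script_exec_t  script executables; entry point into httpd_$1_script_t
	#   httpd_$1_rw_content_t   content scripts may create, modify and delete
	#   httpd_$1_ra_content_t   content scripts may read and append to only
	# The "customizable" tags are kept from the original declarations.
	#
	# Note that the script domain's own permissions below are granted
	# unconditionally; only the transitions *into* the domain (from httpd_t,
	# httpd_suexec_t and httpd_exec_scripts) are gated by httpd_enable_cgi.

	#This type is for webpages
	type httpd_$1_content_t; # customizable;
	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
	files_type(httpd_$1_content_t)

	# This type is used for .htaccess files
	type httpd_$1_htaccess_t; # customizable;
	files_type(httpd_$1_htaccess_t)

	# Type that CGI scripts run as
	type httpd_$1_script_t;
	domain_type(httpd_$1_script_t)
	role system_r types httpd_$1_script_t;

	search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)

	# This type is used for executable scripts files
	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
	corecmd_shell_entry_type(httpd_$1_script_t)
	domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)

	type httpd_$1_rw_content_t; # customizable
	typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
	files_type(httpd_$1_rw_content_t)

	type httpd_$1_ra_content_t; # customizable
	typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
	files_type(httpd_$1_ra_content_t)

	# httpd reads .htaccess files found under the content directories.
	read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)

	allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;

	allow httpd_$1_script_t self:fifo_file rw_file_perms;
	allow httpd_$1_script_t self:unix_stream_socket connectto;

	# Script output goes back to httpd over a pipe inherited from httpd_t.
	allow httpd_$1_script_t httpd_t:fifo_file write;
	# apache should set close-on-exec
	dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };

	# Allow the script process to search the cgi directory, and users directory
	allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;

	# Scripts may append to (not read or rewrite) the httpd logs.
	append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
	logging_search_logs(httpd_$1_script_t)

	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
	allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;

	# ra content: scripts may add entries and append to files, never rewrite.
	allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
	read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
	append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)

	# Plain content is read-only for scripts.
	allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
	read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)

	# rw content: full create/modify/delete, including fifos and sockets.
	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
	manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)

	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)

	dev_read_rand(httpd_$1_script_t)
	dev_read_urand(httpd_$1_script_t)

	# Broad execute rights for the script domain: by name, every system
	# executable, every application, and executable files under /etc.
	# Anything reachable through these is what a compromised script can run.
	corecmd_exec_all_executables(httpd_$1_script_t)
	application_exec_all(httpd_$1_script_t)

	files_exec_etc_files(httpd_$1_script_t)
	files_read_etc_files(httpd_$1_script_t)
	files_search_home(httpd_$1_script_t)

	libs_exec_ld_so(httpd_$1_script_t)
	libs_exec_lib_files(httpd_$1_script_t)

	miscfiles_read_fonts(httpd_$1_script_t)
	miscfiles_read_public_files(httpd_$1_script_t)

	seutil_dontaudit_search_config(httpd_$1_script_t)

	# Allow the web server to run scripts and serve pages
	tunable_policy(`httpd_builtin_scripting',`
		# In-process scripting (e.g. a module) runs as httpd_t itself, so httpd_t
		# gets the same content access the script domain has above.
		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
		manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
		manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
		rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)

		allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
		read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
		append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)

		# (This read-only trio was previously listed twice; the duplicate is dropped.)
		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)

		allow httpd_t httpd_$1_script_t:unix_stream_socket connectto;
	')

	tunable_policy(`httpd_enable_cgi',`
		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;

		# suexec runs the script:
		domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)

		# privileged users run the script:
		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)

		allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;

		# apache runs the script:
		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)

		allow httpd_t httpd_$1_script_exec_t:file read_file_perms;

		# httpd may stop/kill its children, but gets no ptrace or other process access.
		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
		allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;

		allow httpd_$1_script_t self:process { setsched signal_perms };
		allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
		allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms;

		# Descriptors inherited from httpd across the transition.
		allow httpd_$1_script_t httpd_t:fd use;
		allow httpd_$1_script_t httpd_t:process sigchld;

		dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };

		kernel_read_system_state(httpd_$1_script_t)

		# dev_read_urand is already granted unconditionally above; the
		# duplicate that used to be here is dropped.

		fs_getattr_xattr_fs(httpd_$1_script_t)

		files_read_etc_runtime_files(httpd_$1_script_t)
		files_read_usr_files(httpd_$1_script_t)

		libs_read_lib_files(httpd_$1_script_t)

		miscfiles_read_localization(httpd_$1_script_t)
		allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
	')

	optional_policy(`
		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
			nis_use_ypbind_uncond(httpd_$1_script_t)
		')
	')

	optional_policy(`
		postgresql_unpriv_client(httpd_$1_script_t)
	')

	optional_policy(`
		nscd_socket_use(httpd_$1_script_t)
	')
')
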
########################################
## <summary>
##	Role access for apache
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`apache_role',`
	gen_require(`
		attribute httpdcontent;
		type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
		type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
	')

	# The role may have processes in the per-user CGI script domain.
	role $1 types httpd_user_script_t;

	# NOTE(review): this explicit relabel rule looks subsumed by the
	# relabel_*_pattern calls on httpd_user_content_t further down -- confirm
	# against the pattern definitions before removing it.
	allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };

	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };

	# The user domain fully manages and relabels every per-user web content
	# type: read-append content, plain content and read-write content.
	manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)

	manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
	manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
	manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
	relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
	relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
	relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)

	manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)

	# The user domain also creates and relabels the script executables it can
	# transition into (see the httpd_enable_cgi block below), so the user
	# controls what code runs in httpd_user_script_t.
	manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)

	apache_exec_modules($2)

	tunable_policy(`httpd_enable_cgi',`
		# If a user starts a script by hand it gets the proper context
		domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
	')

	tunable_policy(`httpd_enable_cgi && httpd_unified',`
		# With unified content, executing any httpdcontent-labelled file
		# transitions into the user script domain, not just script_exec_t.
		domtrans_pattern($2, httpdcontent, httpd_user_script_t)
	')
')

########################################
## <summary>
##	Read httpd user scripts executables.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_user_scripts',`
	gen_require(`
		type httpd_user_script_exec_t;
	')

	# List the directories, read the files and follow symlinks; no execute
	# and no domain transition is granted here.
	allow $1 httpd_user_script_exec_t:dir list_dir_perms;
	read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
	read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
')

########################################
## <summary>
##	Read user web content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_user_content',`
	gen_require(`
		type httpd_user_content_t;
	')

	# Read-only: list directories, read files, follow symlinks.
	allow $1 httpd_user_content_t:dir list_dir_perms;
	read_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
	read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
')

########################################
## <summary>
##	Transition to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`apache_domtrans',`
	gen_require(`
		type httpd_t, httpd_exec_t;
	')

	# presumably so the caller can reach the httpd binary under the bin dirs
	corecmd_search_bin($1)
	# Executing httpd_exec_t moves the caller into httpd_t.
	domtrans_pattern($1, httpd_exec_t, httpd_t)
')

######################################
## <summary>
##	Allow the specified domain to execute apache
##	in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_exec',`
	gen_require(`
		type httpd_exec_t;
	')

	# No domain transition: httpd runs with the caller's own label $1.
	can_exec($1, httpd_exec_t)
')

#######################################
## <summary>
##	Send a generic signal to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_signal',`
	gen_require(`
		type httpd_t;
	')

	# Only the generic signal permission; no sigkill/sigstop.
	allow $1 httpd_t:process signal;
')

########################################
## <summary>
##	Send a null signal to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_signull',`
	gen_require(`
		type httpd_t;
	')

	# signull is the existence check (kill -0); it delivers nothing.
	allow $1 httpd_t:process signull;
')

########################################
## <summary>
##	Send a SIGCHLD signal to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_sigchld',`
	gen_require(`
		type httpd_t;
	')

	# Needed by domains that httpd spawns so their exit can be reported.
	allow $1 httpd_t:process sigchld;
')

########################################
## <summary>
##	Inherit and use file descriptors from Apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_use_fds',`
	gen_require(`
		type httpd_t;
	')

	# fd use only; what the caller may do with the object behind the
	# descriptor is still governed by that object's own rules.
	allow $1 httpd_t:fd use;
')

########################################
## <summary>
##	Do not audit attempts to read and write Apache
##	unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_fifo_file',`
	gen_require(`
		type httpd_t;
	')

	# Silences denials only; grants no access.
	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read and write Apache
##	unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_stream_sockets',`
	gen_require(`
		type httpd_t;
	')

	# Silences denials only; grants no access.
	dontaudit $1 httpd_t:unix_stream_socket { read write };
')

########################################
## <summary>
##	Do not audit attempts to read and write Apache
##	TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_tcp_sockets',`
	gen_require(`
		type httpd_t;
	')

	# Silences denials only; grants no access.
	dontaudit $1 httpd_t:tcp_socket { read write };
')

########################################
## <summary>
##	Create, read, write, and delete all web content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_manage_all_content',`
	gen_require(`
		attribute httpdcontent, httpd_script_exec_type;
	')

	# Uses the attributes, so this covers every content type and every
	# script executable type, not just the per-user ones. Exposed as a role
	# capability (<rolecap/>) because it also lets the caller write the files
	# that httpd and the script domains execute.
	manage_dirs_pattern($1, httpdcontent, httpdcontent)
	manage_files_pattern($1, httpdcontent, httpdcontent)
	manage_lnk_files_pattern($1, httpdcontent, httpdcontent)

	manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
	manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
	manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
')

########################################
## <summary>
##	Allow domain to set the attributes
##	of the Apache cache directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_setattr_cache_dirs',`
	gen_require(`
		type httpd_cache_t;
	')

	# Directory attributes only; no access to the cached files.
	allow $1 httpd_cache_t:dir setattr_dir_perms;
')

########################################
## <summary>
##	Allow the specified domain to list
##	the Apache cache directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_list_cache',`
	gen_require(`
		type httpd_cache_t;
	')

	# Listing only; see apache_rw_cache_files for file access.
	list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
')

########################################
## <summary>
##	Allow the specified domain to read
##	and write Apache cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_rw_cache_files',`
	gen_require(`
		type httpd_cache_t;
	')

	# File read/write only; the caller needs separate directory access
	# (e.g. apache_list_cache) to reach the files.
	allow $1 httpd_cache_t:file rw_file_perms;
')

########################################
## <summary>
##	Allow the specified domain to delete
##	Apache cache directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_delete_cache_dirs',`
	gen_require(`
		type httpd_cache_t;
	')

	# Directories only; cache files are covered by the separate
	# apache_delete_cache_files interface.
	delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
')
########################################
## <summary>
##	Allow the specified domain to delete
##	Apache cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_delete_cache_files',`
	gen_require(`
		type httpd_cache_t;
	')

	# Files only; cache directories are covered by
	# apache_delete_cache_dirs.
	delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
')
########################################
## <summary>
##	Allow the specified domain to search
##	apache configuration directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_search_config',`
	gen_require(`
		type httpd_config_t;
	')

	# Parent-directory traversal so the config directory is reachable.
	files_search_etc($1)
	# Search only (no listing): enough to resolve paths through the
	# config directory. Use apache_read_config for listing and reads.
	allow $1 httpd_config_t:dir search_dir_perms;
')
########################################
## <summary>
##	Allow the specified domain to read
##	apache configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_read_config',`
	gen_require(`
		type httpd_config_t;
	')

	# Read-only: parent traversal, directory listing, then file and
	# symlink reads. No write access is granted; see
	# apache_manage_config for that.
	files_search_etc($1)
	allow $1 httpd_config_t:dir list_dir_perms;
	read_files_pattern($1, httpd_config_t, httpd_config_t)
	read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
')
########################################
## <summary>
##	Allow the specified domain to manage
##	apache configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_manage_config',`
	gen_require(`
		type httpd_config_t;
	')

	files_search_etc($1)
	# Directories and files are fully managed; symlinks are read-only
	# here (contrast apache_manage_sys_content, which manages symlinks
	# as well).
	manage_dirs_pattern($1, httpd_config_t, httpd_config_t)
	manage_files_pattern($1, httpd_config_t, httpd_config_t)
	read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
	# NOTE(review): write access to the web server configuration is a
	# high-impact grant; callers that only consult the configuration
	# should use apache_read_config instead.
')
########################################
## <summary>
##	Execute the Apache helper program with
##	a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`apache_domtrans_helper',`
	gen_require(`
		type httpd_helper_t, httpd_helper_exec_t;
	')

	# corecmd_search_bin presumably lets the caller traverse to where
	# the helper binary is installed -- confirm against the file
	# contexts. The transition itself is the standard domtrans pattern.
	corecmd_search_bin($1)
	domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t)
')
########################################
## <summary>
##	Execute the Apache helper program with
##	a domain transition, and allow the
##	specified role the Apache helper domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_run_helper',`
	gen_require(`
		type httpd_helper_t;
	')

	# Type-level transition from apache_domtrans_helper, plus the
	# role authorization for the helper domain.
	apache_domtrans_helper($1)
	role $2 types httpd_helper_t;
')
########################################
## <summary>
##	Allow the specified domain to read
##	apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_read_log',`
	gen_require(`
		type httpd_log_t;
	')

	# Read-only access to the logs: parent search via
	# logging_search_logs, directory listing, then file and symlink
	# reads.
	logging_search_logs($1)
	allow $1 httpd_log_t:dir list_dir_perms;
	read_files_pattern($1, httpd_log_t, httpd_log_t)
	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
')
########################################
## <summary>
##	Allow the specified domain to append
##	to apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_append_log',`
	gen_require(`
		type httpd_log_t;
	')

	# Append-only file access; reading the logs is not granted here
	# (see apache_read_log).
	logging_search_logs($1)
	allow $1 httpd_log_t:dir list_dir_perms;
	append_files_pattern($1, httpd_log_t, httpd_log_t)
')
########################################
## <summary>
##	Do not audit attempts to append to the
##	Apache logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_append_log',`
	gen_require(`
		type httpd_log_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 httpd_log_t:file append_file_perms;
')
########################################
## <summary>
##	Allow the specified domain to manage
##	apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_manage_log',`
	gen_require(`
		type httpd_log_t;
	')

	logging_search_logs($1)
	# NOTE(review): manage (as opposed to append) access is expected to
	# let the caller rewrite or remove web server log records, i.e. to
	# alter the audit trail. Callers that only emit log lines should
	# use apache_append_log; reserve this for rotation and cleanup.
	manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
	manage_files_pattern($1, httpd_log_t, httpd_log_t)
	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
')
########################################
## <summary>
##	Do not audit attempts to search Apache
##	module directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_search_modules',`
	gen_require(`
		type httpd_modules_t;
	')

	# Quiets the denial only; no access is granted.
	dontaudit $1 httpd_modules_t:dir search_dir_perms;
')
########################################
## <summary>
##	Allow the specified domain to read
##	the apache module files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_modules',`
	gen_require(`
		type httpd_modules_t;
	')

	# File reads only. Directory listing is not granted here (see
	# apache_list_modules), nor execution (see apache_exec_modules).
	read_files_pattern($1, httpd_modules_t, httpd_modules_t)
')
########################################
## <summary>
##	Allow the specified domain to list
##	the contents of the apache modules
##	directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_list_modules',`
	gen_require(`
		type httpd_modules_t;
	')

	# Directory listing and symlink reads only; no file reads (see
	# apache_read_modules) or execution (see apache_exec_modules).
	allow $1 httpd_modules_t:dir list_dir_perms;
	read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
')
########################################
## <summary>
##	Allow the specified domain to execute
##	apache modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_exec_modules',`
	gen_require(`
		type httpd_modules_t;
	')

	allow $1 httpd_modules_t:dir list_dir_perms;
	allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
	# can_exec runs the module files in the caller domain, with no
	# domain transition (contrast the domtrans_pattern interfaces in
	# this file). NOTE(review): this lets the caller load code from
	# httpd_modules_t into its own domain; confirm the caller really
	# needs to load modules rather than only read them.
	can_exec($1, httpd_modules_t)
')
########################################
## <summary>
##	Execute a domain transition to run httpd_rotatelogs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`apache_domtrans_rotatelogs',`
	gen_require(`
		type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
	')

	# NOTE(review): unlike apache_domtrans_helper, no
	# corecmd_search_bin is granted here, so the caller may need search
	# access to the directory holding the rotatelogs binary from
	# elsewhere -- confirm against the file contexts.
	domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
')
########################################
## <summary>
##	Allow the specified domain to list
##	apache system content directories and
##	read the symlinks in them.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_list_sys_content',`
	gen_require(`
		type httpd_sys_content_t;
	')

	# Parent-directory traversal first, then the content directories
	# and their symlinks (same ordering as apache_manage_sys_content).
	# No file reads are granted; see apache_read_sys_content.
	files_search_var($1)
	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
	read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
########################################
## <summary>
##	Allow the specified domain to manage
##	apache system content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
interface(`apache_manage_sys_content',`
	gen_require(`
		type httpd_sys_content_t;
	')

	# NOTE(review): only files_search_var is called here; per the note
	# above, content under /etc, /srv or /usr needs the parent-directory
	# search granted by the caller -- TODO confirm this is intended.
	files_search_var($1)
	# Full create/read/write/delete of directories, files and symlinks.
	manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
	manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
########################################
## <summary>
##	Allow the specified domain to read
##	apache system content rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_read_sys_content_rw_files',`
	gen_require(`
		type httpd_sys_rw_content_t;
	')

	# File reads only; no directory listing or parent-directory search
	# is granted here, the caller must reach the directory otherwise.
	read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
')
########################################
## <summary>
##	Allow the specified domain to manage
##	apache system content rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_manage_sys_content_rw',`
	gen_require(`
		type httpd_sys_rw_content_t;
	')

	# Parent traversal, then full management of directories, files and
	# symlinks of the rw content type.
	files_search_var($1)
	manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
')
########################################
## <summary>
##	Allow the specified domain to delete
##	apache system content rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_delete_sys_content_rw',`
	gen_require(`
		type httpd_sys_rw_content_t;
	')

	# NOTE(review): the sibling apache_manage_sys_content_rw calls
	# files_search_var, whereas this one calls files_search_tmp; confirm
	# whether rw content under a tmp location is really what is meant
	# here, or whether this should match the manage interface.
	files_search_tmp($1)
	# Deletion of every object class the rw content type may carry:
	# directories, regular files, symlinks, fifos and sockets.
	delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
')
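########################################
## <summary>
##	Execute all web scripts in the system
##	script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
# cjp: this interface specifically added to allow
# sysadm_t to run scripts
interface(`apache_domtrans_sys_script',`
	gen_require(`
		attribute httpdcontent;
		type httpd_sys_script_t, httpd_sys_script_exec_t;
	')

	# Both transitions are gated on the httpd_enable_cgi tunable.
	# The first uses the dedicated script entry-point type.
	tunable_policy(`httpd_enable_cgi',`
		domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
	')

	# With httpd_unified also set, any file carrying the httpdcontent
	# attribute becomes an entry point into the system script domain,
	# which is a much wider transition surface than the first rule.
	tunable_policy(`httpd_enable_cgi && httpd_unified',`
		domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
	')
')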
########################################
## <summary>
##	Do not audit attempts to read and write Apache
##	system script unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
	gen_require(`
		type httpd_sys_script_t;
	')

	# Quiets read/write denials on sockets owned by the system script
	# domain; no access is granted.
	dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
')
########################################
## <summary>
##	Execute all user scripts in the user
##	script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`apache_domtrans_all_scripts',`
	gen_require(`
		attribute httpd_exec_scripts;
	')

	# Nothing is allowed directly here: the caller is added to the
	# httpd_exec_scripts attribute, and the actual transition rules are
	# attached to that attribute elsewhere in this module.
	# NOTE(review): unlike apache_domtrans_sys_script there is no
	# httpd_enable_cgi gate at this point -- confirm the attribute rules
	# apply the tunable.
	typeattribute $1 httpd_exec_scripts;
')
########################################
## <summary>
##	Execute all user scripts in the user
##	script domain, and authorize the
##	specified role for the user script
##	domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_run_all_scripts',`
	gen_require(`
		attribute httpd_exec_scripts, httpd_script_domains;
	')

	# Transition first, then the role authorization, mirroring the
	# layout of apache_run_helper. The role statement covers every
	# domain carrying the httpd_script_domains attribute.
	apache_domtrans_all_scripts($1)
	role $2 types httpd_script_domains;
')
########################################
## <summary>
##	Allow the specified domain to read
##	apache squirrelmail data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_squirrelmail_data',`
	gen_require(`
		type httpd_squirrelmail_t;
	')

	# File reads only; no directory listing is granted here.
	read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
')
########################################
## <summary>
##	Allow the specified domain to append
##	to apache squirrelmail data files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_append_squirrelmail_data',`
	gen_require(`
		type httpd_squirrelmail_t;
	')

	# Append-only on files. Unlike apache_read_squirrelmail_data, which
	# uses a file pattern, no directory search is granted here.
	allow $1 httpd_squirrelmail_t:file append_file_perms;
')
########################################
## <summary>
##	Search apache system content directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_search_sys_content',`
	gen_require(`
		type httpd_sys_content_t;
	')

	# Search only: path resolution through the content directories,
	# without listing them (see apache_list_sys_content) or reading
	# files (see apache_read_sys_content).
	allow $1 httpd_sys_content_t:dir search_dir_perms;
')
########################################
## <summary>
##	Read apache system content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_sys_content',`
	gen_require(`
		type httpd_sys_content_t;
	')

	# Read-only: directory listing, file reads and symlink reads.
	# No parent-directory search is granted here (contrast
	# apache_list_sys_content, which calls files_search_var).
	allow $1 httpd_sys_content_t:dir list_dir_perms;
	read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
	read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
########################################
## <summary>
##	Search apache system CGI directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_search_sys_scripts',`
	gen_require(`
		type httpd_sys_content_t, httpd_sys_script_exec_t;
	')

	# Search pattern with httpd_sys_content_t presumably as the
	# containing directory type and httpd_sys_script_exec_t as the CGI
	# directory type. No execution of the scripts is granted here; see
	# apache_domtrans_sys_script.
	search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
')
|
|
Chris PeBenito |
371d11 |
|
########################################
## <summary>
##	Create, read, write, and delete all user web content.
## </summary>
## <desc>
##	<p>
##	Full management of directories, regular files and symbolic
##	links for every type carrying the httpd_user_content_type
##	attribute (user web pages) or the httpd_user_script_exec_type
##	attribute (user CGI script executables). Because the script
##	executable types are included, a domain given this interface
##	can place or alter scripts the web server may execute; grant it
##	only to domains that are meant to administer user web content.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_manage_all_user_content',`
	gen_require(`
		attribute httpd_user_content_type, httpd_user_script_exec_type;
	')

	# Grouped by object class rather than by attribute; the resulting
	# rule set is the same either way.
	manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
	manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)

	manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
	manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)

	manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
	manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
')

########################################
## <summary>
##	Search system script state directory.
## </summary>
## <desc>
##	<p>
##	Grants search on the dir class of httpd_sys_script_t, the
##	domain the system CGI scripts run in. For a process domain the
##	dir class covers its proc state directory, so this is traversal
##	of that process state only; no file inside it becomes readable.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_search_sys_script_state',`
	gen_require(`
		type httpd_sys_script_t;
	')

	# Search permission only on the script domain's dir class.
	search_dirs_pattern($1, httpd_sys_script_t, httpd_sys_script_t)
')

########################################
## <summary>
##	Read apache temporary files (httpd_tmp_t).
## </summary>
## <desc>
##	<p>
##	Read-only access to regular files labeled httpd_tmp_t, plus the
##	directory searches needed to reach them under the generic tmp
##	types. Symbolic links, writes and deletes are not covered.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_tmp_files',`
	gen_require(`
		type httpd_tmp_t;
	')

	# Reach the files: search the generic tmp directories, then the
	# httpd_tmp_t directories themselves.
	files_search_tmp($1)
	allow $1 httpd_tmp_t:dir search_dir_perms;

	# Read the files (this is what read_files_pattern() expands to).
	allow $1 httpd_tmp_t:file read_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	apache temporary files (httpd_tmp_t).
## </summary>
## <desc>
##	<p>
##	Suppresses the AVC denial messages only; the access is still
##	denied. Use this for domains that are known to inherit stray
##	httpd tmp file descriptors so the log is not flooded, not as a
##	substitute for granting access.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_tmp_files',`
	gen_require(`
		type httpd_tmp_t;
	')

	# One rule per permission; checkpolicy merges them into the same
	# dontaudit entry.
	dontaudit $1 httpd_tmp_t:file read;
	dontaudit $1 httpd_tmp_t:file write;
')

########################################
## <summary>
##	Do not audit attempts to write
##	apache temporary files (httpd_tmp_t).
## </summary>
## <desc>
##	<p>
##	Suppresses the AVC denial message for write attempts only; the
##	write is still denied and reads are still audited.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_write_tmp_files',`
	gen_require(`
		type httpd_tmp_t;
	')

	# Silence the denial; no permission is granted.
	dontaudit $1 httpd_tmp_t:file { write };
')

########################################
## <summary>
##	Execute CGI in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute CGI in the specified domain: when httpd_t executes a
##	file of the entrypoint type, the process transitions into the
##	given domain. The web server is also allowed to send the
##	signal permission to that domain, and the domain may search the
##	system CGI directories.
##	</p>
##	<p>
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain run the cgi script in.
##	</summary>
## </param>
## <param name="entrypoint">
##	<summary>
##	Type of the executable to enter the cgi domain.
##	</summary>
## </param>
#
interface(`apache_cgi_domain',`
	gen_require(`
		type httpd_t, httpd_sys_script_exec_t;
	')

	# httpd_t -> $1 via the entrypoint type; httpd_t may signal the
	# resulting process.
	domtrans_pattern(httpd_t, $2, $1)
	allow httpd_t $1:process signal;

	# The CGI domain needs to traverse the system CGI directories.
	apache_search_sys_scripts($1)
')

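########################################
## <summary>
##	All of the rules required to administrate an apache environment.
## </summary>
## <desc>
##	<p>
##	The interface takes two arguments: the administrative domain
##	and its role. Besides administrative file access to the httpd
##	configuration, logs, modules, lock and pid files, temporary
##	files, and all web content and script types, it grants the
##	domain ptrace and signal_perms over httpd_t, calls
##	domain_system_change_exemption() for it, lets it run the httpd
##	init script with the role transitioning to system_r, and lets it
##	transition to the setfiles domain. Treat this as full control of
##	the web server, not a read-only or audit role.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_admin',`
	gen_require(`
		attribute httpdcontent, httpd_script_exec_type;
		type httpd_t, httpd_config_t, httpd_log_t;
		type httpd_modules_t, httpd_lock_t, httpd_bool_t;
		type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
		type httpd_suexec_tmp_t, httpd_tmp_t;
	')

	# Process control over the running server: ptrace gives the admin
	# domain access to httpd_t process memory, signal_perms lets it
	# stop or kill it.
	allow $1 httpd_t:process { ptrace signal_perms };
	ps_process_pattern($1, httpd_t)

	# Start/stop via the init script; the role must be able to enter
	# system_r for the transition to succeed.
	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 httpd_initrc_exec_t system_r;
	allow $2 system_r;

	# Web content, including script executable types.
	apache_manage_all_content($1)
	miscfiles_manage_public_files($1)

	files_list_etc($1)
	admin_pattern($1, httpd_config_t)

	logging_list_logs($1)
	admin_pattern($1, httpd_log_t)

	admin_pattern($1, httpd_modules_t)

	admin_pattern($1, httpd_lock_t)
	files_lock_filetrans($1, httpd_lock_t, file)

	admin_pattern($1, httpd_var_run_t)
	files_pid_filetrans($1, httpd_var_run_t, file)

	admin_pattern($1, httpdcontent)
	admin_pattern($1, httpd_script_exec_type)

	# Relabeling of the web tree is done by transitioning to setfiles.
	seutil_domtrans_setfiles($1)

	files_list_tmp($1)
	admin_pattern($1, httpd_tmp_t)
	admin_pattern($1, httpd_php_tmp_t)
	admin_pattern($1, httpd_suexec_tmp_t)

	# Expanded only if the m4 symbol TODO is defined, which this file
	# does not do; kept verbatim. It still refers to a third argument
	# from an older calling convention and to httpd_setsebool_t, so
	# enabling it as-is would need a review of both.
	ifdef(`TODO',`
	apache_set_booleans($1, $2, $3, httpd_bool_t)
	seutil_setsebool_role_template($1, $3, $2)
	allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
	allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
	')
')
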
########################################
## <summary>
##	Do not audit attempts to read and write leaked
##	httpd_t file descriptors.
## </summary>
## <desc>
##	<p>
##	Covers descriptors a process may inherit from httpd_t: fifo
##	files (the inherited-fifo permission set) and tcp, unix datagram
##	and unix stream sockets. Only the denial messages are
##	suppressed; the read and write attempts remain denied, so this
##	hides log noise from descriptor leaks rather than allowing the
##	leak to be used.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`apache_dontaudit_leaks',`
	gen_require(`
		type httpd_t;
	')

	# Sockets first, then the fifo case with its dedicated permission set.
	dontaudit $1 httpd_t:tcp_socket { write read };
	dontaudit $1 httpd_t:unix_dgram_socket { write read };
	dontaudit $1 httpd_t:unix_stream_socket { write read };
	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
')