Chris PeBenito a996bd
## <summary>Apache web server</summary>
Chris PeBenito a996bd
Chris PeBenito b1421d
########################################
Chris PeBenito b1421d
## <summary>
Chris PeBenito b1421d
##	Create a set of derived types for apache
Chris PeBenito b1421d
##	web content.
Chris PeBenito b1421d
## </summary>
Chris PeBenito b1421d
## <param name="prefix">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito b1421d
##	The prefix to be used for deriving type names.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito b1421d
## </param>
Chris PeBenito b1421d
#
Chris PeBenito a996bd
template(`apache_content_template',`
Chris PeBenito a3cf80
	gen_require(`
Dominick Grift 6bb4d4
		attribute httpd_exec_scripts, httpd_script_exec_type;
Chris PeBenito a3cf80
		type httpd_t, httpd_suexec_t, httpd_log_t;
Dan Walsh 3eaa99
		type httpd_sys_content_t;
Chris PeBenito a3cf80
	')
Dan Walsh f5b49a
Chris PeBenito a996bd
	#This type is for webpages
Dan Walsh 3eaa99
	type httpd_$1_content_t; # customizable;
Chris PeBenito 83caba
	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
Chris PeBenito a996bd
	files_type(httpd_$1_content_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	# This type is used for .htaccess files
Chris PeBenito a996bd
	type httpd_$1_htaccess_t; # customizable;
Chris PeBenito a996bd
	files_type(httpd_$1_htaccess_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	# Type that CGI scripts run as
Chris PeBenito a996bd
	type httpd_$1_script_t;
Chris PeBenito a996bd
	domain_type(httpd_$1_script_t)
Chris PeBenito a996bd
	role system_r types httpd_$1_script_t;
Chris PeBenito a996bd
Dan Walsh 689bfe
	search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)
Dan Walsh f5b49a
Chris PeBenito a996bd
	# This type is used for executable scripts files
Chris PeBenito 123a99
	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
Chris PeBenito 0f27d9
	corecmd_shell_entry_type(httpd_$1_script_t)
Chris PeBenito 0bfccd
	domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
Chris PeBenito a996bd
Dan Walsh 3eaa99
	type httpd_$1_rw_content_t; # customizable
Chris PeBenito 83caba
	typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
Chris PeBenito 83caba
	files_type(httpd_$1_rw_content_t)
Chris PeBenito a996bd
Dan Walsh 3eaa99
	type httpd_$1_ra_content_t; # customizable
Chris PeBenito 83caba
	typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
Chris PeBenito 83caba
	files_type(httpd_$1_ra_content_t)
Chris PeBenito a996bd
Chris PeBenito 60def6
	read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
Chris PeBenito a996bd
Chris PeBenito 60def6
	allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
Dan Walsh 3eaa99
	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
Chris PeBenito a996bd
Chris PeBenito a996bd
	allow httpd_$1_script_t self:fifo_file rw_file_perms;
Chris PeBenito 2e0a88
	allow httpd_$1_script_t self:unix_stream_socket connectto;
Chris PeBenito a996bd
Chris PeBenito a996bd
	allow httpd_$1_script_t httpd_t:fifo_file write;
Chris PeBenito a996bd
	# apache should set close-on-exec
Chris PeBenito a996bd
	dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
Chris PeBenito a996bd
Chris PeBenito a996bd
	# Allow the script process to search the cgi directory, and users directory
Chris PeBenito c0868a
	allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
Chris PeBenito a996bd
Chris PeBenito 0bfccd
	append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
Chris PeBenito a996bd
	logging_search_logs(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
Chris PeBenito 60def6
	allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
Chris PeBenito c0868a
Chris PeBenito 83caba
	allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
Chris PeBenito 83caba
	read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
Chris PeBenito 83caba
	append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
Chris PeBenito 83caba
	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
Chris PeBenito c0868a
Chris PeBenito 83caba
	allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
Chris PeBenito 83caba
	read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
Chris PeBenito 83caba
	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
Chris PeBenito c0868a
Chris PeBenito 83caba
	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
Chris PeBenito 83caba
	manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
Chris PeBenito 83caba
	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
Chris PeBenito 83caba
	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
Chris PeBenito 83caba
	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
Chris PeBenito a996bd
Chris PeBenito e749cd
	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
Chris PeBenito e749cd
	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
Chris PeBenito e749cd
Chris PeBenito a996bd
	dev_read_rand(httpd_$1_script_t)
Chris PeBenito a996bd
	dev_read_urand(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito fb63d0
	corecmd_exec_all_executables(httpd_$1_script_t)
Dan Walsh 3eaa99
	application_exec_all(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	files_exec_etc_files(httpd_$1_script_t)
Chris PeBenito a996bd
	files_read_etc_files(httpd_$1_script_t)
Chris PeBenito a996bd
	files_search_home(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	libs_exec_ld_so(httpd_$1_script_t)
Chris PeBenito a996bd
	libs_exec_lib_files(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	miscfiles_read_fonts(httpd_$1_script_t)
Chris PeBenito b1421d
	miscfiles_read_public_files(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	seutil_dontaudit_search_config(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	# Allow the web server to run scripts and serve pages
Chris PeBenito a996bd
	tunable_policy(`httpd_builtin_scripting',`
Chris PeBenito 83caba
		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
Chris PeBenito 83caba
		manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
Chris PeBenito 83caba
		manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
Chris PeBenito 83caba
		rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
Chris PeBenito c0868a
Chris PeBenito 83caba
		allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
Chris PeBenito 83caba
		read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
Chris PeBenito 83caba
		append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
Chris PeBenito 83caba
		read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
Chris PeBenito c0868a
Chris PeBenito 83caba
		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
Chris PeBenito 83caba
		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
Chris PeBenito 83caba
		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
Chris PeBenito c0868a
Chris PeBenito c0868a
		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
Chris PeBenito 0bfccd
		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
Chris PeBenito 0bfccd
		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
Dan Walsh 3eaa99
		allow httpd_t httpd_$1_script_t:unix_stream_socket connectto;
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
Chris PeBenito a996bd
	tunable_policy(`httpd_enable_cgi',`
Chris PeBenito e749cd
		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
Chris PeBenito e749cd
Dominick Grift b11ba4
		domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
Dominick Grift b11ba4
Chris PeBenito e749cd
		# privileged users run the script:
Chris PeBenito c0868a
		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
Chris PeBenito e749cd
Dan Walsh 3eaa99
		allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
Dan Walsh 3eaa99
Chris PeBenito e749cd
		# apache runs the script:
Chris PeBenito c0868a
		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
Chris PeBenito a996bd
Dan Walsh 3eaa99
		allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
Dan Walsh 3eaa99
Chris PeBenito a996bd
		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
Chris PeBenito c0868a
		allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
Chris PeBenito a996bd
Chris PeBenito d9845a
		allow httpd_$1_script_t self:process { setsched signal_perms };
Chris PeBenito a996bd
		allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
Dan Walsh 3eaa99
		allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito a996bd
Chris PeBenito a996bd
		allow httpd_$1_script_t httpd_t:fd use;
Chris PeBenito a996bd
		allow httpd_$1_script_t httpd_t:process sigchld;
Chris PeBenito a996bd
Dominick Grift f6bcb2
		dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
Dominick Grift f6bcb2
Chris PeBenito a996bd
		kernel_read_system_state(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
		dev_read_urand(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
		fs_getattr_xattr_fs(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
		files_read_etc_runtime_files(httpd_$1_script_t)
Chris PeBenito a996bd
		files_read_usr_files(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito 1815ba
		libs_read_lib_files(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
		miscfiles_read_localization(httpd_$1_script_t)
Dan Walsh 3eaa99
		allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
Chris PeBenito dc1920
	optional_policy(`
Chris PeBenito a996bd
		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
Chris PeBenito a996bd
			nis_use_ypbind_uncond(httpd_$1_script_t)
Chris PeBenito a996bd
		')
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
Chris PeBenito bb7170
	optional_policy(`
Chris PeBenito e8cb08
		postgresql_unpriv_client(httpd_$1_script_t)
Chris PeBenito e8cb08
	')
Chris PeBenito e8cb08
Chris PeBenito e8cb08
	optional_policy(`
Chris PeBenito 1815ba
		nscd_socket_use(httpd_$1_script_t)
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
')
Chris PeBenito a996bd
Chris PeBenito 296273
########################################
Chris PeBenito b1421d
## <summary>
Chris PeBenito 296273
##	Role access for apache
Chris PeBenito b1421d
## </summary>
Chris PeBenito 296273
## <param name="role">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 296273
##	Role allowed access
Chris PeBenito 885b83
##	</summary>
Chris PeBenito b1421d
## </param>
Chris PeBenito 296273
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 296273
##	User domain for the role
Chris PeBenito 885b83
##	</summary>
Chris PeBenito b1421d
## </param>
Chris PeBenito b1421d
#
Chris PeBenito 296273
interface(`apache_role',`
Chris PeBenito 0efe52
	gen_require(`
Chris PeBenito 296273
		attribute httpdcontent;
Dominick Grift 6bb4d4
		type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
Dominick Grift 6bb4d4
		type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
Chris PeBenito 296273
	')
Chris PeBenito 296273
Chris PeBenito 296273
	role $1 types httpd_user_script_t;
Chris PeBenito 296273
Chris PeBenito 296273
	allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
Chris PeBenito 296273
Dominick Grift 9fa4de
	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
Chris PeBenito 296273
Chris PeBenito 83caba
	manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
Chris PeBenito 83caba
	manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
Chris PeBenito 83caba
	manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
Chris PeBenito 83caba
	relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
Chris PeBenito 83caba
	relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
Chris PeBenito 83caba
	relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
Chris PeBenito 83caba
Dan Walsh 3eaa99
	manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
Dan Walsh 3eaa99
	manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
Dan Walsh 3eaa99
	manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
Dan Walsh 3eaa99
	relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
Dan Walsh 3eaa99
	relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
Dan Walsh 3eaa99
	relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
Dan Walsh 3eaa99
Chris PeBenito 83caba
	manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
Chris PeBenito 83caba
	manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
Chris PeBenito 83caba
	manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
Chris PeBenito 83caba
	relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
Chris PeBenito 83caba
	relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
Chris PeBenito 83caba
	relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
Chris PeBenito 3f67f7
Chris PeBenito 3f67f7
	manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
Chris PeBenito 3f67f7
	manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
Chris PeBenito 3f67f7
	manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
Chris PeBenito 3f67f7
	relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
Chris PeBenito 3f67f7
	relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
Chris PeBenito 3f67f7
	relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
Chris PeBenito a996bd
Dan Walsh ddcd5d
	apache_exec_modules($2)
Dan Walsh ddcd5d
Chris PeBenito e749cd
	tunable_policy(`httpd_enable_cgi',`
Chris PeBenito e749cd
		# If a user starts a script by hand it gets the proper context
Chris PeBenito 296273
		domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
Chris PeBenito e749cd
	')
Chris PeBenito a996bd
Chris PeBenito e749cd
	tunable_policy(`httpd_enable_cgi && httpd_unified',`
Chris PeBenito 296273
		domtrans_pattern($2, httpdcontent, httpd_user_script_t)
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
')
Chris PeBenito a996bd
Chris PeBenito a996bd
########################################
Chris PeBenito a996bd
## <summary>
Chris PeBenito 123a99
##	Read httpd user scripts executables.
Chris PeBenito 123a99
## </summary>
Chris PeBenito 123a99
## <param name="domain">
Chris PeBenito 123a99
##	<summary>
Chris PeBenito 123a99
##	Domain allowed access.
Chris PeBenito 123a99
##	</summary>
Chris PeBenito 123a99
## </param>
Chris PeBenito 123a99
#
Chris PeBenito 296273
interface(`apache_read_user_scripts',`
Chris PeBenito 123a99
	gen_require(`
Chris PeBenito 296273
		type httpd_user_script_exec_t;
Chris PeBenito 123a99
	')
Chris PeBenito 123a99
Chris PeBenito 296273
	allow $1 httpd_user_script_exec_t:dir list_dir_perms;
Chris PeBenito 296273
	read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
Chris PeBenito 296273
	read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
Chris PeBenito 123a99
')
Chris PeBenito 123a99
Chris PeBenito 123a99
########################################
Chris PeBenito 123a99
## <summary>
Chris PeBenito 123a99
##	Read user web content.
Chris PeBenito 123a99
## </summary>
Chris PeBenito 123a99
## <param name="domain">
Chris PeBenito 123a99
##	<summary>
Chris PeBenito 123a99
##	Domain allowed access.
Chris PeBenito 123a99
##	</summary>
Chris PeBenito 123a99
## </param>
Chris PeBenito 123a99
#
Chris PeBenito 296273
interface(`apache_read_user_content',`
Chris PeBenito 123a99
	gen_require(`
Chris PeBenito 296273
		type httpd_user_content_t;
Chris PeBenito 123a99
	')
Chris PeBenito 123a99
Chris PeBenito 296273
	allow $1 httpd_user_content_t:dir list_dir_perms;
Chris PeBenito 296273
	read_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
Chris PeBenito 296273
	read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
Chris PeBenito 123a99
')
Chris PeBenito 123a99
Chris PeBenito 123a99
########################################
Chris PeBenito 123a99
## <summary>
Chris PeBenito b1421d
##	Transition to apache.
Chris PeBenito a996bd
## </summary>
Chris PeBenito a996bd
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Dominick Grift 288845
##	Domain allowed to transition.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito a996bd
## </param>
Chris PeBenito a996bd
#
Chris PeBenito a996bd
interface(`apache_domtrans',`
Chris PeBenito a996bd
	gen_require(`
Chris PeBenito a996bd
		type httpd_t, httpd_exec_t;
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
Chris PeBenito 8021cb
	corecmd_search_bin($1)
Chris PeBenito 0bfccd
	domtrans_pattern($1, httpd_exec_t, httpd_t)
Chris PeBenito a996bd
')
Chris PeBenito a996bd
Dan Walsh 3eaa99
######################################
Dan Walsh 3eaa99
## <summary>
Dominick Grift 4b1644
##	Allow the specified domain to execute apache
Dominick Grift 4b1644
##	in the caller domain.
Dan Walsh 3eaa99
## </summary>
Dan Walsh 3eaa99
## <param name="domain">
Dominick Grift 4b1644
##	<summary>
Dominick Grift 4b1644
##	Domain allowed access.
Dominick Grift 4b1644
##	</summary>
Dan Walsh 3eaa99
## </param>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
interface(`apache_exec',`
Dominick Grift 4b1644
	gen_require(`
Dominick Grift 4b1644
		type httpd_exec_t;
Dominick Grift 4b1644
	')
Dan Walsh 3eaa99
Dominick Grift 4b1644
	can_exec($1, httpd_exec_t)
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Chris PeBenito 60def6
#######################################
Chris PeBenito 60def6
## <summary>
Chris PeBenito 60def6
##	Send a generic signal to apache.
Chris PeBenito 60def6
## </summary>
Chris PeBenito 60def6
## <param name="domain">
Chris PeBenito 60def6
##	<summary>
Chris PeBenito 60def6
##	Domain allowed access.
Chris PeBenito 60def6
##	</summary>
Chris PeBenito 60def6
## </param>
Chris PeBenito 60def6
#
Chris PeBenito 60def6
interface(`apache_signal',`
Chris PeBenito 60def6
	gen_require(`
Chris PeBenito 60def6
		type httpd_t;
Chris PeBenito 60def6
	')
Chris PeBenito 60def6
Chris PeBenito 60def6
	allow $1 httpd_t:process signal;
Chris PeBenito 60def6
')
Chris PeBenito 60def6
Chris PeBenito a996bd
########################################
Chris PeBenito a996bd
## <summary>
Chris PeBenito a996bd
##	Send a null signal to apache.
Chris PeBenito a996bd
## </summary>
Chris PeBenito a996bd
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 799a0b
##	Domain allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito a996bd
## </param>
Chris PeBenito a996bd
#
Chris PeBenito a996bd
interface(`apache_signull',`
Chris PeBenito a996bd
	gen_require(`
Chris PeBenito a996bd
		type httpd_t;
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
Chris PeBenito a996bd
	allow $1 httpd_t:process signull;
Chris PeBenito a996bd
')
Chris PeBenito a996bd
Chris PeBenito a996bd
########################################
Chris PeBenito a996bd
## <summary>
Chris PeBenito 799a0b
##	Send a SIGCHLD signal to apache.
Chris PeBenito 799a0b
## </summary>
Chris PeBenito 799a0b
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 799a0b
##	Domain allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 799a0b
## </param>
Chris PeBenito 799a0b
#
Chris PeBenito 799a0b
interface(`apache_sigchld',`
Chris PeBenito 799a0b
	gen_require(`
Chris PeBenito 799a0b
		type httpd_t;
Chris PeBenito 799a0b
	')
Chris PeBenito 799a0b
Chris PeBenito 799a0b
	allow $1 httpd_t:process sigchld;
Chris PeBenito 799a0b
')
Chris PeBenito 799a0b
Chris PeBenito 799a0b
########################################
Chris PeBenito 799a0b
## <summary>
Chris PeBenito 799a0b
##	Inherit and use file descriptors from Apache.
Chris PeBenito 799a0b
## </summary>
Chris PeBenito 799a0b
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 799a0b
##	Domain allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 799a0b
## </param>
Chris PeBenito 799a0b
#
Chris PeBenito 1c1ac6
interface(`apache_use_fds',`
Chris PeBenito 799a0b
	gen_require(`
Chris PeBenito 799a0b
		type httpd_t;
Chris PeBenito 799a0b
	')
Chris PeBenito 799a0b
Chris PeBenito 799a0b
	allow $1 httpd_t:fd use;
Chris PeBenito 799a0b
')
Chris PeBenito 799a0b
Chris PeBenito 799a0b
########################################
Chris PeBenito 799a0b
## <summary>
Chris PeBenito e749cd
##	Do not audit attempts to read and write Apache
Chris PeBenito 60def6
##	unnamed pipes.
Chris PeBenito 60def6
## </summary>
Chris PeBenito 60def6
## <param name="domain">
Chris PeBenito 60def6
##	<summary>
Dominick Grift 288845
##	Domain to not audit.
Chris PeBenito 60def6
##	</summary>
Chris PeBenito 60def6
## </param>
Chris PeBenito 60def6
#
Chris PeBenito 60def6
interface(`apache_dontaudit_rw_fifo_file',`
Chris PeBenito 60def6
	gen_require(`
Chris PeBenito 60def6
		type httpd_t;
Chris PeBenito 60def6
	')
Chris PeBenito 60def6
Dan Walsh 3eaa99
	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
Chris PeBenito 60def6
')
Chris PeBenito 60def6
Chris PeBenito 60def6
########################################
Chris PeBenito 60def6
## <summary>
Chris PeBenito 60def6
##	Do not audit attempts to read and write Apache
Chris PeBenito e749cd
##	unix domain stream sockets.
Chris PeBenito e749cd
## </summary>
Chris PeBenito e749cd
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Dominick Grift 288845
##	Domain to not audit.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito e749cd
## </param>
Chris PeBenito e749cd
#
Chris PeBenito 1815ba
interface(`apache_dontaudit_rw_stream_sockets',`
Chris PeBenito e749cd
	gen_require(`
Chris PeBenito e749cd
		type httpd_t;
Chris PeBenito e749cd
	')
Chris PeBenito e749cd
Chris PeBenito e749cd
	dontaudit $1 httpd_t:unix_stream_socket { read write };
Chris PeBenito e749cd
')
Chris PeBenito e749cd
Chris PeBenito e749cd
########################################
Chris PeBenito e749cd
## <summary>
Chris PeBenito e749cd
##	Do not audit attempts to read and write Apache
Chris PeBenito e749cd
##	TCP sockets.
Chris PeBenito e749cd
## </summary>
Chris PeBenito e749cd
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Dominick Grift 288845
##	Domain to not audit.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito e749cd
## </param>
Chris PeBenito e749cd
#
Chris PeBenito 1815ba
interface(`apache_dontaudit_rw_tcp_sockets',`
Chris PeBenito e749cd
	gen_require(`
Chris PeBenito e749cd
		type httpd_t;
Chris PeBenito e749cd
	')
Chris PeBenito e749cd
Chris PeBenito e749cd
	dontaudit $1 httpd_t:tcp_socket { read write };
Chris PeBenito e749cd
')
Chris PeBenito e749cd
Chris PeBenito e749cd
########################################
Chris PeBenito 013d74
## <summary>
Chris PeBenito 013d74
##	Create, read, write, and delete all web content.
Chris PeBenito 013d74
## </summary>
Chris PeBenito 013d74
## <param name="domain">
Chris PeBenito 013d74
##	<summary>
Chris PeBenito 013d74
##	Domain allowed access.
Chris PeBenito 013d74
##	</summary>
Chris PeBenito 013d74
## </param>
Chris PeBenito bbcd3c
## <rolecap/>
Chris PeBenito 013d74
#
Chris PeBenito 013d74
interface(`apache_manage_all_content',`
Chris PeBenito 013d74
	gen_require(`
Chris PeBenito 123a99
		attribute httpdcontent, httpd_script_exec_type;
Chris PeBenito 013d74
	')
Chris PeBenito 013d74
Chris PeBenito 0bfccd
	manage_dirs_pattern($1, httpdcontent, httpdcontent)
Chris PeBenito 0bfccd
	manage_files_pattern($1, httpdcontent, httpdcontent)
Chris PeBenito 0bfccd
	manage_lnk_files_pattern($1, httpdcontent, httpdcontent)
Chris PeBenito 123a99
Chris PeBenito 0bfccd
	manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
Chris PeBenito 0bfccd
	manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
Chris PeBenito 0bfccd
	manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
Chris PeBenito 013d74
')
Chris PeBenito 013d74
Chris PeBenito 013d74
########################################
Chris PeBenito e749cd
## <summary>
Chris PeBenito 60def6
##	Allow domain to  set the attributes
Chris PeBenito 60def6
##	of the APACHE cache directory.
Chris PeBenito 60def6
## </summary>
Chris PeBenito 60def6
## <param name="domain">
Chris PeBenito 60def6
##	<summary>
Chris PeBenito 60def6
##	Domain allowed access.
Chris PeBenito 60def6
##	</summary>
Chris PeBenito 60def6
## </param>
Chris PeBenito 60def6
#
Chris PeBenito 60def6
interface(`apache_setattr_cache_dirs',`
Chris PeBenito 60def6
	gen_require(`
Chris PeBenito 60def6
		type httpd_cache_t;
Chris PeBenito 60def6
	')
Chris PeBenito 60def6
Dominick Grift 9fa4de
	allow $1 httpd_cache_t:dir setattr_dir_perms;
Chris PeBenito 60def6
')
Chris PeBenito 60def6
Chris PeBenito 60def6
########################################
Chris PeBenito 60def6
## <summary>
Chris PeBenito 60def6
##	Allow the specified domain to list
Chris PeBenito 60def6
##	Apache cache.
Chris PeBenito 60def6
## </summary>
Chris PeBenito 60def6
## <param name="domain">
Chris PeBenito 60def6
##	<summary>
Chris PeBenito 60def6
##	Domain allowed access.
Chris PeBenito 60def6
##	</summary>
Chris PeBenito 60def6
## </param>
Chris PeBenito 60def6
#
Chris PeBenito 60def6
interface(`apache_list_cache',`
Chris PeBenito 60def6
	gen_require(`
Chris PeBenito 60def6
		type httpd_cache_t;
Chris PeBenito 60def6
	')
Chris PeBenito 60def6
Chris PeBenito 60def6
	list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
Chris PeBenito 60def6
')
Chris PeBenito 60def6
Chris PeBenito 60def6
########################################
Chris PeBenito 60def6
## <summary>
Chris PeBenito a996bd
##	Allow the specified domain to read
Chris PeBenito 5bd9fd
##	and write Apache cache files.
Chris PeBenito 5bd9fd
## </summary>
Chris PeBenito 5bd9fd
## <param name="domain">
Chris PeBenito 5bd9fd
##	<summary>
Chris PeBenito 5bd9fd
##	Domain allowed access.
Chris PeBenito 5bd9fd
##	</summary>
Chris PeBenito 5bd9fd
## </param>
Chris PeBenito 5bd9fd
#
Chris PeBenito 5bd9fd
interface(`apache_rw_cache_files',`
Chris PeBenito 5bd9fd
	gen_require(`
Chris PeBenito 5bd9fd
		type httpd_cache_t;
Chris PeBenito 5bd9fd
	')
Chris PeBenito 5bd9fd
Chris PeBenito 5bd9fd
	allow $1 httpd_cache_t:file rw_file_perms;
Chris PeBenito 5bd9fd
')
Chris PeBenito 5bd9fd
Chris PeBenito 5bd9fd
########################################
Chris PeBenito 5bd9fd
## <summary>
Chris PeBenito 60def6
##	Allow the specified domain to delete
Dan Walsh 3eaa99
##	Apache cache dirs.
Dan Walsh 3eaa99
## </summary>
Dan Walsh 3eaa99
## <param name="domain">
Dan Walsh 3eaa99
##	<summary>
Dan Walsh 3eaa99
##	Domain allowed access.
Dan Walsh 3eaa99
##	</summary>
Dan Walsh 3eaa99
## </param>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
interface(`apache_delete_cache_dirs',`
Dan Walsh 3eaa99
	gen_require(`
Dan Walsh 3eaa99
		type httpd_cache_t;
Dan Walsh 3eaa99
	')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
########################################
Dan Walsh 3eaa99
## <summary>
Dan Walsh 3eaa99
##	Allow the specified domain to delete
Chris PeBenito 60def6
##	Apache cache.
Chris PeBenito 60def6
## </summary>
Chris PeBenito 60def6
## <param name="domain">
Chris PeBenito 60def6
##	<summary>
Chris PeBenito 60def6
##	Domain allowed access.
Chris PeBenito 60def6
##	</summary>
Chris PeBenito 60def6
## </param>
Chris PeBenito 60def6
#
Chris PeBenito 60def6
interface(`apache_delete_cache_files',`
Chris PeBenito 60def6
	gen_require(`
Chris PeBenito 60def6
		type httpd_cache_t;
Chris PeBenito 60def6
	')
Chris PeBenito 60def6
Chris PeBenito 60def6
	delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
Chris PeBenito 60def6
')
Chris PeBenito 60def6
Chris PeBenito 60def6
########################################
Chris PeBenito 60def6
## <summary>
Dan Walsh 3235a8
##	Allow the specified domain to search
Dan Walsh 3235a8
##	apache configuration dirs.
Dan Walsh 3235a8
## </summary>
Dan Walsh 3235a8
## <param name="domain">
Dan Walsh 3235a8
##	<summary>
Dan Walsh 3235a8
##	Domain allowed access.
Dan Walsh 3235a8
##	</summary>
Dan Walsh 3235a8
## </param>
Dan Walsh 3235a8
## <rolecap/>
Dan Walsh 3235a8
#
Dan Walsh 3235a8
interface(`apache_search_config',`
Dan Walsh 3235a8
	gen_require(`
Dan Walsh 3235a8
		type httpd_config_t;
Dan Walsh 3235a8
	')
Dan Walsh 3235a8
Dan Walsh 3235a8
	files_search_etc($1)
Dan Walsh 3235a8
	allow $1 httpd_config_t:dir search_dir_perms;
Dan Walsh 3235a8
')
Dan Walsh 3235a8
Dan Walsh 3235a8
########################################
Dan Walsh 3235a8
## <summary>
Chris PeBenito 5bd9fd
##	Allow the specified domain to read
Chris PeBenito a996bd
##	apache configuration files.
Chris PeBenito a996bd
## </summary>
Chris PeBenito a996bd
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito a996bd
##	Domain allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito a996bd
## </param>
Chris PeBenito bbcd3c
## <rolecap/>
Chris PeBenito a996bd
#
Chris PeBenito a996bd
interface(`apache_read_config',`
Chris PeBenito a996bd
	gen_require(`
Chris PeBenito a996bd
		type httpd_config_t;
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
Chris PeBenito a996bd
	files_search_etc($1)
Chris PeBenito c0868a
	allow $1 httpd_config_t:dir list_dir_perms;
Chris PeBenito 0bfccd
	read_files_pattern($1, httpd_config_t, httpd_config_t)
Chris PeBenito 0bfccd
	read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
Chris PeBenito a996bd
')
Chris PeBenito 6e99a6
Chris PeBenito 6e99a6
########################################
Chris PeBenito 6e99a6
## <summary>
Chris PeBenito 123a99
##	Allow the specified domain to manage
Chris PeBenito 123a99
##	apache configuration files.
Chris PeBenito 123a99
## </summary>
Chris PeBenito 123a99
## <param name="domain">
Chris PeBenito 123a99
##	<summary>
Chris PeBenito 123a99
##	Domain allowed access.
Chris PeBenito 123a99
##	</summary>
Chris PeBenito 123a99
## </param>
Chris PeBenito 123a99
#
Chris PeBenito 123a99
interface(`apache_manage_config',`
Chris PeBenito 123a99
	gen_require(`
Chris PeBenito 123a99
		type httpd_config_t;
Chris PeBenito 123a99
	')
Chris PeBenito 123a99
Chris PeBenito 123a99
	files_search_etc($1)
Chris PeBenito 0bfccd
	manage_dirs_pattern($1, httpd_config_t, httpd_config_t)
Chris PeBenito 0bfccd
	manage_files_pattern($1, httpd_config_t, httpd_config_t)
Chris PeBenito 0bfccd
	read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
Chris PeBenito 123a99
')
Chris PeBenito 123a99
Chris PeBenito 123a99
########################################
Chris PeBenito 123a99
## <summary>
Chris PeBenito c2b18f
##	Execute the Apache helper program with
Chris PeBenito c2b18f
##	a domain transition.
Chris PeBenito 6e99a6
## </summary>
Chris PeBenito 6e99a6
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 6e99a6
##	Domain allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 6e99a6
## </param>
Chris PeBenito 6e99a6
#
Chris PeBenito c2b18f
interface(`apache_domtrans_helper',`
Chris PeBenito 6e99a6
	gen_require(`
Chris PeBenito c2b18f
		type httpd_helper_t, httpd_helper_exec_t;
Chris PeBenito 6e99a6
	')
Chris PeBenito 6e99a6
Chris PeBenito 8021cb
	corecmd_search_bin($1)
Chris PeBenito 0bfccd
	domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t)
Chris PeBenito c2b18f
')
Chris PeBenito c2b18f
Chris PeBenito c2b18f
########################################
Chris PeBenito c2b18f
## <summary>
Chris PeBenito c2b18f
##	Execute the Apache helper program with
Chris PeBenito c2b18f
##	a domain transition, and allow the
Chris PeBenito 60def6
##	specified role the Apache helper domain.
Chris PeBenito c2b18f
## </summary>
Chris PeBenito c2b18f
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Dominick Grift 288845
##	Domain allowed to transition.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito c2b18f
## </param>
Chris PeBenito c2b18f
## <param name="role">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 60def6
##	Role allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito c2b18f
## </param>
Chris PeBenito bbcd3c
## <rolecap/>
Chris PeBenito c2b18f
#
Chris PeBenito c2b18f
interface(`apache_run_helper',`
Chris PeBenito c2b18f
	gen_require(`
Chris PeBenito c2b18f
		type httpd_helper_t;
Chris PeBenito c2b18f
	')
Chris PeBenito c2b18f
Chris PeBenito c2b18f
	apache_domtrans_helper($1)
Chris PeBenito c2b18f
	role $2 types httpd_helper_t;
Chris PeBenito 6e99a6
')
Chris PeBenito 799a0b
Chris PeBenito 799a0b
########################################
Chris PeBenito 799a0b
## <summary>
Chris PeBenito be4690
##	Allow the specified domain to read
Chris PeBenito be4690
##	apache log files.
Chris PeBenito be4690
## </summary>
Chris PeBenito be4690
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito be4690
##	Domain allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito be4690
## </param>
Chris PeBenito bbcd3c
## <rolecap/>
Chris PeBenito be4690
#
Chris PeBenito be4690
interface(`apache_read_log',`
Chris PeBenito be4690
	gen_require(`
Chris PeBenito be4690
		type httpd_log_t;
Chris PeBenito be4690
	')
Chris PeBenito be4690
Chris PeBenito f1e604
	logging_search_logs($1)
Chris PeBenito c0868a
	allow $1 httpd_log_t:dir list_dir_perms;
Chris PeBenito 0bfccd
	read_files_pattern($1, httpd_log_t, httpd_log_t)
Chris PeBenito 0bfccd
	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
Chris PeBenito be4690
')
Chris PeBenito be4690
Chris PeBenito be4690
########################################
Chris PeBenito be4690
## <summary>
Chris PeBenito f1e604
##	Allow the specified domain to append
Chris PeBenito f1e604
##	to apache log files.
Chris PeBenito f1e604
## </summary>
Chris PeBenito f1e604
## <param name="domain">
Chris PeBenito f1e604
##	<summary>
Chris PeBenito f1e604
##	Domain allowed access.
Chris PeBenito f1e604
##	</summary>
Chris PeBenito f1e604
## </param>
Chris PeBenito f1e604
#
Chris PeBenito f1e604
interface(`apache_append_log',`
Chris PeBenito f1e604
	gen_require(`
Chris PeBenito f1e604
		type httpd_log_t;
Chris PeBenito f1e604
	')
Chris PeBenito f1e604
Chris PeBenito f1e604
	logging_search_logs($1)
Chris PeBenito c0868a
	allow $1 httpd_log_t:dir list_dir_perms;
Chris PeBenito 0bfccd
	append_files_pattern($1, httpd_log_t, httpd_log_t)
Chris PeBenito f1e604
')
Chris PeBenito f1e604
Chris PeBenito f1e604
########################################
Chris PeBenito f1e604
## <summary>
Chris PeBenito 799a0b
##	Do not audit attempts to append to the
Chris PeBenito 799a0b
##	Apache logs.
Chris PeBenito 799a0b
## </summary>
Chris PeBenito 799a0b
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 799a0b
##	Domain to not audit.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 799a0b
## </param>
Chris PeBenito 799a0b
#
Chris PeBenito 799a0b
interface(`apache_dontaudit_append_log',`
Chris PeBenito 799a0b
	gen_require(`
Chris PeBenito 799a0b
		type httpd_log_t;
Chris PeBenito 799a0b
	')
Chris PeBenito 799a0b
Dominick Grift 9fa4de
	dontaudit $1 httpd_log_t:file append_file_perms;
Chris PeBenito 799a0b
')
Chris PeBenito c2b18f
Chris PeBenito c2b18f
########################################
Chris PeBenito c2b18f
## <summary>
Chris PeBenito 123a99
##	Allow the specified domain to manage
Chris PeBenito 123a99
##	to apache log files.
Chris PeBenito 123a99
## </summary>
Chris PeBenito 123a99
## <param name="domain">
Chris PeBenito 123a99
##	<summary>
Chris PeBenito 123a99
##	Domain allowed access.
Chris PeBenito 123a99
##	</summary>
Chris PeBenito 123a99
## </param>
Chris PeBenito 123a99
#
Chris PeBenito 123a99
interface(`apache_manage_log',`
Chris PeBenito 123a99
	gen_require(`
Chris PeBenito 123a99
		type httpd_log_t;
Chris PeBenito 123a99
	')
Chris PeBenito 123a99
Chris PeBenito 123a99
	logging_search_logs($1)
Chris PeBenito 0bfccd
	manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
Chris PeBenito 0bfccd
	manage_files_pattern($1, httpd_log_t, httpd_log_t)
Chris PeBenito 0bfccd
	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
Chris PeBenito 123a99
')
Chris PeBenito 123a99
Chris PeBenito 123a99
########################################
Chris PeBenito 123a99
## <summary>
Chris PeBenito c6d4c8
##	Do not audit attempts to search Apache
Chris PeBenito c6d4c8
##	module directories.
Chris PeBenito c6d4c8
## </summary>
Chris PeBenito c6d4c8
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito c6d4c8
##	Domain to not audit.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito c6d4c8
## </param>
Chris PeBenito c6d4c8
#
Chris PeBenito c6d4c8
interface(`apache_dontaudit_search_modules',`
Chris PeBenito c6d4c8
	gen_require(`
Chris PeBenito c6d4c8
		type httpd_modules_t;
Chris PeBenito c6d4c8
	')
Chris PeBenito c6d4c8
Chris PeBenito c31f67
	dontaudit $1 httpd_modules_t:dir search_dir_perms;
Chris PeBenito c6d4c8
')
Chris PeBenito c6d4c8
Chris PeBenito c6d4c8
########################################
Chris PeBenito c6d4c8
## <summary>
Dan Walsh 3eaa99
##	Allow the specified domain to read
Dan Walsh 3eaa99
##	the apache module directories.
Dan Walsh 3eaa99
## </summary>
Dan Walsh 3eaa99
## <param name="domain">
Dan Walsh 3eaa99
##	<summary>
Dan Walsh 3eaa99
##	Domain allowed access.
Dan Walsh 3eaa99
##	</summary>
Dan Walsh 3eaa99
## </param>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
interface(`apache_read_modules',`
Dan Walsh 3eaa99
	gen_require(`
Dan Walsh 3eaa99
		type httpd_modules_t;
Dan Walsh 3eaa99
	')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	read_files_pattern($1, httpd_modules_t, httpd_modules_t)
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
########################################
Dan Walsh 3eaa99
## <summary>
Chris PeBenito c2b18f
##	Allow the specified domain to list
Chris PeBenito c2b18f
##	the contents of the apache modules
Chris PeBenito c2b18f
##	directory.
Chris PeBenito c2b18f
## </summary>
Chris PeBenito c2b18f
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito c2b18f
##	Domain allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito c2b18f
## </param>
Chris PeBenito c2b18f
#
Chris PeBenito c2b18f
interface(`apache_list_modules',`
Chris PeBenito c2b18f
	gen_require(`
Chris PeBenito c2b18f
		type httpd_modules_t;
Chris PeBenito c2b18f
	')
Chris PeBenito c2b18f
Chris PeBenito c0868a
	allow $1 httpd_modules_t:dir list_dir_perms;
Dan Walsh 3eaa99
	read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
Chris PeBenito c2b18f
')
Chris PeBenito c2b18f
Chris PeBenito c2b18f
########################################
Chris PeBenito c2b18f
## <summary>
Chris PeBenito 2bcdbd
##	Allow the specified domain to execute
Chris PeBenito 2bcdbd
##	apache modules.
Chris PeBenito 2bcdbd
## </summary>
Chris PeBenito 2bcdbd
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 2bcdbd
##	Domain allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 2bcdbd
## </param>
Chris PeBenito 2bcdbd
#
Chris PeBenito 2bcdbd
interface(`apache_exec_modules',`
Chris PeBenito 2bcdbd
	gen_require(`
Chris PeBenito 2bcdbd
		type httpd_modules_t;
Chris PeBenito 2bcdbd
	')
Chris PeBenito 2bcdbd
Chris PeBenito c0868a
	allow $1 httpd_modules_t:dir list_dir_perms;
Chris PeBenito 0b36a2
	allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
Chris PeBenito 3f67f7
	can_exec($1, httpd_modules_t)
Chris PeBenito 2bcdbd
')
Chris PeBenito 2bcdbd
Chris PeBenito 2bcdbd
########################################
Chris PeBenito 2bcdbd
## <summary>
Chris PeBenito 123a99
##	Execute a domain transition to run httpd_rotatelogs.
Chris PeBenito 123a99
## </summary>
Chris PeBenito 123a99
## <param name="domain">
Chris PeBenito 123a99
##	<summary>
Dominick Grift 288845
##	Domain allowed to transition.
Chris PeBenito 123a99
##	</summary>
Chris PeBenito 123a99
## </param>
Chris PeBenito 123a99
#
Chris PeBenito 123a99
interface(`apache_domtrans_rotatelogs',`
Chris PeBenito 123a99
	gen_require(`
Chris PeBenito 123a99
		type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
Chris PeBenito 123a99
	')
Chris PeBenito 123a99
Chris PeBenito 0bfccd
	domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
Chris PeBenito 123a99
')
Chris PeBenito 123a99
Chris PeBenito 123a99
########################################
Chris PeBenito 123a99
## <summary>
Dominick Grift 1031ee
##	Allow the specified domain to list
Dominick Grift 1031ee
##	apache system content files.
Dominick Grift 1031ee
## </summary>
Dominick Grift 1031ee
## <param name="domain">
Dominick Grift 1031ee
##	<summary>
Dominick Grift 1031ee
##	Domain allowed access.
Dominick Grift 1031ee
##	</summary>
Dominick Grift 1031ee
## </param>
Dominick Grift 1031ee
#
Dominick Grift 1031ee
interface(`apache_list_sys_content',`
Dominick Grift 1031ee
	gen_require(`
Dominick Grift 1031ee
		type httpd_sys_content_t;
Dominick Grift 1031ee
	')
Dominick Grift 1031ee
Dominick Grift 1031ee
	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
Dan Walsh 3eaa99
	read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
Dominick Grift 1031ee
	files_search_var($1)
Dominick Grift 1031ee
')
Dominick Grift 1031ee
Dominick Grift 1031ee
########################################
Dominick Grift 1031ee
## <summary>
Chris PeBenito be4690
##	Allow the specified domain to manage
Chris PeBenito be4690
##	apache system content files.
Chris PeBenito be4690
## </summary>
Chris PeBenito be4690
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito be4690
##	Domain allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito be4690
## </param>
Chris PeBenito bbcd3c
## <rolecap/>
Chris PeBenito be4690
#
Chris PeBenito be4690
# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
Chris PeBenito be4690
interface(`apache_manage_sys_content',`
Chris PeBenito be4690
	gen_require(`
Chris PeBenito 77f6e2
		type httpd_sys_content_t;
Chris PeBenito be4690
	')
Chris PeBenito be4690
Chris PeBenito be4690
	files_search_var($1)
Chris PeBenito 0bfccd
	manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
Chris PeBenito 0bfccd
	manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
Chris PeBenito 0bfccd
	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
Chris PeBenito be4690
')
Chris PeBenito be4690
Dan Walsh 3eaa99
######################################
Dan Walsh 3eaa99
## <summary>
Dominick Grift 4b1644
##	Allow the specified domain to read
Dominick Grift 4b1644
##	apache system content rw files.
Dan Walsh 3eaa99
## </summary>
Dan Walsh 3eaa99
## <param name="domain">
Dominick Grift 4b1644
##	<summary>
Dominick Grift 4b1644
##	Domain allowed access.
Dominick Grift 4b1644
##	</summary>
Dan Walsh 3eaa99
## </param>
Dan Walsh 3eaa99
## <rolecap/>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
interface(`apache_read_sys_content_rw_files',`
Dominick Grift 4b1644
	gen_require(`
Dan Walsh 3eaa99
		type httpd_sys_rw_content_t;
Dan Walsh 3eaa99
	')
Dan Walsh 3eaa99
Dominick Grift 4b1644
	read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
######################################
Dan Walsh 3eaa99
## <summary>
Dominick Grift 4b1644
##	Allow the specified domain to manage
Dominick Grift 4b1644
##	apache system content rw files.
Dan Walsh 3eaa99
## </summary>
Dan Walsh 3eaa99
## <param name="domain">
Dominick Grift 4b1644
##	<summary>
Dominick Grift 4b1644
##	Domain allowed access.
Dominick Grift 4b1644
##	</summary>
Dan Walsh 3eaa99
## </param>
Dan Walsh 3eaa99
## <rolecap/>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
interface(`apache_manage_sys_content_rw',`
Dominick Grift 4b1644
	gen_require(`
Dan Walsh 3eaa99
		type httpd_sys_rw_content_t;
Dan Walsh 3eaa99
	')
Dan Walsh 3eaa99
Dominick Grift 4b1644
	files_search_var($1)
Dominick Grift 4b1644
	manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
Dominick Grift 4b1644
	manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
Dominick Grift 4b1644
	manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
########################################
Dan Walsh 3eaa99
## <summary>
Dan Walsh 3eaa99
##	Allow the specified domain to delete
Dan Walsh 3eaa99
##	apache system content rw files.
Dan Walsh 3eaa99
## </summary>
Dan Walsh 3eaa99
## <param name="domain">
Dan Walsh 3eaa99
##	<summary>
Dan Walsh 3eaa99
##	Domain allowed access.
Dan Walsh 3eaa99
##	</summary>
Dan Walsh 3eaa99
## </param>
Dan Walsh 3eaa99
## <rolecap/>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
interface(`apache_delete_sys_content_rw',`
Dan Walsh 3eaa99
	gen_require(`
Dan Walsh 3eaa99
		type httpd_sys_rw_content_t;
Dan Walsh 3eaa99
	')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	files_search_tmp($1)
Dan Walsh 3eaa99
	delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
Dan Walsh 3eaa99
	delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
Dan Walsh 3eaa99
	delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
Dan Walsh 3eaa99
	delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
Dan Walsh 3eaa99
	delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Chris PeBenito be4690
########################################
Chris PeBenito be4690
## <summary>
Chris PeBenito c2b18f
##	Execute all web scripts in the system
Chris PeBenito c2b18f
##	script domain.
Chris PeBenito c2b18f
## </summary>
Chris PeBenito c2b18f
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Dominick Grift 288845
##	Domain allowed to transition.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito c2b18f
## </param>
Chris PeBenito c2b18f
#
Chris PeBenito c2b18f
# cjp: this interface specifically added to allow
Chris PeBenito c2b18f
# sysadm_t to run scripts
Chris PeBenito c2b18f
interface(`apache_domtrans_sys_script',`
Chris PeBenito c2b18f
	gen_require(`
Chris PeBenito c2b18f
		attribute httpdcontent;
Dominick Grift 6bb4d4
		type httpd_sys_script_t, httpd_sys_content_t;
Dan Walsh 3eaa99
	')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	tunable_policy(`httpd_enable_cgi',`
Dan Walsh 3eaa99
		domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
Chris PeBenito c2b18f
	')
Chris PeBenito c2b18f
Chris PeBenito c2b18f
	tunable_policy(`httpd_enable_cgi && httpd_unified',`
Chris PeBenito c0868a
		domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
Chris PeBenito c2b18f
	')
Chris PeBenito c2b18f
')
Chris PeBenito e749cd
Chris PeBenito e749cd
########################################
Chris PeBenito e749cd
## <summary>
Chris PeBenito e749cd
##	Do not audit attempts to read and write Apache
Chris PeBenito e749cd
##	system script unix domain stream sockets.
Chris PeBenito e749cd
## </summary>
Chris PeBenito e749cd
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Dominick Grift 288845
##	Domain to not audit.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito e749cd
## </param>
Chris PeBenito e749cd
#
Chris PeBenito 1815ba
interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
Chris PeBenito e749cd
	gen_require(`
Chris PeBenito e749cd
		type httpd_sys_script_t;
Chris PeBenito e749cd
	')
Chris PeBenito e749cd
Chris PeBenito e749cd
	dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
Chris PeBenito e749cd
')
Chris PeBenito e749cd
Chris PeBenito e749cd
########################################
Chris PeBenito e749cd
## <summary>
Chris PeBenito e749cd
##	Execute all user scripts in the user
Chris PeBenito e749cd
##	script domain.
Chris PeBenito e749cd
## </summary>
Chris PeBenito e749cd
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Dominick Grift 288845
##	Domain allowed to transition.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito e749cd
## </param>
Chris PeBenito e749cd
#
Chris PeBenito e749cd
interface(`apache_domtrans_all_scripts',`
Chris PeBenito e749cd
	gen_require(`
Chris PeBenito e749cd
		attribute httpd_exec_scripts;
Chris PeBenito e749cd
	')
Chris PeBenito e749cd
Chris PeBenito e749cd
	typeattribute $1 httpd_exec_scripts;
Chris PeBenito e749cd
')
Chris PeBenito e749cd
Chris PeBenito e749cd
########################################
Chris PeBenito e749cd
## <summary>
Chris PeBenito e749cd
##	Execute all user scripts in the user
Chris PeBenito e749cd
##	script domain.  Add user script domains
Chris PeBenito e749cd
##	to the specified role.
Chris PeBenito e749cd
## </summary>
Chris PeBenito e749cd
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Dominick Grift 288845
##	Domain allowed to transition.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito e749cd
## </param>
Chris PeBenito e749cd
## <param name="role">
Chris PeBenito 885b83
##	<summary>
Dominick Grift 3c484f
##	Role allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito e749cd
## </param>
Dominick Grift 25e284
## <rolecap/>
Chris PeBenito e749cd
#
Chris PeBenito e749cd
interface(`apache_run_all_scripts',`
Chris PeBenito e749cd
	gen_require(`
Chris PeBenito e749cd
		attribute httpd_exec_scripts, httpd_script_domains;
Chris PeBenito e749cd
	')
Chris PeBenito e749cd
Chris PeBenito e749cd
	role $2 types httpd_script_domains;
Chris PeBenito e749cd
	apache_domtrans_all_scripts($1)
Chris PeBenito e749cd
')
Chris PeBenito e749cd
Chris PeBenito e749cd
########################################
Chris PeBenito e749cd
## <summary>
Chris PeBenito e749cd
##	Allow the specified domain to read
Chris PeBenito e749cd
##	apache squirrelmail data.
Chris PeBenito e749cd
## </summary>
Chris PeBenito e749cd
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito e749cd
##	Domain allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito e749cd
## </param>
Chris PeBenito e749cd
#
Chris PeBenito e749cd
interface(`apache_read_squirrelmail_data',`
Chris PeBenito e749cd
	gen_require(`
Chris PeBenito e749cd
		type httpd_squirrelmail_t;
Chris PeBenito e749cd
	')
Chris PeBenito e749cd
Dan Walsh 3eaa99
	read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
Chris PeBenito e749cd
')
Chris PeBenito e749cd
Chris PeBenito e749cd
########################################
Chris PeBenito e749cd
## <summary>
Chris PeBenito e749cd
##	Allow the specified domain to append
Chris PeBenito e749cd
##	apache squirrelmail data.
Chris PeBenito e749cd
## </summary>
Chris PeBenito e749cd
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito e749cd
##	Domain allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito e749cd
## </param>
Chris PeBenito e749cd
#
Chris PeBenito e749cd
interface(`apache_append_squirrelmail_data',`
Chris PeBenito e749cd
	gen_require(`
Chris PeBenito e749cd
		type httpd_squirrelmail_t;
Chris PeBenito e749cd
	')
Chris PeBenito e749cd
Chris PeBenito 82d277
	allow $1 httpd_squirrelmail_t:file append_file_perms;
Chris PeBenito e749cd
')
Chris PeBenito 9fd4b8
Chris PeBenito 9fd4b8
########################################
Chris PeBenito 9fd4b8
## <summary>
Chris PeBenito 99c902
##	Search apache system content.
Chris PeBenito 99c902
## </summary>
Chris PeBenito 99c902
## <param name="domain">
Chris PeBenito 99c902
##	<summary>
Chris PeBenito 99c902
##	Domain allowed access.
Chris PeBenito 99c902
##	</summary>
Chris PeBenito 99c902
## </param>
Chris PeBenito 99c902
#
Chris PeBenito 99c902
interface(`apache_search_sys_content',`
Chris PeBenito 99c902
	gen_require(`
Chris PeBenito 99c902
		type httpd_sys_content_t;
Chris PeBenito 99c902
	')
Chris PeBenito 99c902
Chris PeBenito 99c902
	allow $1 httpd_sys_content_t:dir search_dir_perms;
Chris PeBenito 99c902
')
Chris PeBenito 99c902
Chris PeBenito 99c902
########################################
Chris PeBenito 99c902
## <summary>
Chris PeBenito 99c902
##	Read apache system content.
Chris PeBenito 0f27d9
## </summary>
Chris PeBenito 0f27d9
## <param name="domain">
Chris PeBenito 0f27d9
##	<summary>
Dominick Grift 288845
##	Domain allowed access.
Chris PeBenito 0f27d9
##	</summary>
Chris PeBenito 0f27d9
## </param>
Chris PeBenito 0f27d9
#
Chris PeBenito 0f27d9
interface(`apache_read_sys_content',`
Chris PeBenito 0f27d9
	gen_require(`
Chris PeBenito 0f27d9
		type httpd_sys_content_t;
Chris PeBenito 0f27d9
	')
Chris PeBenito 0f27d9
Chris PeBenito c0868a
	allow $1 httpd_sys_content_t:dir list_dir_perms;
Chris PeBenito 0bfccd
	read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
Chris PeBenito 0bfccd
	read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
Chris PeBenito 0f27d9
')
Chris PeBenito 0f27d9
Chris PeBenito 0f27d9
########################################
Chris PeBenito 0f27d9
## <summary>
Chris PeBenito 371d11
##	Search apache system CGI directories.
Chris PeBenito 371d11
## </summary>
Chris PeBenito 371d11
## <param name="domain">
Chris PeBenito 371d11
##	<summary>
Chris PeBenito 371d11
##	Domain allowed access.
Chris PeBenito 371d11
##	</summary>
Chris PeBenito 371d11
## </param>
Chris PeBenito 371d11
#
Chris PeBenito 371d11
interface(`apache_search_sys_scripts',`
Chris PeBenito 371d11
	gen_require(`
Chris PeBenito 371d11
		type httpd_sys_content_t, httpd_sys_script_exec_t;
Chris PeBenito 371d11
	')
Chris PeBenito 371d11
Chris PeBenito 371d11
	search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
Chris PeBenito 371d11
')
Chris PeBenito 371d11
Chris PeBenito 371d11
########################################
Chris PeBenito 371d11
## <summary>
Chris PeBenito a334d2
##	Create, read, write, and delete all user web content.
Chris PeBenito a334d2
## </summary>
Chris PeBenito a334d2
## <param name="domain">
Chris PeBenito a334d2
##	<summary>
Chris PeBenito a334d2
##	Domain allowed access.
Chris PeBenito a334d2
##	</summary>
Chris PeBenito a334d2
## </param>
Chris PeBenito a334d2
## <rolecap/>
Chris PeBenito a334d2
#
Chris PeBenito a334d2
interface(`apache_manage_all_user_content',`
Chris PeBenito a334d2
	gen_require(`
Chris PeBenito a334d2
		attribute httpd_user_content_type, httpd_user_script_exec_type;
Chris PeBenito a334d2
	')
Chris PeBenito a334d2
Chris PeBenito 0bfccd
	manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
Chris PeBenito 0bfccd
	manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
Chris PeBenito 0bfccd
	manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
Chris PeBenito a334d2
Chris PeBenito 0bfccd
	manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
Chris PeBenito 0bfccd
	manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
Chris PeBenito 0bfccd
	manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
Chris PeBenito a334d2
')
Chris PeBenito a334d2
Chris PeBenito a334d2
########################################
Chris PeBenito a334d2
## <summary>
Chris PeBenito 9fd4b8
##	Search system script state directory.
Chris PeBenito 9fd4b8
## </summary>
Chris PeBenito 9fd4b8
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Dominick Grift 288845
##	Domain allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 9fd4b8
## </param>
Chris PeBenito 9fd4b8
#
Chris PeBenito 9fd4b8
interface(`apache_search_sys_script_state',`
Chris PeBenito 9fd4b8
	gen_require(`
Chris PeBenito 9fd4b8
		type httpd_sys_script_t;
Chris PeBenito 9fd4b8
	')
Chris PeBenito 9fd4b8
Chris PeBenito c0868a
	allow $1 httpd_sys_script_t:dir search_dir_perms;
Chris PeBenito 9fd4b8
')
Chris PeBenito 371d11
Chris PeBenito 371d11
########################################
Chris PeBenito 371d11
## <summary>
Chris PeBenito 60def6
##	Allow the specified domain to read
Chris PeBenito 60def6
##	apache tmp files.
Chris PeBenito 60def6
## </summary>
Chris PeBenito 60def6
## <param name="domain">
Chris PeBenito 60def6
##	<summary>
Chris PeBenito 60def6
##	Domain allowed access.
Chris PeBenito 60def6
##	</summary>
Chris PeBenito 60def6
## </param>
Chris PeBenito 60def6
#
Chris PeBenito 60def6
interface(`apache_read_tmp_files',`
Chris PeBenito 60def6
	gen_require(`
Dominick Grift 6d9925
		type httpd_tmp_t;
Chris PeBenito 60def6
	')
Chris PeBenito 60def6
Chris PeBenito 60def6
	files_search_tmp($1)
Chris PeBenito 60def6
	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
Chris PeBenito 60def6
')
Chris PeBenito 60def6
Dan Walsh 3eaa99
######################################
Dan Walsh 3eaa99
## <summary>
Dominick Grift 4b1644
##	Dontaudit attempts to read and write
Dominick Grift 4b1644
##	apache tmp files.
Dan Walsh 3eaa99
## </summary>
Dan Walsh 3eaa99
## <param name="domain">
Dominick Grift 4b1644
##	<summary>
Dominick Grift 4b1644
##	Domain to not audit.
Dominick Grift 4b1644
##	</summary>
Dan Walsh 3eaa99
## </param>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
interface(`apache_dontaudit_rw_tmp_files',`
Dominick Grift 4b1644
	gen_require(`
Dominick Grift 4b1644
		type httpd_tmp_t;
Dominick Grift 4b1644
	')
Dan Walsh 3eaa99
Dominick Grift 4b1644
	dontaudit $1 httpd_tmp_t:file { read write };
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Chris PeBenito 60def6
########################################
Chris PeBenito 60def6
## <summary>
Chris PeBenito 20fa70
##	Dontaudit attempts to write
Chris PeBenito 60def6
##	apache tmp files.
Chris PeBenito 60def6
## </summary>
Chris PeBenito 60def6
## <param name="domain">
Chris PeBenito 60def6
##	<summary>
Dominick Grift 288845
##	Domain to not audit.
Chris PeBenito 60def6
##	</summary>
Chris PeBenito 60def6
## </param>
Chris PeBenito 60def6
#
Chris PeBenito 60def6
interface(`apache_dontaudit_write_tmp_files',`
Chris PeBenito 60def6
	gen_require(`
Dominick Grift 6d9925
		type httpd_tmp_t;
Chris PeBenito 60def6
	')
Chris PeBenito 60def6
Dan Walsh 3eaa99
	dontaudit $1 httpd_tmp_t:file write;
Chris PeBenito 60def6
')
Chris PeBenito 60def6
Chris PeBenito 60def6
########################################
Chris PeBenito 60def6
## <summary>
Chris PeBenito 371d11
##	Execute CGI in the specified domain.
Chris PeBenito 371d11
## </summary>
Chris PeBenito 371d11
##	<desc>
Chris PeBenito 371d11
##	

Chris PeBenito 371d11
##	Execute CGI in the specified domain.
Chris PeBenito 371d11
##	

Chris PeBenito 371d11
##	

Chris PeBenito 371d11
##	This is an interface to support third party modules
Chris PeBenito 371d11
##	and its use is not allowed in upstream reference
Chris PeBenito 371d11
##	policy.
Chris PeBenito 371d11
##	

Chris PeBenito 371d11
##	</desc>
Chris PeBenito 371d11
## <param name="domain">
Chris PeBenito 371d11
##	<summary>
Chris PeBenito 371d11
##	Domain run the cgi script in.
Chris PeBenito 371d11
##	</summary>
Chris PeBenito 371d11
## </param>
Chris PeBenito 371d11
## <param name="entrypoint">
Chris PeBenito 371d11
##	<summary>
Chris PeBenito 371d11
##	Type of the executable to enter the cgi domain.
Chris PeBenito 371d11
##	</summary>
Chris PeBenito 371d11
## </param>
Chris PeBenito 371d11
#
Chris PeBenito 371d11
interface(`apache_cgi_domain',`
Chris PeBenito 371d11
	gen_require(`
Chris PeBenito 371d11
		type httpd_t, httpd_sys_script_exec_t;
Chris PeBenito 371d11
	')
Chris PeBenito 371d11
Chris PeBenito 371d11
	domtrans_pattern(httpd_t, $2, $1)
Chris PeBenito 371d11
	apache_search_sys_scripts($1)
Chris PeBenito 371d11
Chris PeBenito 371d11
	allow httpd_t $1:process signal;
Chris PeBenito 371d11
')
Chris PeBenito 4be3e1
Chris PeBenito 4be3e1
########################################
Chris PeBenito 4be3e1
## <summary>
Chris PeBenito 4be3e1
##	All of the rules required to administrate an apache environment
Chris PeBenito 4be3e1
## </summary>
Chris PeBenito 4be3e1
## <param name="prefix">
Chris PeBenito 4be3e1
##	<summary>
Chris PeBenito 4be3e1
##	Prefix of the domain. Example, user would be
Chris PeBenito 4be3e1
##	the prefix for the uder_t domain.
Chris PeBenito 4be3e1
##	</summary>
Chris PeBenito 4be3e1
## </param>
Chris PeBenito 4be3e1
## <param name="domain">
Chris PeBenito 4be3e1
##	<summary>
Chris PeBenito 4be3e1
##	Domain allowed access.
Chris PeBenito 4be3e1
##	</summary>
Chris PeBenito 4be3e1
## </param>
Chris PeBenito 4be3e1
## <param name="role">
Chris PeBenito 4be3e1
##	<summary>
Chris PeBenito 4be3e1
##	Role allowed access.
Chris PeBenito 4be3e1
##	</summary>
Chris PeBenito 4be3e1
## </param>
Chris PeBenito 4be3e1
## <rolecap/>
Chris PeBenito 4be3e1
#
Chris PeBenito 4be3e1
interface(`apache_admin',`
Chris PeBenito 4be3e1
	gen_require(`
Dominick Grift 6bb4d4
		attribute httpdcontent, httpd_script_exec_type;
Chris PeBenito 4be3e1
		type httpd_t, httpd_config_t, httpd_log_t;
Dominick Grift 6bb4d4
		type httpd_modules_t, httpd_lock_t, httpd_bool_t;
Dominick Grift 6bb4d4
		type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
Chris PeBenito 4be3e1
		type httpd_suexec_tmp_t, httpd_tmp_t;
Chris PeBenito 4be3e1
	')
Chris PeBenito 4be3e1
Dominick Grift 86f9f9
	allow $1 httpd_t:process { ptrace signal_perms };
Chris PeBenito 4be3e1
	ps_process_pattern($1, httpd_t)
Chris PeBenito 4be3e1
Chris PeBenito 83caba
	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
Chris PeBenito 83caba
	domain_system_change_exemption($1)
Chris PeBenito 83caba
	role_transition $2 httpd_initrc_exec_t system_r;
Chris PeBenito 83caba
	allow $2 system_r;
Chris PeBenito 83caba
Chris PeBenito 4be3e1
	apache_manage_all_content($1)
Chris PeBenito 4be3e1
	miscfiles_manage_public_files($1)
Chris PeBenito 4be3e1
Dominick Grift 61f406
	files_list_etc($1)
Chris PeBenito 4be3e1
	admin_pattern($1, httpd_config_t)
Chris PeBenito 4be3e1
Dominick Grift 61f406
	logging_list_logs($1)
Chris PeBenito 4be3e1
	admin_pattern($1, httpd_log_t)
Chris PeBenito 4be3e1
Chris PeBenito 4be3e1
	admin_pattern($1, httpd_modules_t)
Chris PeBenito 4be3e1
Chris PeBenito 4be3e1
	admin_pattern($1, httpd_lock_t)
Chris PeBenito 4be3e1
	files_lock_filetrans($1, httpd_lock_t, file)
Chris PeBenito 4be3e1
Chris PeBenito 4be3e1
	admin_pattern($1, httpd_var_run_t)
Chris PeBenito 4be3e1
	files_pid_filetrans($1, httpd_var_run_t, file)
Chris PeBenito 4be3e1
Chris PeBenito 4be3e1
	admin_pattern($1, httpdcontent)
Chris PeBenito 4be3e1
	admin_pattern($1, httpd_script_exec_type)
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	seutil_domtrans_setfiles($1)
Dan Walsh 3eaa99
Dominick Grift 61f406
	files_list_tmp($1)
Chris PeBenito 4be3e1
	admin_pattern($1, httpd_tmp_t)
Chris PeBenito 4be3e1
	admin_pattern($1, httpd_php_tmp_t)
Chris PeBenito 4be3e1
	admin_pattern($1, httpd_suexec_tmp_t)
Dan Walsh 3eaa99
Dominick Grift 4b1644
	ifdef(`TODO',`
Dominick Grift 4b1644
		apache_set_booleans($1, $2, $3, httpd_bool_t)
Dominick Grift 4b1644
		seutil_setsebool_role_template($1, $3, $2)
Dominick Grift 4b1644
		allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
Dominick Grift 4b1644
		allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
Dominick Grift 4b1644
	')
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
########################################
Dan Walsh 3eaa99
## <summary>
Dan Walsh 3eaa99
##	dontaudit read and write an leaked file descriptors
Dan Walsh 3eaa99
## </summary>
Dan Walsh 3eaa99
## <param name="domain">
Dan Walsh 3eaa99
##	<summary>
Dominick Grift 3c484f
##	Domain to not audit.
Dan Walsh 3eaa99
##	</summary>
Dan Walsh 3eaa99
## </param>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
interface(`apache_dontaudit_leaks',`
Dan Walsh 3eaa99
	gen_require(`
Dan Walsh 3eaa99
		type httpd_t;
Dan Walsh 3eaa99
	')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
Dominick Grift 4b1644
	dontaudit $1 httpd_t:tcp_socket { read write };
Dan Walsh 3eaa99
	dontaudit $1 httpd_t:unix_dgram_socket { read write };
Dan Walsh 3eaa99
	dontaudit $1 httpd_t:unix_stream_socket { read write };
Chris PeBenito 4be3e1
')