Chris PeBenito a996bd
## <summary>Apache web server</summary>
Chris PeBenito a996bd
Chris PeBenito b1421d
########################################
Chris PeBenito b1421d
## <summary>
Chris PeBenito b1421d
##	Create a set of derived types for apache
Chris PeBenito b1421d
##	web content.
Chris PeBenito b1421d
## </summary>
Chris PeBenito b1421d
## <param name="prefix">
Chris PeBenito b1421d
##	The prefix to be used for deriving type names.
Chris PeBenito b1421d
## </param>
Chris PeBenito b1421d
#
Chris PeBenito a996bd
template(`apache_content_template',`
Chris PeBenito b1421d
	# allow write access to public file transfer
Chris PeBenito b1421d
	# services files.
Chris PeBenito b1421d
	gen_tunable(allow_httpd_$1_script_anon_write,false)
Chris PeBenito b1421d
Chris PeBenito a996bd
	#This type is for webpages
Chris PeBenito a996bd
	type httpd_$1_content_t, httpdcontent; # customizable
Chris PeBenito a996bd
	files_type(httpd_$1_content_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	# This type is used for .htaccess files
Chris PeBenito a996bd
	type httpd_$1_htaccess_t; # customizable;
Chris PeBenito a996bd
	files_type(httpd_$1_htaccess_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	# Type that CGI scripts run as
Chris PeBenito a996bd
	type httpd_$1_script_t;
Chris PeBenito a996bd
	domain_type(httpd_$1_script_t)
Chris PeBenito a996bd
	role system_r types httpd_$1_script_t;
Chris PeBenito a996bd
Chris PeBenito a996bd
	# This type is used for executable scripts files
Chris PeBenito a996bd
	type httpd_$1_script_exec_t; # customizable;
Chris PeBenito a996bd
	domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	# The following three are the only areas that 
Chris PeBenito a996bd
	# scripts can read, read/write, or append to
Chris PeBenito a996bd
	type httpd_$1_script_ro_t, httpdcontent; # customizable
Chris PeBenito a996bd
	files_type(httpd_$1_script_ro_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	type httpd_$1_script_rw_t, httpdcontent; # customizable
Chris PeBenito a996bd
	files_type(httpd_$1_script_rw_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	type httpd_$1_script_ra_t, httpdcontent; # customizable
Chris PeBenito a996bd
	files_type(httpd_$1_script_ra_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	allow httpd_t httpd_$1_htaccess_t:file r_file_perms;
Chris PeBenito a996bd
Chris PeBenito a996bd
	domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
Chris PeBenito a996bd
	allow httpd_suexec_t httpd_$1_script_t:fd use;
Chris PeBenito a996bd
	allow httpd_$1_script_t httpd_suexec_t:fd use;
Chris PeBenito a996bd
	allow httpd_$1_script_t httpd_suexec_t:fifo_file rw_file_perms;
Chris PeBenito a996bd
	allow httpd_$1_script_t httpd_suexec_t:process sigchld;
Chris PeBenito a996bd
Chris PeBenito a996bd
	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
Chris PeBenito a996bd
Chris PeBenito a996bd
	allow httpd_$1_script_t self:fifo_file rw_file_perms;
Chris PeBenito 2e0a88
	allow httpd_$1_script_t self:unix_stream_socket connectto;
Chris PeBenito a996bd
Chris PeBenito a996bd
	allow httpd_$1_script_t httpd_t:fifo_file write;
Chris PeBenito a996bd
	# apache should set close-on-exec
Chris PeBenito a996bd
	dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
Chris PeBenito a996bd
Chris PeBenito a996bd
	# Allow the script process to search the cgi directory, and users directory
Chris PeBenito a996bd
	allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
Chris PeBenito a996bd
Chris PeBenito a996bd
	allow httpd_$1_script_t httpd_log_t:file { getattr append };
Chris PeBenito a996bd
	allow httpd_$1_script_t httpd_log_t:dir search;
Chris PeBenito a996bd
	logging_search_logs(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
Chris PeBenito a996bd
	allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
Chris PeBenito a996bd
Chris PeBenito a996bd
	allow httpd_$1_script_t httpd_$1_script_ra_t:dir ra_dir_perms;
Chris PeBenito a996bd
	allow httpd_$1_script_t httpd_$1_script_ra_t:file ra_file_perms;
Chris PeBenito a996bd
	allow httpd_$1_script_t httpd_$1_script_ra_t:lnk_file { getattr read };
Chris PeBenito a996bd
Chris PeBenito a996bd
	allow httpd_$1_script_t httpd_$1_script_ro_t:dir { getattr read search };
Chris PeBenito a996bd
	allow httpd_$1_script_t httpd_$1_script_ro_t:file { read getattr };
Chris PeBenito a996bd
	allow httpd_$1_script_t httpd_$1_script_ro_t:lnk_file { getattr read };
Chris PeBenito a996bd
Chris PeBenito a996bd
	allow httpd_$1_script_t httpd_$1_script_rw_t:dir create_dir_perms;
Chris PeBenito a996bd
	allow httpd_$1_script_t httpd_$1_script_rw_t:file create_file_perms;
Chris PeBenito a996bd
	allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
Chris PeBenito a996bd
	allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms;
Chris PeBenito a996bd
	allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
Chris PeBenito 0500e0
	files_create_tmp_files(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
Chris PeBenito a996bd
Chris PeBenito e749cd
	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
Chris PeBenito e749cd
	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
Chris PeBenito e749cd
Chris PeBenito a996bd
	dev_read_rand(httpd_$1_script_t)
Chris PeBenito a996bd
	dev_read_urand(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	corecmd_exec_bin(httpd_$1_script_t)
Chris PeBenito a996bd
	corecmd_exec_sbin(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	domain_exec_all_entry_files(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	files_exec_etc_files(httpd_$1_script_t)
Chris PeBenito a996bd
	files_read_etc_files(httpd_$1_script_t)
Chris PeBenito a996bd
	files_search_home(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	libs_use_ld_so(httpd_$1_script_t)
Chris PeBenito a996bd
	libs_use_shared_libs(httpd_$1_script_t)
Chris PeBenito a996bd
	libs_exec_ld_so(httpd_$1_script_t)
Chris PeBenito a996bd
	libs_exec_lib_files(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	miscfiles_read_fonts(httpd_$1_script_t)
Chris PeBenito b1421d
	miscfiles_read_public_files(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	seutil_dontaudit_search_config(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito e749cd
	tunable_policy(`httpd_enable_cgi && httpd_unified',`
Chris PeBenito e749cd
		allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
Chris PeBenito e749cd
		allow httpd_$1_script_t httpdcontent:file create_file_perms;
Chris PeBenito e749cd
		allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
Chris PeBenito e749cd
		can_exec(httpd_$1_script_t, httpdcontent)
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
Chris PeBenito b1421d
	tunable_policy(`allow_httpd_$1_script_anon_write',`
Chris PeBenito b1421d
		miscfiles_manage_public_files(httpd_$1_script_t)
Chris PeBenito b1421d
	') 
Chris PeBenito b1421d
Chris PeBenito a996bd
	# Allow the web server to run scripts and serve pages
Chris PeBenito a996bd
	tunable_policy(`httpd_builtin_scripting',`
Chris PeBenito a996bd
		allow httpd_t httpd_$1_script_rw_t:dir create_dir_perms;
Chris PeBenito a996bd
		allow httpd_t httpd_$1_script_rw_t:file create_file_perms;
Chris PeBenito a996bd
		allow httpd_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
Chris PeBenito a996bd
		allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;
Chris PeBenito a996bd
Chris PeBenito a996bd
		allow httpd_t httpd_$1_script_ra_t:dir ra_dir_perms;
Chris PeBenito a996bd
		allow httpd_t httpd_$1_script_ra_t:file ra_file_perms;
Chris PeBenito a996bd
		allow httpd_t httpd_$1_script_ra_t:lnk_file { getattr read };
Chris PeBenito a996bd
Chris PeBenito a996bd
		allow httpd_t httpd_$1_script_ro_t:dir r_dir_perms;
Chris PeBenito a996bd
		allow httpd_t httpd_$1_script_ro_t:file r_file_perms;
Chris PeBenito a996bd
		allow httpd_t httpd_$1_script_ro_t:lnk_file { getattr read };
Chris PeBenito a996bd
Chris PeBenito a996bd
		allow httpd_t httpd_$1_content_t:dir r_dir_perms;
Chris PeBenito a996bd
		allow httpd_t httpd_$1_content_t:file r_file_perms;
Chris PeBenito a996bd
		allow httpd_t httpd_$1_content_t:lnk_file { getattr read };
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
Chris PeBenito a996bd
	tunable_policy(`httpd_enable_cgi',`
Chris PeBenito e749cd
		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
Chris PeBenito e749cd
Chris PeBenito e749cd
		# privileged users run the script:
Chris PeBenito e749cd
		domain_auto_trans(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
Chris PeBenito e749cd
		allow httpd_exec_scripts httpd_$1_script_t:fd use;
Chris PeBenito e749cd
		allow httpd_$1_script_t httpd_exec_scripts:fd use;
Chris PeBenito e749cd
		allow httpd_$1_script_t httpd_exec_scripts:fifo_file rw_file_perms;
Chris PeBenito e749cd
		allow httpd_$1_script_t httpd_exec_scripts:process sigchld;
Chris PeBenito e749cd
Chris PeBenito e749cd
		# apache runs the script:
Chris PeBenito a996bd
		domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
Chris PeBenito a996bd
		allow httpd_t httpd_$1_script_t:fd use;
Chris PeBenito a996bd
		allow httpd_$1_script_t httpd_t:fd use;
Chris PeBenito a996bd
		allow httpd_$1_script_t httpd_t:fifo_file rw_file_perms;
Chris PeBenito a996bd
		allow httpd_$1_script_t httpd_t:process sigchld;
Chris PeBenito a996bd
Chris PeBenito a996bd
		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
Chris PeBenito a996bd
		allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
Chris PeBenito a996bd
		allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
Chris PeBenito a996bd
Chris PeBenito a996bd
		allow httpd_$1_script_t self:process signal_perms;
Chris PeBenito a996bd
		allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
Chris PeBenito a996bd
Chris PeBenito a996bd
		allow httpd_$1_script_t httpd_t:fd use;
Chris PeBenito a996bd
		allow httpd_$1_script_t httpd_t:process sigchld;
Chris PeBenito a996bd
Chris PeBenito a996bd
		kernel_read_system_state(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
		dev_read_urand(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
		fs_getattr_xattr_fs(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
		files_read_etc_runtime_files(httpd_$1_script_t)
Chris PeBenito a996bd
		files_read_usr_files(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
		libs_read_lib(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
		miscfiles_read_localization(httpd_$1_script_t)
Chris PeBenito 4614e8
Chris PeBenito 4614e8
		# added back to make sediff nicer
Chris PeBenito 4614e8
		dev_rw_null_dev(httpd_$1_script_t)
Chris PeBenito 4614e8
		term_use_controlling_term(httpd_$1_script_t)
Chris PeBenito 4614e8
		allow httpd_$1_script_t self:dir r_dir_perms;
Chris PeBenito 4614e8
		allow httpd_$1_script_t self:file r_file_perms;
Chris PeBenito 4614e8
		allow httpd_$1_script_t self:lnk_file read;
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
Chris PeBenito a996bd
	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
Chris PeBenito a996bd
		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
Chris PeBenito a996bd
		allow httpd_$1_script_t self:udp_socket create_socket_perms;
Chris PeBenito a996bd
		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
Chris PeBenito a996bd
		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
Chris PeBenito a996bd
		corenet_raw_sendrecv_all_if(httpd_$1_script_t)
Chris PeBenito a996bd
		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
Chris PeBenito a996bd
		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
Chris PeBenito a996bd
		corenet_raw_sendrecv_all_nodes(httpd_$1_script_t)
Chris PeBenito a996bd
		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
Chris PeBenito a996bd
		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
Chris PeBenito a996bd
		corenet_tcp_bind_all_nodes(httpd_$1_script_t)
Chris PeBenito a996bd
		corenet_udp_bind_all_nodes(httpd_$1_script_t)
Chris PeBenito a996bd
		corenet_tcp_connect_all_ports(httpd_$1_script_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
		sysnet_read_config(httpd_$1_script_t)
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
Chris PeBenito a996bd
	optional_policy(`mount.te',`
Chris PeBenito a996bd
		tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
Chris PeBenito a996bd
			mount_send_nfs_client_request(httpd_$1_script_t)
Chris PeBenito a996bd
		')
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
Chris PeBenito a996bd
Chris PeBenito a996bd
	optional_policy(`mta.te',`
Chris PeBenito a996bd
		mta_send_mail(httpd_$1_script_t)
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
Chris PeBenito a996bd
	optional_policy(`nis.te',`
Chris PeBenito a996bd
		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
Chris PeBenito a996bd
			nis_use_ypbind_uncond(httpd_$1_script_t)
Chris PeBenito a996bd
		')
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
Chris PeBenito a996bd
	optional_policy(`nscd.te',`
Chris PeBenito a996bd
		nscd_use_socket(httpd_$1_script_t)
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
')
Chris PeBenito a996bd
Chris PeBenito b1421d
#######################################
Chris PeBenito b1421d
## <summary>
Chris PeBenito b1421d
##	The per user domain template for the apache module.
Chris PeBenito b1421d
## </summary>
Chris PeBenito b1421d
## <desc>
Chris PeBenito b1421d
##	

Chris PeBenito b1421d
##	This template creates types used for web pages
Chris PeBenito b1421d
##	and web cgi to be used from the user home directory.
Chris PeBenito b1421d
##	

Chris PeBenito b1421d
##	

Chris PeBenito b1421d
##	This template is invoked automatically for each user, and
Chris PeBenito b1421d
##	generally does not need to be invoked directly
Chris PeBenito b1421d
##	by policy writers.
Chris PeBenito b1421d
##	

Chris PeBenito b1421d
## </desc>
Chris PeBenito b1421d
## <param name="userdomain_prefix">
Chris PeBenito b1421d
##	The prefix of the user domain (e.g., user
Chris PeBenito b1421d
##	is the prefix for user_t).
Chris PeBenito b1421d
## </param>
Chris PeBenito b1421d
## <param name="user_domain">
Chris PeBenito b1421d
##	The type of the user domain.
Chris PeBenito b1421d
## </param>
Chris PeBenito b1421d
## <param name="user_role">
Chris PeBenito b1421d
##	The role associated with the user domain.
Chris PeBenito b1421d
## </param>
Chris PeBenito b1421d
#
Chris PeBenito a996bd
template(`apache_per_userdomain_template', `
Chris PeBenito 0efe52
	gen_require(`
Chris PeBenito 0efe52
		attribute httpdcontent, httpd_script_domains;
Chris PeBenito 0efe52
		attribute httpd_exec_scripts;
Chris PeBenito 0efe52
		type httpd_t, httpd_suexec_t, httpd_log_t;
Chris PeBenito 0efe52
	')
Chris PeBenito a996bd
Chris PeBenito a996bd
	apache_content_template($1)
Chris PeBenito a996bd
Chris PeBenito e749cd
	typeattribute httpd_$1_content_t httpd_script_domains;
Chris PeBenito a996bd
#	typeattribute httpd_$1_content_t $1_file_type;
Chris PeBenito a996bd
Chris PeBenito a996bd
	role $3 types httpd_$1_script_t;
Chris PeBenito a996bd
Chris PeBenito a996bd
	allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom };
Chris PeBenito a996bd
Chris PeBenito a996bd
	allow $2 httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
Chris PeBenito a996bd
Chris PeBenito a996bd
	allow $2 httpd_$1_script_ra_t:lnk_file { create_lnk_perms relabelto relabelfrom };
Chris PeBenito a996bd
	allow $2 httpd_$1_script_ra_t:dir { create_dir_perms relabelto relabelfrom };
Chris PeBenito a996bd
	allow $2 httpd_$1_script_ra_t:file { create_file_perms relabelto relabelfrom };
Chris PeBenito a996bd
Chris PeBenito a996bd
	allow $2 httpd_$1_script_ro_t:lnk_file { create_lnk_perms relabelto relabelfrom };
Chris PeBenito a996bd
	allow $2 httpd_$1_script_ro_t:dir { create_dir_perms relabelto relabelfrom };
Chris PeBenito a996bd
	allow $2 httpd_$1_script_ro_t:file { create_file_perms relabelto relabelfrom };
Chris PeBenito a996bd
Chris PeBenito a996bd
	allow $2 httpd_$1_script_rw_t:lnk_file { create_lnk_perms relabelto relabelfrom };
Chris PeBenito a996bd
	allow $2 httpd_$1_script_rw_t:dir { create_dir_perms relabelto relabelfrom };
Chris PeBenito a996bd
	allow $2 httpd_$1_script_rw_t:file { create_file_perms relabelto relabelfrom };
Chris PeBenito a996bd
Chris PeBenito a996bd
	allow $2 httpd_$1_script_exec_t:dir create_dir_perms;
Chris PeBenito a996bd
	allow $2 httpd_$1_script_exec_t:file create_file_perms;
Chris PeBenito a996bd
	allow $2 httpd_$1_script_exec_t:lnk_file create_lnk_perms;
Chris PeBenito a996bd
Chris PeBenito a996bd
	allow $2 httpd_$1_script_exec_t:dir { create_dir_perms relabelto relabelfrom };
Chris PeBenito a996bd
	allow $2 httpd_$1_script_exec_t:file { create_file_perms relabelto relabelfrom };
Chris PeBenito a996bd
	allow $2 httpd_$1_script_exec_t:lnk_file { create_lnk_perms relabelto relabelfrom };
Chris PeBenito a996bd
Chris PeBenito e749cd
	tunable_policy(`httpd_enable_cgi',`
Chris PeBenito e749cd
		# If a user starts a script by hand it gets the proper context
Chris PeBenito e749cd
		domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
Chris PeBenito e749cd
		allow $2 httpd_$1_script_t:fd use;
Chris PeBenito e749cd
		allow httpd_$1_script_t $2:fd use;
Chris PeBenito e749cd
		allow httpd_$1_script_t $2:fifo_file rw_file_perms;
Chris PeBenito e749cd
		allow httpd_$1_script_t $2:process sigchld;
Chris PeBenito e749cd
	')
Chris PeBenito a996bd
Chris PeBenito e749cd
	tunable_policy(`httpd_enable_cgi && httpd_unified',`
Chris PeBenito e749cd
		allow httpd_$1_script_t httpdcontent:file entrypoint;
Chris PeBenito a996bd
Chris PeBenito e749cd
		domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
Chris PeBenito e749cd
		allow $2 httpd_$1_script_t:fd use;
Chris PeBenito e749cd
		allow httpd_$1_script_t $2:fd use;
Chris PeBenito e749cd
		allow httpd_$1_script_t $2:fifo_file rw_file_perms;
Chris PeBenito e749cd
		allow httpd_$1_script_t $2:process sigchld;
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
Chris PeBenito a996bd
	# allow accessing files/dirs below the users home dir
Chris PeBenito a996bd
	tunable_policy(`httpd_enable_homedirs',`
Chris PeBenito a996bd
		userdom_search_user_home($1,httpd_t)
Chris PeBenito a996bd
		userdom_search_user_home($1,httpd_suexec_t)
Chris PeBenito a996bd
		userdom_search_user_home($1,httpd_$1_script_t)
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
')
Chris PeBenito a996bd
Chris PeBenito a996bd
########################################
Chris PeBenito a996bd
## <summary>
Chris PeBenito b1421d
##	Transition to apache.
Chris PeBenito a996bd
## </summary>
Chris PeBenito a996bd
## <param name="domain">
Chris PeBenito a996bd
##	Domain allowed access.
Chris PeBenito a996bd
## </param>
Chris PeBenito a996bd
#
Chris PeBenito a996bd
interface(`apache_domtrans',`
Chris PeBenito a996bd
	gen_require(`
Chris PeBenito a996bd
		type httpd_t, httpd_exec_t;
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
Chris PeBenito a996bd
	corecmd_search_sbin($1)
Chris PeBenito a996bd
	domain_auto_trans($1,httpd_exec_t,httpd_t)
Chris PeBenito a996bd
Chris PeBenito a996bd
	allow $1 httpd_t:fd use;
Chris PeBenito a996bd
	allow httpd_t $1:fd use;
Chris PeBenito a996bd
	allow httpd_t $1:fifo_file rw_file_perms;
Chris PeBenito a996bd
	allow httpd_t $1:process sigchld;
Chris PeBenito a996bd
')
Chris PeBenito a996bd
Chris PeBenito a996bd
########################################
Chris PeBenito a996bd
## <summary>
Chris PeBenito a996bd
##	Send a null signal to apache.
Chris PeBenito a996bd
## </summary>
Chris PeBenito a996bd
## <param name="domain">
Chris PeBenito 799a0b
##	Domain allowed access.
Chris PeBenito a996bd
## </param>
Chris PeBenito a996bd
#
Chris PeBenito a996bd
interface(`apache_signull',`
Chris PeBenito a996bd
	gen_require(`
Chris PeBenito a996bd
		type httpd_t;
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
Chris PeBenito a996bd
	allow $1 httpd_t:process signull;
Chris PeBenito a996bd
')
Chris PeBenito a996bd
Chris PeBenito a996bd
########################################
Chris PeBenito a996bd
## <summary>
Chris PeBenito 799a0b
##	Send a SIGCHLD signal to apache.
Chris PeBenito 799a0b
## </summary>
Chris PeBenito 799a0b
## <param name="domain">
Chris PeBenito 799a0b
##	Domain allowed access.
Chris PeBenito 799a0b
## </param>
Chris PeBenito 799a0b
#
Chris PeBenito 799a0b
interface(`apache_sigchld',`
Chris PeBenito 799a0b
	gen_require(`
Chris PeBenito 799a0b
		type httpd_t;
Chris PeBenito 799a0b
	')
Chris PeBenito 799a0b
Chris PeBenito 799a0b
	allow $1 httpd_t:process sigchld;
Chris PeBenito 799a0b
')
Chris PeBenito 799a0b
Chris PeBenito 799a0b
########################################
Chris PeBenito 799a0b
## <summary>
Chris PeBenito 799a0b
##	Inherit and use file descriptors from Apache.
Chris PeBenito 799a0b
## </summary>
Chris PeBenito 799a0b
## <param name="domain">
Chris PeBenito 799a0b
##	Domain allowed access.
Chris PeBenito 799a0b
## </param>
Chris PeBenito 799a0b
#
Chris PeBenito 799a0b
interface(`apache_use_fd',`
Chris PeBenito 799a0b
	gen_require(`
Chris PeBenito 799a0b
		type httpd_t;
Chris PeBenito 799a0b
	')
Chris PeBenito 799a0b
Chris PeBenito 799a0b
	allow $1 httpd_t:fd use;
Chris PeBenito 799a0b
')
Chris PeBenito 799a0b
Chris PeBenito 799a0b
########################################
Chris PeBenito 799a0b
## <summary>
Chris PeBenito e749cd
##	Do not audit attempts to read and write Apache
Chris PeBenito e749cd
##	unix domain stream sockets.
Chris PeBenito e749cd
## </summary>
Chris PeBenito e749cd
## <param name="domain">
Chris PeBenito e749cd
##	Domain allowed access.
Chris PeBenito e749cd
## </param>
Chris PeBenito e749cd
#
Chris PeBenito e749cd
interface(`apache_dontaudit_rw_stream_socket',`
Chris PeBenito e749cd
	gen_require(`
Chris PeBenito e749cd
		type httpd_t;
Chris PeBenito e749cd
	')
Chris PeBenito e749cd
Chris PeBenito e749cd
	dontaudit $1 httpd_t:unix_stream_socket { read write };
Chris PeBenito e749cd
')
Chris PeBenito e749cd
Chris PeBenito e749cd
########################################
Chris PeBenito e749cd
## <summary>
Chris PeBenito e749cd
##	Do not audit attempts to read and write Apache
Chris PeBenito e749cd
##	TCP sockets.
Chris PeBenito e749cd
## </summary>
Chris PeBenito e749cd
## <param name="domain">
Chris PeBenito e749cd
##	Domain allowed access.
Chris PeBenito e749cd
## </param>
Chris PeBenito e749cd
#
Chris PeBenito e749cd
interface(`apache_dontaudit_rw_tcp_socket',`
Chris PeBenito e749cd
	gen_require(`
Chris PeBenito e749cd
		type httpd_t;
Chris PeBenito e749cd
	')
Chris PeBenito e749cd
Chris PeBenito e749cd
	dontaudit $1 httpd_t:tcp_socket { read write };
Chris PeBenito e749cd
')
Chris PeBenito e749cd
Chris PeBenito e749cd
########################################
Chris PeBenito e749cd
## <summary>
Chris PeBenito a996bd
##	Allow the specified domain to read
Chris PeBenito a996bd
##	apache configuration files.
Chris PeBenito a996bd
## </summary>
Chris PeBenito a996bd
## <param name="domain">
Chris PeBenito a996bd
##	Domain allowed access.
Chris PeBenito a996bd
## </param>
Chris PeBenito a996bd
#
Chris PeBenito a996bd
interface(`apache_read_config',`
Chris PeBenito a996bd
	gen_require(`
Chris PeBenito a996bd
		type httpd_config_t;
Chris PeBenito a996bd
	')
Chris PeBenito a996bd
Chris PeBenito a996bd
	files_search_etc($1)
Chris PeBenito a996bd
	allow $1 httpd_config_t:dir r_dir_perms;
Chris PeBenito a996bd
	allow $1 httpd_config_t:file r_file_perms;
Chris PeBenito a996bd
	allow $1 httpd_config_t:lnk_file { getattr read };
Chris PeBenito a996bd
')
Chris PeBenito 6e99a6
Chris PeBenito 6e99a6
########################################
Chris PeBenito 6e99a6
## <summary>
Chris PeBenito c2b18f
##	Execute the Apache helper program with
Chris PeBenito c2b18f
##	a domain transition.
Chris PeBenito 6e99a6
## </summary>
Chris PeBenito 6e99a6
## <param name="domain">
Chris PeBenito 6e99a6
##	Domain allowed access.
Chris PeBenito 6e99a6
## </param>
Chris PeBenito 6e99a6
#
Chris PeBenito c2b18f
interface(`apache_domtrans_helper',`
Chris PeBenito 6e99a6
	gen_require(`
Chris PeBenito c2b18f
		type httpd_helper_t, httpd_helper_exec_t;
Chris PeBenito 6e99a6
	')
Chris PeBenito 6e99a6
Chris PeBenito c2b18f
	corecmd_search_sbin($1)
Chris PeBenito c2b18f
	domain_auto_trans($1,httpd_helper_exec_t,httpd_helper_t)
Chris PeBenito c2b18f
Chris PeBenito c2b18f
	allow $1 httpd_helper_t:fd use;
Chris PeBenito c2b18f
	allow httpd_helper_t $1:fd use;
Chris PeBenito c2b18f
	allow httpd_helper_t $1:fifo_file rw_file_perms;
Chris PeBenito c2b18f
	allow httpd_helper_t $1:process sigchld;
Chris PeBenito c2b18f
')
Chris PeBenito c2b18f
Chris PeBenito c2b18f
########################################
Chris PeBenito c2b18f
## <summary>
Chris PeBenito c2b18f
##	Execute the Apache helper program with
Chris PeBenito c2b18f
##	a domain transition, and allow the
Chris PeBenito c2b18f
##	specified role the dmidecode domain.
Chris PeBenito c2b18f
## </summary>
Chris PeBenito c2b18f
## <param name="domain">
Chris PeBenito c2b18f
##	Domain allowed access.
Chris PeBenito c2b18f
## </param>
Chris PeBenito c2b18f
## <param name="role">
Chris PeBenito c2b18f
##	The role to be allowed the dmidecode domain.
Chris PeBenito c2b18f
## </param>
Chris PeBenito c2b18f
## <param name="terminal">
Chris PeBenito c2b18f
##	The type of the terminal allow the dmidecode domain to use.
Chris PeBenito c2b18f
## </param>
Chris PeBenito c2b18f
#
Chris PeBenito c2b18f
interface(`apache_run_helper',`
Chris PeBenito c2b18f
	gen_require(`
Chris PeBenito c2b18f
		type httpd_helper_t;
Chris PeBenito c2b18f
	')
Chris PeBenito c2b18f
Chris PeBenito c2b18f
	apache_domtrans_helper($1)
Chris PeBenito c2b18f
	role $2 types httpd_helper_t;
Chris PeBenito c2b18f
	allow httpd_helper_t $3:chr_file rw_term_perms;
Chris PeBenito 6e99a6
')
Chris PeBenito 799a0b
Chris PeBenito 799a0b
########################################
Chris PeBenito 799a0b
## <summary>
Chris PeBenito be4690
##	Allow the specified domain to read
Chris PeBenito be4690
##	apache log files.
Chris PeBenito be4690
## </summary>
Chris PeBenito be4690
## <param name="domain">
Chris PeBenito be4690
##	Domain allowed access.
Chris PeBenito be4690
## </param>
Chris PeBenito be4690
#
Chris PeBenito be4690
interface(`apache_read_log',`
Chris PeBenito be4690
	gen_require(`
Chris PeBenito be4690
		type httpd_log_t;
Chris PeBenito be4690
	')
Chris PeBenito be4690
Chris PeBenito be4690
	files_search_var($1)
Chris PeBenito be4690
	allow $1 httpd_log_t:dir r_dir_perms;
Chris PeBenito be4690
	allow $1 httpd_log_t:file r_file_perms;
Chris PeBenito be4690
	allow $1 httpd_log_t:lnk_file { getattr read };
Chris PeBenito be4690
')
Chris PeBenito be4690
Chris PeBenito be4690
########################################
Chris PeBenito be4690
## <summary>
Chris PeBenito 799a0b
##	Do not audit attempts to append to the
Chris PeBenito 799a0b
##	Apache logs.
Chris PeBenito 799a0b
## </summary>
Chris PeBenito 799a0b
## <param name="domain">
Chris PeBenito 799a0b
##	Domain to not audit.
Chris PeBenito 799a0b
## </param>
Chris PeBenito 799a0b
#
Chris PeBenito 799a0b
interface(`apache_dontaudit_append_log',`
Chris PeBenito 799a0b
	gen_require(`
Chris PeBenito 799a0b
		type httpd_log_t;
Chris PeBenito 799a0b
	')
Chris PeBenito 799a0b
Chris PeBenito e749cd
	dontaudit $1 httpd_log_t:file { getattr append };
Chris PeBenito 799a0b
')
Chris PeBenito c2b18f
Chris PeBenito c2b18f
########################################
Chris PeBenito c2b18f
## <summary>
Chris PeBenito c2b18f
##	Allow the specified domain to list
Chris PeBenito c2b18f
##	the contents of the apache modules
Chris PeBenito c2b18f
##	directory.
Chris PeBenito c2b18f
## </summary>
Chris PeBenito c2b18f
## <param name="domain">
Chris PeBenito c2b18f
##	Domain allowed access.
Chris PeBenito c2b18f
## </param>
Chris PeBenito c2b18f
#
Chris PeBenito c2b18f
interface(`apache_list_modules',`
Chris PeBenito c2b18f
	gen_require(`
Chris PeBenito c2b18f
		type httpd_modules_t;
Chris PeBenito c2b18f
	')
Chris PeBenito c2b18f
Chris PeBenito c2b18f
	allow $1 httpd_modules_t:dir r_dir_perms;
Chris PeBenito c2b18f
')
Chris PeBenito c2b18f
Chris PeBenito c2b18f
########################################
Chris PeBenito c2b18f
## <summary>
Chris PeBenito be4690
##	Allow the specified domain to manage
Chris PeBenito be4690
##	apache system content files.
Chris PeBenito be4690
## </summary>
Chris PeBenito be4690
## <param name="domain">
Chris PeBenito be4690
##	Domain allowed access.
Chris PeBenito be4690
## </param>
Chris PeBenito be4690
#
Chris PeBenito be4690
# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
Chris PeBenito be4690
interface(`apache_manage_sys_content',`
Chris PeBenito be4690
	gen_require(`
Chris PeBenito 77f6e2
		type httpd_sys_content_t;
Chris PeBenito be4690
	')
Chris PeBenito be4690
Chris PeBenito be4690
	files_search_var($1)
Chris PeBenito be4690
	allow $1 httpd_sys_content_t:dir create_dir_perms;
Chris PeBenito be4690
	allow $1 httpd_sys_content_t:file create_file_perms;
Chris PeBenito be4690
	allow $1 httpd_sys_content_t:lnk_file create_lnk_perms;
Chris PeBenito be4690
')
Chris PeBenito be4690
Chris PeBenito be4690
########################################
Chris PeBenito be4690
## <summary>
Chris PeBenito c2b18f
##	Execute all web scripts in the system
Chris PeBenito c2b18f
##	script domain.
Chris PeBenito c2b18f
## </summary>
Chris PeBenito c2b18f
## <param name="domain">
Chris PeBenito c2b18f
##	Domain allowed access.
Chris PeBenito c2b18f
## </param>
Chris PeBenito c2b18f
#
Chris PeBenito c2b18f
# cjp: this interface specifically added to allow
Chris PeBenito c2b18f
# sysadm_t to run scripts
Chris PeBenito c2b18f
interface(`apache_domtrans_sys_script',`
Chris PeBenito c2b18f
	gen_require(`
Chris PeBenito c2b18f
		attribute httpdcontent;
Chris PeBenito c2b18f
		type httpd_sys_script_t;
Chris PeBenito c2b18f
	')
Chris PeBenito c2b18f
Chris PeBenito c2b18f
	tunable_policy(`httpd_enable_cgi && httpd_unified',`
Chris PeBenito c2b18f
		domain_auto_trans($1, httpdcontent, httpd_sys_script_t)
Chris PeBenito c2b18f
Chris PeBenito c2b18f
		allow $1 httpd_sys_script_t:fd use;
Chris PeBenito c2b18f
		allow httpd_sys_script_t $1:fd use;
Chris PeBenito c2b18f
		allow httpd_sys_script_t $1:fifo_file rw_file_perms;
Chris PeBenito c2b18f
		allow httpd_sys_script_t $1:process sigchld;
Chris PeBenito c2b18f
	')
Chris PeBenito c2b18f
')
Chris PeBenito e749cd
Chris PeBenito e749cd
########################################
Chris PeBenito e749cd
## <summary>
Chris PeBenito e749cd
##	Do not audit attempts to read and write Apache
Chris PeBenito e749cd
##	system script unix domain stream sockets.
Chris PeBenito e749cd
## </summary>
Chris PeBenito e749cd
## <param name="domain">
Chris PeBenito e749cd
##	Domain allowed access.
Chris PeBenito e749cd
## </param>
Chris PeBenito e749cd
#
Chris PeBenito e749cd
interface(`apache_dontaudit_rw_sys_script_stream_socket',`
Chris PeBenito e749cd
	gen_require(`
Chris PeBenito e749cd
		type httpd_sys_script_t;
Chris PeBenito e749cd
	')
Chris PeBenito e749cd
Chris PeBenito e749cd
	dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
Chris PeBenito e749cd
')
Chris PeBenito e749cd
Chris PeBenito e749cd
########################################
Chris PeBenito e749cd
## <summary>
Chris PeBenito e749cd
##	Execute all user scripts in the user
Chris PeBenito e749cd
##	script domain.
Chris PeBenito e749cd
## </summary>
Chris PeBenito e749cd
## <param name="domain">
Chris PeBenito e749cd
##	Domain allowed access.
Chris PeBenito e749cd
## </param>
Chris PeBenito e749cd
#
Chris PeBenito e749cd
interface(`apache_domtrans_all_scripts',`
Chris PeBenito e749cd
	gen_require(`
Chris PeBenito e749cd
		attribute httpd_exec_scripts;
Chris PeBenito e749cd
	')
Chris PeBenito e749cd
Chris PeBenito e749cd
	typeattribute $1 httpd_exec_scripts;
Chris PeBenito e749cd
')
Chris PeBenito e749cd
Chris PeBenito e749cd
########################################
Chris PeBenito e749cd
## <summary>
Chris PeBenito e749cd
##	Execute all user scripts in the user
Chris PeBenito e749cd
##	script domain.  Add user script domains
Chris PeBenito e749cd
##	to the specified role.
Chris PeBenito e749cd
## </summary>
Chris PeBenito e749cd
## <param name="domain">
Chris PeBenito e749cd
##	Domain allowed access.
Chris PeBenito e749cd
## </param>
Chris PeBenito e749cd
## <param name="role">
Chris PeBenito e749cd
##	The role to be allowed the script domains.
Chris PeBenito e749cd
## </param>
Chris PeBenito e749cd
#
Chris PeBenito e749cd
# cjp: this is missing the terminal since scripts
Chris PeBenito e749cd
# do not output to the terminal
Chris PeBenito e749cd
interface(`apache_run_all_scripts',`
Chris PeBenito e749cd
	gen_require(`
Chris PeBenito e749cd
		attribute httpd_exec_scripts, httpd_script_domains;
Chris PeBenito e749cd
	')
Chris PeBenito e749cd
Chris PeBenito e749cd
	role $2 types httpd_script_domains;
Chris PeBenito e749cd
	apache_domtrans_all_scripts($1)
Chris PeBenito e749cd
')
Chris PeBenito e749cd
Chris PeBenito e749cd
########################################
Chris PeBenito e749cd
## <summary>
Chris PeBenito e749cd
##	Allow the specified domain to read
Chris PeBenito e749cd
##	apache squirrelmail data.
Chris PeBenito e749cd
## </summary>
Chris PeBenito e749cd
## <param name="domain">
Chris PeBenito e749cd
##	Domain allowed access.
Chris PeBenito e749cd
## </param>
Chris PeBenito e749cd
#
Chris PeBenito e749cd
interface(`apache_read_squirrelmail_data',`
Chris PeBenito e749cd
	gen_require(`
Chris PeBenito e749cd
		type httpd_squirrelmail_t;
Chris PeBenito e749cd
	')
Chris PeBenito e749cd
Chris PeBenito e749cd
	allow $1 httpd_squirrelmail_t:file { getattr read };
Chris PeBenito e749cd
')
Chris PeBenito e749cd
Chris PeBenito e749cd
########################################
Chris PeBenito e749cd
## <summary>
Chris PeBenito e749cd
##	Allow the specified domain to append
Chris PeBenito e749cd
##	apache squirrelmail data.
Chris PeBenito e749cd
## </summary>
Chris PeBenito e749cd
## <param name="domain">
Chris PeBenito e749cd
##	Domain allowed access.
Chris PeBenito e749cd
## </param>
Chris PeBenito e749cd
#
Chris PeBenito e749cd
interface(`apache_append_squirrelmail_data',`
Chris PeBenito e749cd
	gen_require(`
Chris PeBenito e749cd
		type httpd_squirrelmail_t;
Chris PeBenito e749cd
	')
Chris PeBenito e749cd
Chris PeBenito e749cd
	allow $1 httpd_squirrelmail_t:file { getattr append };
Chris PeBenito e749cd
')