## <summary>Apache web server</summary>
## <summary>
##	Create a set of derived types for apache
##	web content.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving type names.
##	</summary>
## </param>
		attribute httpdcontent;
		attribute httpd_exec_scripts;
		attribute httpd_script_exec_type;
		type httpd_t, httpd_suexec_t, httpd_log_t;
	# allow write access to public file transfer
	# services files.
	#This type is for webpages
	type httpd_$1_content_t, httpdcontent; # customizable
	# This type is used for .htaccess files
	type httpd_$1_htaccess_t; # customizable;
	# Type that CGI scripts run as
	type httpd_$1_script_t;
	role system_r types httpd_$1_script_t;
	# This type is used for executable scripts files
	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
	# The following three are the only areas that 
	# scripts can read, read/write, or append to
	type httpd_$1_script_ro_t, httpdcontent; # customizable
	type httpd_$1_script_rw_t, httpdcontent; # customizable
	type httpd_$1_script_ra_t, httpdcontent; # customizable
	allow httpd_t httpd_$1_htaccess_t:file r_file_perms;
	domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
	allow httpd_suexec_t httpd_$1_script_t:fd use;
	allow httpd_$1_script_t httpd_suexec_t:fd use;
	allow httpd_$1_script_t httpd_suexec_t:fifo_file rw_file_perms;
	allow httpd_$1_script_t httpd_suexec_t:process sigchld;
	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
	allow httpd_$1_script_t self:fifo_file rw_file_perms;
	allow httpd_$1_script_t self:unix_stream_socket connectto;
	allow httpd_$1_script_t httpd_t:fifo_file write;
	# apache should set close-on-exec
	dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
	# Allow the script process to search the cgi directory, and users directory
	allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
	allow httpd_$1_script_t httpd_log_t:file { getattr append };
	allow httpd_$1_script_t httpd_log_t:dir search;
	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
	allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
	allow httpd_$1_script_t httpd_$1_script_ra_t:dir ra_dir_perms;
	allow httpd_$1_script_t httpd_$1_script_ra_t:file ra_file_perms;
	allow httpd_$1_script_t httpd_$1_script_ra_t:lnk_file { getattr read };
	allow httpd_$1_script_t httpd_$1_script_ro_t:dir { getattr read search };
	allow httpd_$1_script_t httpd_$1_script_ro_t:file { read getattr };
	allow httpd_$1_script_t httpd_$1_script_ro_t:lnk_file { getattr read };
	allow httpd_$1_script_t httpd_$1_script_rw_t:dir create_dir_perms;
	allow httpd_$1_script_t httpd_$1_script_rw_t:file create_file_perms;
	allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
	allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms;
	allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
	files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
	tunable_policy(`httpd_enable_cgi && httpd_unified',`
		allow httpd_$1_script_t httpdcontent:file entrypoint;
		allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
		allow httpd_$1_script_t httpdcontent:file create_file_perms;
		allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
		can_exec(httpd_$1_script_t, httpdcontent)
	# Allow the web server to run scripts and serve pages
		allow httpd_t httpd_$1_script_rw_t:dir create_dir_perms;
		allow httpd_t httpd_$1_script_rw_t:file create_file_perms;
		allow httpd_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
		allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;
		allow httpd_t httpd_$1_script_ra_t:dir ra_dir_perms;
		allow httpd_t httpd_$1_script_ra_t:file ra_file_perms;
		allow httpd_t httpd_$1_script_ra_t:lnk_file { getattr read };
		allow httpd_t httpd_$1_script_ro_t:dir r_dir_perms;
		allow httpd_t httpd_$1_script_ro_t:file r_file_perms;
		allow httpd_t httpd_$1_script_ro_t:lnk_file { getattr read };
		allow httpd_t httpd_$1_content_t:dir r_dir_perms;
		allow httpd_t httpd_$1_content_t:file r_file_perms;
		allow httpd_t httpd_$1_content_t:lnk_file { getattr read };
		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
		# privileged users run the script:
		domain_auto_trans(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
		allow httpd_exec_scripts httpd_$1_script_t:fd use;
		allow httpd_$1_script_t httpd_exec_scripts:fd use;
		allow httpd_$1_script_t httpd_exec_scripts:fifo_file rw_file_perms;
		allow httpd_$1_script_t httpd_exec_scripts:process sigchld;
		# apache runs the script:
		domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
		allow httpd_t httpd_$1_script_t:fd use;
		allow httpd_$1_script_t httpd_t:fd use;
		allow httpd_$1_script_t httpd_t:fifo_file rw_file_perms;
		allow httpd_$1_script_t httpd_t:process sigchld;
		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
		allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
		allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
		allow httpd_$1_script_t self:process signal_perms;
		allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
		allow httpd_$1_script_t httpd_t:fd use;
		allow httpd_$1_script_t httpd_t:process sigchld;
	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
		allow httpd_$1_script_t self:udp_socket create_socket_perms;
	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
		allow httpd_$1_script_t self:udp_socket create_socket_perms;
		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
## <summary>
##	The per user domain template for the apache module.
## </summary>
## <desc>

##	This template creates types used for web pages
##	and web cgi to be used from the user home directory.


##	This template is invoked automatically for each user, and
##	generally does not need to be invoked directly
##	by policy writers.

## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
template(`apache_per_userdomain_template', `
		attribute httpdcontent, httpd_script_domains;
		attribute httpd_exec_scripts;
		type httpd_t, httpd_suexec_t, httpd_log_t;
	typeattribute httpd_$1_content_t httpd_script_domains;
	role $3 types httpd_$1_script_t;
	allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom };
	allow $2 httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_ra_t:lnk_file { create_lnk_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_ra_t:dir { create_dir_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_ra_t:file { create_file_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_ro_t:lnk_file { create_lnk_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_ro_t:dir { create_dir_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_ro_t:file { create_file_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_rw_t:lnk_file { create_lnk_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_rw_t:dir { create_dir_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_rw_t:file { create_file_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_exec_t:dir create_dir_perms;
	allow $2 httpd_$1_script_exec_t:file create_file_perms;
	allow $2 httpd_$1_script_exec_t:lnk_file create_lnk_perms;
	allow $2 httpd_$1_script_exec_t:dir { create_dir_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_exec_t:file { create_file_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_exec_t:lnk_file { create_lnk_perms relabelto relabelfrom };
		# If a user starts a script by hand it gets the proper context
		domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
		allow $2 httpd_$1_script_t:fd use;
		allow httpd_$1_script_t $2:fd use;
		allow httpd_$1_script_t $2:fifo_file rw_file_perms;
		allow httpd_$1_script_t $2:process sigchld;
	tunable_policy(`httpd_enable_cgi && httpd_unified',`
		allow httpd_$1_script_t httpdcontent:file entrypoint;
		domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
		allow $2 httpd_$1_script_t:fd use;
		allow httpd_$1_script_t $2:fd use;
		allow httpd_$1_script_t $2:fifo_file rw_file_perms;
		allow httpd_$1_script_t $2:process sigchld;
	# allow accessing files/dirs below the users home dir
## <summary>
##	Read httpd user scripts executables.
## </summary>
## <param name="domain_prefix">
##	<summary>
##	Prefix of the domain. Example, user would be
##	the prefix for the user_t domain.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_$1_script_exec_t;
	allow $2 httpd_$1_script_exec_t:dir r_dir_perms;
	allow $2 httpd_$1_script_exec_t:file r_file_perms;
	allow $2 httpd_$1_script_exec_t:lnk_file { getattr read };
## <summary>
##	Read user web content.
## </summary>
## <param name="domain_prefix">
##	<summary>
##	Prefix of the domain. Example, user would be
##	the prefix for the user_t domain.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_$1_content_t;
	allow $2 httpd_$1_content_t:dir r_dir_perms;
	allow $2 httpd_$1_content_t:file r_file_perms;
	allow $2 httpd_$1_content_t:lnk_file { getattr read };
## <summary>
##	Transition to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_t, httpd_exec_t;
	allow $1 httpd_t:fd use;
	allow httpd_t $1:fd use;
	allow httpd_t $1:fifo_file rw_file_perms;
	allow httpd_t $1:process sigchld;
## <summary>
##	Send a null signal to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_t;
	allow $1 httpd_t:process signull;
## <summary>
##	Send a SIGCHLD signal to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_t;
	allow $1 httpd_t:process sigchld;
## <summary>
##	Inherit and use file descriptors from Apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_t;
	allow $1 httpd_t:fd use;
## <summary>
##	Do not audit attempts to read and write Apache
##	unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_t;
	dontaudit $1 httpd_t:unix_stream_socket { read write };
## <summary>
##	Do not audit attempts to read and write Apache
##	TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_t;
	dontaudit $1 httpd_t:tcp_socket { read write };
## <summary>
##	Create, read, write, and delete all web content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		attribute httpdcontent, httpd_script_exec_type;
	allow $1 httpdcontent:dir manage_dir_perms;
	allow $1 httpdcontent:file manage_file_perms;
	allow $1 httpdcontent:lnk_file create_lnk_perms;
	allow $1 httpd_script_exec_type:dir manage_dir_perms;
	allow $1 httpd_script_exec_type:file manage_file_perms;
	allow $1 httpd_script_exec_type:lnk_file create_lnk_perms;
## <summary>
##	Allow the specified domain to read
##	and write Apache cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_cache_t;
	allow $1 httpd_cache_t:file rw_file_perms;
## <summary>
##	Allow the specified domain to read
##	apache configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_config_t;
	allow $1 httpd_config_t:dir r_dir_perms;
	allow $1 httpd_config_t:file r_file_perms;
	allow $1 httpd_config_t:lnk_file { getattr read };
## <summary>
##	Allow the specified domain to manage
##	apache configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_config_t;
	allow $1 httpd_config_t:dir manage_dir_perms;
	allow $1 httpd_config_t:file manage_file_perms;
	allow $1 httpd_config_t:lnk_file { getattr read };
## <summary>
##	Execute the Apache helper program with
##	a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_helper_t, httpd_helper_exec_t;
	allow $1 httpd_helper_t:fd use;
	allow httpd_helper_t $1:fd use;
	allow httpd_helper_t $1:fifo_file rw_file_perms;
	allow httpd_helper_t $1:process sigchld;
## <summary>
##	Execute the Apache helper program with
##	a domain transition, and allow the
##	specified role the dmidecode domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the dmidecode domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal the dmidecode domain is allowed to use.
##	</summary>
## </param>
		type httpd_helper_t;
	role $2 types httpd_helper_t;
	allow httpd_helper_t $3:chr_file rw_term_perms;
## <summary>
##	Allow the specified domain to read
##	apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_log_t;
	allow $1 httpd_log_t:dir r_dir_perms;
	allow $1 httpd_log_t:file r_file_perms;
	allow $1 httpd_log_t:lnk_file { getattr read };
## <summary>
##	Allow the specified domain to append
##	to apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_log_t;
	allow $1 httpd_log_t:dir r_dir_perms;
	allow $1 httpd_log_t:file append;
## <summary>
##	Do not audit attempts to append to the
##	Apache logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
		type httpd_log_t;
	dontaudit $1 httpd_log_t:file { getattr append };
## <summary>
##	Allow the specified domain to manage
##	apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_log_t;
	allow $1 httpd_log_t:dir manage_dir_perms;
	allow $1 httpd_log_t:file manage_file_perms;
	allow $1 httpd_log_t:lnk_file { getattr read };
## <summary>
##	Do not audit attempts to search Apache
##	module directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
		type httpd_modules_t;
	allow $1 httpd_modules_t:dir r_dir_perms;
## <summary>
##	Allow the specified domain to list
##	the contents of the apache modules
##	directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_modules_t;
	allow $1 httpd_modules_t:dir r_dir_perms;
## <summary>
##	Allow the specified domain to execute
##	apache modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_modules_t;
	allow $1 httpd_modules_t:dir r_dir_perms;
	allow $1 httpd_modules_t:lnk_file r_file_perms;
## <summary>
##	Execute a domain transition to run httpd_rotatelogs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
	allow httpd_rotatelogs_t $1:fd use;
	allow httpd_rotatelogs_t $1:fifo_file rw_file_perms;
	allow httpd_rotatelogs_t $1:process sigchld;
## <summary>
##	Allow the specified domain to manage
##	apache system content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
		type httpd_sys_content_t;
	allow $1 httpd_sys_content_t:dir create_dir_perms;
	allow $1 httpd_sys_content_t:file create_file_perms;
	allow $1 httpd_sys_content_t:lnk_file create_lnk_perms;
## <summary>
##	Execute all web scripts in the system
##	script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# cjp: this interface specifically added to allow
# sysadm_t to run scripts
		attribute httpdcontent;
		type httpd_sys_script_t;
	tunable_policy(`httpd_enable_cgi && httpd_unified',`
		domain_auto_trans($1, httpdcontent, httpd_sys_script_t)
		allow $1 httpd_sys_script_t:fd use;
		allow httpd_sys_script_t $1:fd use;
		allow httpd_sys_script_t $1:fifo_file rw_file_perms;
		allow httpd_sys_script_t $1:process sigchld;
## <summary>
##	Do not audit attempts to read and write Apache
##	system script unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
		type httpd_sys_script_t;
	dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
## <summary>
##	Execute all user scripts in the user
##	script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		attribute httpd_exec_scripts;
	typeattribute $1 httpd_exec_scripts;
## <summary>
##	Execute all user scripts in the user
##	script domain.  Add user script domains
##	to the specified role.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the script domains.
##	</summary>
## </param>
# cjp: this is missing the terminal since scripts
# do not output to the terminal
		attribute httpd_exec_scripts, httpd_script_domains;
	role $2 types httpd_script_domains;
## <summary>
##	Allow the specified domain to read
##	apache squirrelmail data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_squirrelmail_t;
	allow $1 httpd_squirrelmail_t:file { getattr read };
## <summary>
##	Allow the specified domain to append
##	apache squirrelmail data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_squirrelmail_t;
	allow $1 httpd_squirrelmail_t:file { getattr append };
## <summary>
##	Search apache system content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_sys_content_t;
	allow $1 httpd_sys_content_t:dir search_dir_perms;
## <summary>
##	Read apache system content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_sys_content_t;
	allow $1 httpd_sys_content_t:dir r_dir_perms;
	allow $1 httpd_sys_content_t:file { getattr read };
	allow $1 httpd_sys_content_t:lnk_file { getattr read };
## <summary>
##	Search system script state directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
		type httpd_sys_script_t;
	allow $1 httpd_sys_script_t:dir search;