## <summary>Apache web server</summary>
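########################################
## <summary>
##	Declare one Apache content set: the web content type, the
##	.htaccess type, the script executable type, the domain that
##	CGI scripts run in, and the three areas (read-only, read-write,
##	read-append) that those scripts may touch. Most script
##	privileges are gated by the httpd_enable_cgi, httpd_unified,
##	httpd_builtin_scripting and httpd_can_network_connect tunables.
## </summary>
## <param name="prefix">
##	The prefix of the content set (e.g., sys for httpd_sys_content_t).
## </param>
#
template(`apache_content_template',`

	########################################
	#
	# Declarations
	#

	# This type is for web pages
	type httpd_$1_content_t, httpdcontent; # customizable
	files_type(httpd_$1_content_t)

	# This type is used for .htaccess files
	type httpd_$1_htaccess_t; # customizable
	files_type(httpd_$1_htaccess_t)

	# Type that CGI scripts run as
	type httpd_$1_script_t;
	domain_type(httpd_$1_script_t)
	role system_r types httpd_$1_script_t;

	# This type is used for executable script files; it is the
	# entry point file of the script domain
	type httpd_$1_script_exec_t; # customizable
	domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)

	# The following three are the only areas that
	# scripts can read, read/write, or append to
	type httpd_$1_script_ro_t, httpdcontent; # customizable
	files_type(httpd_$1_script_ro_t)

	type httpd_$1_script_rw_t, httpdcontent; # customizable
	files_type(httpd_$1_script_rw_t)

	type httpd_$1_script_ra_t, httpdcontent; # customizable
	files_type(httpd_$1_script_ra_t)

	########################################
	#
	# Web server and suexec access to this content set
	#

	# .htaccess files are readable by the web server regardless of tunables
	allow httpd_t httpd_$1_htaccess_t:file r_file_perms;

	# suexec runs scripts in the script domain unconditionally; the usual
	# parent/child rules follow (inherited descriptors, pipes, SIGCHLD)
	domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
	allow httpd_suexec_t httpd_$1_script_t:fd use;
	allow httpd_$1_script_t httpd_suexec_t:fd use;
	allow httpd_$1_script_t httpd_suexec_t:fifo_file rw_file_perms;
	allow httpd_$1_script_t httpd_suexec_t:process sigchld;

	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };

	########################################
	#
	# Script domain local policy, unconditional part
	#

	allow httpd_$1_script_t self:fifo_file rw_file_perms;

	# write back to the web server over a pipe; the full rw set
	# is only granted under httpd_enable_cgi below
	allow httpd_$1_script_t httpd_t:fifo_file write;
	# apache should set close-on-exec
	dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };

	# Allow the script process to search the cgi directory, and users directory
	allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };

	# scripts may append to the web server logs, but not read or truncate them
	allow httpd_$1_script_t httpd_log_t:file { getattr append };
	allow httpd_$1_script_t httpd_log_t:dir search;
	logging_search_logs(httpd_$1_script_t)

	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
	allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };

	# read-append area
	allow httpd_$1_script_t httpd_$1_script_ra_t:dir ra_dir_perms;
	allow httpd_$1_script_t httpd_$1_script_ra_t:file ra_file_perms;
	allow httpd_$1_script_t httpd_$1_script_ra_t:lnk_file { getattr read };

	# read-only area
	allow httpd_$1_script_t httpd_$1_script_ro_t:dir { getattr read search };
	allow httpd_$1_script_t httpd_$1_script_ro_t:file { read getattr };
	allow httpd_$1_script_t httpd_$1_script_ro_t:lnk_file { getattr read };

	# read-write area; objects a script creates in tmp also get the
	# rw type (tmp file type transition)
	allow httpd_$1_script_t httpd_$1_script_rw_t:dir create_dir_perms;
	allow httpd_$1_script_t httpd_$1_script_rw_t:file create_file_perms;
	allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
	allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms;
	allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
	files_create_tmp_files(httpd_$1_script_t,httpd_$1_script_rw_t,{ file lnk_file sock_file fifo_file })

	dev_read_rand(httpd_$1_script_t)
	dev_read_urand(httpd_$1_script_t)

	# NOTE(review): the execute permissions below are unconditional,
	# i.e. not gated by httpd_enable_cgi like the httpd_t transition
	# and the network rules further down, and they cover every bin/sbin
	# program, every domain entry point file and executables in the
	# etc tree. Consider whether they belong under the tunable.
	corecmd_exec_bin(httpd_$1_script_t)
	corecmd_exec_sbin(httpd_$1_script_t)

	domain_exec_all_entry_files(httpd_$1_script_t)

	files_exec_etc_files(httpd_$1_script_t)
	files_read_etc_files(httpd_$1_script_t)
	files_search_home(httpd_$1_script_t)

	libs_use_ld_so(httpd_$1_script_t)
	libs_use_shared_libs(httpd_$1_script_t)
	libs_exec_ld_so(httpd_$1_script_t)
	libs_exec_lib_files(httpd_$1_script_t)

	miscfiles_read_fonts(httpd_$1_script_t)

	seutil_dontaudit_search_config(httpd_$1_script_t)

	########################################
	#
	# Tunable script domain policy
	#

	# httpd_unified collapses the content/ro/rw/ra/exec split: the script
	# domain may then write and execute every httpdcontent type (the
	# .htaccess type is not httpdcontent and stays excluded). The
	# targeted policy additionally honours httpd_disable_trans.
	ifdef(`targeted_policy',`
		tunable_policy(`httpd_enable_cgi && httpd_unified && ! httpd_disable_trans',`
			allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
			allow httpd_$1_script_t httpdcontent:file create_file_perms;
			allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
			can_exec(httpd_$1_script_t, httpdcontent)
		')
	',`
		tunable_policy(`httpd_enable_cgi && httpd_unified',`
			allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
			allow httpd_$1_script_t httpdcontent:file create_file_perms;
			allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
			can_exec(httpd_$1_script_t, httpdcontent)
		')
	')

	# Allow the web server to run scripts and serve pages: httpd_t itself
	# gets the script areas, for scripting that runs inside the server
	# process rather than in a transitioned CGI domain
	tunable_policy(`httpd_builtin_scripting',`
		allow httpd_t httpd_$1_script_rw_t:dir create_dir_perms;
		allow httpd_t httpd_$1_script_rw_t:file create_file_perms;
		allow httpd_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
		allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;

		allow httpd_t httpd_$1_script_ra_t:dir ra_dir_perms;
		allow httpd_t httpd_$1_script_ra_t:file ra_file_perms;
		allow httpd_t httpd_$1_script_ra_t:lnk_file { getattr read };

		allow httpd_t httpd_$1_script_ro_t:dir r_dir_perms;
		allow httpd_t httpd_$1_script_ro_t:file r_file_perms;
		allow httpd_t httpd_$1_script_ro_t:lnk_file { getattr read };

		allow httpd_t httpd_$1_content_t:dir r_dir_perms;
		allow httpd_t httpd_$1_content_t:file r_file_perms;
		allow httpd_t httpd_$1_content_t:lnk_file { getattr read };
	')

	# CGI: the web server executes script files in the script domain
	# and the two sides get the usual parent/child plumbing
	tunable_policy(`httpd_enable_cgi',`
		domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
		allow httpd_t httpd_$1_script_t:fd use;
		allow httpd_$1_script_t httpd_t:fd use;
		allow httpd_$1_script_t httpd_t:fifo_file rw_file_perms;
		allow httpd_$1_script_t httpd_t:process sigchld;

		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
		allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
		allow httpd_t httpd_$1_script_exec_t:file r_file_perms;

		allow httpd_$1_script_t self:process signal_perms;
		allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;

		kernel_read_system_state(httpd_$1_script_t)

		fs_getattr_xattr_fs(httpd_$1_script_t)

		files_read_etc_runtime_files(httpd_$1_script_t)
		files_read_usr_files(httpd_$1_script_t)

		libs_read_lib(httpd_$1_script_t)

		miscfiles_read_localization(httpd_$1_script_t)
	')

	# Script networking: every interface, node and port, including
	# outbound TCP connections to any port.
	# NOTE(review): the raw_sendrecv rules have no matching
	# self:rawip_socket rule in this template, so they are likely
	# inert unless raw socket creation is granted elsewhere.
	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
		allow httpd_$1_script_t self:udp_socket create_socket_perms;
		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
		corenet_raw_sendrecv_all_if(httpd_$1_script_t)
		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
		corenet_raw_sendrecv_all_nodes(httpd_$1_script_t)
		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
		corenet_tcp_bind_all_nodes(httpd_$1_script_t)
		corenet_udp_bind_all_nodes(httpd_$1_script_t)
		corenet_tcp_connect_all_ports(httpd_$1_script_t)

		sysnet_read_config(httpd_$1_script_t)
	')

	optional_policy(`mount.te',`
		tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
			mount_send_nfs_client_request(httpd_$1_script_t)
		')
	')

	# not gated by httpd_enable_cgi
	optional_policy(`mta.te',`
		mta_send_mail(httpd_$1_script_t)
	')

	optional_policy(`nis.te',`
		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
			nis_use_ypbind_uncond(httpd_$1_script_t)
		')
	')

	# not gated by httpd_enable_cgi
	optional_policy(`nscd.te',`
		nscd_use_socket(httpd_$1_script_t)
	')

	# Parked legacy rules: this block only expands if a TODO macro is
	# defined, which is presumably never the case in a normal build.
	ifdef(`TODO',`
	anonymous_domain(httpd_$1_script)

	#
	# If a user starts a script by hand it gets the proper context
	#
	ifdef(`targeted_policy', `', `
	if (httpd_enable_cgi) {
	domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
	}
	')
	role sysadm_r types httpd_$1_script_t;

	dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
	dontaudit httpd_$1_script_t sysctl_t:dir search;
	') dnl end TODO
')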
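########################################
## <summary>
##	The per user domain template for the Apache module: declares a
##	content set for the user (via apache_content_template), lets the
##	user domain create and relabel everything in it, and lets the
##	user domain run scripts in the script domain when
##	httpd_enable_cgi is on.
## </summary>
## <param name="userdomain_prefix">
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
## </param>
## <param name="user_domain">
##	The type of the user domain.
## </param>
## <param name="user_role">
##	The role associated with the user domain.
## </param>
#
template(`apache_per_userdomain_template', `

	apache_content_template($1)

	# typeattribute httpd_$1_content_t $1_file_type;

	role $3 types httpd_$1_script_t;

	########################################
	#
	# User domain management of the content set
	#

	# web content itself is only relabeled, not created, through this template
	allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom };

	allow $2 httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };

	allow $2 httpd_$1_script_ra_t:lnk_file { create_lnk_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_ra_t:dir { create_dir_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_ra_t:file { create_file_perms relabelto relabelfrom };

	allow $2 httpd_$1_script_ro_t:lnk_file { create_lnk_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_ro_t:dir { create_dir_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_ro_t:file { create_file_perms relabelto relabelfrom };

	allow $2 httpd_$1_script_rw_t:lnk_file { create_lnk_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_rw_t:dir { create_dir_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_rw_t:file { create_file_perms relabelto relabelfrom };

	# The user domain can create and relabel script executables, i.e. it
	# decides what runs in httpd_$1_script_t (the exec type is the entry
	# point declared by apache_content_template). The relabel rules here
	# are a superset of the plain create rules, so only one set is kept.
	allow $2 httpd_$1_script_exec_t:dir { create_dir_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_exec_t:file { create_file_perms relabelto relabelfrom };
	allow $2 httpd_$1_script_exec_t:lnk_file { create_lnk_perms relabelto relabelfrom };

	########################################
	#
	# Running scripts from the user domain
	#

	ifdef(`targeted_policy',`
		tunable_policy(`httpd_enable_cgi && httpd_unified && ! httpd_disable_trans',`
			domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
			allow $2 httpd_$1_script_t:fd use;
			allow httpd_$1_script_t $2:fd use;
			allow httpd_$1_script_t $2:fifo_file rw_file_perms;
			allow httpd_$1_script_t $2:process sigchld;
		')

		tunable_policy(`httpd_enable_cgi && ! httpd_disable_trans',`
			domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
			allow $2 httpd_$1_script_t:fd use;
			allow httpd_$1_script_t $2:fd use;
			allow httpd_$1_script_t $2:fifo_file rw_file_perms;
			allow httpd_$1_script_t $2:process sigchld;
		')
	',`
		tunable_policy(`httpd_enable_cgi',`
			# If a user starts a script by hand it gets the proper context
			domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
			allow $2 httpd_$1_script_t:fd use;
			allow httpd_$1_script_t $2:fd use;
			allow httpd_$1_script_t $2:fifo_file rw_file_perms;
			allow httpd_$1_script_t $2:process sigchld;
		')

		tunable_policy(`httpd_enable_cgi && httpd_unified',`
			# the transition source is the user domain passed as the second
			# argument, matching the fd/fifo/sigchld rules that follow and
			# the targeted branch above (not a name derived from the prefix)
			domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
			allow $2 httpd_$1_script_t:fd use;
			allow httpd_$1_script_t $2:fd use;
			allow httpd_$1_script_t $2:fifo_file rw_file_perms;
			allow httpd_$1_script_t $2:process sigchld;
		')
	')

	# allow accessing files/dirs below the users home dir
	tunable_policy(`httpd_enable_homedirs',`
		userdom_search_user_home($1,httpd_t)
		userdom_search_user_home($1,httpd_suexec_t)
		userdom_search_user_home($1,httpd_$1_script_t)
	')
')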
########################################
## <summary>
##	Execute the Apache web server binary with
##	a domain transition to httpd_t.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`apache_domtrans',`
	gen_require(`
		type httpd_t, httpd_exec_t;
		class process sigchld;
		class fd use;
		class fifo_file rw_file_perms;
	')

	# the caller has to reach the binary first; httpd_exec_t is
	# the entry point that triggers the transition
	corecmd_search_sbin($1)
	domain_auto_trans($1,httpd_exec_t,httpd_t)

	# parent/child plumbing after the transition: the server reports
	# back with SIGCHLD, and each side may use descriptors and pipes
	# inherited from the other
	allow httpd_t $1:process sigchld;
	allow httpd_t $1:fifo_file rw_file_perms;
	allow httpd_t $1:fd use;
	allow $1 httpd_t:fd use;
')
########################################
## <summary>
##	Send a null signal to apache, i.e. check
##	whether the server process exists without
##	delivering a real signal.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`apache_signull',`
	gen_require(`
		type httpd_t;
	')

	# signull only covers signal 0 (existence check); no other
	# signal permission is granted by this interface
	allow $1 httpd_t:process signull;
')
########################################
## <summary>
##	Allow the specified domain to read the
##	apache configuration files (read-only:
##	no write, create or relabel access).
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`apache_read_config',`
	gen_require(`
		type httpd_config_t;
	')

	# symlink follow, file read and directory listing on the config type
	allow $1 httpd_config_t:lnk_file { getattr read };
	allow $1 httpd_config_t:file r_file_perms;
	allow $1 httpd_config_t:dir r_dir_perms;

	# the config lives below etc, so the caller needs to traverse it
	files_search_etc($1)
')
########################################
## <summary>
##	Allow the specified domain to list
##	the contents of the apache modules
##	directory. Only the directory is
##	covered; the module files themselves
##	are not readable through this interface.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`apache_list_modules',`
	gen_require(`
		type httpd_modules_t;
	')

	# directory listing only (no file class rule)
	allow $1 httpd_modules_t:dir r_dir_perms;
')