define(`apache_domain', `

#This type is for webpages

#

type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable;

# This type is used for .htaccess files

#

type httpd_$1_htaccess_t, file_type, sysadmfile, customizable;

allow httpd_t httpd_$1_htaccess_t: file r_file_perms;

# This type is used for executable scripts files

#

type httpd_$1_script_exec_t, file_type, sysadmfile, customizable;

# Type that CGI scripts run as

type httpd_$1_script_t, domain, privmail, nscd_client_domain;

role system_r types httpd_$1_script_t;

uses_shlib(httpd_$1_script_t)

if (httpd_enable_cgi) {

domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)

allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };

allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;

allow httpd_t httpd_$1_script_exec_t:file r_file_perms;

allow httpd_$1_script_t httpd_t:fd use;

allow httpd_$1_script_t httpd_t:process sigchld;

allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl };

allow httpd_$1_script_t usr_t:lnk_file { getattr read };

allow httpd_$1_script_t self:process { fork signal_perms };

allow httpd_$1_script_t devtty_t:chr_file { getattr read write };

allow httpd_$1_script_t urandom_device_t:chr_file { getattr read };

allow httpd_$1_script_t etc_runtime_t:file { getattr read };

read_locale(httpd_$1_script_t)

allow httpd_$1_script_t fs_t:filesystem getattr;

allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;

allow httpd_$1_script_t { self proc_t }:file r_file_perms;

allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;

allow httpd_$1_script_t { self proc_t }:lnk_file read;

allow httpd_$1_script_t device_t:dir { getattr search };

allow httpd_$1_script_t null_device_t:chr_file rw_file_perms;

}

if (httpd_enable_cgi && httpd_can_network_connect) {

can_network(httpd_$1_script_t)

allow httpd_$1_script_t port_type:tcp_socket name_connect;

}

ifdef(`ypbind.te', `

if (httpd_enable_cgi && allow_ypbind) {

uncond_can_ypbind(httpd_$1_script_t)

}

')

# The following are the only areas that 

# scripts can read, read/write, or append to

#

type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile, customizable;

type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;

type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;

file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)

#########################################################

# Permissions for running child processes and scripts

##########################################################

allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };

domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)

allow httpd_$1_script_t httpd_t:fifo_file write;

allow httpd_$1_script_t self:fifo_file rw_file_perms;

allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms;

###########################################################################

# Allow the script interpreters to run the scripts.  So

# the perl executable will be able to run a perl script

#########################################################################

can_exec_any(httpd_$1_script_t)

allow httpd_$1_script_t etc_t:file { getattr read };

dontaudit httpd_$1_script_t selinux_config_t:dir search;

############################################################################

# Allow the script process to search the cgi directory, and users directory

##############################################################################

allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };

can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)

allow httpd_$1_script_t home_root_t:dir { getattr search };

allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };

#############################################################################

# Allow the scripts to read, read/write, append to the specified directories

# or files

############################################################################

read_fonts(httpd_$1_script_t)

r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)

create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)

allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file rw_file_perms;

ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)

anonymous_domain(httpd_$1_script)

if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {

create_dir_file(httpd_$1_script_t, httpdcontent)

can_exec(httpd_$1_script_t, httpdcontent)

}

#

# If a user starts a script by hand it gets the proper context

#

ifdef(`targeted_policy', `', `

if (httpd_enable_cgi) {

domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)

}

')

role sysadm_r types httpd_$1_script_t;

dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;

dontaudit httpd_$1_script_t sysctl_t:dir search;

############################################

# Allow scripts to append to http logs

#########################################

allow httpd_$1_script_t { var_t var_log_t httpd_log_t }:dir  search;

allow httpd_$1_script_t httpd_log_t:file { getattr append };

# apache should set close-on-exec

dontaudit  httpd_$1_script_t httpd_t:unix_stream_socket { read write };

################################################################

# Allow the web server to run scripts and serve pages

##############################################################

if (httpd_builtin_scripting) {

r_dir_file(httpd_t, httpd_$1_script_ro_t)

create_dir_file(httpd_t, httpd_$1_script_rw_t)

allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;

ra_dir_file(httpd_t, httpd_$1_script_ra_t)

r_dir_file(httpd_t, httpd_$1_content_t)

}

')

define(`apache_user_domain', `

apache_domain($1)

typeattribute httpd_$1_content_t $1_file_type;

if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {

domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)

}

if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {

# If a user starts a script by hand it gets the proper context

domain_auto_trans($1_t, httpd_$1_script_exec_t, httpd_$1_script_t)

}

role $1_r types httpd_$1_script_t;

#######################################

# Allow user to create or edit web content

#########################################

create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t })

allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom };

######################################################################

# Allow the user to create htaccess files

#####################################################################

allow $1_t httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };

#########################################################################

# Allow user to create files or directories 

# that scripts are able to read, write, or append to

###########################################################################

create_dir_file($1_t, { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t })

allow $1_t { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:{ file dir lnk_file } { relabelto relabelfrom };

# allow accessing files/dirs below the users home dir

if (httpd_enable_homedirs) {

allow { httpd_t httpd_suexec_t httpd_$1_script_t } $1_home_dir_t:dir { getattr search };

ifdef(`nfs_home_dirs', `

r_dir_file(httpd_$1_script_t, nfs_t)

')dnl end if nfs_home_dirs

}

ifdef(`crond.te', `

create_dir_file($1_crond_t, httpd_$1_content_t)

')

')