Blob Blame History Raw

policy_module(apache,1.0)

#
# NOTES: 
#  This policy will work with SUEXEC enabled as part of the Apache
#  configuration. However, the user CGI scripts will run under the
#  system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
#  of the creating user.
#
#  The user CGI scripts must be labeled with the httpd_$1_script_exec_t
#  type, and the directory containing the scripts should also be labeled
#  with these types. This policy allows user_r role to perform that 
#  relabeling. If it is desired that only sysadm_r should be able to relabel
#  the user CGI scripts, then relabel rule for user_r should be removed.
#

########################################
#
# Declarations
#

attribute httpdcontent;

# domains that can exec all users scripts
attribute httpd_exec_scripts;

# user script domains
attribute httpd_script_domains;

type httpd_t;
type httpd_exec_t;
init_daemon_domain(httpd_t,httpd_exec_t)
role system_r types httpd_t;

# httpd_cache_t is the type given to the /var/cache/httpd
# directory and the files under that directory
type httpd_cache_t;
files_type(httpd_cache_t)

# httpd_config_t is the type given to the configuration files
type httpd_config_t;
files_type(httpd_config_t)

type httpd_helper_t;
type httpd_helper_exec_t;
domain_type(httpd_helper_t)
domain_entry_file(httpd_helper_t,httpd_helper_exec_t)
role system_r types httpd_helper_t;

type httpd_lock_t;
files_lock_file(httpd_lock_t)

type httpd_log_t;
logging_log_file(httpd_log_t)

# httpd_modules_t is the type given to module files (libraries) 
# that come with Apache /etc/httpd/modules and /usr/lib/apache
type httpd_modules_t;
files_type(httpd_modules_t)

type httpd_php_t;
type httpd_php_exec_t;
domain_type(httpd_php_t)
domain_entry_file(httpd_php_t,httpd_php_exec_t)
role system_r types httpd_php_t;

type httpd_php_tmp_t;
files_tmp_file(httpd_php_tmp_t)

type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)

# SUEXEC runs user scripts as their own user ID
type httpd_suexec_t; #, daemon;
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t,httpd_suexec_exec_t)
role system_r types httpd_suexec_t;

type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)

# setup the system domain for system CGI scripts
apache_content_template(sys)

type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)

type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)

# Unconfined domain for apache scripts.
# Only to be used as a last resort
type httpd_unconfined_script_t;
type httpd_unconfined_script_exec_t; # customizable
domain_type(httpd_unconfined_script_t)
domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t)
role system_r types httpd_unconfined_script_t;

# for apache2 memory mapped files
type httpd_var_lib_t;
files_type(httpd_var_lib_t)

type httpd_var_run_t;
files_pid_file(httpd_var_run_t)

# File Type of squirrelmail attachments
type squirrelmail_spool_t;
files_tmp_file(squirrelmail_spool_t)

# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
# This is a bug but it still exists in FC2
# cjp: probably can remove this
ifdef(`distro_redhat',`
	typealias httpd_log_t alias httpd_runtime_t;
')

ifdef(`targeted_policy',`
	typealias httpd_sys_content_t alias httpd_user_content_t;
	typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
')

########################################
#
# Apache server local policy
#

allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:fifo_file rw_file_perms;
allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
allow httpd_t self:unix_dgram_socket create_socket_perms;
allow httpd_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_t self:unix_dgram_socket sendto;
allow httpd_t self:unix_stream_socket connectto;
allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow httpd_t self:tcp_socket { acceptfrom connectto recvfrom };

allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket { connect };
allow httpd_t self:tcp_socket connected_socket_perms;
allow httpd_t self:udp_socket connected_socket_perms;

# Allow httpd_t to put files in /var/cache/httpd etc
allow httpd_t httpd_cache_t:dir create_dir_perms;
allow httpd_t httpd_cache_t:file create_file_perms;
allow httpd_t httpd_cache_t:lnk_file create_lnk_perms;

# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir r_dir_perms;
allow httpd_t httpd_config_t:file r_file_perms;
allow httpd_t httpd_config_t:lnk_file { getattr read };

can_exec(httpd_t, httpd_exec_t)

allow httpd_t httpd_lock_t:file create_file_perms;
files_create_lock(httpd_t,httpd_lock_t)

allow httpd_t httpd_log_t:dir { setattr rw_dir_perms };
allow httpd_t httpd_log_t:file { create ra_file_perms };
allow httpd_t httpd_log_t:lnk_file read;
# cjp: need to refine create interfaces to
# cut this back to add_name only
logging_create_log(httpd_t,httpd_log_t)

allow httpd_t httpd_modules_t:file rx_file_perms;
allow httpd_t httpd_modules_t:dir r_dir_perms;
allow httpd_t httpd_modules_t:lnk_file r_file_perms;

allow httpd_t httpd_squirrelmail_t:dir create_dir_perms;
allow httpd_t httpd_squirrelmail_t:lnk_file create_lnk_perms;
allow httpd_t httpd_squirrelmail_t:file create_file_perms;

allow httpd_t httpd_sys_content_t:dir r_dir_perms;
allow httpd_t httpd_sys_content_t:file r_file_perms;

allow httpd_t httpd_tmp_t:dir create_dir_perms;
allow httpd_t httpd_tmp_t:file create_file_perms;
files_create_tmp_files(httpd_t, httpd_tmp_t, { file dir })

allow httpd_t httpd_tmpfs_t:dir create_dir_perms;
allow httpd_t httpd_tmpfs_t:file create_file_perms;
allow httpd_t httpd_tmpfs_t:lnk_file create_lnk_perms;
allow httpd_t httpd_tmpfs_t:sock_file create_file_perms;
allow httpd_t httpd_tmpfs_t:fifo_file create_file_perms;
fs_create_tmpfs_data(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })

allow httpd_t httpd_var_lib_t:file create_file_perms;
allow httpd_t httpd_var_lib_t:dir rw_dir_perms;
files_create_var_lib(httpd_t,httpd_var_lib_t)

allow httpd_t httpd_var_run_t:file create_file_perms;
allow httpd_t httpd_var_run_t:sock_file create_file_perms;
allow httpd_t httpd_var_run_t:dir rw_dir_perms;
files_create_pid(httpd_t,httpd_var_run_t, { file sock_file })

allow httpd_t squirrelmail_spool_t:dir create_dir_perms;
allow httpd_t squirrelmail_spool_t:file create_file_perms;
allow httpd_t squirrelmail_spool_t:lnk_file create_lnk_perms;

kernel_read_kernel_sysctl(httpd_t)
kernel_tcp_recvfrom(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)

corenet_tcp_sendrecv_all_if(httpd_t)
corenet_udp_sendrecv_all_if(httpd_t)
corenet_raw_sendrecv_all_if(httpd_t)
corenet_tcp_sendrecv_all_nodes(httpd_t)
corenet_udp_sendrecv_all_nodes(httpd_t)
corenet_raw_sendrecv_all_nodes(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_all_nodes(httpd_t)
corenet_udp_bind_all_nodes(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
# allow httpd to connect to mysql/posgresql 
corenet_tcp_connect_postgresql_port(httpd_t)
corenet_tcp_connect_mysqld_port(httpd_t)
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
corenet_tcp_connect_ftp_port(httpd_t)
corenet_tcp_connect_http_port(httpd_t)
corenet_tcp_connect_http_cache_port(httpd_t)

dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
dev_read_urand(httpd_t)
dev_rw_crypto(httpd_t)

fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)

term_dontaudit_use_console(httpd_t)

auth_use_nsswitch(httpd_t)

# execute perl
corecmd_exec_bin(httpd_t)
corecmd_exec_sbin(httpd_t)

domain_use_wide_inherit_fd(httpd_t)

files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
# for modules that want to access /etc/mtab
files_read_etc_runtime_files(httpd_t)
# Allow httpd_t to have access to files such as nisswitch.conf
files_read_etc_files(httpd_t)
# for tomcat
files_read_var_lib_symlinks(httpd_t)

init_use_fd(httpd_t)
init_use_script_pty(httpd_t)

libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
libs_read_lib(httpd_t)

logging_send_syslog_msg(httpd_t)

miscfiles_read_localization(httpd_t)
miscfiles_read_fonts(httpd_t)
miscfiles_read_public_files(httpd_t)
miscfiles_read_certs(httpd_t)

seutil_dontaudit_search_config(httpd_t)

sysnet_use_ldap(httpd_t)
sysnet_read_config(httpd_t)

userdom_use_unpriv_users_fd(httpd_t)
userdom_dontaudit_search_sysadm_home_dir(httpd_t)

mta_send_mail(httpd_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_tty(httpd_t)
	term_dontaudit_use_generic_pty(httpd_t)
	files_dontaudit_read_root_file(httpd_t)
')

tunable_policy(`allow_httpd_anon_write',`
	miscfiles_manage_public_files(httpd_t)
') 

tunable_policy(`httpd_can_network_connect',`
	allow httpd_t self:tcp_socket create_socket_perms;
	allow httpd_t self:udp_socket create_socket_perms;

	corenet_tcp_sendrecv_all_if(httpd_t)
	corenet_udp_sendrecv_all_if(httpd_t)
	corenet_raw_sendrecv_all_if(httpd_t)
	corenet_tcp_sendrecv_all_nodes(httpd_t)
	corenet_udp_sendrecv_all_nodes(httpd_t)
	corenet_raw_sendrecv_all_nodes(httpd_t)
	corenet_tcp_sendrecv_all_ports(httpd_t)
	corenet_udp_sendrecv_all_ports(httpd_t)
	corenet_tcp_bind_all_nodes(httpd_t)
	corenet_udp_bind_all_nodes(httpd_t)
	corenet_tcp_connect_all_ports(httpd_t)

	sysnet_read_config(httpd_t)
')

tunable_policy(`httpd_enable_cgi',`
	domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
	allow httpd_t httpd_unconfined_script_t:fd use;
	allow httpd_unconfined_script_t httpd_t:fd use;
	allow httpd_unconfined_script_t httpd_t:fifo_file rw_file_perms;
	allow httpd_unconfined_script_t httpd_t:process sigchld;

	allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
	allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
')

tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
	domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
	allow httpd_t httpd_sys_script_t:fd use;
	allow httpd_sys_script_t httpd_t:fd use;
	allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
	allow httpd_sys_script_t httpd_t:process sigchld;

	allow httpd_t httpdcontent:dir create_dir_perms;
	allow httpd_t httpdcontent:file create_file_perms;
	allow httpd_t httpdcontent:lnk_file create_lnk_perms;
')

tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_read_nfs_files(httpd_t)
	fs_read_nfs_symlinks(httpd_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_read_cifs_files(httpd_t)
	fs_read_cifs_symlinks(httpd_t)
')

tunable_policy(`httpd_ssi_exec',`
	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
	allow httpd_t httpd_sys_script_t:fd use;
	allow httpd_sys_script_t httpd_t:fd use;
	allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
	allow httpd_sys_script_t httpd_t:process sigchld;
')

# When the admin starts the server, the server wants to access
# the TTY or PTY associated with the session. The httpd appears
# to run correctly without this permission, so the permission
# are dontaudited here. 
tunable_policy(`httpd_tty_comm',`
	userdom_use_sysadm_terms(httpd_t)
',`
	userdom_dontaudit_use_sysadm_terms(httpd_t)
')

optional_policy(`kerberos.te',`
	kerberos_use(httpd_t)
')

optional_policy(`mailman.te',`
	mailman_signal_cgi(httpd_t)
	mailman_domtrans_cgi(httpd_t)
	# should have separate types for public and private archives
	mailman_read_archive(httpd_t)
')

optional_policy(`mta.te',`
	mta_stub()

	# apache should set close-on-exec
	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')

optional_policy(`mysql.te',`
	mysql_stream_connect(httpd_t)
	mysql_rw_db_socket(httpd_t)
')

optional_policy(`nscd.te',`
	nscd_use_socket(httpd_t)
')

optional_policy(`selinuxutil.te',`
	seutil_sigchld_newrole(httpd_t)
')

optional_policy(`udev.te', `
	udev_read_db(httpd_t)
')

ifdef(`TODO',`
optional_policy(`rhgb.te',`
	rhgb_domain(httpd_t)
')

can_tcp_connect(web_client_domain, httpd_t)

ifdef(`targeted_policy',`
	if (httpd_enable_homedirs) {
		allow httpd_t user_home_dir_t:dir { getattr search };
	}
	if (httpd_enable_homedirs) {
		allow httpd_sys_script_t user_home_dir_t:dir { getattr search };
	}
	if (httpd_enable_homedirs) {
		allow httpd_suexec_t user_home_dir_t:dir { getattr search };
	}
')
') dnl end TODO

########################################
#
# Apache helper local policy
#

domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
allow httpd_t httpd_helper_t:fd use;
allow httpd_helper_t httpd_t:fd use;
allow httpd_helper_t httpd_t:fifo_file rw_file_perms;
allow httpd_helper_t httpd_t:process sigchld;

allow httpd_helper_t httpd_config_t:file { getattr read };

allow httpd_helper_t httpd_log_t:file append;

libs_use_ld_so(httpd_helper_t)
libs_use_shared_libs(httpd_helper_t)

logging_send_syslog_msg(httpd_helper_t)

########################################
#
# Apache PHP script local policy
#

allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_php_t self:fd use;
allow httpd_php_t self:fifo_file rw_file_perms;
allow httpd_php_t self:unix_dgram_socket create_socket_perms;
allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_php_t self:unix_dgram_socket sendto;
allow httpd_php_t self:unix_stream_socket connectto;
allow httpd_php_t self:shm create_shm_perms;
allow httpd_php_t self:sem create_sem_perms;
allow httpd_php_t self:msgq create_msgq_perms;
allow httpd_php_t self:msg { send receive };

domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t)
allow httpd_t httpd_php_t:fd use;
allow httpd_php_t httpd_t:fd use;
allow httpd_php_t httpd_t:fifo_file rw_file_perms;
allow httpd_php_t httpd_t:process sigchld;

# allow php to read and append to apache logfiles
allow httpd_php_t httpd_log_t:file ra_file_perms;

allow httpd_php_t httpd_php_tmp_t:dir create_dir_perms;
allow httpd_php_t httpd_php_tmp_t:file create_file_perms;
files_create_tmp_files(httpd_php_t, httpd_php_tmp_t, { file dir })

fs_search_auto_mountpoints(httpd_php_t)

libs_exec_lib_files(httpd_php_t)
libs_use_ld_so(httpd_php_t)
libs_use_shared_libs(httpd_php_t)

userdom_use_unpriv_users_fd(httpd_php_t)

optional_policy(`mysql.te',`
	mysql_stream_connect(httpd_php_t)
')

optional_policy(`nis.te',`
	nis_use_ypbind(httpd_php_t)
')

########################################
#
# Apache suexec local policy
#

allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;

# cjp: need transitionbool
domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
allow httpd_t httpd_suexec_t:fd use;
allow httpd_suexec_t httpd_t:fd use;
allow httpd_suexec_t httpd_t:fifo_file rw_file_perms;
allow httpd_suexec_t httpd_t:process sigchld;

allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
allow httpd_suexec_t httpd_t:fifo_file getattr;

allow httpd_suexec_t httpd_suexec_tmp_t:dir create_dir_perms;
allow httpd_suexec_t httpd_suexec_tmp_t:file create_file_perms;
files_create_tmp_files(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })

kernel_read_kernel_sysctl(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)

dev_read_urand(httpd_suexec_t)

fs_search_auto_mountpoints(httpd_suexec_t)

# for shell scripts
corecmd_exec_bin(httpd_suexec_t)
corecmd_exec_shell(httpd_suexec_t)

files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)

libs_use_ld_so(httpd_suexec_t)
libs_use_shared_libs(httpd_suexec_t)

logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)

miscfiles_read_localization(httpd_suexec_t)

tunable_policy(`httpd_can_network_connect',`
	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
	allow httpd_suexec_t self:udp_socket create_socket_perms;

	corenet_tcp_sendrecv_all_if(httpd_suexec_t)
	corenet_udp_sendrecv_all_if(httpd_suexec_t)
	corenet_raw_sendrecv_all_if(httpd_suexec_t)
	corenet_tcp_sendrecv_all_nodes(httpd_suexec_t)
	corenet_udp_sendrecv_all_nodes(httpd_suexec_t)
	corenet_raw_sendrecv_all_nodes(httpd_suexec_t)
	corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
	corenet_tcp_bind_all_nodes(httpd_suexec_t)
	corenet_udp_bind_all_nodes(httpd_suexec_t)
	corenet_tcp_connect_all_ports(httpd_suexec_t)

	sysnet_read_config(httpd_suexec_t)
')

tunable_policy(`httpd_enable_cgi',`
	domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
')

tunable_policy(`httpd_enable_cgi && httpd_unified',`
	domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
	allow httpd_suexec_t httpd_sys_script_t:fd use;
	allow httpd_sys_script_t httpd_suexec_t:fd use;
	allow httpd_sys_script_t httpd_suexec_t:fifo_file rw_file_perms;
	allow httpd_sys_script_t httpd_suexec_t:process sigchld;
')

tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_read_nfs_files(httpd_suexec_t)
	fs_read_nfs_symlinks(httpd_suexec_t)
	fs_execute_nfs_files(httpd_suexec_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_read_cifs_files(httpd_suexec_t)
	fs_read_cifs_symlinks(httpd_suexec_t)
	fs_execute_cifs_files(httpd_suexec_t)
')

optional_policy(`mailman.te',`
	mailman_domtrans_cgi(httpd_suexec_t)
')

optional_policy(`mount.te',`
	tunable_policy(`httpd_can_network_connect',`
		mount_send_nfs_client_request(httpd_suexec_t)
	')
')

optional_policy(`nis.te',`
	nis_use_ypbind(httpd_suexec_t)
')

########################################
#
# Apache system script local policy
#

allow httpd_sys_script_t httpd_t:tcp_socket { read write };

dontaudit httpd_sys_script_t httpd_config_t:dir search;

allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };

allow httpd_sys_script_t squirrelmail_spool_t:dir r_dir_perms;
allow httpd_sys_script_t squirrelmail_spool_t:file r_file_perms;
allow httpd_sys_script_t squirrelmail_spool_t:lnk_file { getattr read };

kernel_read_kernel_sysctl(httpd_sys_script_t)

files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)

ifdef(`distro_redhat',`
	allow httpd_sys_script_t httpd_log_t:file { getattr append };
')

optional_policy(`mysql.te',`
	mysql_stream_connect(httpd_sys_script_t)
	mysql_rw_db_socket(httpd_sys_script_t)
')

########################################
#
# Apache unconfined script local policy
#

unconfined_domain_template(httpd_unconfined_script_t)

optional_policy(`nscd.te',`
	nscd_use_socket(httpd_unconfined_script_t)
')