Blob Blame History Raw

define(`apache_domain', `

#This type is for webpages
#
type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable;

# This type is used for .htaccess files
#
type httpd_$1_htaccess_t, file_type, sysadmfile, customizable;
allow httpd_t httpd_$1_htaccess_t: file r_file_perms;

# This type is used for executable scripts files
#
type httpd_$1_script_exec_t, file_type, sysadmfile, customizable;

# Type that CGI scripts run as
type httpd_$1_script_t, domain, privmail, nscd_client_domain;
role system_r types httpd_$1_script_t;
uses_shlib(httpd_$1_script_t)

if (httpd_enable_cgi) {
domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
allow httpd_t httpd_$1_script_exec_t:file r_file_perms;

allow httpd_$1_script_t httpd_t:fd use;
allow httpd_$1_script_t httpd_t:process sigchld;

allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl };
allow httpd_$1_script_t usr_t:lnk_file { getattr read };

allow httpd_$1_script_t self:process { fork signal_perms };

allow httpd_$1_script_t devtty_t:chr_file { getattr read write };
allow httpd_$1_script_t urandom_device_t:chr_file { getattr read };
allow httpd_$1_script_t etc_runtime_t:file { getattr read };
read_locale(httpd_$1_script_t)
allow httpd_$1_script_t fs_t:filesystem getattr;
allow httpd_$1_script_t self:unix_stream_socket { create_stream_socket_perms connectto };

allow httpd_$1_script_t { self proc_t }:file r_file_perms;
allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
allow httpd_$1_script_t { self proc_t }:lnk_file read;

allow httpd_$1_script_t device_t:dir { getattr search };
allow httpd_$1_script_t null_device_t:chr_file rw_file_perms;
}

if (httpd_enable_cgi && httpd_can_network_connect) {
can_network_client(httpd_$1_script_t)
allow httpd_$1_script_t port_type:tcp_socket name_connect;
}

ifdef(`ypbind.te', `
if (httpd_enable_cgi && allow_ypbind) {
uncond_can_ypbind(httpd_$1_script_t)
}
')
# The following are the only areas that 
# scripts can read, read/write, or append to
#
type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile, customizable;
type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;
type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)

#########################################################
# Permissions for running child processes and scripts
##########################################################
allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };

domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)

allow httpd_$1_script_t httpd_t:fifo_file write;

allow httpd_$1_script_t self:fifo_file rw_file_perms;

allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms;

###########################################################################
# Allow the script interpreters to run the scripts.  So
# the perl executable will be able to run a perl script
#########################################################################
allow httpd_$1_script_t httpd_$1_script_exec_t:dir r_dir_perms;
can_exec_any(httpd_$1_script_t)

allow httpd_$1_script_t etc_t:file { getattr read };
dontaudit httpd_$1_script_t selinux_config_t:dir search;

############################################################################
# Allow the script process to search the cgi directory, and users directory
##############################################################################
allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
allow httpd_$1_script_t home_root_t:dir { getattr search };
allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };

#############################################################################
# Allow the scripts to read, read/write, append to the specified directories
# or files
############################################################################
read_fonts(httpd_$1_script_t)
r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file rw_file_perms;
ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
anonymous_domain(httpd_$1_script)

if (httpd_enable_cgi && httpd_unified) {
create_dir_file(httpd_$1_script_t, httpdcontent)
can_exec(httpd_$1_script_t, httpdcontent)
}

#
# If a user starts a script by hand it gets the proper context
#
ifdef(`targeted_policy', `', `
if (httpd_enable_cgi) {
domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
}
')
role sysadm_r types httpd_$1_script_t;

dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
dontaudit httpd_$1_script_t sysctl_t:dir search;

############################################
# Allow scripts to append to http logs
#########################################
allow httpd_$1_script_t { var_t var_log_t httpd_log_t }:dir  search;
allow httpd_$1_script_t httpd_log_t:file { getattr append };

# apache should set close-on-exec
dontaudit  httpd_$1_script_t httpd_t:unix_stream_socket { read write };

################################################################
# Allow the web server to run scripts and serve pages
##############################################################
if (httpd_builtin_scripting) {
r_dir_file(httpd_t, httpd_$1_script_ro_t)
create_dir_file(httpd_t, httpd_$1_script_rw_t)
allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;
ra_dir_file(httpd_t, httpd_$1_script_ra_t)
r_dir_file(httpd_t, httpd_$1_content_t)
}

')
define(`apache_user_domain', `

apache_domain($1)

typeattribute httpd_$1_content_t $1_file_type;

if (httpd_enable_cgi && httpd_unified) {
domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
}

if (httpd_enable_cgi) {
# If a user starts a script by hand it gets the proper context
domain_auto_trans($1_t, httpd_$1_script_exec_t, httpd_$1_script_t)
}
role $1_r types httpd_$1_script_t;

#######################################
# Allow user to create or edit web content
#########################################

create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t })
allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom };

######################################################################
# Allow the user to create htaccess files
#####################################################################

allow $1_t httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };

#########################################################################
# Allow user to create files or directories 
# that scripts are able to read, write, or append to
###########################################################################

create_dir_file($1_t, { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t })
allow $1_t { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:{ file dir lnk_file } { relabelto relabelfrom };

# allow accessing files/dirs below the users home dir
if (httpd_enable_homedirs) {
allow { httpd_t httpd_suexec_t httpd_$1_script_t } $1_home_dir_t:dir { getattr search };
ifdef(`nfs_home_dirs', `
r_dir_file(httpd_$1_script_t, nfs_t)
')dnl end if nfs_home_dirs
}
ifdef(`crond.te', `
create_dir_file($1_crond_t, httpd_$1_content_t)
')

ifdef(`ftpd.te', `
if (ftp_home_dir) {
create_dir_file(ftpd_t, httpd_$1_content_t)
}
')


')