diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index d4d3dc6..04f3dc7 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
 
-policy_module(corenetwork, 1.13.9)
+policy_module(corenetwork, 1.13.10)
 
 ########################################
 #
@@ -138,6 +138,7 @@ network_port(memcache, tcp,11211,s0, udp,11211,s0)
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
+network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0)
 network_port(munin, tcp,4949,s0, udp,4949,s0)
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
 portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 4f1e6e9..2dd4e3c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5166,6 +5166,25 @@ interface(`files_rw_generic_pids',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to get the attributes of
+##	daemon runtime data files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_pids',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	dontaudit $1 pidfile:file getattr;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to write to daemon runtime data files.
 ## </summary>
 ## <param name="domain">
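Review bot: The parameter description on `files_dontaudit_getattr_all_pids` reads `Domain allowed access.`, but the interface emits only a `dontaudit` rule and grants nothing. It should read `Domain to not audit.` so that callers do not mistake it for an access grant. The same wording is used on `apache_dontaudit_rw_fifo_file` and `apache_dontaudit_write_tmp_files` in apache.if. Since these rules hide AVC denials from the audit log, the documentation should state clearly that they suppress logging.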
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index c915c73..953c829 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
 
-policy_module(files, 1.12.4)
+policy_module(files, 1.12.5)
 
 ########################################
 #
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 997b2b0..7bd97c4 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -49,10 +49,11 @@ template(`apache_content_template',`
 	typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
 	files_type(httpd_$1_ra_content_t)
 
-	allow httpd_t httpd_$1_htaccess_t:file read_file_perms;
+	read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
 
 	domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
 
+	allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
 	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
 
 	allow httpd_$1_script_t self:fifo_file rw_file_perms;
@@ -69,7 +70,7 @@ template(`apache_content_template',`
 	logging_search_logs(httpd_$1_script_t)
 
 	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
-	allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms;
+	allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
 
 	allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
 	read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
@@ -173,50 +174,6 @@ template(`apache_content_template',`
 		miscfiles_read_localization(httpd_$1_script_t)
 	')
 
-	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
-		allow httpd_$1_script_t self:udp_socket create_socket_perms;
-
-		corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
-		corenet_all_recvfrom_netlabel(httpd_$1_script_t)
-		corenet_tcp_sendrecv_generic_if(httpd_$1_script_t)
-		corenet_udp_sendrecv_generic_if(httpd_$1_script_t)
-		corenet_tcp_sendrecv_generic_node(httpd_$1_script_t)
-		corenet_udp_sendrecv_generic_node(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
-
-		sysnet_read_config(httpd_$1_script_t)
-	')
-
-	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
-		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
-		allow httpd_$1_script_t self:udp_socket create_socket_perms;
-
-		corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
-		corenet_all_recvfrom_netlabel(httpd_$1_script_t)
-		corenet_tcp_sendrecv_generic_if(httpd_$1_script_t)
-		corenet_udp_sendrecv_generic_if(httpd_$1_script_t)
-		corenet_tcp_sendrecv_generic_node(httpd_$1_script_t)
-		corenet_udp_sendrecv_generic_node(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
-		corenet_tcp_connect_all_ports(httpd_$1_script_t)
-		corenet_sendrecv_all_client_packets(httpd_$1_script_t)
-
-		sysnet_read_config(httpd_$1_script_t)
-	')
-
-	optional_policy(`
-		mta_send_mail(httpd_$1_script_t)
-	')
-
-	optional_policy(`
-		tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-			mysql_tcp_connect(httpd_$1_script_t)
-		')
-	')
-
 	optional_policy(`
 		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
 			nis_use_ypbind_uncond(httpd_$1_script_t)
@@ -355,6 +312,24 @@ interface(`apache_domtrans',`
 	domtrans_pattern($1, httpd_exec_t, httpd_t)
 ')
 
+#######################################
+## <summary>
+##	Send a generic signal to apache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_signal',`
+	gen_require(`
+		type httpd_t;
+	')
+
+	allow $1 httpd_t:process signal;
+')
+
 ########################################
 ## <summary>
 ##	Send a null signal to apache.
@@ -412,6 +387,25 @@ interface(`apache_use_fds',`
 ########################################
 ## <summary>
 ##	Do not audit attempts to read and write Apache
+##	unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_fifo_file',`
+	gen_require(`
+		type httpd_t;
+	')
+
+	dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write Apache
 ##	unix domain stream sockets.
 ## </summary>
 ## <param name="domain">
@@ -474,6 +468,44 @@ interface(`apache_manage_all_content',`
 
 ########################################
 ## <summary>
+##	Allow domain to  set the attributes
+##	of the APACHE cache directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_setattr_cache_dirs',`
+	gen_require(`
+		type httpd_cache_t;
+	')
+
+	allow $1 httpd_cache_t:dir setattr;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to list
+##	Apache cache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_list_cache',`
+	gen_require(`
+		type httpd_cache_t;
+	')
+
+	list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to read
 ##	and write Apache cache files.
 ## </summary>
@@ -493,6 +525,25 @@ interface(`apache_rw_cache_files',`
 
 ########################################
 ## <summary>
+##	Allow the specified domain to delete
+##	Apache cache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_delete_cache_files',`
+	gen_require(`
+		type httpd_cache_t;
+	')
+
+	delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to read
 ##	apache configuration files.
 ## </summary>
@@ -560,7 +611,7 @@ interface(`apache_domtrans_helper',`
 ## <summary>
 ##	Execute the Apache helper program with
 ##	a domain transition, and allow the
-##	specified role the dmidecode domain.
+##	specified role the Apache helper domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -569,7 +620,7 @@ interface(`apache_domtrans_helper',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	The role to be allowed the dmidecode domain.
+##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -1017,6 +1068,45 @@ interface(`apache_search_sys_script_state',`
 
 ########################################
 ## <summary>
+##	Allow the specified domain to read
+##	apache tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_read_tmp_files',`
+	gen_require(`
+		type httpd_config_t;
+	')
+
+	files_search_tmp($1)
+	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
+')
+
+########################################
+## <summary>
+##	Dontaudit attempts to write 
+##	apache tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_dontaudit_write_tmp_files',`
+	gen_require(`
+		type httpd_config_t;
+	')
+
+	dontaudit $1 httpd_tmp_t:file write_file_perms;
+')
+
+########################################
+## <summary>
 ##	Execute CGI in the specified domain.
 ## </summary>
 ##	<desc>
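Review bot: Both `apache_read_tmp_files` and `apache_dontaudit_write_tmp_files` require `type httpd_config_t;` in `gen_require`, but their rules reference `httpd_tmp_t`, which is never required. A caller in another module would then depend on a type the interface does not declare, which presumably fails or resolves incorrectly in a modular build. Both blocks should use `type httpd_tmp_t;`. The parameter text of `apache_dontaudit_write_tmp_files` should also read `Domain to not audit.`, since the rule suppresses denials rather than granting access.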
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 91d8e08..68c3d73 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
 
-policy_module(apache, 2.1.1)
+policy_module(apache, 2.1.2)
 
 #
 # NOTES: 
@@ -65,6 +65,20 @@ gen_tunable(httpd_can_network_relay, false)
 
 ## <desc>
 ## <p>
+## Allow http daemon to send mail
+## </p>
+## </desc>
+gen_tunable(httpd_can_sendmail, false)
+
+## <desc>
+## <p>
+## Allow Apache to communicate with avahi service via dbus
+## </p>
+## </desc>
+gen_tunable(httpd_dbus_avahi, false)
+
+## <desc>
+## <p>
 ## Allow httpd cgi support
 ## </p>
 ## </desc>
@@ -108,6 +122,27 @@ gen_tunable(httpd_tty_comm, false)
 ## </desc>
 gen_tunable(httpd_unified, false)
 
+## <desc>
+## <p>
+## Allow httpd to access cifs file systems
+## </p>
+## </desc>
+gen_tunable(httpd_use_cifs, false)
+
+## <desc>
+## <p>
+## Allow httpd to run gpg
+## </p>
+## </desc>
+gen_tunable(httpd_use_gpg, false)
+
+## <desc>
+## <p>
+## Allow httpd to access nfs file systems
+## </p>
+## </desc>
+gen_tunable(httpd_use_nfs, false)
+
 attribute httpdcontent;
 attribute httpd_user_content_type;
 
@@ -232,7 +267,7 @@ optional_policy(`
 # Apache server local policy
 #
 
-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
 dontaudit httpd_t self:capability { net_admin sys_tty_config };
 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow httpd_t self:fd use;
@@ -274,6 +309,7 @@ logging_log_filetrans(httpd_t, httpd_log_t, file)
 allow httpd_t httpd_modules_t:dir list_dir_perms;
 mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 
 apache_domtrans_rotatelogs(httpd_t)
 # Apache-httpd needs to be able to send signals to the log rotate procs.
@@ -289,9 +325,12 @@ allow httpd_t httpd_sys_content_t:dir list_dir_perms;
 read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
 read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
 
+allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir })
+manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
 
 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
 manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
@@ -303,9 +342,11 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_fil
 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
 
+setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
 manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
 manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
+files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
 
 manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
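Review bot: The added `setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)` looks redundant next to the `manage_dirs_pattern` line that follows it with the same arguments. As far as I know the manage directory permission set already includes `setattr`, so the first line can be dropped without changing the resulting policy. If it is kept on purpose, add a short comment saying why, e.g. `# httpd creates and chmods its own runtime subdirectory`.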
@@ -346,6 +387,7 @@ corecmd_exec_shell(httpd_t)
 
 domain_use_interactive_fds(httpd_t)
 
+files_dontaudit_getattr_all_pids(httpd_t)
 files_read_usr_files(httpd_t)
 files_list_mnt(httpd_t)
 files_search_spool(httpd_t)
@@ -374,8 +416,6 @@ seutil_dontaudit_search_config(httpd_t)
 
 userdom_use_unpriv_users_fds(httpd_t)
 
-mta_send_mail(httpd_t)
-
 tunable_policy(`allow_httpd_anon_write',`
 	miscfiles_manage_public_files(httpd_t)
 ') 
@@ -399,12 +439,21 @@ tunable_policy(`httpd_can_network_relay',`
 	corenet_tcp_connect_ftp_port(httpd_t)
 	corenet_tcp_connect_http_port(httpd_t)
 	corenet_tcp_connect_http_cache_port(httpd_t)
+	corenet_tcp_connect_memcache_port(httpd_t)
 	corenet_sendrecv_gopher_client_packets(httpd_t)
 	corenet_sendrecv_ftp_client_packets(httpd_t)
 	corenet_sendrecv_http_client_packets(httpd_t)
 	corenet_sendrecv_http_cache_client_packets(httpd_t)
 ')
 
+tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
+	fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
 
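Review bot: In the `httpd_can_network_relay` block, the new `corenet_tcp_connect_memcache_port(httpd_t)` has no matching packet rule. Every other port in the block pairs its connect with a `corenet_sendrecv_*_client_packets` call. On systems that label packets, the memcache connection would presumably be allowed at the socket layer and still be denied at the packet layer. Add `corenet_sendrecv_memcache_client_packets(httpd_t)` after the existing `http_cache` packet line. Separately, memcache is a backend store rather than a relay target, so consider whether this tunable is the right gate for it.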
@@ -431,6 +480,13 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_symlinks(httpd_t)
 ')
 
+tunable_policy(`httpd_can_sendmail',`
+	# allow httpd to connect to mail servers
+	corenet_tcp_connect_smtp_port(httpd_t)
+	corenet_sendrecv_smtp_client_packets(httpd_t)
+	mta_send_mail(httpd_t)
+')
+
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
 	allow httpd_sys_script_t httpd_t:fd use;
@@ -453,6 +509,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ccs_read_config(httpd_t)
+')
+
+optional_policy(`
 	cobbler_search_lib(httpd_t)
 ')
 
@@ -461,9 +521,27 @@ optional_policy(`
 ')
 
 optional_policy(`
+	cvs_read_data(httpd_t)
+')
+
+optional_policy(`
 	daemontools_service_domain(httpd_t, httpd_exec_t)
 ')
 
+ optional_policy(`
+	dbus_system_bus_client(httpd_t)
+
+	tunable_policy(`httpd_dbus_avahi',`
+		avahi_dbus_chat(httpd_t)
+	')
+')
+
+optional_policy(`
+	tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+		gpg_domtrans(httpd_t)
+	')
+')
+
 optional_policy(`
 	kerberos_keytab_template(httpd, httpd_t)
 ')
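Review bot: `dbus_system_bus_client(httpd_t)` is granted whenever the dbus module is present, and only `avahi_dbus_chat` sits behind the `httpd_dbus_avahi` tunable. With the tunable off, the web server can still act as a system bus client, which is broader than the tunable's description suggests. Unless another consumer needs bus access, move the call inside the tunable block so both rules are gated together: `tunable_policy(`httpd_dbus_avahi',` then `dbus_system_bus_client(httpd_t)` and `avahi_dbus_chat(httpd_t)`. The new `optional_policy(` line for this block also starts with a stray leading space.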
@@ -471,6 +549,7 @@ optional_policy(`
 optional_policy(`
 	mailman_signal_cgi(httpd_t)
 	mailman_domtrans_cgi(httpd_t)
+	mailman_read_data_files(httpd_t)
 	# should have separate types for public and private archives
 	mailman_search_data(httpd_t)
 	mailman_read_archive(httpd_t)
@@ -488,7 +567,6 @@ optional_policy(`
 
 optional_policy(`
 	nagios_read_config(httpd_t)
-	nagios_domtrans_cgi(httpd_t)
 ')
 
 optional_policy(`
@@ -569,16 +647,31 @@ files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
 
 fs_search_auto_mountpoints(httpd_php_t)
 
+auth_use_nsswitch(httpd_php_t)
+
 libs_exec_lib_files(httpd_php_t)
 
 userdom_use_unpriv_users_fds(httpd_php_t)
 
-optional_policy(`
-	mysql_stream_connect(httpd_php_t)
+tunable_policy(`httpd_can_network_connect_db',`
+	corenet_tcp_connect_mysqld_port(httpd_t)
+	corenet_sendrecv_mysqld_client_packets(httpd_t)
+	corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
+	corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
+	corenet_tcp_connect_mysqld_port(httpd_suexec_t)
+	corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
+
+	corenet_tcp_connect_mssql_port(httpd_t)
+	corenet_sendrecv_mssql_client_packets(httpd_t)
+	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+	corenet_tcp_connect_mssql_port(httpd_suexec_t)
+	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
 ')
 
 optional_policy(`
-	nis_use_ypbind(httpd_php_t)
+	mysql_stream_connect(httpd_php_t)
+	mysql_read_config(httpd_php_t)
 ')
 
 optional_policy(`
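Review bot: The new `httpd_can_network_connect_db` block is placed in the `httpd_php_t` section but grants nothing to `httpd_php_t`. All twelve rules target `httpd_t`, `httpd_sys_script_t` and `httpd_suexec_t`, so a reader auditing those domains in their own sections will miss these network grants. Split the block so each domain's rules live in that domain's local policy section. The template block this replaces was conditioned on `httpd_enable_cgi && httpd_can_network_connect_db`, so the script and suexec rules should probably keep the `httpd_enable_cgi` condition. The same hunk replaces `nis_use_ypbind(httpd_php_t)` with `auth_use_nsswitch(httpd_php_t)`, which is a wider grant and deserves a mention in the commit message.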
@@ -600,7 +693,7 @@ create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 
-allow httpd_suexec_t httpd_t:fifo_file getattr;
+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
 
 manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
@@ -629,6 +722,7 @@ logging_search_logs(httpd_suexec_t)
 logging_send_syslog_msg(httpd_suexec_t)
 
 miscfiles_read_localization(httpd_suexec_t)
+miscfiles_read_public_files(httpd_suexec_t)
 
 tunable_policy(`httpd_can_network_connect',`
 	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
@@ -647,11 +741,9 @@ tunable_policy(`httpd_can_network_connect',`
 ')
 
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
+	allow httpd_sys_script_t httpdcontent:file entrypoint;
 	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-')
 
-tunable_policy(`httpd_enable_homedirs',`
-	userdom_read_user_home_content_files(httpd_suexec_t)
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
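Review bot: The `httpd_enable_cgi && httpd_unified` block now ends with an empty line before its closing `')`, left over from merging the removed `httpd_enable_homedirs` block. That blank line should be deleted. The added `allow httpd_sys_script_t httpdcontent:file entrypoint;` makes every file carrying the `httpdcontent` attribute a valid entry point for the script domain. A one-line comment would help auditors, e.g. `# unified mode: any httpd content file may be executed as a system script`.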
@@ -677,15 +769,14 @@ optional_policy(`
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
 
-optional_policy(`
-	nagios_domtrans_cgi(httpd_suexec_t)
-')
-
 ########################################
 #
 # Apache system script local policy
 #
 
+allow httpd_sys_script_t self:process getsched;
+
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -708,6 +799,28 @@ ifdef(`distro_redhat',`
 	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
 ')
 
+tunable_policy(`httpd_can_sendmail',`
+	mta_send_mail(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+	allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+	corenet_tcp_bind_all_nodes(httpd_sys_script_t)
+	corenet_udp_bind_all_nodes(httpd_sys_script_t)
+	corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
+	corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+	corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
+	corenet_udp_sendrecv_all_if(httpd_sys_script_t)
+	corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
+	corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
+	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+	corenet_tcp_connect_all_ports(httpd_sys_script_t)
+	corenet_sendrecv_all_client_packets(httpd_sys_script_t)
+')
+
 tunable_policy(`httpd_enable_homedirs',`
 	userdom_read_user_home_content_files(httpd_sys_script_t)
 ')
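Review bot: The `httpd_can_network_connect` block added for `httpd_sys_script_t` is broader than the template block it replaces. It adds `corenet_tcp_bind_all_nodes` and `corenet_udp_bind_all_nodes`, and it uses the `all_if`/`all_nodes` send/receive interfaces where the removed code used `generic_if`/`generic_node`. A tunable described as allowing outbound connections should not also grant node bind, so drop the two bind lines unless a script is known to need them, and keep the generic variants as below. The removed block also called `sysnet_read_config`, which is not carried over; confirm that scripts doing name resolution still work.

```selinux
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
	# … unchanged: self tcp_socket / udp_socket allow rules …
	# … unchanged: corenet_all_recvfrom_unlabeled / corenet_all_recvfrom_netlabel …
	corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
	corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
	corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
	corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
	# … unchanged: all_ports sendrecv, connect_all_ports, all_client_packets …
')
```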
@@ -740,6 +853,8 @@ optional_policy(`
 # httpd_rotatelogs local policy
 #
 
+allow httpd_rotatelogs_t self:capability dac_override;
+
 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
 
 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
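Review bot: `allow httpd_rotatelogs_t self:capability dac_override;` is added with no comment explaining why the log rotation helper needs to bypass discretionary file permissions. `dac_override` is one of the more powerful capabilities. If the underlying denial comes from log directory ownership or mode, fixing that on disk is the narrower remedy. If the capability really is required, record the reason next to the rule, e.g. `# rotatelogs runs as root but log dirs may be owned by the apache user`. The `sys_nice` capability added to `httpd_t` earlier in this file would benefit from the same kind of comment.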
@@ -754,6 +869,23 @@ miscfiles_read_localization(httpd_rotatelogs_t)
 
 ########################################
 #
+# Unconfined script local policy
+#
+
+optional_policy(`
+	type httpd_unconfined_script_t;
+	type httpd_unconfined_script_exec_t;
+	domain_type(httpd_unconfined_script_t)
+	domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
+	domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+	unconfined_domain(httpd_unconfined_script_t)
+
+	role system_r types httpd_unconfined_script_t;
+	allow httpd_t httpd_unconfined_script_t:process signal_perms;
+')
+
+########################################
+#
 # User content local policy
 #
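Review bot: The new "Unconfined script local policy" block lets `httpd_t` transition into `httpd_unconfined_script_t`, a domain passed to `unconfined_domain()`, and no tunable gates it. Any file labelled `httpd_unconfined_script_exec_t` therefore runs outside confinement when the web server executes it, even with `httpd_enable_cgi` off. Wrap the transition in a tunable, e.g. `tunable_policy(`httpd_enable_cgi',` around the `domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)` line, and add a comment saying who is expected to apply that label. The two `type` declarations are also made inside `optional_policy`, unlike the other apache types, which appear to be declared at the top of the module.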