diff --git a/Changelog b/Changelog
index 2c8b537..f1d19ab 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Add infrastructure for managing all user web content.
- Deprecate some old file and dir permission set macros in favor of the
newer, more consistently-named macros.
- Patch to clean up unescaped periods in several file context entries from
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 2c8a6b7..5bc5074 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -265,12 +265,19 @@ template(`apache_content_template',`
template(`apache_per_role_template', `
gen_require(`
attribute httpdcontent, httpd_script_domains;
- attribute httpd_exec_scripts;
+ attribute httpd_exec_scripts, httpd_user_content_type;
+ attribute httpd_user_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
')
apache_content_template($1)
+ typeattribute httpd_$1_content_t httpd_user_content_type;
+ typeattribute httpd_$1_script_ra_t httpd_user_content_type;
+ typeattribute httpd_$1_script_rw_t httpd_user_content_type;
+ typeattribute httpd_$1_script_ro_t httpd_user_content_type;
+ typeattribute httpd_$1_script_exec_t httpd_user_script_exec_type;
+
typeattribute httpd_$1_script_t httpd_script_domains;
userdom_user_home_content($1,httpd_$1_content_t)
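Review bot: The two new attributes are attached to the per-role types here with no comment saying what they collect, and the matching `attribute httpd_user_content_type;` and `attribute httpd_user_script_exec_type;` declarations in the apache.te hunk also lack the one-line description their neighbours carry (e.g. `# domains that can exec all users scripts`). Since the typeattribute lines deliberately keep the executable script type apart from the content and script_ra/rw/ro types, that split is worth documenting at the declarations: `# all user web content types (content, script_ra/rw/ro)` and `# all user script executable types (script_exec)`. The body of apache_per_role_template continues outside the hunk.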
@@ -1005,6 +1012,31 @@ interface(`apache_search_sys_scripts',`
########################################
##
+## Create, read, write, and delete all user web content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_manage_all_user_content',`
+ gen_require(`
+ attribute httpd_user_content_type, httpd_user_script_exec_type;
+ ')
+
+ manage_dirs_pattern($1,httpd_user_content_type,httpd_user_content_type)
+ manage_files_pattern($1,httpd_user_content_type,httpd_user_content_type)
+ manage_lnk_files_pattern($1,httpd_user_content_type,httpd_user_content_type)
+
+ manage_dirs_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type)
+ manage_files_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type)
+ manage_lnk_files_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type)
+')
+
+########################################
+##
## Search system script state directory.
##
##
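Review bot: The summary on the first added `##` line understates what apache_manage_all_user_content grants: the second group of `manage_*_pattern` calls gives `$1` write and delete access on `httpd_user_script_exec_type`, the per-user script executable types, so a caller can replace the code that runs in every user's script domain rather than only static content. I would extend the summary, e.g. `## Includes the user script executable types, so the domain can modify the scripts themselves, not only static content.` The interface also grants no search access on the enclosing user home directories, which the content lives under per the per-role template; callers presumably need that from a userdom interface, and the documentation should say whether that is expected of them.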
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index e2fecdc..a3bae43 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.8.1)
+policy_module(apache,1.8.2)
#
# NOTES:
@@ -107,11 +107,13 @@ gen_tunable(httpd_tty_comm,false)
gen_tunable(httpd_unified,false)
attribute httpdcontent;
+attribute httpd_user_content_type;
# domains that can exec all users scripts
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
+attribute httpd_user_script_exec_type;
# user script domains
attribute httpd_script_domains;