diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 3966860..34ebf10 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -1,7 +1,20 @@
 ## Apache web server
+########################################
+##
+## Create a set of derived types for apache
+## web content.
+##
+##
+## The prefix to be used for deriving type names.
+##
+#
 template(`apache_content_template',`
+ # allow write access to public file transfer
+ # services files.
+ gen_tunable(allow_httpd_$1_script_anon_write,false)
+
 #This type is for webpages
 type httpd_$1_content_t, httpdcontent; # customizable
 files_type(httpd_$1_content_t)
@@ -89,6 +102,7 @@ template(`apache_content_template',`
 libs_exec_lib_files(httpd_$1_script_t)
 miscfiles_read_fonts(httpd_$1_script_t)
+ miscfiles_read_public_files(httpd_$1_script_t)
 seutil_dontaudit_search_config(httpd_$1_script_t)
@@ -108,6 +122,10 @@ template(`apache_content_template',`
 ')
 ')
+ tunable_policy(`allow_httpd_$1_script_anon_write',`
+ miscfiles_manage_public_files(httpd_$1_script_t)
+ ')
+
 # Allow the web server to run scripts and serve pages
 tunable_policy(`httpd_builtin_scripting',`
 allow httpd_t httpd_$1_script_rw_t:dir create_dir_perms;
@@ -199,8 +217,6 @@ template(`apache_content_template',`
 ')
 ifdef(`TODO',`
- anonymous_domain(httpd_$1_script)
-
 #
 # If a user starts a script by hand it gets the proper context
 #
@@ -216,6 +232,32 @@ template(`apache_content_template',`
 ') dnl end TODO
 ')
+#######################################
+##
+## The per user domain template for the apache module.
+##
+##
+##
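Review bot: The comment above `gen_tunable(allow_httpd_$1_script_anon_write,false)` describes the tunable as "write access", but the rule it gates in the third hunk is `miscfiles_manage_public_files(httpd_$1_script_t)`, which by refpolicy naming is manage permission (create, delete and rename as well as write), and neither that comment nor the new doc block for apache_content_template says the boolean is off by default. I would reword the comment to `# Per-prefix tunable, off by default: when enabled, httpd_$1_script_t gets manage (not just write) access to public file transfer content via miscfiles_manage_public_files.` and add one matching sentence to the template's description. Because the gen_tunable call sits inside the template, each prefix appears to get its own boolean (inferred from placement, not stated on the page), which is worth saying so an administrator knows enabling one does not enable the others. The unconditional `miscfiles_read_public_files(httpd_$1_script_t)` in the second hunk is the read side and should be distinguished from this gated write path in the same comment.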

+## This template creates types used for web pages
+## and web cgi to be used from the user home directory.
+##

+##

+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+##

+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+## The type of the user domain.
+##
+##
+## The role associated with the user domain.
+##
+#
 template(`apache_per_userdomain_template', `
 apache_content_template($1)
@@ -249,16 +291,16 @@ template(`apache_per_userdomain_template', `
 allow $2 httpd_$1_script_exec_t:lnk_file { create_lnk_perms relabelto relabelfrom };
 ifdef(`targeted_policy',`
- tunable_policy(`httpd_enable_cgi && httpd_unified && ! httpd_disable_trans',`
- domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
+ tunable_policy(`httpd_enable_cgi',`
+ domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
 allow $2 httpd_$1_script_t:fd use;
 allow httpd_$1_script_t $2:fd use;
 allow httpd_$1_script_t $2:fifo_file rw_file_perms;
 allow httpd_$1_script_t $2:process sigchld;
 ')
- tunable_policy(`httpd_enable_cgi && ! httpd_disable_trans',`
- domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
 allow $2 httpd_$1_script_t:fd use;
 allow httpd_$1_script_t $2:fd use;
 allow httpd_$1_script_t $2:fifo_file rw_file_perms;
@@ -275,7 +317,7 @@ template(`apache_per_userdomain_template', `
 ')
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
- domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
+ domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
 allow $2 httpd_$1_script_t:fd use;
 allow httpd_$1_script_t $2:fd use;
 allow httpd_$1_script_t $2:fifo_file rw_file_perms;
@@ -293,7 +335,7 @@ template(`apache_per_userdomain_template', `
 ########################################
 ##
-## Transition to Apache.
+## Transition to apache.
 ##
 ##
 ## Domain allowed access.
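Review bot: In the targeted_policy branch the `httpd_enable_cgi && httpd_unified` block is now textually identical to the one in the following hunk (same tunable, same `domain_auto_trans($2, httpdcontent, httpd_$1_script_t)`, same fd/fifo_file/process rules), so the two copies will drift on the next edit; if the second copy is the non-targeted side of the same ifdef, which the hunk header suggests but the hunk does not show, the block could be hoisted out of the ifdef so it is written once. Either way the httpd_unified block deserves a comment, since domain_auto_trans over an attribute makes every type carrying it an entry point: `# With httpd_unified, any type carrying the httpdcontent attribute (including httpd_$1_content_t) becomes an entry point into httpd_$1_script_t, not only httpd_$1_script_exec_t.` That is the least-privilege trade-off the tunable makes and it is not documented anywhere in the template's new doc block. The enclosing template body begins and ends outside this hunk.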