Second part of Apache patch from Dan Walsh.

2010-04-05 10:57:52 -04:00 · 2010-04-05 10:57:52 -04:00 · 60def66b13
parent 83caba3eb9
commit 60def66b13
5 changed files with 310 additions and 68 deletions
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@ -1,5 +1,5 @@

-policy_module(corenetwork, 1.13.9)
+policy_module(corenetwork, 1.13.10)

 ########################################
 #
@ -138,6 +138,7 @@ network_port(memcache, tcp,11211,s0, udp,11211,s0)
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
+network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0)
 network_port(munin, tcp,4949,s0, udp,4949,s0)
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
 portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@ -5164,6 +5164,25 @@ interface(`files_rw_generic_pids',`
 	rw_files_pattern($1, var_run_t, var_run_t)
 ')

+########################################
+## <summary>
+##	Do not audit attempts to get the attributes of
+##	daemon runtime data files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_pids',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	dontaudit $1 pidfile:file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to write to daemon runtime data files.
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@ -1,5 +1,5 @@

-policy_module(files, 1.12.4)
+policy_module(files, 1.12.5)

 ########################################
 #
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@ -49,10 +49,11 @@ template(`apache_content_template',`
 	typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
 	files_type(httpd_$1_ra_content_t)

-	allow httpd_t httpd_$1_htaccess_t:file read_file_perms;
+	read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)

 	domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)

+	allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
 	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;

 	allow httpd_$1_script_t self:fifo_file rw_file_perms;
@ -69,7 +70,7 @@ template(`apache_content_template',`
 	logging_search_logs(httpd_$1_script_t)

 	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
-	allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms;
+	allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;

 	allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
 	read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
@ -173,50 +174,6 @@ template(`apache_content_template',`
 		miscfiles_read_localization(httpd_$1_script_t)
 	')

-	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
-		allow httpd_$1_script_t self:udp_socket create_socket_perms;
-
-		corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
-		corenet_all_recvfrom_netlabel(httpd_$1_script_t)
-		corenet_tcp_sendrecv_generic_if(httpd_$1_script_t)
-		corenet_udp_sendrecv_generic_if(httpd_$1_script_t)
-		corenet_tcp_sendrecv_generic_node(httpd_$1_script_t)
-		corenet_udp_sendrecv_generic_node(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
-
-		sysnet_read_config(httpd_$1_script_t)
-	')
-
-	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
-		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
-		allow httpd_$1_script_t self:udp_socket create_socket_perms;
-
-		corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
-		corenet_all_recvfrom_netlabel(httpd_$1_script_t)
-		corenet_tcp_sendrecv_generic_if(httpd_$1_script_t)
-		corenet_udp_sendrecv_generic_if(httpd_$1_script_t)
-		corenet_tcp_sendrecv_generic_node(httpd_$1_script_t)
-		corenet_udp_sendrecv_generic_node(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
-		corenet_tcp_connect_all_ports(httpd_$1_script_t)
-		corenet_sendrecv_all_client_packets(httpd_$1_script_t)
-
-		sysnet_read_config(httpd_$1_script_t)
-	')
-
-	optional_policy(`
-		mta_send_mail(httpd_$1_script_t)
-	')
-
-	optional_policy(`
-		tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-			mysql_tcp_connect(httpd_$1_script_t)
-		')
-	')
-
 	optional_policy(`
 		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
 			nis_use_ypbind_uncond(httpd_$1_script_t)
@ -355,6 +312,24 @@ interface(`apache_domtrans',`
 	domtrans_pattern($1, httpd_exec_t, httpd_t)
 ')

+#######################################
+## <summary>
+##	Send a generic signal to apache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_signal',`
+	gen_require(`
+		type httpd_t;
+	')
+
+	allow $1 httpd_t:process signal;
+')
+
 ########################################
 ## <summary>
 ##	Send a null signal to apache.
@ -409,6 +384,25 @@ interface(`apache_use_fds',`
 	allow $1 httpd_t:fd use;
 ')

+########################################
+## <summary>
+##	Do not audit attempts to read and write Apache
+##	unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_fifo_file',`
+	gen_require(`
+		type httpd_t;
+	')
+
+	dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read and write Apache
@ -472,6 +466,44 @@ interface(`apache_manage_all_content',`
 	manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
 ')

+########################################
+## <summary>
+##	Allow domain to  set the attributes
+##	of the APACHE cache directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_setattr_cache_dirs',`
+	gen_require(`
+		type httpd_cache_t;
+	')
+
+	allow $1 httpd_cache_t:dir setattr;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to list
+##	Apache cache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_list_cache',`
+	gen_require(`
+		type httpd_cache_t;
+	')
+
+	list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to read
@ -491,6 +523,25 @@ interface(`apache_rw_cache_files',`
 	allow $1 httpd_cache_t:file rw_file_perms;
 ')

+########################################
+## <summary>
+##	Allow the specified domain to delete
+##	Apache cache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_delete_cache_files',`
+	gen_require(`
+		type httpd_cache_t;
+	')
+
+	delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to read
@ -560,7 +611,7 @@ interface(`apache_domtrans_helper',`
 ## <summary>
 ##	Execute the Apache helper program with
 ##	a domain transition, and allow the
-##	specified role the dmidecode domain.
+##	specified role the Apache helper domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -569,7 +620,7 @@ interface(`apache_domtrans_helper',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	The role to be allowed the dmidecode domain.
+##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@ -1015,6 +1066,45 @@ interface(`apache_search_sys_script_state',`
 	allow $1 httpd_sys_script_t:dir search_dir_perms;
 ')

+########################################
+## <summary>
+##	Allow the specified domain to read
+##	apache tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_read_tmp_files',`
+	gen_require(`
+		type httpd_config_t;
+	')
+
+	files_search_tmp($1)
+	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
+')
+
+########################################
+## <summary>
+##	Dontaudit attempts to write 
+##	apache tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_dontaudit_write_tmp_files',`
+	gen_require(`
+		type httpd_config_t;
+	')
+
+	dontaudit $1 httpd_tmp_t:file write_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Execute CGI in the specified domain.
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@ -1,5 +1,5 @@

-policy_module(apache, 2.1.1)
+policy_module(apache, 2.1.2)

 #
 # NOTES: 
@ -63,6 +63,20 @@ gen_tunable(httpd_can_network_connect_db, false)
 ## </desc>
 gen_tunable(httpd_can_network_relay, false)

+## <desc>
+## <p>
+## Allow http daemon to send mail
+## </p>
+## </desc>
+gen_tunable(httpd_can_sendmail, false)
+
+## <desc>
+## <p>
+## Allow Apache to communicate with avahi service via dbus
+## </p>
+## </desc>
+gen_tunable(httpd_dbus_avahi, false)
+
 ## <desc>
 ## <p>
 ## Allow httpd cgi support
@ -108,6 +122,27 @@ gen_tunable(httpd_tty_comm, false)
 ## </desc>
 gen_tunable(httpd_unified, false)

+## <desc>
+## <p>
+## Allow httpd to access cifs file systems
+## </p>
+## </desc>
+gen_tunable(httpd_use_cifs, false)
+
+## <desc>
+## <p>
+## Allow httpd to run gpg
+## </p>
+## </desc>
+gen_tunable(httpd_use_gpg, false)
+
+## <desc>
+## <p>
+## Allow httpd to access nfs file systems
+## </p>
+## </desc>
+gen_tunable(httpd_use_nfs, false)
+
 attribute httpdcontent;
 attribute httpd_user_content_type;

@ -232,7 +267,7 @@ optional_policy(`
 # Apache server local policy
 #

-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
 dontaudit httpd_t self:capability { net_admin sys_tty_config };
 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow httpd_t self:fd use;
@ -274,6 +309,7 @@ logging_log_filetrans(httpd_t, httpd_log_t, file)
 allow httpd_t httpd_modules_t:dir list_dir_perms;
 mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)

 apache_domtrans_rotatelogs(httpd_t)
 # Apache-httpd needs to be able to send signals to the log rotate procs.
@ -289,9 +325,12 @@ allow httpd_t httpd_sys_content_t:dir list_dir_perms;
 read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
 read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)

+allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir })
+manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })

 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
 manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
@ -303,9 +342,11 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_fil
 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)

+setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
 manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
 manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
+files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })

 manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@ -346,6 +387,7 @@ corecmd_exec_shell(httpd_t)

 domain_use_interactive_fds(httpd_t)

+files_dontaudit_getattr_all_pids(httpd_t)
 files_read_usr_files(httpd_t)
 files_list_mnt(httpd_t)
 files_search_spool(httpd_t)
@ -374,8 +416,6 @@ seutil_dontaudit_search_config(httpd_t)

 userdom_use_unpriv_users_fds(httpd_t)

-mta_send_mail(httpd_t)
-
 tunable_policy(`allow_httpd_anon_write',`
 	miscfiles_manage_public_files(httpd_t)
 ') 
@ -399,12 +439,21 @@ tunable_policy(`httpd_can_network_relay',`
 	corenet_tcp_connect_ftp_port(httpd_t)
 	corenet_tcp_connect_http_port(httpd_t)
 	corenet_tcp_connect_http_cache_port(httpd_t)
+	corenet_tcp_connect_memcache_port(httpd_t)
 	corenet_sendrecv_gopher_client_packets(httpd_t)
 	corenet_sendrecv_ftp_client_packets(httpd_t)
 	corenet_sendrecv_http_client_packets(httpd_t)
 	corenet_sendrecv_http_cache_client_packets(httpd_t)
 ')

+tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
+	fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)

@ -431,6 +480,13 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_symlinks(httpd_t)
 ')

+tunable_policy(`httpd_can_sendmail',`
+	# allow httpd to connect to mail servers
+	corenet_tcp_connect_smtp_port(httpd_t)
+	corenet_sendrecv_smtp_client_packets(httpd_t)
+	mta_send_mail(httpd_t)
+')
+
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
 	allow httpd_sys_script_t httpd_t:fd use;
@ -452,6 +508,10 @@ optional_policy(`
 	calamaris_read_www_files(httpd_t)
 ')

+optional_policy(`
+	ccs_read_config(httpd_t)
+')
+
 optional_policy(`
 	cobbler_search_lib(httpd_t)
 ')
@ -460,10 +520,28 @@ optional_policy(`
 	cron_system_entry(httpd_t, httpd_exec_t)
 ')

+optional_policy(`
+	cvs_read_data(httpd_t)
+')
+
 optional_policy(`
 	daemontools_service_domain(httpd_t, httpd_exec_t)
 ')

+ optional_policy(`
+	dbus_system_bus_client(httpd_t)
+
+	tunable_policy(`httpd_dbus_avahi',`
+		avahi_dbus_chat(httpd_t)
+	')
+')
+
+optional_policy(`
+	tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+		gpg_domtrans(httpd_t)
+	')
+')
+
 optional_policy(`
 	kerberos_keytab_template(httpd, httpd_t)
 ')
@ -471,6 +549,7 @@ optional_policy(`
 optional_policy(`
 	mailman_signal_cgi(httpd_t)
 	mailman_domtrans_cgi(httpd_t)
+	mailman_read_data_files(httpd_t)
 	# should have separate types for public and private archives
 	mailman_search_data(httpd_t)
 	mailman_read_archive(httpd_t)
@ -488,7 +567,6 @@ optional_policy(`

 optional_policy(`
 	nagios_read_config(httpd_t)
-	nagios_domtrans_cgi(httpd_t)
 ')

 optional_policy(`
@ -569,16 +647,31 @@ files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })

 fs_search_auto_mountpoints(httpd_php_t)

+auth_use_nsswitch(httpd_php_t)
+
 libs_exec_lib_files(httpd_php_t)

 userdom_use_unpriv_users_fds(httpd_php_t)

-optional_policy(`
-	mysql_stream_connect(httpd_php_t)
+tunable_policy(`httpd_can_network_connect_db',`
+	corenet_tcp_connect_mysqld_port(httpd_t)
+	corenet_sendrecv_mysqld_client_packets(httpd_t)
+	corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
+	corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
+	corenet_tcp_connect_mysqld_port(httpd_suexec_t)
+	corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
+
+	corenet_tcp_connect_mssql_port(httpd_t)
+	corenet_sendrecv_mssql_client_packets(httpd_t)
+	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+	corenet_tcp_connect_mssql_port(httpd_suexec_t)
+	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
 ')

 optional_policy(`
-	nis_use_ypbind(httpd_php_t)
+	mysql_stream_connect(httpd_php_t)
+	mysql_read_config(httpd_php_t)
 ')

 optional_policy(`
@ -600,7 +693,7 @@ create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)

-allow httpd_suexec_t httpd_t:fifo_file getattr;
+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;

 manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
@ -629,6 +722,7 @@ logging_search_logs(httpd_suexec_t)
 logging_send_syslog_msg(httpd_suexec_t)

 miscfiles_read_localization(httpd_suexec_t)
+miscfiles_read_public_files(httpd_suexec_t)

 tunable_policy(`httpd_can_network_connect',`
 	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
@ -647,11 +741,9 @@ tunable_policy(`httpd_can_network_connect',`
 ')

 tunable_policy(`httpd_enable_cgi && httpd_unified',`
+	allow httpd_sys_script_t httpdcontent:file entrypoint;
 	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-')

-tunable_policy(`httpd_enable_homedirs',`
-	userdom_read_user_home_content_files(httpd_suexec_t)
 ')

 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@ -677,15 +769,14 @@ optional_policy(`
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')

-optional_policy(`
-	nagios_domtrans_cgi(httpd_suexec_t)
-')
-
 ########################################
 #
 # Apache system script local policy
 #

+allow httpd_sys_script_t self:process getsched;
+
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };

 dontaudit httpd_sys_script_t httpd_config_t:dir search;
@ -708,6 +799,28 @@ ifdef(`distro_redhat',`
 	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
 ')

+tunable_policy(`httpd_can_sendmail',`
+	mta_send_mail(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+	allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+	corenet_tcp_bind_all_nodes(httpd_sys_script_t)
+	corenet_udp_bind_all_nodes(httpd_sys_script_t)
+	corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
+	corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+	corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
+	corenet_udp_sendrecv_all_if(httpd_sys_script_t)
+	corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
+	corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
+	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+	corenet_tcp_connect_all_ports(httpd_sys_script_t)
+	corenet_sendrecv_all_client_packets(httpd_sys_script_t)
+')
+
 tunable_policy(`httpd_enable_homedirs',`
 	userdom_read_user_home_content_files(httpd_sys_script_t)
 ')
@ -740,6 +853,8 @@ optional_policy(`
 # httpd_rotatelogs local policy
 #

+allow httpd_rotatelogs_t self:capability dac_override;
+
 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)

 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
@ -752,6 +867,23 @@ logging_search_logs(httpd_rotatelogs_t)

 miscfiles_read_localization(httpd_rotatelogs_t)

+########################################
+#
+# Unconfined script local policy
+#
+
+optional_policy(`
+	type httpd_unconfined_script_t;
+	type httpd_unconfined_script_exec_t;
+	domain_type(httpd_unconfined_script_t)
+	domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
+	domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+	unconfined_domain(httpd_unconfined_script_t)
+
+	role system_r types httpd_unconfined_script_t;
+	allow httpd_t httpd_unconfined_script_t:process signal_perms;
+')
+
 ########################################
 #
 # User content local policy