diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te
index 61f247e95..255e63cd7 100644
--- a/policy/modules/roles/guest.te
+++ b/policy/modules/roles/guest.te
@@ -17,7 +17,7 @@ kernel_read_system_state(guest_t)
#
optional_policy(`
- apache_role(guest_r, guest_t)
+ apache_role(guest, guest_t, guest_application_exec_domain, guest_r)
')
optional_policy(`
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index b402c2aab..9332c1b27 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -16,7 +16,7 @@ userdom_unpriv_user_template(staff)
corenet_ib_access_unlabeled_pkeys(staff_t)
optional_policy(`
- apache_role(staff_r, staff_t)
+ apache_role(staff, staff_t, staff_application_exec_domain, staff_r)
')
optional_policy(`
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 91baa9cf8..3cdb593e0 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -140,7 +140,7 @@ optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
- apache_role(sysadm_r, sysadm_t)
+ apache_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
')
optional_policy(`
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 1fbb26112..9f570514e 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -13,7 +13,7 @@ policy_module(unprivuser, 2.12.1)
userdom_unpriv_user_template(user)
optional_policy(`
- apache_role(user_r, user_t)
+ apache_role(user, user_t, user_application_exec_domain, user_r)
')
optional_policy(`
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
index 3b3674988..30c5da762 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -86,7 +86,7 @@ optional_policy(`
')
optional_policy(`
- apache_role(xguest_r, xguest_t)
+ apache_role(xguest, xguest_t, xguest_application_exec_domain, xguest_r)
')
optional_policy(`
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 1695af750..11a7120e4 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -106,18 +106,29 @@ template(`apache_content_template',`
##
## Role access for apache.
##
+##
+##
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+##
+## User domain for the role.
+##
+##
+##
+##
+## User exec domain for execute and transition access.
+##
+##
##
##
## Role allowed access
##
##
-##
-##
-## User domain for the role.
-##
-##
#
-interface(`apache_role',`
+template(`apache_role',`
gen_require(`
attribute httpdcontent;
type httpd_user_content_t, httpd_user_htaccess_t;
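Review bot: The parameter order changes incompatibly in this hunk: `$1` used to be the role and is now the role prefix, and the role moves to `$4`. m4 does not check argument counts, so a leftover two-argument caller would expand with empty `$3` and `$4` and most likely fail with an unhelpful syntax error on the `role ... types` line instead of a clear message. The description block could state the contract explicitly, for example `## All four parameters are required; the former (role, domain) form is no longer accepted.` It is also worth confirming that no callers remain beyond the call sites updated in this diff. The template body continues past the end of this hunk.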
@@ -125,7 +136,7 @@ interface(`apache_role',`
type httpd_user_ra_content_t, httpd_user_rw_content_t;
')
- role $1 types httpd_user_script_t;
+ role $4 types httpd_user_script_t;
allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
@@ -154,11 +165,15 @@ interface(`apache_role',`
filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs")
tunable_policy(`httpd_enable_cgi',`
- domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
+ domtrans_pattern($3, httpd_user_script_exec_t, httpd_user_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
- domtrans_pattern($2, httpdcontent, httpd_user_script_t)
+ domtrans_pattern($3, httpdcontent, httpd_user_script_t)
+ ')
+
+ optional_policy(`
+ systemd_user_app_status($1, httpd_user_script_t)
')
')
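Review bot: Both `domtrans_pattern` calls now take `$3` instead of `$2` as the source, so the transition into `httpd_user_script_t` is granted to whatever the caller passes as the exec domain, not only to the user domain. If the `*_application_exec_domain` names are attributes (their declarations are not in this diff), every type carrying one gains execute and transition access to user script content once `httpd_enable_cgi` is on. At the call sites that includes `sysadm_application_exec_domain` and `unconfined_application_exec_domain`. The parameter description should make that widening visible to policy reviewers, for example `## Attribute whose member types may execute user script content and transition to httpd_user_script_t when httpd_enable_cgi is enabled.` The template body starts outside this hunk, so the `allow` rules that still use `$2` are only partly visible here.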
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 385c88695..d312ca0ca 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -72,7 +72,7 @@ ifdef(`init_systemd',`
optional_policy(`
apache_run_helper(unconfined_t, unconfined_r)
- apache_role(unconfined_r, unconfined_t)
+ apache_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r)
')
optional_policy(`