add most of apache
This commit is contained in:
parent
a5ec7cb6c4
commit
a996bdf4ad
|
@ -48,6 +48,27 @@ gen_tunable(ftp_home_dir,false)
|
|||
## Allow ftpd to run directly without inetd
|
||||
gen_tunable(ftpd_is_daemon,false)
|
||||
|
||||
## Allow httpd to use built in scripting (usually php)
|
||||
gen_tunable(httpd_builtin_scripting,false)
|
||||
|
||||
## Allow http daemon to tcp connect
|
||||
gen_tunable(httpd_can_network_connect,false)
|
||||
|
||||
## Allow httpd cgi support
|
||||
gen_tunable(httpd_enable_cgi,false)
|
||||
|
||||
## Allow httpd to read home directories
|
||||
gen_tunable(httpd_enable_homedirs,false)
|
||||
|
||||
## Run SSI execs in system CGI script domain.
|
||||
gen_tunable(httpd_ssi_exec,false)
|
||||
|
||||
## Allow http daemon to communicate with the TTY
|
||||
gen_tunable(httpd_tty_comm,false)
|
||||
|
||||
## Run CGI in the main httpd domain
|
||||
gen_tunable(httpd_unified,false)
|
||||
|
||||
## Allow BIND to write the master zone files.
|
||||
## Generally this is used for dynamic DNS.
|
||||
gen_tunable(named_write_master_zones,false)
|
||||
|
|
|
@ -137,6 +137,12 @@ optional_policy(`acct.te',`
|
|||
acct_exec_data(logrotate_t)
|
||||
')
|
||||
|
||||
optional_policy(`apache.te',`
|
||||
apache_read_config(logrotate_t)
|
||||
apache_domtrans(logrotate_t)
|
||||
apache_signull(logrotate_t)
|
||||
')
|
||||
|
||||
optional_policy(`consoletype.te',`
|
||||
consoletype_exec(logrotate_t)
|
||||
|
||||
|
|
|
@ -0,0 +1,66 @@
|
|||
|
||||
HOME_DIR/((www)|(web)|(public_html))(/.+)? context_template(system_u:object_r:httpd_ROLE_content_t,s0)
|
||||
|
||||
/etc/apache(2)?(/.*)? context_template(system_u:object_r:httpd_config_t,s0)
|
||||
/etc/apache-ssl(2)?(/.*)? context_template(system_u:object_r:httpd_config_t,s0)
|
||||
/etc/htdig(/.*)? context_template(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/etc/httpd -d context_template(system_u:object_r:httpd_config_t,s0)
|
||||
/etc/httpd/conf.* context_template(system_u:object_r:httpd_config_t,s0)
|
||||
/etc/httpd/logs context_template(system_u:object_r:httpd_log_t,s0)
|
||||
/etc/httpd/modules context_template(system_u:object_r:httpd_modules_t,s0)
|
||||
/etc/vhosts -- context_template(system_u:object_r:httpd_config_t,s0)
|
||||
|
||||
/srv/([^/]*/)?www(/.*)? context_template(system_u:object_r:httpd_sys_content_t,s0)
|
||||
|
||||
/usr/bin/htsslpass -- context_template(system_u:object_r:httpd_helper_exec_t,s0)
|
||||
|
||||
/usr/lib/apache-ssl/.+ -- context_template(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/lib/cgi-bin(/.*)? context_template(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
/usr/lib(64)?/apache(/.*)? context_template(system_u:object_r:httpd_modules_t,s0)
|
||||
/usr/lib(64)?/apache2/modules(/.*)? context_template(system_u:object_r:httpd_modules_t,s0)
|
||||
/usr/lib(64)?/apache(2)?/suexec(2)? -- context_template(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||
/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- context_template(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||
/usr/lib(64)?/httpd(/.*)? context_template(system_u:object_r:httpd_modules_t,s0)
|
||||
|
||||
/usr/sbin/apache(2)? -- context_template(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/apache-ssl(2)? -- context_template(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/httpd(\.worker)? -- context_template(system_u:object_r:httpd_exec_t,s0)
|
||||
ifdef(`distro_suse', `
|
||||
/usr/sbin/httpd2-.* -- context_template(system_u:object_r:httpd_exec_t,s0)
|
||||
')
|
||||
/usr/sbin/suexec -- context_template(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||
|
||||
/usr/share/htdig(/.*)? context_template(system_u:object_r:httpd_sys_content_t,s0)
|
||||
|
||||
/var/cache/httpd(/.*)? context_template(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/mod_ssl(/.*)? context_template(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/php-eaccelerator(/.*)? context_template(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/php-mmcache(/.*)? context_template(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/ssl.*\.sem -- context_template(system_u:object_r:httpd_cache_t,s0)
|
||||
|
||||
/var/lib/htdig(/.*)? context_template(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/var/lib/httpd(/.*)? context_template(system_u:object_r:httpd_var_lib_t,s0)
|
||||
/var/lib/php/session(/.*)? context_template(system_u:object_r:httpd_var_run_t,s0)
|
||||
/var/lib/squirrelmail/prefs(/.*)? context_template(system_u:object_r:httpd_squirrelmail_t,s0)
|
||||
|
||||
/var/log/apache(2)?(/.*)? context_template(system_u:object_r:httpd_log_t,s0)
|
||||
/var/log/apache-ssl(2)?(/.*)? context_template(system_u:object_r:httpd_log_t,s0)
|
||||
/var/log/cgiwrap\.log.* -- context_template(system_u:object_r:httpd_log_t,s0)
|
||||
/var/log/httpd(/.*)? context_template(system_u:object_r:httpd_log_t,s0)
|
||||
ifdef(`distro_debian', `
|
||||
/var/log/horde2(/.*)? context_template(system_u:object_r:httpd_log_t,s0)
|
||||
')
|
||||
|
||||
/var/run/apache.* context_template(system_u:object_r:httpd_var_run_t,s0)
|
||||
/var/run/gcache_port -s context_template(system_u:object_r:httpd_var_run_t,s0)
|
||||
|
||||
/var/spool/gosa(/.*)? context_template(system_u:object_r:httpd_sys_script_rw_t,s0)
|
||||
/var/spool/squirrelmail(/.*)? context_template(system_u:object_r:squirrelmail_spool_t,s0)
|
||||
ifdef(`targeted_policy', `', `
|
||||
/var/spool/cron/apache -- context_template(system_u:object_r:user_cron_spool_t,s0)
|
||||
')
|
||||
|
||||
/var/www(/.*)? context_template(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/var/www/cgi-bin(/.*)? context_template(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
/var/www/icons(/.*)? context_template(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/var/www/perl(/.*)? context_template(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
@ -0,0 +1,353 @@
|
|||
## <summary>Apache web server</summary>
|
||||
|
||||
template(`apache_content_template',`
|
||||
|
||||
#This type is for webpages
|
||||
type httpd_$1_content_t, httpdcontent; # customizable
|
||||
files_type(httpd_$1_content_t)
|
||||
|
||||
# This type is used for .htaccess files
|
||||
type httpd_$1_htaccess_t; # customizable;
|
||||
files_type(httpd_$1_htaccess_t)
|
||||
|
||||
# Type that CGI scripts run as
|
||||
type httpd_$1_script_t;
|
||||
domain_type(httpd_$1_script_t)
|
||||
role system_r types httpd_$1_script_t;
|
||||
|
||||
# This type is used for executable scripts files
|
||||
type httpd_$1_script_exec_t; # customizable;
|
||||
domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)
|
||||
|
||||
# The following three are the only areas that
|
||||
# scripts can read, read/write, or append to
|
||||
type httpd_$1_script_ro_t, httpdcontent; # customizable
|
||||
files_type(httpd_$1_script_ro_t)
|
||||
|
||||
type httpd_$1_script_rw_t, httpdcontent; # customizable
|
||||
files_type(httpd_$1_script_rw_t)
|
||||
|
||||
type httpd_$1_script_ra_t, httpdcontent; # customizable
|
||||
files_type(httpd_$1_script_ra_t)
|
||||
|
||||
allow httpd_t httpd_$1_htaccess_t:file r_file_perms;
|
||||
|
||||
domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
||||
allow httpd_suexec_t httpd_$1_script_t:fd use;
|
||||
allow httpd_$1_script_t httpd_suexec_t:fd use;
|
||||
allow httpd_$1_script_t httpd_suexec_t:fifo_file rw_file_perms;
|
||||
allow httpd_$1_script_t httpd_suexec_t:process sigchld;
|
||||
|
||||
allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
|
||||
|
||||
allow httpd_$1_script_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow httpd_$1_script_t httpd_t:fifo_file write;
|
||||
# apache should set close-on-exec
|
||||
dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
|
||||
|
||||
# Allow the script process to search the cgi directory, and users directory
|
||||
allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
|
||||
|
||||
allow httpd_$1_script_t httpd_log_t:file { getattr append };
|
||||
allow httpd_$1_script_t httpd_log_t:dir search;
|
||||
logging_search_logs(httpd_$1_script_t)
|
||||
|
||||
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
|
||||
allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
|
||||
|
||||
allow httpd_$1_script_t httpd_$1_script_ra_t:dir ra_dir_perms;
|
||||
allow httpd_$1_script_t httpd_$1_script_ra_t:file ra_file_perms;
|
||||
allow httpd_$1_script_t httpd_$1_script_ra_t:lnk_file { getattr read };
|
||||
|
||||
allow httpd_$1_script_t httpd_$1_script_ro_t:dir { getattr read search };
|
||||
allow httpd_$1_script_t httpd_$1_script_ro_t:file { read getattr };
|
||||
allow httpd_$1_script_t httpd_$1_script_ro_t:lnk_file { getattr read };
|
||||
|
||||
allow httpd_$1_script_t httpd_$1_script_rw_t:dir create_dir_perms;
|
||||
allow httpd_$1_script_t httpd_$1_script_rw_t:file create_file_perms;
|
||||
allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
|
||||
allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms;
|
||||
allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
|
||||
files_create_tmp_files(httpd_$1_script_t,httpd_$1_script_rw_t,{ file lnk_file sock_file fifo_file })
|
||||
|
||||
dev_read_rand(httpd_$1_script_t)
|
||||
dev_read_urand(httpd_$1_script_t)
|
||||
|
||||
corecmd_exec_bin(httpd_$1_script_t)
|
||||
corecmd_exec_sbin(httpd_$1_script_t)
|
||||
|
||||
domain_exec_all_entry_files(httpd_$1_script_t)
|
||||
|
||||
files_exec_etc_files(httpd_$1_script_t)
|
||||
files_read_etc_files(httpd_$1_script_t)
|
||||
files_search_home(httpd_$1_script_t)
|
||||
|
||||
libs_use_ld_so(httpd_$1_script_t)
|
||||
libs_use_shared_libs(httpd_$1_script_t)
|
||||
libs_exec_ld_so(httpd_$1_script_t)
|
||||
libs_exec_lib_files(httpd_$1_script_t)
|
||||
|
||||
miscfiles_read_fonts(httpd_$1_script_t)
|
||||
|
||||
seutil_dontaudit_search_config(httpd_$1_script_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified && ! httpd_disable_trans',`
|
||||
allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
|
||||
allow httpd_$1_script_t httpdcontent:file create_file_perms;
|
||||
allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
|
||||
can_exec(httpd_$1_script_t, httpdcontent)
|
||||
')
|
||||
',`
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
|
||||
allow httpd_$1_script_t httpdcontent:file create_file_perms;
|
||||
allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
|
||||
can_exec(httpd_$1_script_t, httpdcontent)
|
||||
')
|
||||
')
|
||||
|
||||
# Allow the web server to run scripts and serve pages
|
||||
tunable_policy(`httpd_builtin_scripting',`
|
||||
allow httpd_t httpd_$1_script_rw_t:dir create_dir_perms;
|
||||
allow httpd_t httpd_$1_script_rw_t:file create_file_perms;
|
||||
allow httpd_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
|
||||
allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;
|
||||
|
||||
allow httpd_t httpd_$1_script_ra_t:dir ra_dir_perms;
|
||||
allow httpd_t httpd_$1_script_ra_t:file ra_file_perms;
|
||||
allow httpd_t httpd_$1_script_ra_t:lnk_file { getattr read };
|
||||
|
||||
allow httpd_t httpd_$1_script_ro_t:dir r_dir_perms;
|
||||
allow httpd_t httpd_$1_script_ro_t:file r_file_perms;
|
||||
allow httpd_t httpd_$1_script_ro_t:lnk_file { getattr read };
|
||||
|
||||
allow httpd_t httpd_$1_content_t:dir r_dir_perms;
|
||||
allow httpd_t httpd_$1_content_t:file r_file_perms;
|
||||
allow httpd_t httpd_$1_content_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi',`
|
||||
domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
||||
allow httpd_t httpd_$1_script_t:fd use;
|
||||
allow httpd_$1_script_t httpd_t:fd use;
|
||||
allow httpd_$1_script_t httpd_t:fifo_file rw_file_perms;
|
||||
allow httpd_$1_script_t httpd_t:process sigchld;
|
||||
|
||||
allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
|
||||
allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
|
||||
allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
|
||||
|
||||
allow httpd_$1_script_t self:process signal_perms;
|
||||
allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
allow httpd_$1_script_t httpd_t:fd use;
|
||||
allow httpd_$1_script_t httpd_t:process sigchld;
|
||||
|
||||
kernel_read_system_state(httpd_$1_script_t)
|
||||
|
||||
dev_read_urand(httpd_$1_script_t)
|
||||
|
||||
fs_getattr_xattr_fs(httpd_$1_script_t)
|
||||
|
||||
files_read_etc_runtime_files(httpd_$1_script_t)
|
||||
files_read_usr_files(httpd_$1_script_t)
|
||||
|
||||
libs_read_lib(httpd_$1_script_t)
|
||||
|
||||
miscfiles_read_localization(httpd_$1_script_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
||||
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
|
||||
allow httpd_$1_script_t self:udp_socket create_socket_perms;
|
||||
corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
|
||||
corenet_udp_sendrecv_all_if(httpd_$1_script_t)
|
||||
corenet_raw_sendrecv_all_if(httpd_$1_script_t)
|
||||
corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
|
||||
corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
|
||||
corenet_raw_sendrecv_all_nodes(httpd_$1_script_t)
|
||||
corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
|
||||
corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
|
||||
corenet_tcp_bind_all_nodes(httpd_$1_script_t)
|
||||
corenet_udp_bind_all_nodes(httpd_$1_script_t)
|
||||
corenet_tcp_connect_all_ports(httpd_$1_script_t)
|
||||
|
||||
sysnet_read_config(httpd_$1_script_t)
|
||||
')
|
||||
|
||||
optional_policy(`mount.te',`
|
||||
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
||||
mount_send_nfs_client_request(httpd_$1_script_t)
|
||||
')
|
||||
')
|
||||
|
||||
|
||||
optional_policy(`mta.te',`
|
||||
mta_send_mail(httpd_$1_script_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
|
||||
nis_use_ypbind_uncond(httpd_$1_script_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(httpd_$1_script_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
anonymous_domain(httpd_$1_script)
|
||||
|
||||
#
|
||||
# If a user starts a script by hand it gets the proper context
|
||||
#
|
||||
ifdef(`targeted_policy', `', `
|
||||
if (httpd_enable_cgi) {
|
||||
domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
||||
}
|
||||
')
|
||||
role sysadm_r types httpd_$1_script_t;
|
||||
|
||||
dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
|
||||
dontaudit httpd_$1_script_t sysctl_t:dir search;
|
||||
') dnl end TODO
|
||||
')
|
||||
|
||||
template(`apache_per_userdomain_template', `
|
||||
|
||||
apache_content_template($1)
|
||||
|
||||
# typeattribute httpd_$1_content_t $1_file_type;
|
||||
|
||||
role $3 types httpd_$1_script_t;
|
||||
|
||||
allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom };
|
||||
|
||||
allow $2 httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
|
||||
|
||||
allow $2 httpd_$1_script_ra_t:lnk_file { create_lnk_perms relabelto relabelfrom };
|
||||
allow $2 httpd_$1_script_ra_t:dir { create_dir_perms relabelto relabelfrom };
|
||||
allow $2 httpd_$1_script_ra_t:file { create_file_perms relabelto relabelfrom };
|
||||
|
||||
allow $2 httpd_$1_script_ro_t:lnk_file { create_lnk_perms relabelto relabelfrom };
|
||||
allow $2 httpd_$1_script_ro_t:dir { create_dir_perms relabelto relabelfrom };
|
||||
allow $2 httpd_$1_script_ro_t:file { create_file_perms relabelto relabelfrom };
|
||||
|
||||
allow $2 httpd_$1_script_rw_t:lnk_file { create_lnk_perms relabelto relabelfrom };
|
||||
allow $2 httpd_$1_script_rw_t:dir { create_dir_perms relabelto relabelfrom };
|
||||
allow $2 httpd_$1_script_rw_t:file { create_file_perms relabelto relabelfrom };
|
||||
|
||||
allow $2 httpd_$1_script_exec_t:dir create_dir_perms;
|
||||
allow $2 httpd_$1_script_exec_t:file create_file_perms;
|
||||
allow $2 httpd_$1_script_exec_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow $2 httpd_$1_script_exec_t:dir { create_dir_perms relabelto relabelfrom };
|
||||
allow $2 httpd_$1_script_exec_t:file { create_file_perms relabelto relabelfrom };
|
||||
allow $2 httpd_$1_script_exec_t:lnk_file { create_lnk_perms relabelto relabelfrom };
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified && ! httpd_disable_trans',`
|
||||
domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
|
||||
allow $2 httpd_$1_script_t:fd use;
|
||||
allow httpd_$1_script_t $2:fd use;
|
||||
allow httpd_$1_script_t $2:fifo_file rw_file_perms;
|
||||
allow httpd_$1_script_t $2:process sigchld;
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && ! httpd_disable_trans',`
|
||||
domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
|
||||
allow $2 httpd_$1_script_t:fd use;
|
||||
allow httpd_$1_script_t $2:fd use;
|
||||
allow httpd_$1_script_t $2:fifo_file rw_file_perms;
|
||||
allow httpd_$1_script_t $2:process sigchld;
|
||||
')
|
||||
',`
|
||||
tunable_policy(`httpd_enable_cgi',`
|
||||
# If a user starts a script by hand it gets the proper context
|
||||
domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
|
||||
allow $2 httpd_$1_script_t:fd use;
|
||||
allow httpd_$1_script_t $2:fd use;
|
||||
allow httpd_$1_script_t $2:fifo_file rw_file_perms;
|
||||
allow httpd_$1_script_t $2:process sigchld;
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
|
||||
allow $2 httpd_$1_script_t:fd use;
|
||||
allow httpd_$1_script_t $2:fd use;
|
||||
allow httpd_$1_script_t $2:fifo_file rw_file_perms;
|
||||
allow httpd_$1_script_t $2:process sigchld;
|
||||
')
|
||||
')
|
||||
|
||||
# allow accessing files/dirs below the users home dir
|
||||
tunable_policy(`httpd_enable_homedirs',`
|
||||
userdom_search_user_home($1,httpd_t)
|
||||
userdom_search_user_home($1,httpd_suexec_t)
|
||||
userdom_search_user_home($1,httpd_$1_script_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Transition to Apache.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`apache_domtrans',`
|
||||
gen_require(`
|
||||
type httpd_t, httpd_exec_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
domain_auto_trans($1,httpd_exec_t,httpd_t)
|
||||
|
||||
allow $1 httpd_t:fd use;
|
||||
allow httpd_t $1:fd use;
|
||||
allow httpd_t $1:fifo_file rw_file_perms;
|
||||
allow httpd_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a null signal to apache.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`apache_signull',`
|
||||
gen_require(`
|
||||
type httpd_t;
|
||||
')
|
||||
|
||||
allow $1 httpd_t:process signull;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to read
|
||||
## apache configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`apache_read_config',`
|
||||
gen_require(`
|
||||
type httpd_config_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 httpd_config_t:dir r_dir_perms;
|
||||
allow $1 httpd_config_t:file r_file_perms;
|
||||
allow $1 httpd_config_t:lnk_file { getattr read };
|
||||
')
|
|
@ -0,0 +1,647 @@
|
|||
|
||||
policy_module(apache,1.0)
|
||||
|
||||
#
|
||||
# NOTES:
|
||||
# This policy will work with SUEXEC enabled as part of the Apache
|
||||
# configuration. However, the user CGI scripts will run under the
|
||||
# system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
|
||||
# of the creating user.
|
||||
#
|
||||
# The user CGI scripts must be labeled with the httpd_$1_script_exec_t
|
||||
# type, and the directory containing the scripts should also be labeled
|
||||
# with these types. This policy allows user_r role to perform that
|
||||
# relabeling. If it is desired that only sysadm_r should be able to relabel
|
||||
# the user CGI scripts, then relabel rule for user_r should be removed.
|
||||
#
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
attribute httpdcontent;
|
||||
|
||||
type httpd_t;
|
||||
type httpd_exec_t;
|
||||
init_daemon_domain(httpd_t,httpd_exec_t)
|
||||
|
||||
# httpd_cache_t is the type given to the /var/cache/httpd
|
||||
# directory and the files under that directory
|
||||
type httpd_cache_t;
|
||||
files_type(httpd_cache_t)
|
||||
|
||||
# httpd_config_t is the type given to the configuration files
|
||||
type httpd_config_t;
|
||||
files_type(httpd_config_t)
|
||||
|
||||
type httpd_helper_t;
|
||||
domain_type(httpd_helper_t)
|
||||
role system_r types httpd_helper_t;
|
||||
|
||||
type httpd_helper_exec_t;
|
||||
domain_entry_file(httpd_helper_t,httpd_helper_exec_t)
|
||||
|
||||
type httpd_lock_t;
|
||||
files_lock_file(httpd_lock_t)
|
||||
|
||||
type httpd_log_t;
|
||||
logging_log_file(httpd_log_t)
|
||||
|
||||
# httpd_modules_t is the type given to module files (libraries)
|
||||
# that come with Apache /etc/httpd/modules and /usr/lib/apache
|
||||
type httpd_modules_t;
|
||||
files_type(httpd_modules_t)
|
||||
|
||||
type httpd_php_t;
|
||||
domain_type(httpd_php_t)
|
||||
role system_r types httpd_php_t;
|
||||
|
||||
type httpd_php_exec_t;
|
||||
domain_entry_file(httpd_php_t,httpd_php_exec_t)
|
||||
|
||||
type httpd_php_tmp_t;
|
||||
files_tmp_file(httpd_php_tmp_t)
|
||||
|
||||
type httpd_squirrelmail_t;
|
||||
files_type(httpd_squirrelmail_t)
|
||||
|
||||
# SUEXEC runs user scripts as their own user ID
|
||||
type httpd_suexec_t; #, daemon;
|
||||
domain_type(httpd_suexec_t)
|
||||
role system_r types httpd_suexec_t;
|
||||
|
||||
type httpd_suexec_exec_t;
|
||||
domain_entry_file(httpd_suexec_t,httpd_suexec_exec_t)
|
||||
|
||||
type httpd_suexec_tmp_t;
|
||||
files_tmp_file(httpd_suexec_tmp_t)
|
||||
|
||||
type httpd_tmp_t;
|
||||
files_tmp_file(httpd_tmp_t)
|
||||
|
||||
type httpd_tmpfs_t;
|
||||
files_tmpfs_file(httpd_tmpfs_t)
|
||||
|
||||
# Unconfined domain for apache scripts.
|
||||
# Only to be used as a last resort
|
||||
type httpd_unconfined_script_t;
|
||||
domain_type(httpd_unconfined_script_t)
|
||||
role system_r types httpd_unconfined_script_t;
|
||||
|
||||
type httpd_unconfined_script_exec_t; # customizable
|
||||
files_type(httpd_unconfined_script_exec_t)
|
||||
|
||||
# for apache2 memory mapped files
|
||||
type httpd_var_lib_t;
|
||||
files_type(httpd_var_lib_t)
|
||||
|
||||
type httpd_var_run_t;
|
||||
files_pid_file(httpd_var_run_t)
|
||||
|
||||
# File Type of squirrelmail attachments
|
||||
type squirrelmail_spool_t;
|
||||
files_tmp_file(squirrelmail_spool_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Apache server local policy
|
||||
#
|
||||
|
||||
allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
|
||||
dontaudit httpd_t self:capability { net_admin sys_tty_config };
|
||||
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow httpd_t self:fd use;
|
||||
allow httpd_t self:fifo_file rw_file_perms;
|
||||
allow httpd_t self:shm create_shm_perms;
|
||||
allow httpd_t self:sem create_sem_perms;
|
||||
allow httpd_t self:msgq create_msgq_perms;
|
||||
allow httpd_t self:msg { send receive };
|
||||
allow httpd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow httpd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow httpd_t self:unix_dgram_socket sendto;
|
||||
allow httpd_t self:unix_stream_socket connectto;
|
||||
allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
|
||||
allow httpd_t self:tcp_socket { acceptfrom connectto recvfrom };
|
||||
|
||||
allow httpd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow httpd_t self:udp_socket { connect };
|
||||
allow httpd_t self:tcp_socket connected_socket_perms;
|
||||
allow httpd_t self:udp_socket connected_socket_perms;
|
||||
|
||||
# Allow httpd_t to put files in /var/cache/httpd etc
|
||||
allow httpd_t httpd_cache_t:dir create_dir_perms;
|
||||
allow httpd_t httpd_cache_t:file create_file_perms;
|
||||
allow httpd_t httpd_cache_t:lnk_file create_lnk_perms;
|
||||
|
||||
# Allow the httpd_t to read the web servers config files
|
||||
allow httpd_t httpd_config_t:dir r_dir_perms;
|
||||
allow httpd_t httpd_config_t:file r_file_perms;
|
||||
allow httpd_t httpd_config_t:lnk_file { getattr read };
|
||||
|
||||
can_exec(httpd_t, httpd_exec_t)
|
||||
|
||||
allow httpd_t httpd_lock_t:file create_file_perms;
|
||||
files_create_lock(httpd_t,httpd_lock_t)
|
||||
|
||||
allow httpd_t httpd_log_t:dir { setattr rw_dir_perms };
|
||||
allow httpd_t httpd_log_t:file { create ra_file_perms };
|
||||
allow httpd_t httpd_log_t:lnk_file read;
|
||||
|
||||
allow httpd_t httpd_modules_t:file rx_file_perms;
|
||||
allow httpd_t httpd_modules_t:dir r_dir_perms;
|
||||
allow httpd_t httpd_modules_t:lnk_file r_file_perms;
|
||||
|
||||
allow httpd_t httpd_squirrelmail_t:dir create_dir_perms;
|
||||
allow httpd_t httpd_squirrelmail_t:lnk_file create_lnk_perms;
|
||||
allow httpd_t httpd_squirrelmail_t:file create_file_perms;
|
||||
|
||||
allow httpd_t httpd_tmp_t:dir create_dir_perms;
|
||||
allow httpd_t httpd_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(httpd_t, httpd_tmp_t, { file dir })
|
||||
|
||||
allow httpd_t httpd_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||
allow httpd_t httpd_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow httpd_t httpd_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
|
||||
allow httpd_t httpd_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow httpd_t httpd_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
fs_create_tmpfs_data(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
allow httpd_t httpd_var_lib_t:file create_file_perms;
|
||||
allow httpd_t httpd_var_lib_t:dir create_dir_perms;
|
||||
files_create_var_lib(httpd_t,httpd_var_lib_t)
|
||||
|
||||
allow httpd_t httpd_var_run_t:file create_file_perms;
|
||||
allow httpd_t httpd_var_run_t:sock_file create_file_perms;
|
||||
allow httpd_t httpd_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(httpd_t,httpd_var_run_t, { file sock_file })
|
||||
|
||||
allow httpd_t squirrelmail_spool_t:dir create_dir_perms;
|
||||
allow httpd_t squirrelmail_spool_t:file create_file_perms;
|
||||
allow httpd_t squirrelmail_spool_t:lnk_file create_lnk_perms;
|
||||
|
||||
kernel_read_kernel_sysctl(httpd_t)
|
||||
kernel_tcp_recvfrom(httpd_t)
|
||||
# for modules that want to access /proc/meminfo
|
||||
kernel_read_system_state(httpd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(httpd_t)
|
||||
corenet_udp_sendrecv_all_if(httpd_t)
|
||||
corenet_raw_sendrecv_all_if(httpd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(httpd_t)
|
||||
corenet_udp_sendrecv_all_nodes(httpd_t)
|
||||
corenet_raw_sendrecv_all_nodes(httpd_t)
|
||||
corenet_tcp_sendrecv_all_ports(httpd_t)
|
||||
corenet_udp_sendrecv_all_ports(httpd_t)
|
||||
corenet_tcp_bind_all_nodes(httpd_t)
|
||||
corenet_udp_bind_all_nodes(httpd_t)
|
||||
corenet_tcp_bind_http_port(httpd_t)
|
||||
corenet_tcp_bind_http_cache_port(httpd_t)
|
||||
|
||||
dev_read_sysfs(httpd_t)
|
||||
dev_read_rand(httpd_t)
|
||||
dev_read_urand(httpd_t)
|
||||
|
||||
fs_getattr_all_fs(httpd_t)
|
||||
fs_search_auto_mountpoints(httpd_t)
|
||||
|
||||
term_dontaudit_use_console(httpd_t)
|
||||
|
||||
# execute perl
|
||||
corecmd_exec_bin(httpd_t)
|
||||
corecmd_exec_sbin(httpd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(httpd_t)
|
||||
|
||||
files_read_usr_files(httpd_t)
|
||||
files_list_mnt(httpd_t)
|
||||
files_search_spool(httpd_t)
|
||||
files_read_var_lib_files(httpd_t)
|
||||
files_search_home(httpd_t)
|
||||
files_getattr_home_dir(httpd_t)
|
||||
# for modules that want to access /etc/mtab
|
||||
files_read_etc_runtime_files(httpd_t)
|
||||
# Allow httpd_t to have access to files such as nisswitch.conf
|
||||
files_read_etc_files(httpd_t)
|
||||
|
||||
init_use_fd(httpd_t)
|
||||
init_use_script_pty(httpd_t)
|
||||
|
||||
libs_use_ld_so(httpd_t)
|
||||
libs_use_shared_libs(httpd_t)
|
||||
libs_read_lib(httpd_t)
|
||||
|
||||
logging_send_syslog_msg(httpd_t)
|
||||
|
||||
miscfiles_read_localization(httpd_t)
|
||||
miscfiles_read_fonts(httpd_t)
|
||||
|
||||
seutil_dontaudit_search_config(httpd_t)
|
||||
|
||||
sysnet_dns_name_resolve(httpd_t)
|
||||
sysnet_use_ldap(httpd_t)
|
||||
sysnet_read_config(httpd_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(httpd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(httpd_t)
|
||||
|
||||
mta_send_mail(httpd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_tty(httpd_t)
|
||||
term_dontaudit_use_generic_pty(httpd_t)
|
||||
files_dontaudit_read_root_file(httpd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi',`
|
||||
domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
|
||||
allow httpd_t httpd_unconfined_script_t:fd use;
|
||||
allow httpd_unconfined_script_t httpd_t:fd use;
|
||||
allow httpd_unconfined_script_t httpd_t:fifo_file rw_file_perms;
|
||||
allow httpd_unconfined_script_t httpd_t:process sigchld;
|
||||
|
||||
allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
|
||||
allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
fs_read_nfs_files(httpd_t)
|
||||
fs_read_nfs_symlinks(httpd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_t)
|
||||
fs_read_cifs_symlinks(httpd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_can_network_connect',`
|
||||
allow httpd_t self:tcp_socket create_socket_perms;
|
||||
allow httpd_t self:udp_socket { connect };
|
||||
allow httpd_t self:udp_socket connected_socket_perms;
|
||||
|
||||
corenet_tcp_sendrecv_all_if(httpd_t)
|
||||
corenet_udp_sendrecv_all_if(httpd_t)
|
||||
corenet_raw_sendrecv_all_if(httpd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(httpd_t)
|
||||
corenet_udp_sendrecv_all_nodes(httpd_t)
|
||||
corenet_raw_sendrecv_all_nodes(httpd_t)
|
||||
corenet_tcp_sendrecv_all_ports(httpd_t)
|
||||
corenet_udp_sendrecv_all_ports(httpd_t)
|
||||
corenet_tcp_bind_all_nodes(httpd_t)
|
||||
corenet_udp_bind_all_nodes(httpd_t)
|
||||
corenet_tcp_connect_all_ports(httpd_t)
|
||||
|
||||
sysnet_read_config(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`kerberos.te',`
|
||||
kerberos_use(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`mta.te',`
|
||||
# apache should set close-on-exec
|
||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||
')
|
||||
|
||||
optional_policy(`mysql.te',`
|
||||
mysql_stream_connect(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
udev_read_db(httpd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(httpd_t)
|
||||
')
|
||||
|
||||
allow httpd_t var_log_t:dir ra_dir_perms;
|
||||
type_transition httpd_t var_log_t:file httpd_log_t;
|
||||
|
||||
can_tcp_connect(web_client_domain, httpd_t)
|
||||
|
||||
allow httpd_t crypt_device_t:chr_file rw_file_perms;
|
||||
|
||||
# for tomcat
|
||||
allow httpd_t var_lib_t:lnk_file { getattr read };
|
||||
|
||||
#########################################
|
||||
# Allow httpd to search users directories
|
||||
#########################################
|
||||
allow httpd_t home_root_t:dir { getattr search };
|
||||
|
||||
dontaudit httpd_t sysadm_home_dir_t:dir getattr;
|
||||
|
||||
# Allow apache to used ftpd_anon_t
|
||||
anonymous_domain(httpd)
|
||||
|
||||
optional_policy(`mysql.te',`
|
||||
allow httpd_t mysqld_db_t:dir search;
|
||||
allow httpd_t mysqld_db_t:sock_file rw_file_perms;
|
||||
')
|
||||
|
||||
ifdef(`snmpd.te', `
|
||||
dontaudit httpd_t snmpd_var_lib_t:dir search;
|
||||
dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
|
||||
', `
|
||||
dontaudit httpd_t usr_t:dir write;
|
||||
')
|
||||
|
||||
r_dir_file(initrc_t, httpd_config_t)
|
||||
allow initrc_t httpd_modules_t:dir r_dir_perms;
|
||||
|
||||
|
||||
# setup the system domain for system CGI scripts
|
||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
||||
kernel_read_kernel_sysctl(httpd_sys_script_t)
|
||||
allow httpd_sys_script_t var_spool_t:dir { getattr search };
|
||||
r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
|
||||
allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
|
||||
allow httpd_sys_script_t var_lib_t:dir search;
|
||||
|
||||
# Run SSI execs in system CGI script domain.
|
||||
tunable_policy(`httpd_ssi_exec',`
|
||||
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
||||
allow httpd_t httpd_sys_script_t:fd use;
|
||||
allow httpd_sys_script_t httpd_t:fd use;
|
||||
allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
|
||||
allow httpd_sys_script_t httpd_t:process sigchld;
|
||||
')
|
||||
|
||||
optional_policy(`mysql.te',`
|
||||
allow httpd_sys_script_t mysqld_db_t:dir search;
|
||||
allow httpd_sys_script_t mysqld_db_t:sock_file rw_file_perms;
|
||||
|
||||
mysql_stream_connect(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
typealias httpd_sys_content_t alias httpd_user_content_t;
|
||||
typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
|
||||
|
||||
if (httpd_enable_homedirs) {
|
||||
allow httpd_t user_home_dir_t:dir { getattr search };
|
||||
}
|
||||
if (httpd_enable_homedirs) {
|
||||
allow httpd_sys_script_t user_home_dir_t:dir { getattr search };
|
||||
}
|
||||
if (httpd_enable_homedirs) {
|
||||
allow httpd_suexec_t user_home_dir_t:dir { getattr search };
|
||||
}
|
||||
')
|
||||
|
||||
# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
|
||||
typealias httpd_sys_content_t alias httpd_sysadm_content_t;
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
|
||||
# This is a bug but it still exists in FC2
|
||||
typealias httpd_log_t alias httpd_runtime_t;
|
||||
|
||||
allow httpd_sys_script_t httpd_log_t:file { getattr append };
|
||||
')
|
||||
|
||||
########################################
|
||||
# When the admin starts the server, the server wants to access
|
||||
# the TTY or PTY associated with the session. The httpd appears
|
||||
# to run correctly without this permission, so the permission
|
||||
# are dontaudited here.
|
||||
##################################################
|
||||
|
||||
if (httpd_tty_comm) {
|
||||
allow { httpd_t httpd_helper_t } devpts_t:dir search;
|
||||
allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
|
||||
} else {
|
||||
dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
|
||||
}
|
||||
|
||||
r_dir_file(httpd_t, cert_t)
|
||||
|
||||
dontaudit httpd_suexec_t var_run_t:dir search;
|
||||
allow httpd_suexec_t home_root_t:dir search;
|
||||
|
||||
if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
|
||||
domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
|
||||
allow httpd_suexec_t httpd_sys_script_t:fd use;
|
||||
allow httpd_sys_script_t httpd_suexec_t:fd use;
|
||||
allow httpd_sys_script_t httpd_suexec_t:fifo_file rw_file_perms;
|
||||
allow httpd_sys_script_t httpd_suexec_t:process sigchld;
|
||||
|
||||
ifdef(`targeted_policy', `', `
|
||||
domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
|
||||
')
|
||||
}
|
||||
|
||||
if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
|
||||
domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
|
||||
allow httpd_t httpd_sys_script_t:fd use;
|
||||
allow httpd_sys_script_t httpd_t:fd use;
|
||||
allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
|
||||
allow httpd_sys_script_t httpd_t:process sigchld;
|
||||
|
||||
allow httpd_t httpdcontent:dir create_dir_perms;
|
||||
allow httpd_t httpdcontent:file create_file_perms;
|
||||
allow httpd_t httpdcontent:lnk_file create_lnk_perms;
|
||||
}
|
||||
|
||||
tunable_policy(`httpd_enable_cgi',`
|
||||
domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
|
||||
')
|
||||
|
||||
|
||||
optional_policy(`mta.te',`
|
||||
# apache should set close-on-exec
|
||||
dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
|
||||
dontaudit system_mail_t httpd_log_t:file { append getattr };
|
||||
allow system_mail_t httpd_squirrelmail_t:file { append read };
|
||||
dontaudit system_mail_t httpd_t:tcp_socket { read write };
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Apache helper local policy
|
||||
#
|
||||
|
||||
domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
|
||||
allow httpd_t httpd_helper_t:fd use;
|
||||
allow httpd_helper_t httpd_t:fd use;
|
||||
allow httpd_helper_t httpd_t:fifo_file rw_file_perms;
|
||||
allow httpd_helper_t httpd_t:process sigchld;
|
||||
|
||||
allow httpd_helper_t httpd_config_t:file { getattr read };
|
||||
|
||||
allow httpd_helper_t httpd_log_t:file append;
|
||||
|
||||
libs_use_ld_so(httpd_helper_t)
|
||||
libs_use_shared_libs(httpd_helper_t)
|
||||
|
||||
# a "run" interface needs to be
|
||||
# added, and have sysadm_t use it
|
||||
# in a optional_policy block. for httpd_helper_t
|
||||
|
||||
########################################
|
||||
#
|
||||
# Apache PHP script local policy
|
||||
#
|
||||
|
||||
allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow httpd_php_t self:fd use;
|
||||
allow httpd_php_t self:fifo_file rw_file_perms;
|
||||
allow httpd_php_t self:unix_dgram_socket create_socket_perms;
|
||||
allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow httpd_php_t self:unix_dgram_socket sendto;
|
||||
allow httpd_php_t self:unix_stream_socket connectto;
|
||||
allow httpd_php_t self:shm create_shm_perms;
|
||||
allow httpd_php_t self:sem create_sem_perms;
|
||||
allow httpd_php_t self:msgq create_msgq_perms;
|
||||
allow httpd_php_t self:msg { send receive };
|
||||
|
||||
domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t)
|
||||
allow httpd_t httpd_php_t:fd use;
|
||||
allow httpd_php_t httpd_t:fd use;
|
||||
allow httpd_php_t httpd_t:fifo_file rw_file_perms;
|
||||
allow httpd_php_t httpd_t:process sigchld;
|
||||
|
||||
# allow php to read and append to apache logfiles
|
||||
allow httpd_php_t httpd_log_t:file ra_file_perms;
|
||||
|
||||
allow httpd_php_t httpd_php_tmp_t:dir create_dir_perms;
|
||||
allow httpd_php_t httpd_php_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(httpd_php_t, httpd_php_tmp_t, { file dir })
|
||||
|
||||
fs_search_auto_mountpoints(httpd_php_t)
|
||||
|
||||
libs_exec_lib_files(httpd_php_t)
|
||||
libs_use_ld_so(httpd_php_t)
|
||||
libs_use_shared_libs(httpd_php_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(httpd_php_t)
|
||||
|
||||
optional_policy(`mysql.te',`
|
||||
mysql_stream_connect(httpd_php_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(httpd_php_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Apache suexec local policy
|
||||
#
|
||||
|
||||
allow httpd_suexec_t self:capability { setuid setgid };
|
||||
allow httpd_suexec_t self:process signal_perms;
|
||||
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
# cjp: need transitionbool
|
||||
domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
|
||||
allow httpd_t httpd_suexec_t:fd use;
|
||||
allow httpd_suexec_t httpd_t:fd use;
|
||||
allow httpd_suexec_t httpd_t:fifo_file rw_file_perms;
|
||||
allow httpd_suexec_t httpd_t:process sigchld;
|
||||
|
||||
allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
|
||||
allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
|
||||
allow httpd_suexec_t httpd_t:fifo_file getattr;
|
||||
|
||||
allow httpd_suexec_t httpd_suexec_tmp_t:dir create_dir_perms;
|
||||
allow httpd_suexec_t httpd_suexec_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
||||
|
||||
kernel_read_kernel_sysctl(httpd_suexec_t)
|
||||
kernel_list_proc(httpd_suexec_t)
|
||||
kernel_read_proc_symlinks(httpd_suexec_t)
|
||||
|
||||
dev_read_urand(httpd_suexec_t)
|
||||
|
||||
fs_search_auto_mountpoints(httpd_suexec_t)
|
||||
|
||||
# for shell scripts
|
||||
corecmd_exec_bin(httpd_suexec_t)
|
||||
corecmd_exec_shell(httpd_suexec_t)
|
||||
|
||||
files_read_etc_files(httpd_suexec_t)
|
||||
files_read_usr_files(httpd_suexec_t)
|
||||
|
||||
libs_use_ld_so(httpd_suexec_t)
|
||||
libs_use_shared_libs(httpd_suexec_t)
|
||||
|
||||
logging_search_logs(httpd_suexec_t)
|
||||
logging_send_syslog_msg(httpd_suexec_t)
|
||||
|
||||
miscfiles_read_localization(httpd_suexec_t)
|
||||
|
||||
tunable_policy(`httpd_can_network_connect',`
|
||||
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
|
||||
allow httpd_suexec_t self:udp_socket create_socket_perms;
|
||||
|
||||
corenet_tcp_sendrecv_all_if(httpd_suexec_t)
|
||||
corenet_udp_sendrecv_all_if(httpd_suexec_t)
|
||||
corenet_raw_sendrecv_all_if(httpd_suexec_t)
|
||||
corenet_tcp_sendrecv_all_nodes(httpd_suexec_t)
|
||||
corenet_udp_sendrecv_all_nodes(httpd_suexec_t)
|
||||
corenet_raw_sendrecv_all_nodes(httpd_suexec_t)
|
||||
corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
|
||||
corenet_udp_sendrecv_all_ports(httpd_suexec_t)
|
||||
corenet_tcp_bind_all_nodes(httpd_suexec_t)
|
||||
corenet_udp_bind_all_nodes(httpd_suexec_t)
|
||||
corenet_tcp_connect_all_ports(httpd_suexec_t)
|
||||
|
||||
sysnet_read_config(httpd_suexec_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
fs_read_nfs_files(httpd_suexec_t)
|
||||
fs_read_nfs_symlinks(httpd_suexec_t)
|
||||
fs_execute_nfs_files(httpd_suexec_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_suexec_t)
|
||||
fs_read_cifs_symlinks(httpd_suexec_t)
|
||||
fs_execute_cifs_files(httpd_suexec_t)
|
||||
')
|
||||
|
||||
optional_policy(`mount.te',`
|
||||
tunable_policy(`httpd_can_network_connect',`
|
||||
mount_send_nfs_client_request(httpd_suexec_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(httpd_suexec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Apache system script local policy
|
||||
#
|
||||
|
||||
apache_content_template(sys)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Apache unconfined script local policy
|
||||
#
|
||||
|
||||
unconfined_domain_template(httpd_unconfined_script_t)
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(httpd_unconfined_script_t)
|
||||
')
|
|
@ -147,6 +147,9 @@ template(`cron_per_userdomain_template',`
|
|||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`apache.te', `
|
||||
create_dir_file($1_crond_t, httpd_$1_content_t)
|
||||
')
|
||||
allow $1_crond_t tmp_t:dir rw_dir_perms;
|
||||
type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t;
|
||||
|
||||
|
|
|
@ -1,5 +1,68 @@
|
|||
## <summary>Policy for NIS (YP) servers and clients</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Use the ypbind service to access NIS services
|
||||
## unconditionally.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Use the ypbind service to access NIS services
|
||||
## unconditionally.
|
||||
## </p>
|
||||
## <p>
|
||||
## This interface was added because of apache and
|
||||
## spamassassin, to fix a nested conditionals problem.
|
||||
## When that support is added, this should be removed,
|
||||
## and the regular interface should be used.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`nis_use_ypbind_uncond',`
|
||||
gen_require(`
|
||||
type var_yp_t;
|
||||
')
|
||||
|
||||
dontaudit $1 self:capability net_bind_service;
|
||||
|
||||
allow $1 self:tcp_socket create_stream_socket_perms;
|
||||
allow $1 self:udp_socket create_socket_perms;
|
||||
|
||||
allow $1 var_yp_t:dir r_dir_perms;
|
||||
allow $1 var_yp_t:lnk_file { getattr read };
|
||||
allow $1 var_yp_t:file r_file_perms;
|
||||
|
||||
corenet_tcp_sendrecv_all_if($1)
|
||||
corenet_udp_sendrecv_all_if($1)
|
||||
corenet_raw_sendrecv_all_if($1)
|
||||
corenet_tcp_sendrecv_all_nodes($1)
|
||||
corenet_udp_sendrecv_all_nodes($1)
|
||||
corenet_raw_sendrecv_all_nodes($1)
|
||||
corenet_tcp_sendrecv_all_ports($1)
|
||||
corenet_udp_sendrecv_all_ports($1)
|
||||
corenet_tcp_bind_all_nodes($1)
|
||||
corenet_udp_bind_all_nodes($1)
|
||||
corenet_tcp_bind_generic_port($1)
|
||||
corenet_udp_bind_generic_port($1)
|
||||
corenet_tcp_bind_reserved_port($1)
|
||||
corenet_udp_bind_reserved_port($1)
|
||||
corenet_dontaudit_tcp_bind_all_reserved_ports($1)
|
||||
corenet_dontaudit_udp_bind_all_reserved_ports($1)
|
||||
corenet_tcp_connect_portmap_port($1)
|
||||
corenet_tcp_connect_reserved_port($1)
|
||||
corenet_tcp_connect_generic_port($1)
|
||||
corenet_dontaudit_tcp_connect_all_reserved_ports($1)
|
||||
|
||||
sysnet_read_config($1)
|
||||
|
||||
optional_policy(`mount.te',`
|
||||
mount_send_nfs_client_request($1)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Use the ypbind service to access NIS services.
|
||||
|
|
|
@ -24,25 +24,17 @@
|
|||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </param>
|
||||
## <param name="user_domain">
|
||||
## The type of the user domain.
|
||||
## </param>
|
||||
## <param name="user_role">
|
||||
## The role associated with the user domain.
|
||||
## </param>
|
||||
#
|
||||
template(`samba_per_userdomain_template',`
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type smbd_t;
|
||||
')
|
||||
|
||||
userdom_manage_user_home_subdir_files($1,smbd_t)
|
||||
userdom_manage_user_home_subdir_symlinks($1,smbd_t)
|
||||
userdom_manage_user_home_subdir_sockets($1,smbd_t)
|
||||
userdom_manage_user_home_subdir_pipes($1,smbd_t)
|
||||
userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
|
||||
gen_require(`
|
||||
type smbd_t;
|
||||
')
|
||||
|
||||
userdom_manage_user_home_subdir_files($1,smbd_t)
|
||||
userdom_manage_user_home_subdir_symlinks($1,smbd_t)
|
||||
userdom_manage_user_home_subdir_sockets($1,smbd_t)
|
||||
userdom_manage_user_home_subdir_pipes($1,smbd_t)
|
||||
# userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
@ -99,6 +99,10 @@ ifdef(`distro_suse', `
|
|||
/usr/share/mc/extfs/.* -- context_template(system_u:object_r:bin_t,s0)
|
||||
/usr/share/turboprint/lib(/.*)? -- context_template(system_u:object_r:bin_t,s0)
|
||||
|
||||
ifdef(`distro_suse',`
|
||||
/usr/share/apache2/[^/]* -- context_template(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
||||
#
|
||||
# /var
|
||||
#
|
||||
|
|
|
@ -32,6 +32,7 @@ ifdef(`distro_gentoo', `
|
|||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/sbin/apachectl -- context_template(system_u:object_r:initrc_exec_t,s0)
|
||||
/usr/sbin/open_init_pty -- context_template(system_u:object_r:initrc_exec_t,s0)
|
||||
|
||||
#
|
||||
|
|
|
@ -88,8 +88,8 @@ interface(`init_daemon_domain',`
|
|||
# this regex is a hack, since it assumes there is a
|
||||
# _t at the end of the domain type. If there is no _t
|
||||
# at the end of the type, it returns empty!
|
||||
bool regexp($1, `\(\w+\)_t', `disable_\1_trans') false;
|
||||
if(! regexp($1, `\(\w+\)_t', `disable_\1_trans') ) {
|
||||
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
|
||||
if(! regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
|
||||
domain_auto_trans(initrc_t,$2,$1)
|
||||
allow initrc_t $1:fd use;
|
||||
allow initrc_t $1:process { noatsecure siginh rlimitinh };
|
||||
|
|
|
@ -956,6 +956,36 @@ template(`admin_user_template',`
|
|||
') dnl endif TODO
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search user home directories.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Search user home directories.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
## be called from a per-userdomain template.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
template(`userdom_search_user_home',`
|
||||
gen_require(`
|
||||
class dir { getattr search };
|
||||
')
|
||||
|
||||
files_search_home($2)
|
||||
allow $2 $1_home_dir_t:dir { getattr search };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read user home files.
|
||||
|
@ -1921,7 +1951,7 @@ interface(`userdom_create_user_home',`
|
|||
class dir rw_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 etc_t:dir rw_dir_perms;
|
||||
allow $1 user_home_dir_t:dir rw_dir_perms;
|
||||
ifelse(`$2',`',`
|
||||
type_transition $1 user_home_dir_t:file user_home_t;
|
||||
',`
|
||||
|
|
Loading…
Reference in New Issue