## Apache web server ######################################## ## ## Create a set of derived types for apache ## web content. ## ## ## ## The prefix to be used for deriving type names. ## ## # template(`apache_content_template',` gen_require(` attribute httpdcontent; attribute httpd_exec_scripts; attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; ') # allow write access to public file transfer # services files. gen_tunable(allow_httpd_$1_script_anon_write,false) #This type is for webpages type httpd_$1_content_t, httpdcontent; # customizable files_type(httpd_$1_content_t) # This type is used for .htaccess files type httpd_$1_htaccess_t; # customizable; files_type(httpd_$1_htaccess_t) # Type that CGI scripts run as type httpd_$1_script_t; domain_type(httpd_$1_script_t) role system_r types httpd_$1_script_t; # This type is used for executable scripts files type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable; corecmd_shell_entry_type(httpd_$1_script_t) domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t) # The following three are the only areas that # scripts can read, read/write, or append to type httpd_$1_script_ro_t, httpdcontent; # customizable files_type(httpd_$1_script_ro_t) type httpd_$1_script_rw_t, httpdcontent; # customizable files_type(httpd_$1_script_rw_t) type httpd_$1_script_ra_t, httpdcontent; # customizable files_type(httpd_$1_script_ra_t) allow httpd_t httpd_$1_htaccess_t:file read_file_perms; domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; allow httpd_$1_script_t self:fifo_file rw_file_perms; allow httpd_$1_script_t self:unix_stream_socket connectto; allow httpd_$1_script_t httpd_t:fifo_file write; # apache should set close-on-exec dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; # Allow the script process to search the cgi directory, and users directory allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; append_files_pattern(httpd_$1_script_t,httpd_log_t,httpd_log_t) logging_search_logs(httpd_$1_script_t) can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms; allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; read_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) append_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms; read_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) manage_dirs_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) manage_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) manage_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) manage_fifo_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) manage_sock_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file }) kernel_dontaudit_search_sysctl(httpd_$1_script_t) kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) dev_read_rand(httpd_$1_script_t) dev_read_urand(httpd_$1_script_t) corecmd_exec_all_executables(httpd_$1_script_t) files_exec_etc_files(httpd_$1_script_t) files_read_etc_files(httpd_$1_script_t) files_search_home(httpd_$1_script_t) libs_use_ld_so(httpd_$1_script_t) libs_use_shared_libs(httpd_$1_script_t) libs_exec_ld_so(httpd_$1_script_t) libs_exec_lib_files(httpd_$1_script_t) miscfiles_read_fonts(httpd_$1_script_t) miscfiles_read_public_files(httpd_$1_script_t) seutil_dontaudit_search_config(httpd_$1_script_t) tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_$1_script_t httpdcontent:file entrypoint; manage_dirs_pattern(httpd_$1_script_t,httpdcontent,httpdcontent) manage_files_pattern(httpd_$1_script_t,httpdcontent,httpdcontent) manage_lnk_files_pattern(httpd_$1_script_t,httpdcontent,httpdcontent) can_exec(httpd_$1_script_t, httpdcontent) ') tunable_policy(`allow_httpd_$1_script_anon_write',` miscfiles_manage_public_files(httpd_$1_script_t) ') # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) manage_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) manage_lnk_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) rw_sock_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) allow httpd_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; read_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) append_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) read_lnk_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) allow httpd_t httpd_$1_script_ro_t:dir list_dir_perms; read_files_pattern(httpd_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) read_lnk_files_pattern(httpd_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) allow httpd_t httpd_$1_content_t:dir list_dir_perms; read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t) read_lnk_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t) ') tunable_policy(`httpd_enable_cgi',` allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint; # privileged users run the script: domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) # apache runs the script: domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; allow httpd_$1_script_t self:process { setsched signal_perms }; allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms; allow httpd_$1_script_t httpd_t:fd use; allow httpd_$1_script_t httpd_t:process sigchld; kernel_read_system_state(httpd_$1_script_t) dev_read_urand(httpd_$1_script_t) fs_getattr_xattr_fs(httpd_$1_script_t) files_read_etc_runtime_files(httpd_$1_script_t) files_read_usr_files(httpd_$1_script_t) libs_read_lib_files(httpd_$1_script_t) miscfiles_read_localization(httpd_$1_script_t) ') tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; allow httpd_$1_script_t self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled(httpd_$1_script_t) corenet_all_recvfrom_netlabel(httpd_$1_script_t) corenet_tcp_sendrecv_all_if(httpd_$1_script_t) corenet_udp_sendrecv_all_if(httpd_$1_script_t) corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t) corenet_udp_sendrecv_all_nodes(httpd_$1_script_t) corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) corenet_udp_sendrecv_all_ports(httpd_$1_script_t) corenet_tcp_connect_postgresql_port(httpd_$1_script_t) corenet_tcp_connect_mysqld_port(httpd_$1_script_t) corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t) corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t) sysnet_read_config(httpd_$1_script_t) ') tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; allow httpd_$1_script_t self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled(httpd_$1_script_t) corenet_all_recvfrom_netlabel(httpd_$1_script_t) corenet_tcp_sendrecv_all_if(httpd_$1_script_t) corenet_udp_sendrecv_all_if(httpd_$1_script_t) corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t) corenet_udp_sendrecv_all_nodes(httpd_$1_script_t) corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) corenet_udp_sendrecv_all_ports(httpd_$1_script_t) corenet_tcp_connect_all_ports(httpd_$1_script_t) corenet_sendrecv_all_client_packets(httpd_$1_script_t) sysnet_read_config(httpd_$1_script_t) ') optional_policy(` mta_send_mail(httpd_$1_script_t) ') optional_policy(` tunable_policy(`httpd_enable_cgi && allow_ypbind',` nis_use_ypbind_uncond(httpd_$1_script_t) ') ') optional_policy(` nscd_socket_use(httpd_$1_script_t) ') ') ####################################### ## ## The per role template for the apache module. ## ## ##

## This template creates types used for web pages ## and web cgi to be used from the user home directory. ##

##

## This template is invoked automatically for each user, and ## generally does not need to be invoked directly ## by policy writers. ##

##
## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## ## ## ## The type of the user domain. ## ## ## ## ## The role associated with the user domain. ## ## # template(`apache_per_role_template', ` gen_require(` attribute httpdcontent, httpd_script_domains; attribute httpd_exec_scripts, httpd_user_content_type; attribute httpd_user_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; ') apache_content_template($1) typeattribute httpd_$1_content_t httpd_user_content_type; typeattribute httpd_$1_script_ra_t httpd_user_content_type; typeattribute httpd_$1_script_rw_t httpd_user_content_type; typeattribute httpd_$1_script_ro_t httpd_user_content_type; typeattribute httpd_$1_script_exec_t httpd_user_script_exec_type; typeattribute httpd_$1_script_t httpd_script_domains; userdom_user_home_content($1,httpd_$1_content_t) role $3 types httpd_$1_script_t; allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom }; allow $2 httpd_$1_htaccess_t:file { manage_file_perms relabelto relabelfrom }; manage_dirs_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) manage_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) manage_lnk_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) relabel_dirs_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) relabel_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) relabel_lnk_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) manage_dirs_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) manage_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) manage_lnk_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) relabel_dirs_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) relabel_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) relabel_lnk_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) manage_dirs_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) manage_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) manage_lnk_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) relabel_dirs_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) relabel_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) relabel_lnk_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) manage_dirs_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) manage_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) manage_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) relabel_dirs_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) relabel_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) relabel_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) tunable_policy(`httpd_enable_cgi',` # If a user starts a script by hand it gets the proper context domtrans_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_t) ') tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_$1_script_t httpdcontent:file entrypoint; domtrans_pattern($2, httpdcontent, httpd_$1_script_t) ') # allow accessing files/dirs below the users home dir tunable_policy(`httpd_enable_homedirs',` userdom_search_user_home_dirs($1,httpd_t) userdom_search_user_home_dirs($1,httpd_suexec_t) userdom_search_user_home_dirs($1,httpd_$1_script_t) ') ') ######################################## ## ## Read httpd user scripts executables. ## ## ## ## Prefix of the domain. Example, user would be ## the prefix for the uder_t domain. ## ## ## ## ## Domain allowed access. ## ## # template(`apache_read_user_scripts',` gen_require(` type httpd_$1_script_exec_t; ') allow $2 httpd_$1_script_exec_t:dir list_dir_perms; read_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) read_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) ') ######################################## ## ## Read user web content. ## ## ## ## Prefix of the domain. Example, user would be ## the prefix for the uder_t domain. ## ## ## ## ## Domain allowed access. ## ## # template(`apache_read_user_content',` gen_require(` type httpd_$1_content_t; ') allow $2 httpd_$1_content_t:dir list_dir_perms; read_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t) read_lnk_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t) ') ######################################## ## ## Transition to apache. ## ## ## ## Domain allowed access. ## ## # interface(`apache_domtrans',` gen_require(` type httpd_t, httpd_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1,httpd_exec_t,httpd_t) ') ######################################## ## ## Send a null signal to apache. ## ## ## ## Domain allowed access. ## ## # interface(`apache_signull',` gen_require(` type httpd_t; ') allow $1 httpd_t:process signull; ') ######################################## ## ## Send a SIGCHLD signal to apache. ## ## ## ## Domain allowed access. ## ## # interface(`apache_sigchld',` gen_require(` type httpd_t; ') allow $1 httpd_t:process sigchld; ') ######################################## ## ## Inherit and use file descriptors from Apache. ## ## ## ## Domain allowed access. ## ## # interface(`apache_use_fds',` gen_require(` type httpd_t; ') allow $1 httpd_t:fd use; ') ######################################## ## ## Do not audit attempts to read and write Apache ## unix domain stream sockets. ## ## ## ## Domain allowed access. ## ## # interface(`apache_dontaudit_rw_stream_sockets',` gen_require(` type httpd_t; ') dontaudit $1 httpd_t:unix_stream_socket { read write }; ') ######################################## ## ## Do not audit attempts to read and write Apache ## TCP sockets. ## ## ## ## Domain allowed access. ## ## # interface(`apache_dontaudit_rw_tcp_sockets',` gen_require(` type httpd_t; ') dontaudit $1 httpd_t:tcp_socket { read write }; ') ######################################## ## ## Create, read, write, and delete all web content. ## ## ## ## Domain allowed access. ## ## ## # interface(`apache_manage_all_content',` gen_require(` attribute httpdcontent, httpd_script_exec_type; ') manage_dirs_pattern($1,httpdcontent,httpdcontent) manage_files_pattern($1,httpdcontent,httpdcontent) manage_lnk_files_pattern($1,httpdcontent,httpdcontent) manage_dirs_pattern($1,httpd_script_exec_type,httpd_script_exec_type) manage_files_pattern($1,httpd_script_exec_type,httpd_script_exec_type) manage_lnk_files_pattern($1,httpd_script_exec_type,httpd_script_exec_type) ') ######################################## ## ## Allow the specified domain to read ## and write Apache cache files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_rw_cache_files',` gen_require(` type httpd_cache_t; ') allow $1 httpd_cache_t:file rw_file_perms; ') ######################################## ## ## Allow the specified domain to read ## apache configuration files. ## ## ## ## Domain allowed access. ## ## ## # interface(`apache_read_config',` gen_require(` type httpd_config_t; ') files_search_etc($1) allow $1 httpd_config_t:dir list_dir_perms; read_files_pattern($1,httpd_config_t,httpd_config_t) read_lnk_files_pattern($1,httpd_config_t,httpd_config_t) ') ######################################## ## ## Allow the specified domain to manage ## apache configuration files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_manage_config',` gen_require(` type httpd_config_t; ') files_search_etc($1) manage_dirs_pattern($1,httpd_config_t,httpd_config_t) manage_files_pattern($1,httpd_config_t,httpd_config_t) read_lnk_files_pattern($1,httpd_config_t,httpd_config_t) ') ######################################## ## ## Execute the Apache helper program with ## a domain transition. ## ## ## ## Domain allowed access. ## ## # interface(`apache_domtrans_helper',` gen_require(` type httpd_helper_t, httpd_helper_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1,httpd_helper_exec_t,httpd_helper_t) ') ######################################## ## ## Execute the Apache helper program with ## a domain transition, and allow the ## specified role the dmidecode domain. ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed the dmidecode domain. ## ## ## ## ## The type of the terminal allow the dmidecode domain to use. ## ## ## # interface(`apache_run_helper',` gen_require(` type httpd_helper_t; ') apache_domtrans_helper($1) role $2 types httpd_helper_t; allow httpd_helper_t $3:chr_file rw_term_perms; ') ######################################## ## ## Allow the specified domain to read ## apache log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`apache_read_log',` gen_require(` type httpd_log_t; ') logging_search_logs($1) allow $1 httpd_log_t:dir list_dir_perms; read_files_pattern($1,httpd_log_t,httpd_log_t) read_lnk_files_pattern($1,httpd_log_t,httpd_log_t) ') ######################################## ## ## Allow the specified domain to append ## to apache log files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_append_log',` gen_require(` type httpd_log_t; ') logging_search_logs($1) allow $1 httpd_log_t:dir list_dir_perms; append_files_pattern($1,httpd_log_t,httpd_log_t) ') ######################################## ## ## Do not audit attempts to append to the ## Apache logs. ## ## ## ## Domain to not audit. ## ## # interface(`apache_dontaudit_append_log',` gen_require(` type httpd_log_t; ') dontaudit $1 httpd_log_t:file { getattr append }; ') ######################################## ## ## Allow the specified domain to manage ## to apache log files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_manage_log',` gen_require(` type httpd_log_t; ') logging_search_logs($1) manage_dirs_pattern($1,httpd_log_t,httpd_log_t) manage_files_pattern($1,httpd_log_t,httpd_log_t) read_lnk_files_pattern($1,httpd_log_t,httpd_log_t) ') ######################################## ## ## Do not audit attempts to search Apache ## module directories. ## ## ## ## Domain to not audit. ## ## # interface(`apache_dontaudit_search_modules',` gen_require(` type httpd_modules_t; ') dontaudit $1 httpd_modules_t:dir search_dir_perms; ') ######################################## ## ## Allow the specified domain to list ## the contents of the apache modules ## directory. ## ## ## ## Domain allowed access. ## ## # interface(`apache_list_modules',` gen_require(` type httpd_modules_t; ') allow $1 httpd_modules_t:dir list_dir_perms; ') ######################################## ## ## Allow the specified domain to execute ## apache modules. ## ## ## ## Domain allowed access. ## ## # interface(`apache_exec_modules',` gen_require(` type httpd_modules_t; ') allow $1 httpd_modules_t:dir list_dir_perms; allow $1 httpd_modules_t:lnk_file read_file_perms; can_exec($1,httpd_modules_t) ') ######################################## ## ## Execute a domain transition to run httpd_rotatelogs. ## ## ## ## Domain allowed access. ## ## # interface(`apache_domtrans_rotatelogs',` gen_require(` type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; ') domtrans_pattern($1,httpd_rotatelogs_exec_t,httpd_rotatelogs_t) ') ######################################## ## ## Allow the specified domain to manage ## apache system content files. ## ## ## ## Domain allowed access. ## ## ## # # Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr interface(`apache_manage_sys_content',` gen_require(` type httpd_sys_content_t; ') files_search_var($1) manage_dirs_pattern($1,httpd_sys_content_t,httpd_sys_content_t) manage_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t) manage_lnk_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t) ') ######################################## ## ## Execute all web scripts in the system ## script domain. ## ## ## ## Domain allowed access. ## ## # # cjp: this interface specifically added to allow # sysadm_t to run scripts interface(`apache_domtrans_sys_script',` gen_require(` attribute httpdcontent; type httpd_sys_script_t; ') tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern($1, httpdcontent, httpd_sys_script_t) ') ') ######################################## ## ## Do not audit attempts to read and write Apache ## system script unix domain stream sockets. ## ## ## ## Domain allowed access. ## ## # interface(`apache_dontaudit_rw_sys_script_stream_sockets',` gen_require(` type httpd_sys_script_t; ') dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write }; ') ######################################## ## ## Execute all user scripts in the user ## script domain. ## ## ## ## Domain allowed access. ## ## # interface(`apache_domtrans_all_scripts',` gen_require(` attribute httpd_exec_scripts; ') typeattribute $1 httpd_exec_scripts; ') ######################################## ## ## Execute all user scripts in the user ## script domain. Add user script domains ## to the specified role. ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed the script domains. ## ## # # cjp: this is missing the terminal since scripts # do not output to the terminal interface(`apache_run_all_scripts',` gen_require(` attribute httpd_exec_scripts, httpd_script_domains; ') role $2 types httpd_script_domains; apache_domtrans_all_scripts($1) ') ######################################## ## ## Allow the specified domain to read ## apache squirrelmail data. ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_squirrelmail_data',` gen_require(` type httpd_squirrelmail_t; ') allow $1 httpd_squirrelmail_t:file { getattr read }; ') ######################################## ## ## Allow the specified domain to append ## apache squirrelmail data. ## ## ## ## Domain allowed access. ## ## # interface(`apache_append_squirrelmail_data',` gen_require(` type httpd_squirrelmail_t; ') allow $1 httpd_squirrelmail_t:file { getattr append }; ') ######################################## ## ## Search apache system content. ## ## ## ## Domain allowed access. ## ## # interface(`apache_search_sys_content',` gen_require(` type httpd_sys_content_t; ') allow $1 httpd_sys_content_t:dir search_dir_perms; ') ######################################## ## ## Read apache system content. ## ## ## ## Domain to not audit. ## ## # interface(`apache_read_sys_content',` gen_require(` type httpd_sys_content_t; ') allow $1 httpd_sys_content_t:dir list_dir_perms; read_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t) read_lnk_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t) ') ######################################## ## ## Search apache system CGI directories. ## ## ## ## Domain allowed access. ## ## # interface(`apache_search_sys_scripts',` gen_require(` type httpd_sys_content_t, httpd_sys_script_exec_t; ') search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t) ') ######################################## ## ## Create, read, write, and delete all user web content. ## ## ## ## Domain allowed access. ## ## ## # interface(`apache_manage_all_user_content',` gen_require(` attribute httpd_user_content_type, httpd_user_script_exec_type; ') manage_dirs_pattern($1,httpd_user_content_type,httpd_user_content_type) manage_files_pattern($1,httpd_user_content_type,httpd_user_content_type) manage_lnk_files_pattern($1,httpd_user_content_type,httpd_user_content_type) manage_dirs_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type) manage_files_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type) manage_lnk_files_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type) ') ######################################## ## ## Search system script state directory. ## ## ## ## Domain to not audit. ## ## # interface(`apache_search_sys_script_state',` gen_require(` type httpd_sys_script_t; ') allow $1 httpd_sys_script_t:dir search_dir_perms; ') ######################################## ## ## Execute CGI in the specified domain. ## ## ##

## Execute CGI in the specified domain. ##

##

## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. ##

##
## ## ## Domain run the cgi script in. ## ## ## ## ## Type of the executable to enter the cgi domain. ## ## # interface(`apache_cgi_domain',` gen_require(` type httpd_t, httpd_sys_script_exec_t; ') domtrans_pattern(httpd_t, $2, $1) apache_search_sys_scripts($1) allow httpd_t $1:process signal; ')