## Various web servers. ######################################## ## ## Create a set of derived types for ## httpd web content. ## ## ## ## The prefix to be used for deriving type names. ## ## # template(`apache_content_template',` gen_require(` attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type; attribute httpd_script_domains, httpd_htaccess_type; attribute httpd_ro_content, httpd_rw_content, httpd_ra_content; type httpd_t, httpd_suexec_t; ') ######################################## # # Declarations # ## ##

## Determine whether the script domain can ## modify public files used for public file ## transfer services. Directories/Files must ## be labeled public_content_rw_t. ##

##
gen_tunable(`allow_httpd_$1_script_anon_write', false) type httpd_$1_content_t, httpdcontent, httpd_ro_content; # customizable files_type(httpd_$1_content_t) type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable; files_type(httpd_$1_htaccess_t) type httpd_$1_script_t, httpd_script_domains; domain_type(httpd_$1_script_t) role system_r types httpd_$1_script_t; type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable; corecmd_shell_entry_type(httpd_$1_script_t) domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable files_type(httpd_$1_rw_content_t) type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable files_type(httpd_$1_ra_content_t) ######################################## # # Policy # can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms }; allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms }; allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms; allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms; allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms; allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms; manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) mmap_manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file }) tunable_policy(`allow_httpd_$1_script_anon_write',` miscfiles_manage_public_files(httpd_$1_script_t) ') tunable_policy(`httpd_enable_cgi',` allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint; domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t) ') tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',` can_exec(httpd_$1_script_t, httpd_$1_rw_content_t) ') tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint; allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms; allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms; ') tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) allow httpd_t httpd_$1_content_t:file map; allow httpd_t httpd_$1_rw_content_t:file map; ') ') ######################################## ## ## Role access for apache. ## ## ## ## The prefix of the user role (e.g., user ## is the prefix for user_r). ## ## ## ## ## User domain for the role. ## ## ## ## ## User exec domain for execute and transition access. ## ## ## ## ## Role allowed access ## ## # template(`apache_role',` gen_require(` attribute httpdcontent; type httpd_user_content_t, httpd_user_htaccess_t; type httpd_user_script_t, httpd_user_script_exec_t; type httpd_user_ra_content_t, httpd_user_rw_content_t; ') role $4 types httpd_user_script_t; allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms }; allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms }; allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms }; allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms }; allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms }; allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms }; allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms }; allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms }; allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms }; allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html") userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web") userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www") filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess") filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin") filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs") tunable_policy(`httpd_enable_cgi',` domtrans_pattern($3, httpd_user_script_exec_t, httpd_user_script_t) ') tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern($3, httpdcontent, httpd_user_script_t) ') optional_policy(` systemd_user_app_status($1, httpd_user_script_t) ') ') ######################################## ## ## Read user httpd script executable files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_user_scripts',` gen_require(` type httpd_user_script_exec_t; ') allow $1 httpd_user_script_exec_t:dir list_dir_perms; read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) ') ######################################## ## ## Read user httpd content. ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_user_content',` gen_require(` type httpd_user_content_t; ') allow $1 httpd_user_content_t:dir list_dir_perms; read_files_pattern($1, httpd_user_content_t, httpd_user_content_t) read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t) ') ######################################## ## ## Execute httpd with a domain transition. ## ## ## ## Domain allowed to transition. ## ## # interface(`apache_domtrans',` gen_require(` type httpd_t, httpd_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, httpd_exec_t, httpd_t) ') ######################################## ## ## Execute httpd server in the httpd domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`apache_initrc_domtrans',` gen_require(` type httpd_initrc_exec_t; ') init_labeled_script_domtrans($1, httpd_initrc_exec_t) ') ####################################### ## ## Send generic signals to httpd. ## ## ## ## Domain allowed access. ## ## # interface(`apache_signal',` gen_require(` type httpd_t; ') allow $1 httpd_t:process signal; ') ######################################## ## ## Send null signals to httpd. ## ## ## ## Domain allowed access. ## ## # interface(`apache_signull',` gen_require(` type httpd_t; ') allow $1 httpd_t:process signull; ') ######################################## ## ## Send child terminated signals to httpd. ## ## ## ## Domain allowed access. ## ## # interface(`apache_sigchld',` gen_require(` type httpd_t; ') allow $1 httpd_t:process sigchld; ') ######################################## ## ## Inherit and use file descriptors ## from httpd. ## ## ## ## Domain allowed access. ## ## # interface(`apache_use_fds',` gen_require(` type httpd_t; ') allow $1 httpd_t:fd use; ') ######################################## ## ## Do not audit attempts to read and ## write httpd unnamed pipes. ## ## ## ## Domain to not audit. ## ## # interface(`apache_dontaudit_rw_fifo_file',` gen_require(` type httpd_t; ') dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Do not audit attempts to read and ## write httpd unix domain stream sockets. ## ## ## ## Domain to not audit. ## ## # interface(`apache_dontaudit_rw_stream_sockets',` gen_require(` type httpd_t; ') dontaudit $1 httpd_t:unix_stream_socket { read write }; ') ######################################## ## ## Read and write httpd unix domain ## stream sockets. ## ## ## ## Domain allowed access. ## ## # interface(`apache_rw_stream_sockets',` gen_require(` type httpd_t; ') allow $1 httpd_t:unix_stream_socket rw_stream_socket_perms; ') ######################################## ## ## Do not audit attempts to read and ## write httpd TCP sockets. ## ## ## ## Domain to not audit. ## ## # interface(`apache_dontaudit_rw_tcp_sockets',` gen_require(` type httpd_t; ') dontaudit $1 httpd_t:tcp_socket { read write }; ') ######################################## ## ## Reload the httpd service (systemd). ## ## ## ## Domain allowed access. ## ## # interface(`apache_reload',` gen_require(` type httpd_unit_t; class service { reload status }; ') allow $1 httpd_unit_t:service { reload status }; ') ######################################## ## ## Read all appendable content ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_all_ra_content',` gen_require(` attribute httpd_ra_content; ') read_files_pattern($1, httpd_ra_content, httpd_ra_content) read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content) ') ######################################## ## ## Append to all appendable web content ## ## ## ## Domain allowed access. ## ## # interface(`apache_append_all_ra_content',` gen_require(` attribute httpd_ra_content; ') append_files_pattern($1, httpd_ra_content, httpd_ra_content) ') ######################################## ## ## Read all read/write content ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_all_rw_content',` gen_require(` attribute httpd_rw_content; ') read_files_pattern($1, httpd_rw_content, httpd_rw_content) read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content) ') ######################################## ## ## Manage all read/write content ## ## ## ## Domain allowed access. ## ## # interface(`apache_manage_all_rw_content',` gen_require(` attribute httpd_rw_content; ') manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content) manage_files_pattern($1, httpd_rw_content, httpd_rw_content) manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content) ') ######################################## ## ## Read all web content. ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_all_content',` gen_require(` attribute httpdcontent, httpd_script_exec_type; ') read_files_pattern($1, httpdcontent, httpdcontent) read_lnk_files_pattern($1, httpdcontent, httpdcontent) read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) ') ####################################### ## ## Search all apache content. ## ## ## ## Domain allowed access. ## ## # interface(`apache_search_all_content',` gen_require(` attribute httpdcontent; ') allow $1 httpdcontent:dir search_dir_perms; ') ####################################### ## ## List all apache content. ## ## ## ## Domain allowed access. ## ## # interface(`apache_list_all_content',` gen_require(` attribute httpdcontent; ') allow $1 httpdcontent:dir list_dir_perms; ') ######################################## ## ## Create, read, write, and delete ## all httpd content. ## ## ## ## Domain allowed access. ## ## ## # interface(`apache_manage_all_content',` gen_require(` attribute httpdcontent, httpd_script_exec_type; ') manage_dirs_pattern($1, httpdcontent, httpdcontent) manage_files_pattern($1, httpdcontent, httpdcontent) manage_lnk_files_pattern($1, httpdcontent, httpdcontent) manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type) manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) ') ######################################## ## ## Set attributes httpd cache directories. ## ## ## ## Domain allowed access. ## ## # interface(`apache_setattr_cache_dirs',` gen_require(` type httpd_cache_t; ') allow $1 httpd_cache_t:dir setattr_dir_perms; ') ######################################## ## ## List httpd cache directories. ## ## ## ## Domain allowed access. ## ## # interface(`apache_list_cache',` gen_require(` type httpd_cache_t; ') list_dirs_pattern($1, httpd_cache_t, httpd_cache_t) ') ######################################## ## ## Read and write httpd cache files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_rw_cache_files',` gen_require(` type httpd_cache_t; ') allow $1 httpd_cache_t:file rw_file_perms; ') ######################################## ## ## Delete httpd cache directories. ## ## ## ## Domain allowed access. ## ## # interface(`apache_delete_cache_dirs',` gen_require(` type httpd_cache_t; ') delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t) ') ######################################## ## ## Delete httpd cache files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_delete_cache_files',` gen_require(` type httpd_cache_t; ') delete_files_pattern($1, httpd_cache_t, httpd_cache_t) ') ######################################## ## ## Read httpd configuration files. ## ## ## ## Domain allowed access. ## ## ## # interface(`apache_read_config',` gen_require(` type httpd_config_t; ') files_search_etc($1) allow $1 httpd_config_t:dir list_dir_perms; read_files_pattern($1, httpd_config_t, httpd_config_t) read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) ') ######################################## ## ## Search httpd configuration directories. ## ## ## ## Domain allowed access. ## ## # interface(`apache_search_config',` gen_require(` type httpd_config_t; ') files_search_etc($1) allow $1 httpd_config_t:dir search_dir_perms; ') ######################################## ## ## Create, read, write, and delete ## httpd configuration files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_manage_config',` gen_require(` type httpd_config_t; ') files_search_etc($1) manage_dirs_pattern($1, httpd_config_t, httpd_config_t) manage_files_pattern($1, httpd_config_t, httpd_config_t) read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) ') ######################################## ## ## Execute the Apache helper program ## with a domain transition. ## ## ## ## Domain allowed access. ## ## # interface(`apache_domtrans_helper',` gen_require(` type httpd_helper_t, httpd_helper_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t) ') ######################################## ## ## Execute the Apache helper program with ## a domain transition, and allow the ## specified role the Apache helper domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`apache_run_helper',` gen_require(` attribute_role httpd_helper_roles; ') apache_domtrans_helper($1) roleattribute $2 httpd_helper_roles; ') ######################################## ## ## Read httpd log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`apache_read_log',` gen_require(` type httpd_log_t; ') logging_search_logs($1) allow $1 httpd_log_t:dir list_dir_perms; read_files_pattern($1, httpd_log_t, httpd_log_t) read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) ') ######################################## ## ## Append httpd log files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_append_log',` gen_require(` type httpd_log_t; ') logging_search_logs($1) allow $1 httpd_log_t:dir list_dir_perms; append_files_pattern($1, httpd_log_t, httpd_log_t) ') ######################################## ## ## Do not audit attempts to append ## httpd log files. ## ## ## ## Domain to not audit. ## ## # interface(`apache_dontaudit_append_log',` gen_require(` type httpd_log_t; ') dontaudit $1 httpd_log_t:file append_file_perms; ') ######################################## ## ## Create, read, write, and delete ## httpd log files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_manage_log',` gen_require(` type httpd_log_t; ') logging_search_logs($1) manage_dirs_pattern($1, httpd_log_t, httpd_log_t) manage_files_pattern($1, httpd_log_t, httpd_log_t) read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) ') ####################################### ## ## Write apache log files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_write_log',` gen_require(` type httpd_log_t; ') logging_search_logs($1) write_files_pattern($1, httpd_log_t, httpd_log_t) ') ######################################## ## ## Do not audit attempts to search ## httpd module directories. ## ## ## ## Domain to not audit. ## ## # interface(`apache_dontaudit_search_modules',` gen_require(` type httpd_modules_t; ') dontaudit $1 httpd_modules_t:dir search_dir_perms; ') ######################################## ## ## List httpd module directories. ## ## ## ## Domain allowed access. ## ## # interface(`apache_list_modules',` gen_require(` type httpd_modules_t; ') allow $1 httpd_modules_t:dir list_dir_perms; ') ######################################## ## ## Execute httpd module files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_exec_modules',` gen_require(` type httpd_modules_t; ') allow $1 httpd_modules_t:dir list_dir_perms; allow $1 httpd_modules_t:lnk_file read_lnk_file_perms; can_exec($1, httpd_modules_t) ') ######################################## ## ## Read httpd module files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_module_files',` gen_require(` type httpd_modules_t; ') libs_search_lib($1) read_files_pattern($1, httpd_modules_t, httpd_modules_t) ') ######################################## ## ## Execute a domain transition to ## run httpd_rotatelogs. ## ## ## ## Domain allowed to transition. ## ## # interface(`apache_domtrans_rotatelogs',` gen_require(` type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) ') ######################################## ## ## List httpd system content directories. ## ## ## ## Domain allowed access. ## ## # interface(`apache_list_sys_content',` gen_require(` type httpd_sys_content_t; ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) files_search_var($1) ') ######################################## ## ## Create, read, write, and delete ## httpd system content files. ## ## ## ## Domain allowed access. ## ## ## # interface(`apache_manage_sys_content',` gen_require(` type httpd_sys_content_t; ') files_search_var($1) manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') ######################################## ## ## Create, read, write, and delete ## httpd system rw content. ## ## ## ## Domain allowed access. ## ## # interface(`apache_manage_sys_rw_content',` gen_require(` type httpd_sys_rw_content_t; ') apache_search_sys_content($1) manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) mmap_manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t) manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ') ######################################## ## ## Execute all httpd scripts in the ## system script domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`apache_domtrans_sys_script',` gen_require(` attribute httpdcontent; type httpd_sys_script_t; ') tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern($1, httpdcontent, httpd_sys_script_t) ') ') ######################################## ## ## Do not audit attempts to read and ## write httpd system script unix ## domain stream sockets. ## ## ## ## Domain to not audit. ## ## # interface(`apache_dontaudit_rw_sys_script_stream_sockets',` gen_require(` type httpd_sys_script_t; ') dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write }; ') ######################################## ## ## Execute all user scripts in the user ## script domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`apache_domtrans_all_scripts',` gen_require(` attribute httpd_exec_scripts; ') typeattribute $1 httpd_exec_scripts; ') ######################################## ## ## Execute all user scripts in the user ## script domain. Add user script domains ## to the specified role. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## # interface(`apache_run_all_scripts',` gen_require(` attribute httpd_script_domains; ') role $2 types httpd_script_domains; apache_domtrans_all_scripts($1) ') ######################################## ## ## Read httpd squirrelmail data files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_squirrelmail_data',` gen_require(` type httpd_squirrelmail_t; ') allow $1 httpd_squirrelmail_t:file read_file_perms; ') ######################################## ## ## Append httpd squirrelmail data files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_append_squirrelmail_data',` gen_require(` type httpd_squirrelmail_t; ') allow $1 httpd_squirrelmail_t:file append_file_perms; ') ######################################## ## ## delete httpd squirrelmail spool files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_delete_squirrelmail_spool',` gen_require(` type squirrelmail_spool_t; ') delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t) ') ######################################## ## ## Search httpd system content. ## ## ## ## Domain allowed access. ## ## # interface(`apache_search_sys_content',` gen_require(` type httpd_sys_content_t; ') files_search_var($1) allow $1 httpd_sys_content_t:dir search_dir_perms; ') ######################################## ## ## Read httpd system content. ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_sys_content',` gen_require(` type httpd_sys_content_t; ') allow $1 httpd_sys_content_t:dir list_dir_perms; read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') ######################################## ## ## Search httpd system CGI directories. ## ## ## ## Domain allowed access. ## ## # interface(`apache_search_sys_scripts',` gen_require(` type httpd_sys_content_t, httpd_sys_script_exec_t; ') search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t) ') ######################################## ## ## Create, read, write, and delete all ## user httpd content. ## ## ## ## Domain allowed access. ## ## ## # interface(`apache_manage_all_user_content',` gen_require(` type httpd_user_content_t, httpd_user_rw_content_t, httpd_user_ra_content_t; type httpd_user_htaccess_t, httpd_user_script_exec_t; ') manage_dirs_pattern($1, { httpd_user_content_t httpd_user_rw_content_t httpd_user_ra_content_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_rw_content_t httpd_user_ra_content_t httpd_user_script_exec_t }) manage_files_pattern($1, { httpd_user_content_t httpd_user_rw_content_t httpd_user_ra_content_t httpd_user_script_exec_t httpd_user_htaccess_t }, { httpd_user_content_t httpd_user_rw_content_t httpd_user_ra_content_t httpd_user_script_exec_t httpd_user_htaccess_t }) manage_lnk_files_pattern($1, { httpd_user_content_t httpd_user_rw_content_t httpd_user_ra_content_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_rw_content_t httpd_user_ra_content_t httpd_user_script_exec_t }) ') ######################################## ## ## Search system script state directories. ## ## ## ## Domain allowed access. ## ## # interface(`apache_search_sys_script_state',` gen_require(` type httpd_sys_script_t; ') allow $1 httpd_sys_script_t:dir search_dir_perms; ') ######################################## ## ## Read httpd tmp files. ## ## ## ## Domain allowed access. ## ## # interface(`apache_read_tmp_files',` gen_require(` type httpd_tmp_t; ') files_search_tmp($1) read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') ######################################## ## ## Do not audit attempts to write ## httpd tmp files. ## ## ## ## Domain to not audit. ## ## # interface(`apache_dontaudit_write_tmp_files',` gen_require(` type httpd_tmp_t; ') dontaudit $1 httpd_tmp_t:file write_file_perms; ') ######################################## ## ## Delete httpd_var_lib_t files ## ## ## ## Domain that can delete the files ## ## # interface(`apache_delete_lib_files',` gen_require(` type httpd_var_lib_t; ') files_search_var_lib($1) delete_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t) ') ######################################## ## ## Execute CGI in the specified domain. ## ## ##

## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. ##

##
## ## ## Domain run the cgi script in. ## ## ## ## ## Type of the executable to enter the cgi domain. ## ## # interface(`apache_cgi_domain',` gen_require(` type httpd_t; ') domtrans_pattern(httpd_t, $2, $1) apache_search_sys_scripts($1) allow httpd_t $1:process signal; ') ######################################## ## ## All of the rules required to ## administrate an apache environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # interface(`apache_admin',` gen_require(` attribute httpdcontent, httpd_script_exec_type; attribute httpd_script_domains, httpd_htaccess_type; type httpd_t, httpd_config_t, httpd_log_t; type httpd_modules_t, httpd_lock_t, httpd_helper_t; type httpd_runtime_t, httpd_passwd_t, httpd_suexec_t; type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t; type httpd_initrc_exec_t, httpd_keytab_t; ') allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms }; allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms }; ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t }) ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }) init_startstop_service($1, $2, httpd_t, httpd_initrc_exec_t) apache_manage_all_content($1) miscfiles_manage_public_files($1) files_search_etc($1) admin_pattern($1, { httpd_keytab_t httpd_config_t }) logging_search_logs($1) admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) admin_pattern($1, httpd_lock_t) files_lock_filetrans($1, httpd_lock_t, file) admin_pattern($1, httpd_runtime_t) files_runtime_filetrans($1, httpd_runtime_t, file) admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type }) admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t }) apache_run_all_scripts($1, $2) apache_run_helper($1, $2) ')