##
## Determine whether the script domain can
## modify public files used for public file
## transfer services. Directories/Files must
## be labeled public_content_rw_t.
##
##
gen_tunable(`allow_httpd_$1_script_anon_write', false)
type httpd_$1_content_t, httpdcontent, httpd_ro_content; # customizable
files_type(httpd_$1_content_t)
type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable;
files_type(httpd_$1_htaccess_t)
type httpd_$1_script_t, httpd_script_domains;
domain_type(httpd_$1_script_t)
role system_r types httpd_$1_script_t;
type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
corecmd_shell_entry_type(httpd_$1_script_t)
domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable
files_type(httpd_$1_rw_content_t)
type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable
files_type(httpd_$1_ra_content_t)
########################################
#
# Policy
#
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms;
allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms;
allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
mmap_manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
tunable_policy(`allow_httpd_$1_script_anon_write',`
miscfiles_manage_public_files(httpd_$1_script_t)
')
tunable_policy(`httpd_enable_cgi',`
allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',`
can_exec(httpd_$1_script_t, httpd_$1_rw_content_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint;
allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms;
allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms;
')
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
allow httpd_t httpd_$1_content_t:file map;
allow httpd_t httpd_$1_rw_content_t:file map;
')
')
########################################
##