36c3a7903c
Signed-off-by: Daniel Burgener <dburgener@tresys.com>
1380 lines
31 KiB
Plaintext
1380 lines
31 KiB
Plaintext
## <summary>Various web servers.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create a set of derived types for
|
|
## httpd web content.
|
|
## </summary>
|
|
## <param name="prefix">
|
|
## <summary>
|
|
## The prefix to be used for deriving type names.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`apache_content_template',`
|
|
gen_require(`
|
|
attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
|
|
attribute httpd_script_domains, httpd_htaccess_type;
|
|
attribute httpd_ro_content, httpd_rw_content, httpd_ra_content;
|
|
type httpd_t, httpd_suexec_t;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether the script domain can
|
|
## modify public files used for public file
|
|
## transfer services. Directories/Files must
|
|
## be labeled public_content_rw_t.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(allow_httpd_$1_script_anon_write, false)
|
|
|
|
type httpd_$1_content_t, httpdcontent, httpd_ro_content; # customizable
|
|
files_type(httpd_$1_content_t)
|
|
|
|
type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable;
|
|
files_type(httpd_$1_htaccess_t)
|
|
|
|
type httpd_$1_script_t, httpd_script_domains;
|
|
domain_type(httpd_$1_script_t)
|
|
role system_r types httpd_$1_script_t;
|
|
|
|
type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
|
|
corecmd_shell_entry_type(httpd_$1_script_t)
|
|
domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
|
|
|
|
type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable
|
|
files_type(httpd_$1_rw_content_t)
|
|
|
|
type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable
|
|
files_type(httpd_$1_ra_content_t)
|
|
|
|
########################################
|
|
#
|
|
# Policy
|
|
#
|
|
|
|
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
|
|
|
|
allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
|
|
allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
|
|
allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
|
|
|
|
allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms;
|
|
allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms;
|
|
allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
|
|
|
|
manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
|
|
|
|
tunable_policy(`allow_httpd_$1_script_anon_write',`
|
|
miscfiles_manage_public_files(httpd_$1_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi',`
|
|
allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
|
|
domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',`
|
|
can_exec(httpd_$1_script_t, httpd_$1_rw_content_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
|
allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint;
|
|
allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms;
|
|
allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms;
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
|
|
filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Role access for apache.
|
|
## </summary>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access
|
|
## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## User domain for the role.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_role',`
|
|
gen_require(`
|
|
attribute httpdcontent;
|
|
type httpd_user_content_t, httpd_user_htaccess_t;
|
|
type httpd_user_script_t, httpd_user_script_exec_t;
|
|
type httpd_user_ra_content_t, httpd_user_rw_content_t;
|
|
')
|
|
|
|
role $1 types httpd_user_script_t;
|
|
|
|
allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
|
|
|
|
allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms };
|
|
allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms };
|
|
allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
|
|
allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms };
|
|
allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms };
|
|
allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
|
|
allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms };
|
|
allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms };
|
|
allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
|
|
allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms };
|
|
allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms };
|
|
allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
|
|
userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html")
|
|
userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web")
|
|
userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www")
|
|
|
|
filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess")
|
|
filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
|
|
filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs")
|
|
|
|
tunable_policy(`httpd_enable_cgi',`
|
|
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
|
domtrans_pattern($2, httpdcontent, httpd_user_script_t)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read user httpd script executable files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_read_user_scripts',`
|
|
gen_require(`
|
|
type httpd_user_script_exec_t;
|
|
')
|
|
|
|
allow $1 httpd_user_script_exec_t:dir list_dir_perms;
|
|
read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
|
|
read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read user httpd content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_read_user_content',`
|
|
gen_require(`
|
|
type httpd_user_content_t;
|
|
')
|
|
|
|
allow $1 httpd_user_content_t:dir list_dir_perms;
|
|
read_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
|
|
read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute httpd with a domain transition.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_domtrans',`
|
|
gen_require(`
|
|
type httpd_t, httpd_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, httpd_exec_t, httpd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute httpd server in the httpd domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_initrc_domtrans',`
|
|
gen_require(`
|
|
type httpd_initrc_exec_t;
|
|
')
|
|
|
|
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Send generic signals to httpd.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_signal',`
|
|
gen_require(`
|
|
type httpd_t;
|
|
')
|
|
|
|
allow $1 httpd_t:process signal;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send null signals to httpd.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_signull',`
|
|
gen_require(`
|
|
type httpd_t;
|
|
')
|
|
|
|
allow $1 httpd_t:process signull;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send child terminated signals to httpd.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_sigchld',`
|
|
gen_require(`
|
|
type httpd_t;
|
|
')
|
|
|
|
allow $1 httpd_t:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Inherit and use file descriptors
|
|
## from httpd.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_use_fds',`
|
|
gen_require(`
|
|
type httpd_t;
|
|
')
|
|
|
|
allow $1 httpd_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read and
|
|
## write httpd unnamed pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_dontaudit_rw_fifo_file',`
|
|
gen_require(`
|
|
type httpd_t;
|
|
')
|
|
|
|
dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read and
|
|
## write httpd unix domain stream sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_dontaudit_rw_stream_sockets',`
|
|
gen_require(`
|
|
type httpd_t;
|
|
')
|
|
|
|
dontaudit $1 httpd_t:unix_stream_socket { read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write httpd unix domain
|
|
## stream sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_rw_stream_sockets',`
|
|
gen_require(`
|
|
type httpd_t;
|
|
')
|
|
|
|
allow $1 httpd_t:unix_stream_socket rw_stream_socket_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read and
|
|
## write httpd TCP sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_dontaudit_rw_tcp_sockets',`
|
|
gen_require(`
|
|
type httpd_t;
|
|
')
|
|
|
|
dontaudit $1 httpd_t:tcp_socket { read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Reload the httpd service (systemd).
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_reload',`
|
|
gen_require(`
|
|
type httpd_unit_t;
|
|
class service { reload status };
|
|
')
|
|
|
|
allow $1 httpd_unit_t:service { reload status };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read all appendable content
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_read_all_ra_content',`
|
|
gen_require(`
|
|
attribute httpd_ra_content;
|
|
')
|
|
|
|
read_files_pattern($1, httpd_ra_content, httpd_ra_content)
|
|
read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Append to all appendable web content
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_append_all_ra_content',`
|
|
gen_require(`
|
|
attribute httpd_ra_content;
|
|
')
|
|
|
|
append_files_pattern($1, httpd_ra_content, httpd_ra_content)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read all read/write content
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_read_all_rw_content',`
|
|
gen_require(`
|
|
attribute httpd_rw_content;
|
|
')
|
|
|
|
read_files_pattern($1, httpd_rw_content, httpd_rw_content)
|
|
read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Manage all read/write content
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_manage_all_rw_content',`
|
|
gen_require(`
|
|
attribute httpd_rw_content;
|
|
')
|
|
|
|
manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
|
|
manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
|
|
manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
|
|
')
|
|
########################################
|
|
## <summary>
|
|
## Read all web content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_read_all_content',`
|
|
gen_require(`
|
|
attribute httpdcontent, httpd_script_exec_type;
|
|
')
|
|
|
|
read_files_pattern($1, httpdcontent, httpdcontent)
|
|
read_lnk_files_pattern($1, httpdcontent, httpdcontent)
|
|
|
|
read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
|
|
read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Search all apache content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_search_all_content',`
|
|
gen_require(`
|
|
attribute httpdcontent;
|
|
')
|
|
|
|
allow $1 httpdcontent:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
## all httpd content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`apache_manage_all_content',`
|
|
gen_require(`
|
|
attribute httpdcontent, httpd_script_exec_type;
|
|
')
|
|
|
|
manage_dirs_pattern($1, httpdcontent, httpdcontent)
|
|
manage_files_pattern($1, httpdcontent, httpdcontent)
|
|
manage_lnk_files_pattern($1, httpdcontent, httpdcontent)
|
|
|
|
manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
|
|
manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
|
|
manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Set attributes httpd cache directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_setattr_cache_dirs',`
|
|
gen_require(`
|
|
type httpd_cache_t;
|
|
')
|
|
|
|
allow $1 httpd_cache_t:dir setattr_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## List httpd cache directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_list_cache',`
|
|
gen_require(`
|
|
type httpd_cache_t;
|
|
')
|
|
|
|
list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write httpd cache files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_rw_cache_files',`
|
|
gen_require(`
|
|
type httpd_cache_t;
|
|
')
|
|
|
|
allow $1 httpd_cache_t:file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Delete httpd cache directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_delete_cache_dirs',`
|
|
gen_require(`
|
|
type httpd_cache_t;
|
|
')
|
|
|
|
delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Delete httpd cache files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_delete_cache_files',`
|
|
gen_require(`
|
|
type httpd_cache_t;
|
|
')
|
|
|
|
delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read httpd configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`apache_read_config',`
|
|
gen_require(`
|
|
type httpd_config_t;
|
|
')
|
|
|
|
files_search_etc($1)
|
|
allow $1 httpd_config_t:dir list_dir_perms;
|
|
read_files_pattern($1, httpd_config_t, httpd_config_t)
|
|
read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search httpd configuration directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_search_config',`
|
|
gen_require(`
|
|
type httpd_config_t;
|
|
')
|
|
|
|
files_search_etc($1)
|
|
allow $1 httpd_config_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
## httpd configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_manage_config',`
|
|
gen_require(`
|
|
type httpd_config_t;
|
|
')
|
|
|
|
files_search_etc($1)
|
|
manage_dirs_pattern($1, httpd_config_t, httpd_config_t)
|
|
manage_files_pattern($1, httpd_config_t, httpd_config_t)
|
|
read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute the Apache helper program
|
|
## with a domain transition.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_domtrans_helper',`
|
|
gen_require(`
|
|
type httpd_helper_t, httpd_helper_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute the Apache helper program with
|
|
## a domain transition, and allow the
|
|
## specified role the Apache helper domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`apache_run_helper',`
|
|
gen_require(`
|
|
attribute_role httpd_helper_roles;
|
|
')
|
|
|
|
apache_domtrans_helper($1)
|
|
roleattribute $2 httpd_helper_roles;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read httpd log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`apache_read_log',`
|
|
gen_require(`
|
|
type httpd_log_t;
|
|
')
|
|
|
|
logging_search_logs($1)
|
|
allow $1 httpd_log_t:dir list_dir_perms;
|
|
read_files_pattern($1, httpd_log_t, httpd_log_t)
|
|
read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Append httpd log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_append_log',`
|
|
gen_require(`
|
|
type httpd_log_t;
|
|
')
|
|
|
|
logging_search_logs($1)
|
|
allow $1 httpd_log_t:dir list_dir_perms;
|
|
append_files_pattern($1, httpd_log_t, httpd_log_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to append
|
|
## httpd log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_dontaudit_append_log',`
|
|
gen_require(`
|
|
type httpd_log_t;
|
|
')
|
|
|
|
dontaudit $1 httpd_log_t:file append_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
## httpd log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_manage_log',`
|
|
gen_require(`
|
|
type httpd_log_t;
|
|
')
|
|
|
|
logging_search_logs($1)
|
|
manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
|
|
manage_files_pattern($1, httpd_log_t, httpd_log_t)
|
|
read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Write apache log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_write_log',`
|
|
gen_require(`
|
|
type httpd_log_t;
|
|
')
|
|
|
|
logging_search_logs($1)
|
|
write_files_pattern($1, httpd_log_t, httpd_log_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to search
|
|
## httpd module directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_dontaudit_search_modules',`
|
|
gen_require(`
|
|
type httpd_modules_t;
|
|
')
|
|
|
|
dontaudit $1 httpd_modules_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## List httpd module directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_list_modules',`
|
|
gen_require(`
|
|
type httpd_modules_t;
|
|
')
|
|
|
|
allow $1 httpd_modules_t:dir list_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute httpd module files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_exec_modules',`
|
|
gen_require(`
|
|
type httpd_modules_t;
|
|
')
|
|
|
|
allow $1 httpd_modules_t:dir list_dir_perms;
|
|
allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
|
|
can_exec($1, httpd_modules_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read httpd module files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_read_module_files',`
|
|
gen_require(`
|
|
type httpd_modules_t;
|
|
')
|
|
|
|
libs_search_lib($1)
|
|
read_files_pattern($1, httpd_modules_t, httpd_modules_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a domain transition to
|
|
## run httpd_rotatelogs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_domtrans_rotatelogs',`
|
|
gen_require(`
|
|
type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## List httpd system content directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_list_sys_content',`
|
|
gen_require(`
|
|
type httpd_sys_content_t;
|
|
')
|
|
|
|
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
|
|
files_search_var($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
## httpd system content files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`apache_manage_sys_content',`
|
|
gen_require(`
|
|
type httpd_sys_content_t;
|
|
')
|
|
|
|
files_search_var($1)
|
|
manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
|
|
manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
|
|
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
## httpd system rw content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_manage_sys_rw_content',`
|
|
gen_require(`
|
|
type httpd_sys_rw_content_t;
|
|
')
|
|
|
|
apache_search_sys_content($1)
|
|
manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
|
|
manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
|
|
manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute all httpd scripts in the
|
|
## system script domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_domtrans_sys_script',`
|
|
gen_require(`
|
|
attribute httpdcontent;
|
|
type httpd_sys_script_t;
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
|
domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read and
|
|
## write httpd system script unix
|
|
## domain stream sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
|
|
gen_require(`
|
|
type httpd_sys_script_t;
|
|
')
|
|
|
|
dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute all user scripts in the user
|
|
## script domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_domtrans_all_scripts',`
|
|
gen_require(`
|
|
attribute httpd_exec_scripts;
|
|
')
|
|
|
|
typeattribute $1 httpd_exec_scripts;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute all user scripts in the user
|
|
## script domain. Add user script domains
|
|
## to the specified role.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_run_all_scripts',`
|
|
gen_require(`
|
|
attribute httpd_script_domains;
|
|
')
|
|
|
|
role $2 types httpd_script_domains;
|
|
apache_domtrans_all_scripts($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read httpd squirrelmail data files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_read_squirrelmail_data',`
|
|
gen_require(`
|
|
type httpd_squirrelmail_t;
|
|
')
|
|
|
|
allow $1 httpd_squirrelmail_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Append httpd squirrelmail data files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_append_squirrelmail_data',`
|
|
gen_require(`
|
|
type httpd_squirrelmail_t;
|
|
')
|
|
|
|
allow $1 httpd_squirrelmail_t:file append_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search httpd system content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_search_sys_content',`
|
|
gen_require(`
|
|
type httpd_sys_content_t;
|
|
')
|
|
|
|
files_search_var($1)
|
|
allow $1 httpd_sys_content_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read httpd system content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_read_sys_content',`
|
|
gen_require(`
|
|
type httpd_sys_content_t;
|
|
')
|
|
|
|
allow $1 httpd_sys_content_t:dir list_dir_perms;
|
|
read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
|
|
read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search httpd system CGI directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_search_sys_scripts',`
|
|
gen_require(`
|
|
type httpd_sys_content_t, httpd_sys_script_exec_t;
|
|
')
|
|
|
|
search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete all
|
|
## user httpd content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`apache_manage_all_user_content',`
|
|
gen_require(`
|
|
type httpd_user_content_t, httpd_user_content_rw_t, httpd_user_content_ra_t;
|
|
type httpd_user_htaccess_t, httpd_user_script_exec_t;
|
|
')
|
|
|
|
manage_dirs_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
|
|
manage_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t })
|
|
manage_lnk_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search system script state directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_search_sys_script_state',`
|
|
gen_require(`
|
|
type httpd_sys_script_t;
|
|
')
|
|
|
|
allow $1 httpd_sys_script_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read httpd tmp files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_read_tmp_files',`
|
|
gen_require(`
|
|
type httpd_tmp_t;
|
|
')
|
|
|
|
files_search_tmp($1)
|
|
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to write
|
|
## httpd tmp files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_dontaudit_write_tmp_files',`
|
|
gen_require(`
|
|
type httpd_tmp_t;
|
|
')
|
|
|
|
dontaudit $1 httpd_tmp_t:file write_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Delete httpd_var_lib_t files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain that can delete the files
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_delete_lib_files',`
|
|
gen_require(`
|
|
type httpd_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
delete_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute CGI in the specified domain.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## This is an interface to support third party modules
|
|
## and its use is not allowed in upstream reference
|
|
## policy.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain run the cgi script in.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="entrypoint">
|
|
## <summary>
|
|
## Type of the executable to enter the cgi domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_cgi_domain',`
|
|
gen_require(`
|
|
type httpd_t;
|
|
')
|
|
|
|
domtrans_pattern(httpd_t, $2, $1)
|
|
apache_search_sys_scripts($1)
|
|
|
|
allow httpd_t $1:process signal;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to
|
|
## administrate an apache environment.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`apache_admin',`
|
|
gen_require(`
|
|
attribute httpdcontent, httpd_script_exec_type;
|
|
attribute httpd_script_domains, httpd_htaccess_type;
|
|
type httpd_t, httpd_config_t, httpd_log_t;
|
|
type httpd_modules_t, httpd_lock_t, httpd_helper_t;
|
|
type httpd_runtime_t, httpd_passwd_t, httpd_suexec_t;
|
|
type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
|
|
type httpd_initrc_exec_t, httpd_keytab_t;
|
|
')
|
|
|
|
allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };
|
|
allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms };
|
|
ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t })
|
|
ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })
|
|
|
|
init_startstop_service($1, $2, httpd_t, httpd_initrc_exec_t)
|
|
|
|
apache_manage_all_content($1)
|
|
miscfiles_manage_public_files($1)
|
|
|
|
files_search_etc($1)
|
|
admin_pattern($1, { httpd_keytab_t httpd_config_t })
|
|
|
|
logging_search_logs($1)
|
|
admin_pattern($1, httpd_log_t)
|
|
|
|
admin_pattern($1, httpd_modules_t)
|
|
|
|
admin_pattern($1, httpd_lock_t)
|
|
files_lock_filetrans($1, httpd_lock_t, file)
|
|
|
|
admin_pattern($1, httpd_runtime_t)
|
|
files_pid_filetrans($1, httpd_runtime_t, file)
|
|
|
|
admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type })
|
|
admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t })
|
|
|
|
apache_run_all_scripts($1, $2)
|
|
apache_run_helper($1, $2)
|
|
')
|