[selinux-policy: 717/3172] add most of apache
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:06:51 UTC 2010
commit a996bdf4addc1145a9720c69009f7a5e150851c1
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Sep 29 20:59:00 2005 +0000
add most of apache
refpolicy/policy/global_tunables | 21 +
refpolicy/policy/modules/admin/logrotate.te | 6 +
refpolicy/policy/modules/services/apache.fc | 66 +++
refpolicy/policy/modules/services/apache.if | 353 ++++++++++++
refpolicy/policy/modules/services/apache.te | 647 +++++++++++++++++++++++
refpolicy/policy/modules/services/cron.if | 3 +
refpolicy/policy/modules/services/nis.if | 63 +++
refpolicy/policy/modules/services/samba.if | 24 +-
refpolicy/policy/modules/system/corecommands.fc | 4 +
refpolicy/policy/modules/system/init.fc | 1 +
refpolicy/policy/modules/system/init.if | 4 +-
refpolicy/policy/modules/system/userdomain.if | 32 ++-
12 files changed, 1205 insertions(+), 19 deletions(-)
---
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 27dbff8..20affba 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -48,6 +48,27 @@ gen_tunable(ftp_home_dir,false)
## Allow ftpd to run directly without inetd
gen_tunable(ftpd_is_daemon,false)
+## Allow httpd to use built in scripting (usually php)
+gen_tunable(httpd_builtin_scripting,false)
+
+## Allow http daemon to tcp connect
+gen_tunable(httpd_can_network_connect,false)
+
+## Allow httpd cgi support
+gen_tunable(httpd_enable_cgi,false)
+
+## Allow httpd to read home directories
+gen_tunable(httpd_enable_homedirs,false)
+
+## Run SSI execs in system CGI script domain.
+gen_tunable(httpd_ssi_exec,false)
+
+## Allow http daemon to communicate with the TTY
+gen_tunable(httpd_tty_comm,false)
+
+## Run CGI in the main httpd domain
+gen_tunable(httpd_unified,false)
+
## Allow BIND to write the master zone files.
## Generally this is used for dynamic DNS.
gen_tunable(named_write_master_zones,false)
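Review bot: The one-line description of `httpd_can_network_connect` ("Allow http daemon to tcp connect") understates what the boolean grants: in the new apache.te the same tunable also opens UDP sockets, binds to all nodes and allows `corenet_tcp_connect_all_ports`, and in apache.if it extends that network access to every per-user CGI script domain when combined with `httpd_enable_cgi`. Since this text is what an administrator sees next to the boolean, it should say so, e.g. `## Allow httpd and its CGI scripts to connect to any TCP port and use UDP`. Separately, `httpd_disable_trans` is tested under `targeted_policy` in the new apache.if and apache.te, but no `gen_tunable` for it appears in this hunk; if it is not declared elsewhere in the targeted build, those conditionals will not resolve.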
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index b5bc065..9594d28 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -137,6 +137,12 @@ optional_policy(`acct.te',`
acct_exec_data(logrotate_t)
')
+optional_policy(`apache.te',`
+ apache_read_config(logrotate_t)
+ apache_domtrans(logrotate_t)
+ apache_signull(logrotate_t)
+')
+
optional_policy(`consoletype.te',`
consoletype_exec(logrotate_t)
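Review bot: The new apache block gives logrotate_t a domain transition into httpd_t and `signull`, but no `process signal` permission, so if the apache postrotate action sends SIGHUP or SIGUSR1 directly to the httpd pid instead of running apachectl, that signal would be denied and the daemon would keep writing to the rotated inode. Which of the two is expected is not visible here; if only apachectl is used, a comment such as `# domtrans covers apachectl; signull only lets logrotate check the pid` would prevent the next reader from guessing, and if direct signalling is expected an interface granting `process signal` is needed alongside `apache_signull`.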
diff --git a/refpolicy/policy/modules/services/apache.fc b/refpolicy/policy/modules/services/apache.fc
new file mode 100644
index 0000000..c7c4151
--- /dev/null
+++ b/refpolicy/policy/modules/services/apache.fc
@@ -0,0 +1,66 @@
+
+HOME_DIR/((www)|(web)|(public_html))(/.+)? context_template(system_u:object_r:httpd_ROLE_content_t,s0)
+
+/etc/apache(2)?(/.*)? context_template(system_u:object_r:httpd_config_t,s0)
+/etc/apache-ssl(2)?(/.*)? context_template(system_u:object_r:httpd_config_t,s0)
+/etc/htdig(/.*)? context_template(system_u:object_r:httpd_sys_content_t,s0)
+/etc/httpd -d context_template(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/conf.* context_template(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/logs context_template(system_u:object_r:httpd_log_t,s0)
+/etc/httpd/modules context_template(system_u:object_r:httpd_modules_t,s0)
+/etc/vhosts -- context_template(system_u:object_r:httpd_config_t,s0)
+
+/srv/([^/]*/)?www(/.*)? context_template(system_u:object_r:httpd_sys_content_t,s0)
+
+/usr/bin/htsslpass -- context_template(system_u:object_r:httpd_helper_exec_t,s0)
+
+/usr/lib/apache-ssl/.+ -- context_template(system_u:object_r:httpd_exec_t,s0)
+/usr/lib/cgi-bin(/.*)? context_template(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib(64)?/apache(/.*)? context_template(system_u:object_r:httpd_modules_t,s0)
+/usr/lib(64)?/apache2/modules(/.*)? context_template(system_u:object_r:httpd_modules_t,s0)
+/usr/lib(64)?/apache(2)?/suexec(2)? -- context_template(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- context_template(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib(64)?/httpd(/.*)? context_template(system_u:object_r:httpd_modules_t,s0)
+
+/usr/sbin/apache(2)? -- context_template(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache-ssl(2)? -- context_template(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd(\.worker)? -- context_template(system_u:object_r:httpd_exec_t,s0)
+ifdef(`distro_suse', `
+/usr/sbin/httpd2-.* -- context_template(system_u:object_r:httpd_exec_t,s0)
+')
+/usr/sbin/suexec -- context_template(system_u:object_r:httpd_suexec_exec_t,s0)
+
+/usr/share/htdig(/.*)? context_template(system_u:object_r:httpd_sys_content_t,s0)
+
+/var/cache/httpd(/.*)? context_template(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_ssl(/.*)? context_template(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-eaccelerator(/.*)? context_template(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-mmcache(/.*)? context_template(system_u:object_r:httpd_cache_t,s0)
+/var/cache/ssl.*\.sem -- context_template(system_u:object_r:httpd_cache_t,s0)
+
+/var/lib/htdig(/.*)? context_template(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/httpd(/.*)? context_template(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php/session(/.*)? context_template(system_u:object_r:httpd_var_run_t,s0)
+/var/lib/squirrelmail/prefs(/.*)? context_template(system_u:object_r:httpd_squirrelmail_t,s0)
+
+/var/log/apache(2)?(/.*)? context_template(system_u:object_r:httpd_log_t,s0)
+/var/log/apache-ssl(2)?(/.*)? context_template(system_u:object_r:httpd_log_t,s0)
+/var/log/cgiwrap\.log.* -- context_template(system_u:object_r:httpd_log_t,s0)
+/var/log/httpd(/.*)? context_template(system_u:object_r:httpd_log_t,s0)
+ifdef(`distro_debian', `
+/var/log/horde2(/.*)? context_template(system_u:object_r:httpd_log_t,s0)
+')
+
+/var/run/apache.* context_template(system_u:object_r:httpd_var_run_t,s0)
+/var/run/gcache_port -s context_template(system_u:object_r:httpd_var_run_t,s0)
+
+/var/spool/gosa(/.*)? context_template(system_u:object_r:httpd_sys_script_rw_t,s0)
+/var/spool/squirrelmail(/.*)? context_template(system_u:object_r:squirrelmail_spool_t,s0)
+ifdef(`targeted_policy', `', `
+/var/spool/cron/apache -- context_template(system_u:object_r:user_cron_spool_t,s0)
+')
+
+/var/www(/.*)? context_template(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/cgi-bin(/.*)? context_template(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/icons(/.*)? context_template(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/perl(/.*)? context_template(system_u:object_r:httpd_sys_script_exec_t,s0)
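Review bot: The `/usr/lib/cgi-bin(/.*)?` entry has no `(64)?` alternation while the cgiwrap entry a few lines below uses `/usr/lib(64)?/cgi-bin/...`, so on a lib64 layout a system cgi-bin directory falls through to the generic `/usr/lib(64)?/apache` or `httpd` rules (or stays unlabelled) and scripts there never receive `httpd_sys_script_exec_t`; the two should agree, e.g. `/usr/lib(64)?/cgi-bin(/.*)? context_template(system_u:object_r:httpd_sys_script_exec_t,s0)`. The `/var/lib/php/session(/.*)?` entry labels PHP session files, which hold live session identifiers, with the pid-file type `httpd_var_run_t`, so any domain later granted read access to httpd's pid files also gets to read sessions; a dedicated type would be the least-privilege choice, and if that is deferred a comment stating the reuse is deliberate would help.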
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
new file mode 100644
index 0000000..bea817d
--- /dev/null
+++ b/refpolicy/policy/modules/services/apache.if
@@ -0,0 +1,353 @@
+## <summary>Apache web server</summary>
+
+template(`apache_content_template',`
+
+ #This type is for webpages
+ type httpd_$1_content_t, httpdcontent; # customizable
+ files_type(httpd_$1_content_t)
+
+ # This type is used for .htaccess files
+ type httpd_$1_htaccess_t; # customizable;
+ files_type(httpd_$1_htaccess_t)
+
+ # Type that CGI scripts run as
+ type httpd_$1_script_t;
+ domain_type(httpd_$1_script_t)
+ role system_r types httpd_$1_script_t;
+
+ # This type is used for executable scripts files
+ type httpd_$1_script_exec_t; # customizable;
+ domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)
+
+ # The following three are the only areas that
+ # scripts can read, read/write, or append to
+ type httpd_$1_script_ro_t, httpdcontent; # customizable
+ files_type(httpd_$1_script_ro_t)
+
+ type httpd_$1_script_rw_t, httpdcontent; # customizable
+ files_type(httpd_$1_script_rw_t)
+
+ type httpd_$1_script_ra_t, httpdcontent; # customizable
+ files_type(httpd_$1_script_ra_t)
+
+ allow httpd_t httpd_$1_htaccess_t:file r_file_perms;
+
+ domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+ allow httpd_suexec_t httpd_$1_script_t:fd use;
+ allow httpd_$1_script_t httpd_suexec_t:fd use;
+ allow httpd_$1_script_t httpd_suexec_t:fifo_file rw_file_perms;
+ allow httpd_$1_script_t httpd_suexec_t:process sigchld;
+
+ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
+
+ allow httpd_$1_script_t self:fifo_file rw_file_perms;
+
+ allow httpd_$1_script_t httpd_t:fifo_file write;
+ # apache should set close-on-exec
+ dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+
+ # Allow the script process to search the cgi directory, and users directory
+ allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
+
+ allow httpd_$1_script_t httpd_log_t:file { getattr append };
+ allow httpd_$1_script_t httpd_log_t:dir search;
+ logging_search_logs(httpd_$1_script_t)
+
+ can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+ allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
+
+ allow httpd_$1_script_t httpd_$1_script_ra_t:dir ra_dir_perms;
+ allow httpd_$1_script_t httpd_$1_script_ra_t:file ra_file_perms;
+ allow httpd_$1_script_t httpd_$1_script_ra_t:lnk_file { getattr read };
+
+ allow httpd_$1_script_t httpd_$1_script_ro_t:dir { getattr read search };
+ allow httpd_$1_script_t httpd_$1_script_ro_t:file { read getattr };
+ allow httpd_$1_script_t httpd_$1_script_ro_t:lnk_file { getattr read };
+
+ allow httpd_$1_script_t httpd_$1_script_rw_t:dir create_dir_perms;
+ allow httpd_$1_script_t httpd_$1_script_rw_t:file create_file_perms;
+ allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
+ allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms;
+ allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
+ files_create_tmp_files(httpd_$1_script_t,httpd_$1_script_rw_t,{ file lnk_file sock_file fifo_file })
+
+ dev_read_rand(httpd_$1_script_t)
+ dev_read_urand(httpd_$1_script_t)
+
+ corecmd_exec_bin(httpd_$1_script_t)
+ corecmd_exec_sbin(httpd_$1_script_t)
+
+ domain_exec_all_entry_files(httpd_$1_script_t)
+
+ files_exec_etc_files(httpd_$1_script_t)
+ files_read_etc_files(httpd_$1_script_t)
+ files_search_home(httpd_$1_script_t)
+
+ libs_use_ld_so(httpd_$1_script_t)
+ libs_use_shared_libs(httpd_$1_script_t)
+ libs_exec_ld_so(httpd_$1_script_t)
+ libs_exec_lib_files(httpd_$1_script_t)
+
+ miscfiles_read_fonts(httpd_$1_script_t)
+
+ seutil_dontaudit_search_config(httpd_$1_script_t)
+
+ ifdef(`targeted_policy',`
+ tunable_policy(`httpd_enable_cgi && httpd_unified && ! httpd_disable_trans',`
+ allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
+ allow httpd_$1_script_t httpdcontent:file create_file_perms;
+ allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
+ can_exec(httpd_$1_script_t, httpdcontent)
+ ')
+ ',`
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
+ allow httpd_$1_script_t httpdcontent:file create_file_perms;
+ allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
+ can_exec(httpd_$1_script_t, httpdcontent)
+ ')
+ ')
+
+ # Allow the web server to run scripts and serve pages
+ tunable_policy(`httpd_builtin_scripting',`
+ allow httpd_t httpd_$1_script_rw_t:dir create_dir_perms;
+ allow httpd_t httpd_$1_script_rw_t:file create_file_perms;
+ allow httpd_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
+ allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;
+
+ allow httpd_t httpd_$1_script_ra_t:dir ra_dir_perms;
+ allow httpd_t httpd_$1_script_ra_t:file ra_file_perms;
+ allow httpd_t httpd_$1_script_ra_t:lnk_file { getattr read };
+
+ allow httpd_t httpd_$1_script_ro_t:dir r_dir_perms;
+ allow httpd_t httpd_$1_script_ro_t:file r_file_perms;
+ allow httpd_t httpd_$1_script_ro_t:lnk_file { getattr read };
+
+ allow httpd_t httpd_$1_content_t:dir r_dir_perms;
+ allow httpd_t httpd_$1_content_t:file r_file_perms;
+ allow httpd_t httpd_$1_content_t:lnk_file { getattr read };
+ ')
+
+ tunable_policy(`httpd_enable_cgi',`
+ domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+ allow httpd_t httpd_$1_script_t:fd use;
+ allow httpd_$1_script_t httpd_t:fd use;
+ allow httpd_$1_script_t httpd_t:fifo_file rw_file_perms;
+ allow httpd_$1_script_t httpd_t:process sigchld;
+
+ allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
+ allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
+ allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
+
+ allow httpd_$1_script_t self:process signal_perms;
+ allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
+
+ allow httpd_$1_script_t httpd_t:fd use;
+ allow httpd_$1_script_t httpd_t:process sigchld;
+
+ kernel_read_system_state(httpd_$1_script_t)
+
+ dev_read_urand(httpd_$1_script_t)
+
+ fs_getattr_xattr_fs(httpd_$1_script_t)
+
+ files_read_etc_runtime_files(httpd_$1_script_t)
+ files_read_usr_files(httpd_$1_script_t)
+
+ libs_read_lib(httpd_$1_script_t)
+
+ miscfiles_read_localization(httpd_$1_script_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_$1_script_t self:udp_socket create_socket_perms;
+ corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
+ corenet_udp_sendrecv_all_if(httpd_$1_script_t)
+ corenet_raw_sendrecv_all_if(httpd_$1_script_t)
+ corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
+ corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
+ corenet_raw_sendrecv_all_nodes(httpd_$1_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
+ corenet_tcp_bind_all_nodes(httpd_$1_script_t)
+ corenet_udp_bind_all_nodes(httpd_$1_script_t)
+ corenet_tcp_connect_all_ports(httpd_$1_script_t)
+
+ sysnet_read_config(httpd_$1_script_t)
+ ')
+
+ optional_policy(`mount.te',`
+ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ mount_send_nfs_client_request(httpd_$1_script_t)
+ ')
+ ')
+
+
+ optional_policy(`mta.te',`
+ mta_send_mail(httpd_$1_script_t)
+ ')
+
+ optional_policy(`nis.te',`
+ tunable_policy(`httpd_enable_cgi && allow_ypbind',`
+ nis_use_ypbind_uncond(httpd_$1_script_t)
+ ')
+ ')
+
+ optional_policy(`nscd.te',`
+ nscd_use_socket(httpd_$1_script_t)
+ ')
+
+ ifdef(`TODO',`
+ anonymous_domain(httpd_$1_script)
+
+ #
+ # If a user starts a script by hand it gets the proper context
+ #
+ ifdef(`targeted_policy', `', `
+ if (httpd_enable_cgi) {
+ domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+ }
+ ')
+ role sysadm_r types httpd_$1_script_t;
+
+ dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
+ dontaudit httpd_$1_script_t sysctl_t:dir search;
+ ') dnl end TODO
+')
+
+template(`apache_per_userdomain_template', `
+
+ apache_content_template($1)
+
+# typeattribute httpd_$1_content_t $1_file_type;
+
+ role $3 types httpd_$1_script_t;
+
+ allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom };
+
+ allow $2 httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
+
+ allow $2 httpd_$1_script_ra_t:lnk_file { create_lnk_perms relabelto relabelfrom };
+ allow $2 httpd_$1_script_ra_t:dir { create_dir_perms relabelto relabelfrom };
+ allow $2 httpd_$1_script_ra_t:file { create_file_perms relabelto relabelfrom };
+
+ allow $2 httpd_$1_script_ro_t:lnk_file { create_lnk_perms relabelto relabelfrom };
+ allow $2 httpd_$1_script_ro_t:dir { create_dir_perms relabelto relabelfrom };
+ allow $2 httpd_$1_script_ro_t:file { create_file_perms relabelto relabelfrom };
+
+ allow $2 httpd_$1_script_rw_t:lnk_file { create_lnk_perms relabelto relabelfrom };
+ allow $2 httpd_$1_script_rw_t:dir { create_dir_perms relabelto relabelfrom };
+ allow $2 httpd_$1_script_rw_t:file { create_file_perms relabelto relabelfrom };
+
+ allow $2 httpd_$1_script_exec_t:dir create_dir_perms;
+ allow $2 httpd_$1_script_exec_t:file create_file_perms;
+ allow $2 httpd_$1_script_exec_t:lnk_file create_lnk_perms;
+
+ allow $2 httpd_$1_script_exec_t:dir { create_dir_perms relabelto relabelfrom };
+ allow $2 httpd_$1_script_exec_t:file { create_file_perms relabelto relabelfrom };
+ allow $2 httpd_$1_script_exec_t:lnk_file { create_lnk_perms relabelto relabelfrom };
+
+ ifdef(`targeted_policy',`
+ tunable_policy(`httpd_enable_cgi && httpd_unified && ! httpd_disable_trans',`
+ domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
+ allow $2 httpd_$1_script_t:fd use;
+ allow httpd_$1_script_t $2:fd use;
+ allow httpd_$1_script_t $2:fifo_file rw_file_perms;
+ allow httpd_$1_script_t $2:process sigchld;
+ ')
+
+ tunable_policy(`httpd_enable_cgi && ! httpd_disable_trans',`
+ domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
+ allow $2 httpd_$1_script_t:fd use;
+ allow httpd_$1_script_t $2:fd use;
+ allow httpd_$1_script_t $2:fifo_file rw_file_perms;
+ allow httpd_$1_script_t $2:process sigchld;
+ ')
+ ',`
+ tunable_policy(`httpd_enable_cgi',`
+ # If a user starts a script by hand it gets the proper context
+ domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
+ allow $2 httpd_$1_script_t:fd use;
+ allow httpd_$1_script_t $2:fd use;
+ allow httpd_$1_script_t $2:fifo_file rw_file_perms;
+ allow httpd_$1_script_t $2:process sigchld;
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
+ allow $2 httpd_$1_script_t:fd use;
+ allow httpd_$1_script_t $2:fd use;
+ allow httpd_$1_script_t $2:fifo_file rw_file_perms;
+ allow httpd_$1_script_t $2:process sigchld;
+ ')
+ ')
+
+ # allow accessing files/dirs below the users home dir
+ tunable_policy(`httpd_enable_homedirs',`
+ userdom_search_user_home($1,httpd_t)
+ userdom_search_user_home($1,httpd_suexec_t)
+ userdom_search_user_home($1,httpd_$1_script_t)
+ ')
+')
+
+########################################
+## <summary>
+## Transition to Apache.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`apache_domtrans',`
+ gen_require(`
+ type httpd_t, httpd_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ corecmd_search_sbin($1)
+ domain_auto_trans($1,httpd_exec_t,httpd_t)
+
+ allow $1 httpd_t:fd use;
+ allow httpd_t $1:fd use;
+ allow httpd_t $1:fifo_file rw_file_perms;
+ allow httpd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Send a null signal to apache.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`apache_signull',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:process signull;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## apache configuration files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`apache_read_config',`
+ gen_require(`
+ type httpd_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 httpd_config_t:dir r_dir_perms;
+ allow $1 httpd_config_t:file r_file_perms;
+ allow $1 httpd_config_t:lnk_file { getattr read };
+')
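Review bot: In `apache_per_userdomain_template`, the non-targeted `httpd_enable_cgi && httpd_unified` block transitions from `$1_t` while every sibling block in the same template transitions from `$2`, the caller-supplied user domain; unless the template is only ever invoked with `$2` equal to `$1_t`, that rule grants the transition to the wrong domain and should read `domain_auto_trans($2, httpdcontent, httpd_$1_script_t)`. The three `allow $2 httpd_$1_script_exec_t:...` rules without relabel permissions are fully subsumed by the three that follow them, and inside the `httpd_enable_cgi` block of `apache_content_template` the `allow httpd_$1_script_t httpd_t:fd use;` and `:process sigchld;` rules appear twice; the duplicates can be dropped. `corecmd_exec_sbin` and `domain_exec_all_entry_files` are granted to every script domain outside any tunable, so a script domain reached by any path can execute every binary and domain entry point on the system even with `httpd_enable_cgi` off; if that breadth is intended it deserves a why-comment, otherwise it belongs inside the `httpd_enable_cgi` block. Both templates also lack the `## <summary>`/`## <param>` header that the three interfaces at the end of the file carry; the per-userdomain template in particular needs its three parameters documented (the user prefix, the user domain and the role), since nothing else in the file says what `$2` and `$3` are.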
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
new file mode 100644
index 0000000..50ddc20
--- /dev/null
+++ b/refpolicy/policy/modules/services/apache.te
@@ -0,0 +1,647 @@
+
+policy_module(apache,1.0)
+
+#
+# NOTES:
+# This policy will work with SUEXEC enabled as part of the Apache
+# configuration. However, the user CGI scripts will run under the
+# system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
+# of the creating user.
+#
+# The user CGI scripts must be labeled with the httpd_$1_script_exec_t
+# type, and the directory containing the scripts should also be labeled
+# with these types. This policy allows user_r role to perform that
+# relabeling. If it is desired that only sysadm_r should be able to relabel
+# the user CGI scripts, then relabel rule for user_r should be removed.
+#
+
+########################################
+#
+# Declarations
+#
+
+attribute httpdcontent;
+
+type httpd_t;
+type httpd_exec_t;
+init_daemon_domain(httpd_t,httpd_exec_t)
+
+# httpd_cache_t is the type given to the /var/cache/httpd
+# directory and the files under that directory
+type httpd_cache_t;
+files_type(httpd_cache_t)
+
+# httpd_config_t is the type given to the configuration files
+type httpd_config_t;
+files_type(httpd_config_t)
+
+type httpd_helper_t;
+domain_type(httpd_helper_t)
+role system_r types httpd_helper_t;
+
+type httpd_helper_exec_t;
+domain_entry_file(httpd_helper_t,httpd_helper_exec_t)
+
+type httpd_lock_t;
+files_lock_file(httpd_lock_t)
+
+type httpd_log_t;
+logging_log_file(httpd_log_t)
+
+# httpd_modules_t is the type given to module files (libraries)
+# that come with Apache /etc/httpd/modules and /usr/lib/apache
+type httpd_modules_t;
+files_type(httpd_modules_t)
+
+type httpd_php_t;
+domain_type(httpd_php_t)
+role system_r types httpd_php_t;
+
+type httpd_php_exec_t;
+domain_entry_file(httpd_php_t,httpd_php_exec_t)
+
+type httpd_php_tmp_t;
+files_tmp_file(httpd_php_tmp_t)
+
+type httpd_squirrelmail_t;
+files_type(httpd_squirrelmail_t)
+
+# SUEXEC runs user scripts as their own user ID
+type httpd_suexec_t; #, daemon;
+domain_type(httpd_suexec_t)
+role system_r types httpd_suexec_t;
+
+type httpd_suexec_exec_t;
+domain_entry_file(httpd_suexec_t,httpd_suexec_exec_t)
+
+type httpd_suexec_tmp_t;
+files_tmp_file(httpd_suexec_tmp_t)
+
+type httpd_tmp_t;
+files_tmp_file(httpd_tmp_t)
+
+type httpd_tmpfs_t;
+files_tmpfs_file(httpd_tmpfs_t)
+
+# Unconfined domain for apache scripts.
+# Only to be used as a last resort
+type httpd_unconfined_script_t;
+domain_type(httpd_unconfined_script_t)
+role system_r types httpd_unconfined_script_t;
+
+type httpd_unconfined_script_exec_t; # customizable
+files_type(httpd_unconfined_script_exec_t)
+
+# for apache2 memory mapped files
+type httpd_var_lib_t;
+files_type(httpd_var_lib_t)
+
+type httpd_var_run_t;
+files_pid_file(httpd_var_run_t)
+
+# File Type of squirrelmail attachments
+type squirrelmail_spool_t;
+files_tmp_file(squirrelmail_spool_t)
+
+########################################
+#
+# Apache server local policy
+#
+
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
+dontaudit httpd_t self:capability { net_admin sys_tty_config };
+allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow httpd_t self:fd use;
+allow httpd_t self:fifo_file rw_file_perms;
+allow httpd_t self:shm create_shm_perms;
+allow httpd_t self:sem create_sem_perms;
+allow httpd_t self:msgq create_msgq_perms;
+allow httpd_t self:msg { send receive };
+allow httpd_t self:unix_dgram_socket create_socket_perms;
+allow httpd_t self:unix_stream_socket create_stream_socket_perms;
+allow httpd_t self:unix_dgram_socket sendto;
+allow httpd_t self:unix_stream_socket connectto;
+allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow httpd_t self:tcp_socket { acceptfrom connectto recvfrom };
+
+allow httpd_t self:tcp_socket create_stream_socket_perms;
+allow httpd_t self:udp_socket { connect };
+allow httpd_t self:tcp_socket connected_socket_perms;
+allow httpd_t self:udp_socket connected_socket_perms;
+
+# Allow httpd_t to put files in /var/cache/httpd etc
+allow httpd_t httpd_cache_t:dir create_dir_perms;
+allow httpd_t httpd_cache_t:file create_file_perms;
+allow httpd_t httpd_cache_t:lnk_file create_lnk_perms;
+
+# Allow the httpd_t to read the web servers config files
+allow httpd_t httpd_config_t:dir r_dir_perms;
+allow httpd_t httpd_config_t:file r_file_perms;
+allow httpd_t httpd_config_t:lnk_file { getattr read };
+
+can_exec(httpd_t, httpd_exec_t)
+
+allow httpd_t httpd_lock_t:file create_file_perms;
+files_create_lock(httpd_t,httpd_lock_t)
+
+allow httpd_t httpd_log_t:dir { setattr rw_dir_perms };
+allow httpd_t httpd_log_t:file { create ra_file_perms };
+allow httpd_t httpd_log_t:lnk_file read;
+
+allow httpd_t httpd_modules_t:file rx_file_perms;
+allow httpd_t httpd_modules_t:dir r_dir_perms;
+allow httpd_t httpd_modules_t:lnk_file r_file_perms;
+
+allow httpd_t httpd_squirrelmail_t:dir create_dir_perms;
+allow httpd_t httpd_squirrelmail_t:lnk_file create_lnk_perms;
+allow httpd_t httpd_squirrelmail_t:file create_file_perms;
+
+allow httpd_t httpd_tmp_t:dir create_dir_perms;
+allow httpd_t httpd_tmp_t:file create_file_perms;
+files_create_tmp_files(httpd_t, httpd_tmp_t, { file dir })
+
+allow httpd_t httpd_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+allow httpd_t httpd_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow httpd_t httpd_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+allow httpd_t httpd_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow httpd_t httpd_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+fs_create_tmpfs_data(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+allow httpd_t httpd_var_lib_t:file create_file_perms;
+allow httpd_t httpd_var_lib_t:dir create_dir_perms;
+files_create_var_lib(httpd_t,httpd_var_lib_t)
+
+allow httpd_t httpd_var_run_t:file create_file_perms;
+allow httpd_t httpd_var_run_t:sock_file create_file_perms;
+allow httpd_t httpd_var_run_t:dir rw_dir_perms;
+files_create_pid(httpd_t,httpd_var_run_t, { file sock_file })
+
+allow httpd_t squirrelmail_spool_t:dir create_dir_perms;
+allow httpd_t squirrelmail_spool_t:file create_file_perms;
+allow httpd_t squirrelmail_spool_t:lnk_file create_lnk_perms;
+
+kernel_read_kernel_sysctl(httpd_t)
+kernel_tcp_recvfrom(httpd_t)
+# for modules that want to access /proc/meminfo
+kernel_read_system_state(httpd_t)
+
+corenet_tcp_sendrecv_all_if(httpd_t)
+corenet_udp_sendrecv_all_if(httpd_t)
+corenet_raw_sendrecv_all_if(httpd_t)
+corenet_tcp_sendrecv_all_nodes(httpd_t)
+corenet_udp_sendrecv_all_nodes(httpd_t)
+corenet_raw_sendrecv_all_nodes(httpd_t)
+corenet_tcp_sendrecv_all_ports(httpd_t)
+corenet_udp_sendrecv_all_ports(httpd_t)
+corenet_tcp_bind_all_nodes(httpd_t)
+corenet_udp_bind_all_nodes(httpd_t)
+corenet_tcp_bind_http_port(httpd_t)
+corenet_tcp_bind_http_cache_port(httpd_t)
+
+dev_read_sysfs(httpd_t)
+dev_read_rand(httpd_t)
+dev_read_urand(httpd_t)
+
+fs_getattr_all_fs(httpd_t)
+fs_search_auto_mountpoints(httpd_t)
+
+term_dontaudit_use_console(httpd_t)
+
+# execute perl
+corecmd_exec_bin(httpd_t)
+corecmd_exec_sbin(httpd_t)
+
+domain_use_wide_inherit_fd(httpd_t)
+
+files_read_usr_files(httpd_t)
+files_list_mnt(httpd_t)
+files_search_spool(httpd_t)
+files_read_var_lib_files(httpd_t)
+files_search_home(httpd_t)
+files_getattr_home_dir(httpd_t)
+# for modules that want to access /etc/mtab
+files_read_etc_runtime_files(httpd_t)
+# Allow httpd_t to have access to files such as nisswitch.conf
+files_read_etc_files(httpd_t)
+
+init_use_fd(httpd_t)
+init_use_script_pty(httpd_t)
+
+libs_use_ld_so(httpd_t)
+libs_use_shared_libs(httpd_t)
+libs_read_lib(httpd_t)
+
+logging_send_syslog_msg(httpd_t)
+
+miscfiles_read_localization(httpd_t)
+miscfiles_read_fonts(httpd_t)
+
+seutil_dontaudit_search_config(httpd_t)
+
+sysnet_dns_name_resolve(httpd_t)
+sysnet_use_ldap(httpd_t)
+sysnet_read_config(httpd_t)
+
+userdom_use_unpriv_users_fd(httpd_t)
+userdom_dontaudit_search_sysadm_home_dir(httpd_t)
+
+mta_send_mail(httpd_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(httpd_t)
+ term_dontaudit_use_generic_pty(httpd_t)
+ files_dontaudit_read_root_file(httpd_t)
+')
+
+tunable_policy(`httpd_enable_cgi',`
+ domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+ allow httpd_t httpd_unconfined_script_t:fd use;
+ allow httpd_unconfined_script_t httpd_t:fd use;
+ allow httpd_unconfined_script_t httpd_t:fifo_file rw_file_perms;
+ allow httpd_unconfined_script_t httpd_t:process sigchld;
+
+ allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
+ allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(httpd_t)
+ fs_read_nfs_symlinks(httpd_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_t)
+ fs_read_cifs_symlinks(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_connect',`
+ allow httpd_t self:tcp_socket create_socket_perms;
+ allow httpd_t self:udp_socket { connect };
+ allow httpd_t self:udp_socket connected_socket_perms;
+
+ corenet_tcp_sendrecv_all_if(httpd_t)
+ corenet_udp_sendrecv_all_if(httpd_t)
+ corenet_raw_sendrecv_all_if(httpd_t)
+ corenet_tcp_sendrecv_all_nodes(httpd_t)
+ corenet_udp_sendrecv_all_nodes(httpd_t)
+ corenet_raw_sendrecv_all_nodes(httpd_t)
+ corenet_tcp_sendrecv_all_ports(httpd_t)
+ corenet_udp_sendrecv_all_ports(httpd_t)
+ corenet_tcp_bind_all_nodes(httpd_t)
+ corenet_udp_bind_all_nodes(httpd_t)
+ corenet_tcp_connect_all_ports(httpd_t)
+
+ sysnet_read_config(httpd_t)
+')
+
+optional_policy(`kerberos.te',`
+ kerberos_use(httpd_t)
+')
+
+optional_policy(`mta.te',`
+ # apache should set close-on-exec
+ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+')
+
+optional_policy(`mysql.te',`
+ mysql_stream_connect(httpd_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(httpd_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(httpd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(httpd_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(httpd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(httpd_t)
+')
+
+allow httpd_t var_log_t:dir ra_dir_perms;
+type_transition httpd_t var_log_t:file httpd_log_t;
+
+can_tcp_connect(web_client_domain, httpd_t)
+
+allow httpd_t crypt_device_t:chr_file rw_file_perms;
+
+# for tomcat
+allow httpd_t var_lib_t:lnk_file { getattr read };
+
+#########################################
+# Allow httpd to search users directories
+#########################################
+allow httpd_t home_root_t:dir { getattr search };
+
+dontaudit httpd_t sysadm_home_dir_t:dir getattr;
+
+# Allow apache to used ftpd_anon_t
+anonymous_domain(httpd)
+
+optional_policy(`mysql.te',`
+ allow httpd_t mysqld_db_t:dir search;
+ allow httpd_t mysqld_db_t:sock_file rw_file_perms;
+')
+
+ifdef(`snmpd.te', `
+ dontaudit httpd_t snmpd_var_lib_t:dir search;
+ dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
+', `
+ dontaudit httpd_t usr_t:dir write;
+')
+
+r_dir_file(initrc_t, httpd_config_t)
+allow initrc_t httpd_modules_t:dir r_dir_perms;
+
+
+# setup the system domain for system CGI scripts
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+kernel_read_kernel_sysctl(httpd_sys_script_t)
+allow httpd_sys_script_t var_spool_t:dir { getattr search };
+r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
+allow httpd_sys_script_t var_lib_t:dir search;
+
+# Run SSI execs in system CGI script domain.
+tunable_policy(`httpd_ssi_exec',`
+ corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
+ allow httpd_t httpd_sys_script_t:fd use;
+ allow httpd_sys_script_t httpd_t:fd use;
+ allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
+ allow httpd_sys_script_t httpd_t:process sigchld;
+')
+
+optional_policy(`mysql.te',`
+ allow httpd_sys_script_t mysqld_db_t:dir search;
+ allow httpd_sys_script_t mysqld_db_t:sock_file rw_file_perms;
+
+ mysql_stream_connect(httpd_sys_script_t)
+')
+
+ifdef(`targeted_policy', `
+ typealias httpd_sys_content_t alias httpd_user_content_t;
+ typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
+
+ if (httpd_enable_homedirs) {
+ allow httpd_t user_home_dir_t:dir { getattr search };
+ }
+ if (httpd_enable_homedirs) {
+ allow httpd_sys_script_t user_home_dir_t:dir { getattr search };
+ }
+ if (httpd_enable_homedirs) {
+ allow httpd_suexec_t user_home_dir_t:dir { getattr search };
+ }
+')
+
+# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
+typealias httpd_sys_content_t alias httpd_sysadm_content_t;
+
+ifdef(`distro_redhat',`
+ # mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
+ # This is a bug but it still exists in FC2
+ typealias httpd_log_t alias httpd_runtime_t;
+
+ allow httpd_sys_script_t httpd_log_t:file { getattr append };
+')
+
+########################################
+# When the admin starts the server, the server wants to access
+# the TTY or PTY associated with the session. The httpd appears
+# to run correctly without this permission, so the permission
+# are dontaudited here.
+##################################################
+
+if (httpd_tty_comm) {
+ allow { httpd_t httpd_helper_t } devpts_t:dir search;
+ allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
+} else {
+ dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
+}
+
+r_dir_file(httpd_t, cert_t)
+
+dontaudit httpd_suexec_t var_run_t:dir search;
+allow httpd_suexec_t home_root_t:dir search;
+
+if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+ domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+ allow httpd_suexec_t httpd_sys_script_t:fd use;
+ allow httpd_sys_script_t httpd_suexec_t:fd use;
+ allow httpd_sys_script_t httpd_suexec_t:fifo_file rw_file_perms;
+ allow httpd_sys_script_t httpd_suexec_t:process sigchld;
+
+ ifdef(`targeted_policy', `', `
+ domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
+ ')
+}
+
+if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+ domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
+ allow httpd_t httpd_sys_script_t:fd use;
+ allow httpd_sys_script_t httpd_t:fd use;
+ allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
+ allow httpd_sys_script_t httpd_t:process sigchld;
+
+ allow httpd_t httpdcontent:dir create_dir_perms;
+ allow httpd_t httpdcontent:file create_file_perms;
+ allow httpd_t httpdcontent:lnk_file create_lnk_perms;
+}
+
+tunable_policy(`httpd_enable_cgi',`
+ domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+')
+
+
+optional_policy(`mta.te',`
+ # apache should set close-on-exec
+ dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
+ dontaudit system_mail_t httpd_log_t:file { append getattr };
+ allow system_mail_t httpd_squirrelmail_t:file { append read };
+ dontaudit system_mail_t httpd_t:tcp_socket { read write };
+')
+') dnl end TODO
+
+########################################
+#
+# Apache helper local policy
+#
+
+domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
+allow httpd_t httpd_helper_t:fd use;
+allow httpd_helper_t httpd_t:fd use;
+allow httpd_helper_t httpd_t:fifo_file rw_file_perms;
+allow httpd_helper_t httpd_t:process sigchld;
+
+allow httpd_helper_t httpd_config_t:file { getattr read };
+
+allow httpd_helper_t httpd_log_t:file append;
+
+libs_use_ld_so(httpd_helper_t)
+libs_use_shared_libs(httpd_helper_t)
+
+# a "run" interface needs to be
+# added, and have sysadm_t use it
+# in a optional_policy block. for httpd_helper_t
+
+########################################
+#
+# Apache PHP script local policy
+#
+
+allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow httpd_php_t self:fd use;
+allow httpd_php_t self:fifo_file rw_file_perms;
+allow httpd_php_t self:unix_dgram_socket create_socket_perms;
+allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
+allow httpd_php_t self:unix_dgram_socket sendto;
+allow httpd_php_t self:unix_stream_socket connectto;
+allow httpd_php_t self:shm create_shm_perms;
+allow httpd_php_t self:sem create_sem_perms;
+allow httpd_php_t self:msgq create_msgq_perms;
+allow httpd_php_t self:msg { send receive };
+
+domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t)
+allow httpd_t httpd_php_t:fd use;
+allow httpd_php_t httpd_t:fd use;
+allow httpd_php_t httpd_t:fifo_file rw_file_perms;
+allow httpd_php_t httpd_t:process sigchld;
+
+# allow php to read and append to apache logfiles
+allow httpd_php_t httpd_log_t:file ra_file_perms;
+
+allow httpd_php_t httpd_php_tmp_t:dir create_dir_perms;
+allow httpd_php_t httpd_php_tmp_t:file create_file_perms;
+files_create_tmp_files(httpd_php_t, httpd_php_tmp_t, { file dir })
+
+fs_search_auto_mountpoints(httpd_php_t)
+
+libs_exec_lib_files(httpd_php_t)
+libs_use_ld_so(httpd_php_t)
+libs_use_shared_libs(httpd_php_t)
+
+userdom_use_unpriv_users_fd(httpd_php_t)
+
+optional_policy(`mysql.te',`
+ mysql_stream_connect(httpd_php_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(httpd_php_t)
+')
+
+########################################
+#
+# Apache suexec local policy
+#
+
+allow httpd_suexec_t self:capability { setuid setgid };
+allow httpd_suexec_t self:process signal_perms;
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+# cjp: need transitionbool
+domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
+allow httpd_t httpd_suexec_t:fd use;
+allow httpd_suexec_t httpd_t:fd use;
+allow httpd_suexec_t httpd_t:fifo_file rw_file_perms;
+allow httpd_suexec_t httpd_t:process sigchld;
+
+allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
+allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
+allow httpd_suexec_t httpd_t:fifo_file getattr;
+
+allow httpd_suexec_t httpd_suexec_tmp_t:dir create_dir_perms;
+allow httpd_suexec_t httpd_suexec_tmp_t:file create_file_perms;
+files_create_tmp_files(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+
+kernel_read_kernel_sysctl(httpd_suexec_t)
+kernel_list_proc(httpd_suexec_t)
+kernel_read_proc_symlinks(httpd_suexec_t)
+
+dev_read_urand(httpd_suexec_t)
+
+fs_search_auto_mountpoints(httpd_suexec_t)
+
+# for shell scripts
+corecmd_exec_bin(httpd_suexec_t)
+corecmd_exec_shell(httpd_suexec_t)
+
+files_read_etc_files(httpd_suexec_t)
+files_read_usr_files(httpd_suexec_t)
+
+libs_use_ld_so(httpd_suexec_t)
+libs_use_shared_libs(httpd_suexec_t)
+
+logging_search_logs(httpd_suexec_t)
+logging_send_syslog_msg(httpd_suexec_t)
+
+miscfiles_read_localization(httpd_suexec_t)
+
+tunable_policy(`httpd_can_network_connect',`
+ allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_suexec_t self:udp_socket create_socket_perms;
+
+ corenet_tcp_sendrecv_all_if(httpd_suexec_t)
+ corenet_udp_sendrecv_all_if(httpd_suexec_t)
+ corenet_raw_sendrecv_all_if(httpd_suexec_t)
+ corenet_tcp_sendrecv_all_nodes(httpd_suexec_t)
+ corenet_udp_sendrecv_all_nodes(httpd_suexec_t)
+ corenet_raw_sendrecv_all_nodes(httpd_suexec_t)
+ corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
+ corenet_udp_sendrecv_all_ports(httpd_suexec_t)
+ corenet_tcp_bind_all_nodes(httpd_suexec_t)
+ corenet_udp_bind_all_nodes(httpd_suexec_t)
+ corenet_tcp_connect_all_ports(httpd_suexec_t)
+
+ sysnet_read_config(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(httpd_suexec_t)
+ fs_read_nfs_symlinks(httpd_suexec_t)
+ fs_execute_nfs_files(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_suexec_t)
+ fs_read_cifs_symlinks(httpd_suexec_t)
+ fs_execute_cifs_files(httpd_suexec_t)
+')
+
+optional_policy(`mount.te',`
+ tunable_policy(`httpd_can_network_connect',`
+ mount_send_nfs_client_request(httpd_suexec_t)
+ ')
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(httpd_suexec_t)
+')
+
+########################################
+#
+# Apache system script local policy
+#
+
+apache_content_template(sys)
+
+########################################
+#
+# Apache unconfined script local policy
+#
+
+unconfined_domain_template(httpd_unconfined_script_t)
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(httpd_unconfined_script_t)
+')
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 7c6c2b1..ecd5bdf 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -147,6 +147,9 @@ template(`cron_per_userdomain_template',`
')
ifdef(`TODO',`
+ optional_policy(`apache.te', `
+ create_dir_file($1_crond_t, httpd_$1_content_t)
+ ')
allow $1_crond_t tmp_t:dir rw_dir_perms;
type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t;
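Review bot: The new `optional_policy(`apache.te', ...)` block at the top of the hunk sits inside the `ifdef(`TODO',` region opened on the line directly above it, so as committed it is never compiled into the policy; if the access is meant to take effect it has to move outside that region. It also reaches into another module's type directly with `create_dir_file($1_crond_t, httpd_$1_content_t)`, whereas the rest of this commit exposes apache types through interfaces in apache.if, so an apache interface wrapping the same access would keep `httpd_$1_content_t` private to its module. The enclosing `cron_per_userdomain_template` starts and ends outside the hunk.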
diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if
index c4e02fc..6a4c53d 100644
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@@ -2,6 +2,69 @@
########################################
## <summary>
+## Use the ypbind service to access NIS services
+## unconditionally.
+## </summary>
+## <desc>
+## <p>
+## Use the ypbind service to access NIS services
+## unconditionally.
+## </p>
+## <p>
+## This interface was added because of apache and
+## spamassassin, to fix a nested conditionals problem.
+## When that support is added, this should be removed,
+## and the regular interface should be used.
+## </p>
+## </desc>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`nis_use_ypbind_uncond',`
+ gen_require(`
+ type var_yp_t;
+ ')
+
+ dontaudit $1 self:capability net_bind_service;
+
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+
+ allow $1 var_yp_t:dir r_dir_perms;
+ allow $1 var_yp_t:lnk_file { getattr read };
+ allow $1 var_yp_t:file r_file_perms;
+
+ corenet_tcp_sendrecv_all_if($1)
+ corenet_udp_sendrecv_all_if($1)
+ corenet_raw_sendrecv_all_if($1)
+ corenet_tcp_sendrecv_all_nodes($1)
+ corenet_udp_sendrecv_all_nodes($1)
+ corenet_raw_sendrecv_all_nodes($1)
+ corenet_tcp_sendrecv_all_ports($1)
+ corenet_udp_sendrecv_all_ports($1)
+ corenet_tcp_bind_all_nodes($1)
+ corenet_udp_bind_all_nodes($1)
+ corenet_tcp_bind_generic_port($1)
+ corenet_udp_bind_generic_port($1)
+ corenet_tcp_bind_reserved_port($1)
+ corenet_udp_bind_reserved_port($1)
+ corenet_dontaudit_tcp_bind_all_reserved_ports($1)
+ corenet_dontaudit_udp_bind_all_reserved_ports($1)
+ corenet_tcp_connect_portmap_port($1)
+ corenet_tcp_connect_reserved_port($1)
+ corenet_tcp_connect_generic_port($1)
+ corenet_dontaudit_tcp_connect_all_reserved_ports($1)
+
+ sysnet_read_config($1)
+
+ optional_policy(`mount.te',`
+ mount_send_nfs_client_request($1)
+ ')
+')
+
+########################################
+## <summary>
## Use the ypbind service to access NIS services.
## </summary>
## <param name="domain">
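Review bot: `nis_use_ypbind_uncond` hands every caller broad network reach unconditionally — raw-socket send/receive on all interfaces and nodes, binding to reserved and generic ports, connecting to generic ports — so it is worth confirming that the raw-socket and reserved-port-bind rules are genuinely required for the NIS client path rather than carried over wholesale from a daemon-oriented rule set. If, as the `<desc>` suggests, the body is a copy of `nis_use_ypbind` that follows below the hunk, the two will drift apart silently; I would add an in-code marker next to the doc, `# TODO: duplicate of nis_use_ypbind; remove once nested conditionals are supported`, so the stop-gap is visible to whoever later edits either interface. The `gen_require` declares only `type var_yp_t;`, which is the one non-self type the body references.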
diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if
index c250727..36665be 100644
--- a/refpolicy/policy/modules/services/samba.if
+++ b/refpolicy/policy/modules/services/samba.if
@@ -24,25 +24,17 @@
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
-## <param name="user_domain">
-## The type of the user domain.
-## </param>
-## <param name="user_role">
-## The role associated with the user domain.
-## </param>
#
template(`samba_per_userdomain_template',`
- optional_policy(`
- gen_require(`
- type smbd_t;
- ')
-
- userdom_manage_user_home_subdir_files($1,smbd_t)
- userdom_manage_user_home_subdir_symlinks($1,smbd_t)
- userdom_manage_user_home_subdir_sockets($1,smbd_t)
- userdom_manage_user_home_subdir_pipes($1,smbd_t)
- userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
+ gen_require(`
+ type smbd_t;
')
+
+ userdom_manage_user_home_subdir_files($1,smbd_t)
+ userdom_manage_user_home_subdir_symlinks($1,smbd_t)
+ userdom_manage_user_home_subdir_sockets($1,smbd_t)
+ userdom_manage_user_home_subdir_pipes($1,smbd_t)
+# userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
')
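Review bot: The commented-out `# userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })` at the end of the template is dead code with no reason recorded; either drop the line or replace it with a comment stating why smbd no longer creates entries in user home directories (the same commit changes `userdom_create_user_home` in userdomain.if, which may be the motivation). Removing the `optional_policy(` wrapper makes the `gen_require` for `smbd_t` unconditional, which is fine here since `smbd_t` is defined by the same module as this template.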
########################################
diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc
index e993eb9..329715d 100644
--- a/refpolicy/policy/modules/system/corecommands.fc
+++ b/refpolicy/policy/modules/system/corecommands.fc
@@ -99,6 +99,10 @@ ifdef(`distro_suse', `
/usr/share/mc/extfs/.* -- context_template(system_u:object_r:bin_t,s0)
/usr/share/turboprint/lib(/.*)? -- context_template(system_u:object_r:bin_t,s0)
+ifdef(`distro_suse',`
+/usr/share/apache2/[^/]* -- context_template(system_u:object_r:bin_t,s0)
+')
+
#
# /var
#
diff --git a/refpolicy/policy/modules/system/init.fc b/refpolicy/policy/modules/system/init.fc
index a89151f..4bade65 100644
--- a/refpolicy/policy/modules/system/init.fc
+++ b/refpolicy/policy/modules/system/init.fc
@@ -32,6 +32,7 @@ ifdef(`distro_gentoo', `
#
# /usr
#
+/usr/sbin/apachectl -- context_template(system_u:object_r:initrc_exec_t,s0)
/usr/sbin/open_init_pty -- context_template(system_u:object_r:initrc_exec_t,s0)
#
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 60bf234..b9b6fc6 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -88,8 +88,8 @@ interface(`init_daemon_domain',`
# this regex is a hack, since it assumes there is a
# _t at the end of the domain type. If there is no _t
# at the end of the type, it returns empty!
- bool regexp($1, `\(\w+\)_t', `disable_\1_trans') false;
- if(! regexp($1, `\(\w+\)_t', `disable_\1_trans') ) {
+ bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
+ if(! regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
domain_auto_trans(initrc_t,$2,$1)
allow initrc_t $1:fd use;
allow initrc_t $1:process { noatsecure siginh rlimitinh };
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 8ccac59..758f23a 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -958,6 +958,36 @@ template(`admin_user_template',`
########################################
## <summary>
+## Search user home directories.
+## </summary>
+## <desc>
+## <p>
+## Search user home directories.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+template(`userdom_search_user_home',`
+ gen_require(`
+ class dir { getattr search };
+ ')
+
+ files_search_home($2)
+ allow $2 $1_home_dir_t:dir { getattr search };
+')
+
+########################################
+## <summary>
## Read user home files.
## </summary>
## <desc>
@@ -1921,7 +1951,7 @@ interface(`userdom_create_user_home',`
class dir rw_dir_perms;
')
- allow $1 etc_t:dir rw_dir_perms;
+ allow $1 user_home_dir_t:dir rw_dir_perms;
ifelse(`$2',`',`
type_transition $1 user_home_dir_t:file user_home_t;
',`
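Review bot: With the body now referencing `user_home_dir_t` instead of `etc_t`, the `gen_require` whose closing lines are visible at the top of the hunk should be re-checked: a `type etc_t;` entry there (its opening is outside the hunk) would be left unused, and `user_home_dir_t` and `user_home_t`, which the new `allow` and the existing `type_transition` both use, are the types the interface actually needs declared. The `userdom_create_user_home` interface continues past the end of the hunk.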