Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/contrib/apache.if
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/contrib/apache.if')
-rw-r--r--policy/modules/contrib/apache.if1359
1 files changed, 0 insertions, 1359 deletions
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
deleted file mode 100644
index bbf6e4b9..00000000
--- a/policy/modules/contrib/apache.if
+++ /dev/null
@@ -1,1359 +0,0 @@
-## <summary>Various web servers.</summary>
-
-########################################
-## <summary>
-## Create a set of derived types for
-## httpd web content.
-## </summary>
-## <param name="prefix">
-## <summary>
-## The prefix to be used for deriving type names.
-## </summary>
-## </param>
-#
-template(`apache_content_template',`
- gen_require(`
- attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
- attribute httpd_script_domains, httpd_htaccess_type;
- type httpd_t, httpd_suexec_t;
- ')
-
- ########################################
- #
- # Declarations
- #
-
- ## <desc>
- ## <p>
- ## Determine whether the script domain can
- ## modify public files used for public file
- ## transfer services. Directories/Files must
- ## be labeled public_content_rw_t.
- ## </p>
- ## </desc>
- gen_tunable(allow_httpd_$1_script_anon_write, false)
-
- type httpd_$1_content_t, httpdcontent; # customizable
- typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
- files_type(httpd_$1_content_t)
-
- type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable;
- files_type(httpd_$1_htaccess_t)
-
- type httpd_$1_script_t, httpd_script_domains;
- domain_type(httpd_$1_script_t)
- role system_r types httpd_$1_script_t;
-
- type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
- corecmd_shell_entry_type(httpd_$1_script_t)
- domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
-
- type httpd_$1_rw_content_t, httpdcontent; # customizable
- typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
- files_type(httpd_$1_rw_content_t)
-
- type httpd_$1_ra_content_t, httpdcontent; # customizable
- typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
- files_type(httpd_$1_ra_content_t)
-
- ########################################
- #
- # Policy
- #
-
- can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
-
- allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
- allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
- allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
-
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms;
- allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms;
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
-
- manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
-
- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms;
- allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms;
- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms;
-
- ifdef(`distro_gentoo',`
- gen_require(`
- attribute httpd_rw_content;
- attribute httpd_ra_content;
- type httpd_log_t;
- ')
-
- typeattribute httpd_$1_rw_content_t httpd_rw_content;
- typeattribute httpd_$1_ra_content_t httpd_ra_content;
- ')
-
- tunable_policy(`allow_httpd_$1_script_anon_write',`
- miscfiles_manage_public_files(httpd_$1_script_t)
- ')
-
- tunable_policy(`httpd_builtin_scripting',`
- manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-
- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
- allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
- allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
- ')
-
- tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
- can_exec(httpd_t, httpd_$1_rw_content_t)
- ')
-
- tunable_policy(`httpd_enable_cgi',`
- allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
- domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t)
- ')
-
- tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',`
- can_exec(httpd_$1_script_t, httpd_$1_rw_content_t)
- ')
-
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint;
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms;
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms;
- ')
-
- tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
- filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
- ')
-')
-
-########################################
-## <summary>
-## Role access for apache.
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role.
-## </summary>
-## </param>
-#
-interface(`apache_role',`
- gen_require(`
- attribute httpdcontent;
- type httpd_user_content_t, httpd_user_htaccess_t;
- type httpd_user_script_t, httpd_user_script_exec_t;
- type httpd_user_ra_content_t, httpd_user_rw_content_t;
- ')
-
- role $1 types httpd_user_script_t;
-
- allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
-
- allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms };
- allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
- allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms };
- allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
- allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms };
- allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
- allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms };
- allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html")
- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web")
- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www")
-
- filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess")
- filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
- filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs")
-
- tunable_policy(`httpd_enable_cgi',`
- domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
- ')
-
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
- domtrans_pattern($2, httpdcontent, httpd_user_script_t)
- ')
-')
-
-########################################
-## <summary>
-## Read user httpd script executable files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_read_user_scripts',`
- gen_require(`
- type httpd_user_script_exec_t;
- ')
-
- allow $1 httpd_user_script_exec_t:dir list_dir_perms;
- read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
- read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
-')
-
-########################################
-## <summary>
-## Read user httpd content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_read_user_content',`
- gen_require(`
- type httpd_user_content_t;
- ')
-
- allow $1 httpd_user_content_t:dir list_dir_perms;
- read_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
- read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
-')
-
-########################################
-## <summary>
-## Execute httpd with a domain transition.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`apache_domtrans',`
- gen_require(`
- type httpd_t, httpd_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, httpd_exec_t, httpd_t)
-')
-
-########################################
-## <summary>
-## Execute httpd server in the httpd domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`apache_initrc_domtrans',`
- gen_require(`
- type httpd_initrc_exec_t;
- ')
-
- init_labeled_script_domtrans($1, httpd_initrc_exec_t)
-')
-
-#######################################
-## <summary>
-## Send generic signals to httpd.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_signal',`
- gen_require(`
- type httpd_t;
- ')
-
- allow $1 httpd_t:process signal;
-')
-
-########################################
-## <summary>
-## Send null signals to httpd.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_signull',`
- gen_require(`
- type httpd_t;
- ')
-
- allow $1 httpd_t:process signull;
-')
-
-########################################
-## <summary>
-## Send child terminated signals to httpd.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_sigchld',`
- gen_require(`
- type httpd_t;
- ')
-
- allow $1 httpd_t:process sigchld;
-')
-
-########################################
-## <summary>
-## Inherit and use file descriptors
-## from httpd.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_use_fds',`
- gen_require(`
- type httpd_t;
- ')
-
- allow $1 httpd_t:fd use;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to read and
-## write httpd unnamed pipes.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`apache_dontaudit_rw_fifo_file',`
- gen_require(`
- type httpd_t;
- ')
-
- dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to read and
-## write httpd unix domain stream sockets.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`apache_dontaudit_rw_stream_sockets',`
- gen_require(`
- type httpd_t;
- ')
-
- dontaudit $1 httpd_t:unix_stream_socket { read write };
-')
-
-########################################
-## <summary>
-## Do not audit attempts to read and
-## write httpd TCP sockets.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`apache_dontaudit_rw_tcp_sockets',`
- gen_require(`
- type httpd_t;
- ')
-
- dontaudit $1 httpd_t:tcp_socket { read write };
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## all httpd content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_manage_all_content',`
- gen_require(`
- attribute httpdcontent, httpd_script_exec_type;
- ')
-
- manage_dirs_pattern($1, httpdcontent, httpdcontent)
- manage_files_pattern($1, httpdcontent, httpdcontent)
- manage_lnk_files_pattern($1, httpdcontent, httpdcontent)
-
- manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
- manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
- manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
-')
-
-########################################
-## <summary>
-## Set attributes httpd cache directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_setattr_cache_dirs',`
- gen_require(`
- type httpd_cache_t;
- ')
-
- allow $1 httpd_cache_t:dir setattr_dir_perms;
-')
-
-########################################
-## <summary>
-## List httpd cache directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_list_cache',`
- gen_require(`
- type httpd_cache_t;
- ')
-
- list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
-')
-
-########################################
-## <summary>
-## Read and write httpd cache files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_rw_cache_files',`
- gen_require(`
- type httpd_cache_t;
- ')
-
- allow $1 httpd_cache_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-## Delete httpd cache directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_delete_cache_dirs',`
- gen_require(`
- type httpd_cache_t;
- ')
-
- delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
-')
-
-########################################
-## <summary>
-## Delete httpd cache files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_delete_cache_files',`
- gen_require(`
- type httpd_cache_t;
- ')
-
- delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
-')
-
-########################################
-## <summary>
-## Read httpd configuration files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_read_config',`
- gen_require(`
- type httpd_config_t;
- ')
-
- files_search_etc($1)
- allow $1 httpd_config_t:dir list_dir_perms;
- read_files_pattern($1, httpd_config_t, httpd_config_t)
- read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
-')
-
-########################################
-## <summary>
-## Search httpd configuration directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_search_config',`
- gen_require(`
- type httpd_config_t;
- ')
-
- files_search_etc($1)
- allow $1 httpd_config_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## httpd configuration files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_manage_config',`
- gen_require(`
- type httpd_config_t;
- ')
-
- files_search_etc($1)
- manage_dirs_pattern($1, httpd_config_t, httpd_config_t)
- manage_files_pattern($1, httpd_config_t, httpd_config_t)
- read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
-')
-
-########################################
-## <summary>
-## Execute the Apache helper program
-## with a domain transition.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_domtrans_helper',`
- gen_require(`
- type httpd_helper_t, httpd_helper_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t)
-')
-
-########################################
-## <summary>
-## Execute the Apache helper program with
-## a domain transition, and allow the
-## specified role the Apache helper domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_run_helper',`
- gen_require(`
- attribute_role httpd_helper_roles;
- ')
-
- apache_domtrans_helper($1)
- roleattribute $2 httpd_helper_roles;
-')
-
-########################################
-## <summary>
-## Read httpd log files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_read_log',`
- gen_require(`
- type httpd_log_t;
- ')
-
- logging_search_logs($1)
- allow $1 httpd_log_t:dir list_dir_perms;
- read_files_pattern($1, httpd_log_t, httpd_log_t)
- read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
-')
-
-########################################
-## <summary>
-## Append httpd log files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_append_log',`
- gen_require(`
- type httpd_log_t;
- ')
-
- logging_search_logs($1)
- allow $1 httpd_log_t:dir list_dir_perms;
- append_files_pattern($1, httpd_log_t, httpd_log_t)
-')
-
-########################################
-## <summary>
-## Do not audit attempts to append
-## httpd log files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`apache_dontaudit_append_log',`
- gen_require(`
- type httpd_log_t;
- ')
-
- dontaudit $1 httpd_log_t:file append_file_perms;
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## httpd log files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_manage_log',`
- gen_require(`
- type httpd_log_t;
- ')
-
- logging_search_logs($1)
- manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
- manage_files_pattern($1, httpd_log_t, httpd_log_t)
- read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
-')
-
-#######################################
-## <summary>
-## Write apache log files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_write_log',`
- gen_require(`
- type httpd_log_t;
- ')
-
- logging_search_logs($1)
- write_files_pattern($1, httpd_log_t, httpd_log_t)
-')
-
-########################################
-## <summary>
-## Do not audit attempts to search
-## httpd module directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`apache_dontaudit_search_modules',`
- gen_require(`
- type httpd_modules_t;
- ')
-
- dontaudit $1 httpd_modules_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-## List httpd module directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_list_modules',`
- gen_require(`
- type httpd_modules_t;
- ')
-
- allow $1 httpd_modules_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-## Execute httpd module files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_exec_modules',`
- gen_require(`
- type httpd_modules_t;
- ')
-
- allow $1 httpd_modules_t:dir list_dir_perms;
- allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
- can_exec($1, httpd_modules_t)
-')
-
-########################################
-## <summary>
-## Read httpd module files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_read_module_files',`
- gen_require(`
- type httpd_modules_t;
- ')
-
- libs_search_lib($1)
- read_files_pattern($1, httpd_modules_t, httpd_modules_t)
-')
-
-########################################
-## <summary>
-## Execute a domain transition to
-## run httpd_rotatelogs.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`apache_domtrans_rotatelogs',`
- gen_require(`
- type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
-')
-
-########################################
-## <summary>
-## List httpd system content directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_list_sys_content',`
- gen_require(`
- type httpd_sys_content_t;
- ')
-
- list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
- files_search_var($1)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## httpd system content files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_manage_sys_content',`
- gen_require(`
- type httpd_sys_content_t;
- ')
-
- files_search_var($1)
- manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
- manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
- manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## httpd system rw content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_manage_sys_rw_content',`
- gen_require(`
- type httpd_sys_rw_content_t;
- ')
-
- apache_search_sys_content($1)
- manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
- manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
- manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-')
-
-########################################
-## <summary>
-## Execute all httpd scripts in the
-## system script domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`apache_domtrans_sys_script',`
- gen_require(`
- attribute httpdcontent;
- type httpd_sys_script_t;
- ')
-
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
- domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
- ')
-')
-
-########################################
-## <summary>
-## Do not audit attempts to read and
-## write httpd system script unix
-## domain stream sockets.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
- gen_require(`
- type httpd_sys_script_t;
- ')
-
- dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
-')
-
-########################################
-## <summary>
-## Execute all user scripts in the user
-## script domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`apache_domtrans_all_scripts',`
- gen_require(`
- attribute httpd_exec_scripts;
- ')
-
- typeattribute $1 httpd_exec_scripts;
-')
-
-########################################
-## <summary>
-## Execute all user scripts in the user
-## script domain. Add user script domains
-## to the specified role.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_run_all_scripts',`
- gen_require(`
- attribute httpd_exec_scripts, httpd_script_domains;
- ')
-
- role $2 types httpd_script_domains;
- apache_domtrans_all_scripts($1)
-')
-
-########################################
-## <summary>
-## Read httpd squirrelmail data files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_read_squirrelmail_data',`
- gen_require(`
- type httpd_squirrelmail_t;
- ')
-
- allow $1 httpd_squirrelmail_t:file read_file_perms;
-')
-
-########################################
-## <summary>
-## Append httpd squirrelmail data files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_append_squirrelmail_data',`
- gen_require(`
- type httpd_squirrelmail_t;
- ')
-
- allow $1 httpd_squirrelmail_t:file append_file_perms;
-')
-
-########################################
-## <summary>
-## Search httpd system content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_search_sys_content',`
- gen_require(`
- type httpd_sys_content_t;
- ')
-
- files_search_var($1)
- allow $1 httpd_sys_content_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-## Read httpd system content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_read_sys_content',`
- gen_require(`
- type httpd_sys_content_t;
- ')
-
- allow $1 httpd_sys_content_t:dir list_dir_perms;
- read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
- read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
-')
-
-########################################
-## <summary>
-## Search httpd system CGI directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_search_sys_scripts',`
- gen_require(`
- type httpd_sys_content_t, httpd_sys_script_exec_t;
- ')
-
- search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete all
-## user httpd content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_manage_all_user_content',`
- refpolicywarn(`$0($*) has been deprecated, use apache_manage_all_content() instead.')
- apache_manage_all_content($1)
-')
-
-########################################
-## <summary>
-## Search system script state directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_search_sys_script_state',`
- gen_require(`
- type httpd_sys_script_t;
- ')
-
- allow $1 httpd_sys_script_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-## Read httpd tmp files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_read_tmp_files',`
- gen_require(`
- type httpd_tmp_t;
- ')
-
- files_search_tmp($1)
- read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
-')
-
-########################################
-## <summary>
-## Do not audit attempts to write
-## httpd tmp files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`apache_dontaudit_write_tmp_files',`
- gen_require(`
- type httpd_tmp_t;
- ')
-
- dontaudit $1 httpd_tmp_t:file write_file_perms;
-')
-
-########################################
-## <summary>
-## Execute CGI in the specified domain.
-## </summary>
-## <desc>
-## <p>
-## This is an interface to support third party modules
-## and its use is not allowed in upstream reference
-## policy.
-## </p>
-## </desc>
-## <param name="domain">
-## <summary>
-## Domain run the cgi script in.
-## </summary>
-## </param>
-## <param name="entrypoint">
-## <summary>
-## Type of the executable to enter the cgi domain.
-## </summary>
-## </param>
-#
-interface(`apache_cgi_domain',`
- gen_require(`
- type httpd_t, httpd_sys_script_exec_t;
- ')
-
- domtrans_pattern(httpd_t, $2, $1)
- apache_search_sys_scripts($1)
-
- allow httpd_t $1:process signal;
-')
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an apache environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_admin',`
- gen_require(`
- attribute httpdcontent, httpd_script_exec_type;
- attribute httpd_script_domains, httpd_htaccess_type;
- type httpd_t, httpd_config_t, httpd_log_t;
- type httpd_modules_t, httpd_lock_t, httpd_helper_t;
- type httpd_var_run_t, httpd_keytab_t, httpd_passwd_t;
- type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
- type httpd_initrc_exec_t, httpd_suexec_t;
- ')
-
- allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };
- allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t })
- ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })
-
- init_labeled_script_domtrans($1, httpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 httpd_initrc_exec_t system_r;
- allow $2 system_r;
-
- apache_manage_all_content($1)
- miscfiles_manage_public_files($1)
-
- files_search_etc($1)
- admin_pattern($1, { httpd_config_t httpd_keytab_t })
-
- logging_search_logs($1)
- admin_pattern($1, httpd_log_t)
-
- admin_pattern($1, httpd_modules_t)
-
- admin_pattern($1, httpd_lock_t)
- files_lock_filetrans($1, httpd_lock_t, file)
-
- admin_pattern($1, httpd_var_run_t)
- files_pid_filetrans($1, httpd_var_run_t, file)
-
- admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type })
- admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t })
-
- apache_run_all_scripts($1, $2)
- apache_run_helper($1, $2)
-')
-
-########################################
-## <summary>
-## Read all appendable content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_read_all_ra_content',`
- gen_require(`
- attribute httpd_ra_content;
- ')
-
- read_files_pattern($1, httpd_ra_content, httpd_ra_content)
- read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
-')
-
-########################################
-## <summary>
-## Append to all appendable web content files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_append_all_ra_content',`
- gen_require(`
- attribute httpd_ra_content;
- ')
-
- apache_search_all_content($1)
- append_files_pattern($1, httpd_ra_content, httpd_ra_content)
-')
-
-########################################
-## <summary>
-## Read all read/write content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_read_all_rw_content',`
- gen_require(`
- attribute httpd_rw_content;
- ')
-
- read_files_pattern($1, httpd_rw_content, httpd_rw_content)
- read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
-')
-
-########################################
-## <summary>
-## Manage all read/write content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_manage_all_rw_content',`
- gen_require(`
- attribute httpd_rw_content;
- ')
-
- manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
- manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
- manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
-')
-
-########################################
-## <summary>
-## Read all web content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_read_all_content',`
- gen_require(`
- attribute httpdcontent, httpd_script_exec_type;
- ')
-
- read_files_pattern($1, httpdcontent, httpdcontent)
- read_lnk_files_pattern($1, httpdcontent, httpdcontent)
-
- read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
- read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
-')
-
-########################################
-## <summary>
-## Search all apache content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_search_all_content',`
- gen_require(`
- attribute httpdcontent;
- ')
-
- allow $1 httpdcontent:dir search_dir_perms;
-')