Diffstat (limited to 'policy/modules/contrib/apache.if')
-rw-r--r-- | policy/modules/contrib/apache.if | 1359 |
1 files changed, 0 insertions, 1359 deletions
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
deleted file mode 100644
index bbf6e4b9..00000000
--- a/policy/modules/contrib/apache.if
+++ /dev/null
@@ -1,1359 +0,0 @@ -## <summary>Various web servers.</summary> - -######################################## -## <summary> -## Create a set of derived types for -## httpd web content. -## </summary> -## <param name="prefix"> -## <summary> -## The prefix to be used for deriving type names. -## </summary> -## </param> -# -template(`apache_content_template',` - gen_require(` - attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type; - attribute httpd_script_domains, httpd_htaccess_type; - type httpd_t, httpd_suexec_t; - ') - - ######################################## - # - # Declarations - # - - ## <desc> - ## <p> - ## Determine whether the script domain can - ## modify public files used for public file - ## transfer services. Directories/Files must - ## be labeled public_content_rw_t. - ## </p> - ## </desc> - gen_tunable(allow_httpd_$1_script_anon_write, false) - - type httpd_$1_content_t, httpdcontent; # customizable - typealias httpd_$1_content_t alias httpd_$1_script_ro_t; - files_type(httpd_$1_content_t) - - type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable; - files_type(httpd_$1_htaccess_t) - - type httpd_$1_script_t, httpd_script_domains; - domain_type(httpd_$1_script_t) - role system_r types httpd_$1_script_t; - - type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable; - corecmd_shell_entry_type(httpd_$1_script_t) - domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) - - type httpd_$1_rw_content_t, httpdcontent; # customizable - typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t }; - files_type(httpd_$1_rw_content_t) - - type httpd_$1_ra_content_t, httpdcontent; # customizable - typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; - files_type(httpd_$1_ra_content_t) - - ######################################## - # - # Policy - # - - can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) - - allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms 
add_entry_dir_perms setattr_dir_perms }; - allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms }; - allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms; - - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms; - allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms; - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms; - - manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file }) - - allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms; - allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms; - allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms; - - ifdef(`distro_gentoo',` - gen_require(` - attribute httpd_rw_content; - attribute httpd_ra_content; - type httpd_log_t; - ') - - typeattribute httpd_$1_rw_content_t httpd_rw_content; - typeattribute httpd_$1_ra_content_t httpd_ra_content; - ') - - tunable_policy(`allow_httpd_$1_script_anon_write',` - miscfiles_manage_public_files(httpd_$1_script_t) - ') - - tunable_policy(`httpd_builtin_scripting',` - manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - 
manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - - allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms }; - allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms }; - allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms; - ') - - tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',` - can_exec(httpd_t, httpd_$1_rw_content_t) - ') - - tunable_policy(`httpd_enable_cgi',` - allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint; - domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',` - can_exec(httpd_$1_script_t, httpd_$1_rw_content_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint; - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms; - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms; - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) - ') -') - -######################################## -## <summary> -## Role access for apache. -## </summary> -## <param name="role"> -## <summary> -## Role allowed access -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role. 
-## </summary> -## </param> -# -interface(`apache_role',` - gen_require(` - attribute httpdcontent; - type httpd_user_content_t, httpd_user_htaccess_t; - type httpd_user_script_t, httpd_user_script_exec_t; - type httpd_user_ra_content_t, httpd_user_rw_content_t; - ') - - role $1 types httpd_user_script_t; - - allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms }; - - allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms }; - allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms }; - allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms }; - allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms }; - allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html") - userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web") - userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www") - - filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess") - filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin") - filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs") - - tunable_policy(`httpd_enable_cgi',` - domtrans_pattern($2, httpd_user_script_exec_t, 
httpd_user_script_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` - domtrans_pattern($2, httpdcontent, httpd_user_script_t) - ') -') - -######################################## -## <summary> -## Read user httpd script executable files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_read_user_scripts',` - gen_require(` - type httpd_user_script_exec_t; - ') - - allow $1 httpd_user_script_exec_t:dir list_dir_perms; - read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) - read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) -') - -######################################## -## <summary> -## Read user httpd content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_read_user_content',` - gen_require(` - type httpd_user_content_t; - ') - - allow $1 httpd_user_content_t:dir list_dir_perms; - read_files_pattern($1, httpd_user_content_t, httpd_user_content_t) - read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t) -') - -######################################## -## <summary> -## Execute httpd with a domain transition. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`apache_domtrans',` - gen_require(` - type httpd_t, httpd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, httpd_exec_t, httpd_t) -') - -######################################## -## <summary> -## Execute httpd server in the httpd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. 
-## </summary> -## </param> -# -interface(`apache_initrc_domtrans',` - gen_require(` - type httpd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, httpd_initrc_exec_t) -') - -####################################### -## <summary> -## Send generic signals to httpd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_signal',` - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:process signal; -') - -######################################## -## <summary> -## Send null signals to httpd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_signull',` - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:process signull; -') - -######################################## -## <summary> -## Send child terminated signals to httpd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_sigchld',` - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:process sigchld; -') - -######################################## -## <summary> -## Inherit and use file descriptors -## from httpd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_use_fds',` - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:fd use; -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write httpd unnamed pipes. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`apache_dontaudit_rw_fifo_file',` - gen_require(` - type httpd_t; - ') - - dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write httpd unix domain stream sockets. 
-## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`apache_dontaudit_rw_stream_sockets',` - gen_require(` - type httpd_t; - ') - - dontaudit $1 httpd_t:unix_stream_socket { read write }; -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write httpd TCP sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`apache_dontaudit_rw_tcp_sockets',` - gen_require(` - type httpd_t; - ') - - dontaudit $1 httpd_t:tcp_socket { read write }; -') - -######################################## -## <summary> -## Create, read, write, and delete -## all httpd content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_manage_all_content',` - gen_require(` - attribute httpdcontent, httpd_script_exec_type; - ') - - manage_dirs_pattern($1, httpdcontent, httpdcontent) - manage_files_pattern($1, httpdcontent, httpdcontent) - manage_lnk_files_pattern($1, httpdcontent, httpdcontent) - - manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type) - manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) - manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) -') - -######################################## -## <summary> -## Set attributes httpd cache directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_setattr_cache_dirs',` - gen_require(` - type httpd_cache_t; - ') - - allow $1 httpd_cache_t:dir setattr_dir_perms; -') - -######################################## -## <summary> -## List httpd cache directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. 
-## </summary> -## </param> -# -interface(`apache_list_cache',` - gen_require(` - type httpd_cache_t; - ') - - list_dirs_pattern($1, httpd_cache_t, httpd_cache_t) -') - -######################################## -## <summary> -## Read and write httpd cache files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_rw_cache_files',` - gen_require(` - type httpd_cache_t; - ') - - allow $1 httpd_cache_t:file rw_file_perms; -') - -######################################## -## <summary> -## Delete httpd cache directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_delete_cache_dirs',` - gen_require(` - type httpd_cache_t; - ') - - delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t) -') - -######################################## -## <summary> -## Delete httpd cache files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_delete_cache_files',` - gen_require(` - type httpd_cache_t; - ') - - delete_files_pattern($1, httpd_cache_t, httpd_cache_t) -') - -######################################## -## <summary> -## Read httpd configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_read_config',` - gen_require(` - type httpd_config_t; - ') - - files_search_etc($1) - allow $1 httpd_config_t:dir list_dir_perms; - read_files_pattern($1, httpd_config_t, httpd_config_t) - read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) -') - -######################################## -## <summary> -## Search httpd configuration directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. 
-## </summary> -## </param> -# -interface(`apache_search_config',` - gen_require(` - type httpd_config_t; - ') - - files_search_etc($1) - allow $1 httpd_config_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## httpd configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_manage_config',` - gen_require(` - type httpd_config_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, httpd_config_t, httpd_config_t) - manage_files_pattern($1, httpd_config_t, httpd_config_t) - read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) -') - -######################################## -## <summary> -## Execute the Apache helper program -## with a domain transition. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_domtrans_helper',` - gen_require(` - type httpd_helper_t, httpd_helper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t) -') - -######################################## -## <summary> -## Execute the Apache helper program with -## a domain transition, and allow the -## specified role the Apache helper domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_run_helper',` - gen_require(` - attribute_role httpd_helper_roles; - ') - - apache_domtrans_helper($1) - roleattribute $2 httpd_helper_roles; -') - -######################################## -## <summary> -## Read httpd log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. 
-## </summary> -## </param> -## <rolecap/> -# -interface(`apache_read_log',` - gen_require(` - type httpd_log_t; - ') - - logging_search_logs($1) - allow $1 httpd_log_t:dir list_dir_perms; - read_files_pattern($1, httpd_log_t, httpd_log_t) - read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) -') - -######################################## -## <summary> -## Append httpd log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_append_log',` - gen_require(` - type httpd_log_t; - ') - - logging_search_logs($1) - allow $1 httpd_log_t:dir list_dir_perms; - append_files_pattern($1, httpd_log_t, httpd_log_t) -') - -######################################## -## <summary> -## Do not audit attempts to append -## httpd log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`apache_dontaudit_append_log',` - gen_require(` - type httpd_log_t; - ') - - dontaudit $1 httpd_log_t:file append_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## httpd log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_manage_log',` - gen_require(` - type httpd_log_t; - ') - - logging_search_logs($1) - manage_dirs_pattern($1, httpd_log_t, httpd_log_t) - manage_files_pattern($1, httpd_log_t, httpd_log_t) - read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) -') - -####################################### -## <summary> -## Write apache log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. 
-## </summary> -## </param> -# -interface(`apache_write_log',` - gen_require(` - type httpd_log_t; - ') - - logging_search_logs($1) - write_files_pattern($1, httpd_log_t, httpd_log_t) -') - -######################################## -## <summary> -## Do not audit attempts to search -## httpd module directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`apache_dontaudit_search_modules',` - gen_require(` - type httpd_modules_t; - ') - - dontaudit $1 httpd_modules_t:dir search_dir_perms; -') - -######################################## -## <summary> -## List httpd module directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_list_modules',` - gen_require(` - type httpd_modules_t; - ') - - allow $1 httpd_modules_t:dir list_dir_perms; -') - -######################################## -## <summary> -## Execute httpd module files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_exec_modules',` - gen_require(` - type httpd_modules_t; - ') - - allow $1 httpd_modules_t:dir list_dir_perms; - allow $1 httpd_modules_t:lnk_file read_lnk_file_perms; - can_exec($1, httpd_modules_t) -') - -######################################## -## <summary> -## Read httpd module files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_read_module_files',` - gen_require(` - type httpd_modules_t; - ') - - libs_search_lib($1) - read_files_pattern($1, httpd_modules_t, httpd_modules_t) -') - -######################################## -## <summary> -## Execute a domain transition to -## run httpd_rotatelogs. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. 
-## </summary> -## </param> -# -interface(`apache_domtrans_rotatelogs',` - gen_require(` - type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) -') - -######################################## -## <summary> -## List httpd system content directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_list_sys_content',` - gen_require(` - type httpd_sys_content_t; - ') - - list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - files_search_var($1) -') - -######################################## -## <summary> -## Create, read, write, and delete -## httpd system content files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_manage_sys_content',` - gen_require(` - type httpd_sys_content_t; - ') - - files_search_var($1) - manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## httpd system rw content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_manage_sys_rw_content',` - gen_require(` - type httpd_sys_rw_content_t; - ') - - apache_search_sys_content($1) - manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) - manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t) - manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -') - -######################################## -## <summary> -## Execute all httpd scripts in the -## system script domain. 
-## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`apache_domtrans_sys_script',` - gen_require(` - attribute httpdcontent; - type httpd_sys_script_t; - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` - domtrans_pattern($1, httpdcontent, httpd_sys_script_t) - ') -') - -######################################## -## <summary> -## Do not audit attempts to read and -## write httpd system script unix -## domain stream sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`apache_dontaudit_rw_sys_script_stream_sockets',` - gen_require(` - type httpd_sys_script_t; - ') - - dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write }; -') - -######################################## -## <summary> -## Execute all user scripts in the user -## script domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`apache_domtrans_all_scripts',` - gen_require(` - attribute httpd_exec_scripts; - ') - - typeattribute $1 httpd_exec_scripts; -') - -######################################## -## <summary> -## Execute all user scripts in the user -## script domain. Add user script domains -## to the specified role. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`apache_run_all_scripts',` - gen_require(` - attribute httpd_exec_scripts, httpd_script_domains; - ') - - role $2 types httpd_script_domains; - apache_domtrans_all_scripts($1) -') - -######################################## -## <summary> -## Read httpd squirrelmail data files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. 
-## </summary> -## </param> -# -interface(`apache_read_squirrelmail_data',` - gen_require(` - type httpd_squirrelmail_t; - ') - - allow $1 httpd_squirrelmail_t:file read_file_perms; -') - -######################################## -## <summary> -## Append httpd squirrelmail data files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_append_squirrelmail_data',` - gen_require(` - type httpd_squirrelmail_t; - ') - - allow $1 httpd_squirrelmail_t:file append_file_perms; -') - -######################################## -## <summary> -## Search httpd system content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_search_sys_content',` - gen_require(` - type httpd_sys_content_t; - ') - - files_search_var($1) - allow $1 httpd_sys_content_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read httpd system content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_read_sys_content',` - gen_require(` - type httpd_sys_content_t; - ') - - allow $1 httpd_sys_content_t:dir list_dir_perms; - read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) -') - -######################################## -## <summary> -## Search httpd system CGI directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_search_sys_scripts',` - gen_require(` - type httpd_sys_content_t, httpd_sys_script_exec_t; - ') - - search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t) -') - -######################################## -## <summary> -## Create, read, write, and delete all -## user httpd content. 
-## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_manage_all_user_content',` - refpolicywarn(`$0($*) has been deprecated, use apache_manage_all_content() instead.') - apache_manage_all_content($1) -') - -######################################## -## <summary> -## Search system script state directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_search_sys_script_state',` - gen_require(` - type httpd_sys_script_t; - ') - - allow $1 httpd_sys_script_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read httpd tmp files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_read_tmp_files',` - gen_require(` - type httpd_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) -') - -######################################## -## <summary> -## Do not audit attempts to write -## httpd tmp files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`apache_dontaudit_write_tmp_files',` - gen_require(` - type httpd_tmp_t; - ') - - dontaudit $1 httpd_tmp_t:file write_file_perms; -') - -######################################## -## <summary> -## Execute CGI in the specified domain. -## </summary> -## <desc> -## <p> -## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -## </p> -## </desc> -## <param name="domain"> -## <summary> -## Domain run the cgi script in. -## </summary> -## </param> -## <param name="entrypoint"> -## <summary> -## Type of the executable to enter the cgi domain. 
-## </summary> -## </param> -# -interface(`apache_cgi_domain',` - gen_require(` - type httpd_t, httpd_sys_script_exec_t; - ') - - domtrans_pattern(httpd_t, $2, $1) - apache_search_sys_scripts($1) - - allow httpd_t $1:process signal; -') - -######################################## -## <summary> -## All of the rules required to -## administrate an apache environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_admin',` - gen_require(` - attribute httpdcontent, httpd_script_exec_type; - attribute httpd_script_domains, httpd_htaccess_type; - type httpd_t, httpd_config_t, httpd_log_t; - type httpd_modules_t, httpd_lock_t, httpd_helper_t; - type httpd_var_run_t, httpd_keytab_t, httpd_passwd_t; - type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t; - type httpd_initrc_exec_t, httpd_suexec_t; - ') - - allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms }; - allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t }) - ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }) - - init_labeled_script_domtrans($1, httpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 httpd_initrc_exec_t system_r; - allow $2 system_r; - - apache_manage_all_content($1) - miscfiles_manage_public_files($1) - - files_search_etc($1) - admin_pattern($1, { httpd_config_t httpd_keytab_t }) - - logging_search_logs($1) - admin_pattern($1, httpd_log_t) - - admin_pattern($1, httpd_modules_t) - - admin_pattern($1, httpd_lock_t) - files_lock_filetrans($1, httpd_lock_t, file) - - admin_pattern($1, httpd_var_run_t) - files_pid_filetrans($1, httpd_var_run_t, file) - - admin_pattern($1, { httpdcontent httpd_script_exec_type 
httpd_htaccess_type }) - admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t }) - - apache_run_all_scripts($1, $2) - apache_run_helper($1, $2) -') - -######################################## -## <summary> -## Read all appendable content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_read_all_ra_content',` - gen_require(` - attribute httpd_ra_content; - ') - - read_files_pattern($1, httpd_ra_content, httpd_ra_content) - read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content) -') - -######################################## -## <summary> -## Append to all appendable web content files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_append_all_ra_content',` - gen_require(` - attribute httpd_ra_content; - ') - - apache_search_all_content($1) - append_files_pattern($1, httpd_ra_content, httpd_ra_content) -') - -######################################## -## <summary> -## Read all read/write content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_read_all_rw_content',` - gen_require(` - attribute httpd_rw_content; - ') - - read_files_pattern($1, httpd_rw_content, httpd_rw_content) - read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content) -') - -######################################## -## <summary> -## Manage all read/write content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. 
-## </summary> -## </param> -## <rolecap/> -# -interface(`apache_manage_all_rw_content',` - gen_require(` - attribute httpd_rw_content; - ') - - manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content) - manage_files_pattern($1, httpd_rw_content, httpd_rw_content) - manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content) -') - -######################################## -## <summary> -## Read all web content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`apache_read_all_content',` - gen_require(` - attribute httpdcontent, httpd_script_exec_type; - ') - - read_files_pattern($1, httpdcontent, httpdcontent) - read_lnk_files_pattern($1, httpdcontent, httpdcontent) - - read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) - read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) -') - -######################################## -## <summary> -## Search all apache content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`apache_search_all_content',` - gen_require(` - attribute httpdcontent; - ') - - allow $1 httpdcontent:dir search_dir_perms; -') |