Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 29893 Details for
Bug 48774
apache policy files
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
type enforcement
apache.te (text/plain), 8.33 KB, created by
petre rodan (RETIRED)
on 2004-04-23 03:40:54 UTC
(
hide
)
Description:
type enforcement
Filename:
MIME Type:
Creator:
petre rodan (RETIRED)
Created:
2004-04-23 03:40:54 UTC
Size:
8.33 KB
patch
obsolete
>#DESC Apache - Web server ># ># X-Debian-Packages: apache2-common apache ># >############################################################################### ># ># Policy file for running the Apache web server ># ># NOTES: ># This policy will work with SUEXEC enabled as part of the Apache ># configuration. However, the user CGI scripts will run under the ># system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the ># of the creating user. ># ># The user CGI scripts must be labeled with the httpd_$1_script_exec_t ># type, and the directory containing the scripts should also be labeled ># with these types. This policy allows user_r role to perform that ># relabeling. If it is desired that only sysadm_r should be able to relabel ># the user CGI scripts, then relabel rule for user_r should be removed. ># >############################################################################### >type http_port_t, port_type; >type http_cache_port_t, port_type; > >######################################################### ># Apache types >######################################################### ># httpd_config_t is the type given to the configuration ># files for apache /etc/httpd/conf ># >type httpd_config_t, file_type, sysadmfile; > >#append_logdir_domain(httpd) >log_domain(httpd) >#can read /etc/httpd/logs >allow httpd_t httpd_log_t:lnk_file { read }; > ># For /etc/init.d/apache2 reload >can_tcp_connect(httpd_t, httpd_t) > >can_tcp_connect(web_client_domain, httpd_t) > ># httpd_modules_t is the type given to module files (libraries) ># that come with Apache /etc/httpd/modules and /usr/lib/apache ># >type httpd_modules_t, file_type, sysadmfile; > ># httpd_cache_t is the type given to the /var/cache/httpd ># directory and the files under that directory ># >type httpd_cache_t, file_type, sysadmfile; > ># httpd_exec_t is the type give to the httpd executable. ># >daemon_domain(httpd, `, privmail') > >general_domain_access(httpd_t) > >allow httpd_t { random_device_t random_device_t }:chr_file { getattr read }; > >allow httpd_t sysctl_kernel_t:dir search; >allow httpd_t sysctl_kernel_t:file read; > ># for modules that want to access /etc/mtab and /proc/meminfo >allow httpd_t { proc_t etc_runtime_t }:file { getattr read }; > >allow httpd_t resolv_conf_t:file { getattr read }; > ># setup the system domain for system CGI scripts >apache_domain(sys) > ># The following are types for SUEXEC,which runs user scripts as their ># own user ID ># >daemon_sub_domain(httpd_t, httpd_suexec) >allow httpd_t httpd_suexec_exec_t:file read; > >######################################################### ># Permissions for running child processes and scripts >########################################################## > >allow httpd_suexec_t self:capability { setuid setgid net_bind_service }; > >allow httpd_suexec_t httpd_log_t:dir search; > >allow httpd_suexec_t var_log_t:dir search; >allow httpd_suexec_t home_root_t:dir search; >allow httpd_suexec_t httpd_log_t:file { append getattr }; >allow httpd_suexec_t httpd_t:fifo_file getattr; >allow httpd_suexec_t self:unix_stream_socket create_socket_perms; > >allow httpd_suexec_t etc_t:file { getattr read }; >read_locale(httpd_suexec_t) >#read_sysctl(httpd_suexec_t) >allow httpd_suexec_t random_device_t:chr_file { getattr read }; > ># for shell scripts >allow httpd_suexec_t bin_t:dir search; >allow httpd_suexec_t bin_t:lnk_file read; >can_exec(httpd_suexec_t, { bin_t shell_exec_t }) > >can_network(httpd_suexec_t) >#can_ypbind(httpd_suexec_t) >allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl }; > >ifdef(`mta.te', ` ># apache should set close-on-exec >dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; >dontaudit { system_mail_t mta_user_agent } httpd_t:unix_stream_socket { read write }; >') > >ifdef(`mysqld.te', ` >allow httpd_t mysqld_db_t:dir r_dir_perms; >allow httpd_t mysqld_etc_t:dir r_dir_perms; >allow httpd_t mysqld_etc_t:file r_file_perms; >allow httpd_t mysqld_var_run_t:dir r_dir_perms; >allow httpd_t mysqld_var_run_t:sock_file { write }; >') > >uses_shlib(httpd_t) >allow httpd_t { usr_t lib_t }:file { getattr read ioctl }; >allow httpd_t usr_t:lnk_file read; > ># for tomcat >r_dir_file(httpd_t, var_lib_t) > ># execute perl >allow httpd_t { bin_t sbin_t }:dir search; >can_exec(httpd_t, bin_t) > >can_network(httpd_t) >#can_ypbind(httpd_t) > >################### ># Allow httpd to search users diretories >###################### >allow httpd_t home_root_t:dir { getattr search }; >dontaudit httpd_t sysadm_home_dir_t:dir getattr; > >############################################################################ ># Allow the httpd_t the capability to bind to a port and various other stuff >############################################################################ >allow httpd_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; > >################################################# ># Allow the httpd_t to read the web servers config files >################################################### >r_dir_file(httpd_t, httpd_config_t) ># allow logrotate to read the config files for restart >ifdef(`logrotate.te', ` >r_dir_file(logrotate_t, httpd_config_t) >domain_auto_trans(logrotate_t, httpd_exec_t, httpd_t) >allow logrotate_t httpd_t:process signull; >') >r_dir_file(initrc_t, httpd_config_t) >################################################## > >######################################## ># Allow httpd_t to bind to the HTTP port >######################################## >allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind; > >############################### ># Allow httpd_t to put files in /var/cache/httpd etc >############################## >create_dir_file(httpd_t, httpd_cache_t) > >############################### ># Allow httpd_t to access the tmpfs file system >############################## >tmpfs_domain(httpd) > >##################### ># Allow httpd_t to access ># libraries for its modules >############################### >allow httpd_t httpd_modules_t:file rx_file_perms; >allow httpd_t httpd_modules_t:dir r_dir_perms; >allow httpd_t httpd_modules_t:lnk_file r_file_perms; > >###################################################################### ># Allow initrc_t to access the Apache modules directory. >###################################################################### >allow initrc_t httpd_modules_t:dir r_dir_perms; > >############################################## ># Allow httpd_t to have access to files ># such as nisswitch.conf ># need ioctl for php >############################################### >allow httpd_t etc_t:file { read getattr ioctl }; >allow httpd_t etc_t:lnk_file read; > ># Several options for handling SSI exec cmd elements: ># Option #1: Do not support them at all. This is the default, since ># httpd_t is not permitted to execute shell_exec_t. ># Option #2: Run SSI executables in the same domain as system CGI scripts. ># Uncomment the following line to enable: >#domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t) ># Option #3: Run SSI executables directly in the httpd_t domain. This means ># that they have the same permissions as the daemon. Probably not a good idea. ># Uncomment the following line to enable: >#can_exec(httpd_t, shell_exec_t) > >################################################## ># ># PHP Directives >################################################## > >type httpd_php_exec_t, file_type, exec_type; >type httpd_php_t, domain; > ># Transition from the user domain to this domain. >domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t) > ># The system role is authorized for this domain. >role system_r types httpd_php_t; > >general_domain_access(httpd_php_t) >uses_shlib(httpd_php_t) >can_exec(httpd_php_t, lib_t) > ># allow php to read and append to apache logfiles >allow httpd_php_t httpd_log_t:file ra_file_perms; > ># access to /tmp >tmp_domain(httpd) >tmp_domain(httpd_php) >tmp_domain(httpd_suexec) > >allow httpd_suexec_t tmp_t:lnk_file { read }; > ># Creation of lock files for apache2 >lock_domain(httpd) > ># connect to mysql >ifdef(`mysqld.te', ` >can_unix_connect(httpd_php_t, mysqld_t) >allow httpd_php_t mysqld_var_run_t:dir { search }; >allow httpd_php_t mysqld_var_run_t:sock_file { write }; >') >allow httpd_t bin_t:dir { search }; >allow httpd_t sbin_t:dir { search }; >allow httpd_t httpd_log_t:dir { create_dir_perms }; >dontaudit httpd_t self:netlink_socket { create }; > >ifdef(`automount.te', ` >allow httpd_t autofs_t:dir { search getattr }; >allow httpd_suexec_t autofs_t:dir { search getattr }; >') >ifdef(`nfs_home_dirs', ` >r_dir_file(httpd_t, nfs_t) >r_dir_file(httpd_suexec_t, nfs_t) >can_exec(httpd_suexec_t, nfs_t) >')dnl end if nfs_home_dirs >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 48774
:
29892
| 29893 |
29894