Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 29894 Details for
Bug 48774
apache policy files
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
macros
apache_macros.te (text/plain), 6.67 KB, created by
petre rodan (RETIRED)
on 2004-04-23 03:41:12 UTC
(
hide
)
Description:
macros
Filename:
MIME Type:
Creator:
petre rodan (RETIRED)
Created:
2004-04-23 03:41:12 UTC
Size:
6.67 KB
patch
obsolete
> >define(`apache_domain', ` > >undefine(`apache_single_user') >ifdef(`single_userdomain', ` >ifelse($1, sys, `', ` >define(`apache_single_user') >')dnl end if >')dnl end ifdef single_userdomain > >ifdef(`apache_single_user', ` >typealias $1_home_t alias httpd_$1_content_t; >typealias $1_home_t alias httpd_$1_htaccess_t; >typealias $1_home_t alias httpd_$1_script_exec_t; >typealias $1_home_t alias httpd_$1_script_ro_t; >typealias $1_home_t alias httpd_$1_script_rw_t; >typealias $1_home_t alias httpd_$1_script_ra_t; >', ` > >#This type is for webpages ># >### XXX >#type httpd_$1_content_t, file_type, homedirfile, sysadmfile; >type httpd_$1_content_t, file_type, sysadmfile; > ># This type is used for .htaccess files ># >type httpd_$1_htaccess_t, file_type, sysadmfile; > >type httpd_$1_script_exec_t, file_type, sysadmfile; > ># Type that CGI scripts run as >type httpd_$1_script_t, domain, privmail; >role system_r types httpd_$1_script_t; > >domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) >allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; >allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms; > >allow httpd_$1_script_t httpd_t:fd use; >allow httpd_$1_script_t httpd_t:process sigchld; > >uses_shlib(httpd_$1_script_t) >can_network(httpd_$1_script_t) >#can_ypbind(httpd_$1_script_t) >allow httpd_$1_script_t { usr_t lib_t }:file { getattr read }; > >allow httpd_$1_script_t self:process { fork signal_perms }; > >allow httpd_$1_script_t devtty_t:chr_file { getattr read write }; >allow httpd_$1_script_t etc_runtime_t:file { getattr read }; >read_locale(httpd_$1_script_t) >allow httpd_$1_script_t fs_t:filesystem getattr; >allow httpd_$1_script_t self:unix_stream_socket create_socket_perms; >allow httpd_$1_script_t proc_t:file { getattr read }; > >allow httpd_$1_script_t { self proc_t }:dir r_dir_perms; >allow httpd_$1_script_t { self proc_t }:lnk_file read; > >allow httpd_$1_script_t device_t:dir { getattr search }; >allow httpd_$1_script_t null_device_t:chr_file rw_file_perms; > ># The following are the only areas that ># scripts can read, read/write, or append to ># >type httpd_$1_script_ro_t, file_type, sysadmfile; >type httpd_$1_script_rw_t, file_type, sysadmfile; >file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t) >type httpd_$1_script_ra_t, file_type, sysadmfile; > >ifdef(`slocate.te', ` >ifelse($1, `sys', `', ` >allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:dir { getattr search }; >allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:file { getattr read }; >')dnl end ifelse >')dnl end slocate.te > >######################################################### ># Permissions for running child processes and scripts >########################################################## >allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search }; > >domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) > >allow httpd_$1_script_t httpd_t:fifo_file { write }; > >allow httpd_$1_script_t self:fifo_file rw_file_perms; > >allow httpd_$1_script_t random_device_t:chr_file r_file_perms; > >########################################################################### ># Allow the script interpreters to run the scripts. So ># the perl executable will be able to run a perl script >######################################################################### >can_exec(httpd_$1_script_t, { bin_t shell_exec_t }) >allow httpd_$1_script_t { bin_t sbin_t }:dir { getattr search }; >allow httpd_$1_script_t bin_t:lnk_file read; >allow httpd_$1_script_t etc_t:file { getattr read }; > >############################################################################ ># Allow the script process to search the cgi directory, and users directory >############################################################################## >allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr }; >allow httpd_$1_script_t home_root_t:dir { getattr search }; >allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search }; > >############################################################################# ># Allow the scripts to read, read/write, append to the specified directories ># or files >############################################################################ >r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t) >create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t) >ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t) > >ifelse($1, sys, ` ># ># If a user starts a script by hand it gets the proper context ># >domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t) >role sysadm_r types httpd_$1_script_t; >', ` > >ifdef(`single_userdomain', `', ` ># If a user starts a script by hand it gets the proper context >domain_auto_trans($1_t, httpd_$1_script_exec_t, httpd_$1_script_t) >role $1_r types httpd_$1_script_t; > >####################################### ># Allow user to create or edit web content >######################################### > >create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t }) >create_dir_file($1_crond_t, httpd_$1_content_t) >allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom }; > >###################################################################### ># Allow the user to create htaccess files >##################################################################### > >allow $1_t httpd_$1_htaccess_t:{ file lnk_file } { create_file_perms relabelto relabelfrom }; > >######################################################################### ># Allow user to create files or directories ># that scripts are able to read, write, or append to >########################################################################### > >create_dir_file($1_t, { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }) >allow $1_t { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:{ file dir lnk_file } { relabelto relabelfrom }; >')dnl end ifdef single_userdomain > ># allow accessing files/dirs below the users home dir >allow httpd_$1_script_t $1_home_dir_t:dir { getattr search }; >allow httpd_t $1_home_dir_t:dir { getattr search }; >')dnl end ifelse sys > >################################################################ ># Allow the web server to run scripts and serve pages >############################################################## >r_dir_file(httpd_t, httpd_$1_content_t) > >allow httpd_t httpd_$1_htaccess_t: file r_file_perms; > >r_dir_file(httpd_t, httpd_$1_script_rw_t) > >############################################ ># Allow scripts to append to http logs >######################################### >allow httpd_$1_script_t httpd_log_t:file append; > >')dnl end apache_single_user >')
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=29894">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 48774
:
29892
|
29893
| 29894
