Linux ns8.secondary29.go.th 2.6.32-754.28.1.el6.x86_64 #1 SMP Wed Mar 11 18:38:45 UTC 2020 x86_64
Apache/2.2.15 (CentOS)
: 122.154.134.11 | : 122.154.134.9
Cant Read [ /etc/named.conf ]
5.6.40
apache
www.github.com/MadExploits
Terminal
AUTO ROOT
Adminer
Backdoor Destroyer
Linux Exploit
Lock Shell
Lock File
Create User
CREATE RDP
PHP Mailer
BACKCONNECT
UNLOCK SHELL
HASH IDENTIFIER
CPANEL RESET
CREATE WP USER
README
+ Create Folder
+ Create File
/
usr /
share /
selinux /
devel /
include /
services /
[ HOME SHELL ]
Name
Size
Permission
Action
abrt.if
8.77
KB
-rw-r--r--
afs.if
2.07
KB
-rw-r--r--
aiccu.if
2.33
KB
-rw-r--r--
aide.if
1.29
KB
-rw-r--r--
aisexec.if
2.69
KB
-rw-r--r--
amavis.if
5.87
KB
-rw-r--r--
antivirus.if
6.23
KB
-rw-r--r--
apache.if
37.34
KB
-rw-r--r--
apcupsd.if
3.45
KB
-rw-r--r--
apm.if
2.04
KB
-rw-r--r--
arpwatch.if
3.09
KB
-rw-r--r--
asterisk.if
2.02
KB
-rw-r--r--
audioentropy.if
56
B
-rw-r--r--
automount.if
3.83
KB
-rw-r--r--
avahi.if
3.21
KB
-rw-r--r--
bacula.if
2.44
KB
-rw-r--r--
bcfg2.if
2.9
KB
-rw-r--r--
bind.if
7.84
KB
-rw-r--r--
bitlbee.if
1.26
KB
-rw-r--r--
bluetooth.if
5.63
KB
-rw-r--r--
boinc.if
3.01
KB
-rw-r--r--
bugzilla.if
851
B
-rw-r--r--
cachefilesd.if
1.2
KB
-rw-r--r--
canna.if
1.35
KB
-rw-r--r--
ccs.if
1.45
KB
-rw-r--r--
certmaster.if
3.09
KB
-rw-r--r--
certmonger.if
5.09
KB
-rw-r--r--
cfengine.if
2.98
KB
-rw-r--r--
cgdcbxd.if
1.3
KB
-rw-r--r--
cgroup.if
3.14
KB
-rw-r--r--
chronyd.if
3.61
KB
-rw-r--r--
cinder.if
1.33
KB
-rw-r--r--
cipe.if
46
B
-rw-r--r--
clamav.if
4.23
KB
-rw-r--r--
clockspeed.if
952
B
-rw-r--r--
clogd.if
1.89
KB
-rw-r--r--
cloudform.if
809
B
-rw-r--r--
cmirrord.if
2.56
KB
-rw-r--r--
cobbler.if
4.83
KB
-rw-r--r--
collectd.if
3.03
KB
-rw-r--r--
comsat.if
45
B
-rw-r--r--
condor.if
6.91
KB
-rw-r--r--
conman.if
1.51
KB
-rw-r--r--
consolekit.if
2.63
KB
-rw-r--r--
corosync.if
3.87
KB
-rw-r--r--
courier.if
5.2
KB
-rw-r--r--
cpucontrol.if
382
B
-rw-r--r--
cron.if
15.03
KB
-rw-r--r--
ctdbd.if
5.61
KB
-rw-r--r--
cups.if
6.95
KB
-rw-r--r--
cvs.if
2
KB
-rw-r--r--
cyphesis.if
412
B
-rw-r--r--
cyrus.if
2.13
KB
-rw-r--r--
dante.if
62
B
-rw-r--r--
dbskk.if
82
B
-rw-r--r--
dbus.if
12.09
KB
-rw-r--r--
dcc.if
3.35
KB
-rw-r--r--
ddclient.if
2.03
KB
-rw-r--r--
denyhosts.if
1.93
KB
-rw-r--r--
devicekit.if
4.91
KB
-rw-r--r--
dhcp.if
1.99
KB
-rw-r--r--
dictd.if
1.24
KB
-rw-r--r--
dirsrv-admin.if
3.36
KB
-rw-r--r--
dirsrv.if
5.29
KB
-rw-r--r--
distcc.if
50
B
-rw-r--r--
djbdns.if
2.46
KB
-rw-r--r--
dkim.if
57
B
-rw-r--r--
dnsmasq.if
4.97
KB
-rw-r--r--
dovecot.if
4.32
KB
-rw-r--r--
drbd.if
2.24
KB
-rw-r--r--
dspam.if
5.09
KB
-rw-r--r--
exim.if
4.81
KB
-rw-r--r--
fail2ban.if
4.47
KB
-rw-r--r--
fcoemon.if
1.56
KB
-rw-r--r--
fetchmail.if
713
B
-rw-r--r--
finger.if
747
B
-rw-r--r--
fprintd.if
790
B
-rw-r--r--
freeipmi.if
1.77
KB
-rw-r--r--
ftp.if
4.4
KB
-rw-r--r--
gatekeeper.if
57
B
-rw-r--r--
git.if
1.67
KB
-rw-r--r--
glance.if
5.2
KB
-rw-r--r--
glusterd.if
4.29
KB
-rw-r--r--
gnomeclock.if
1.72
KB
-rw-r--r--
gpm.if
1.52
KB
-rw-r--r--
gpsd.if
1.28
KB
-rw-r--r--
hal.if
8.23
KB
-rw-r--r--
hddtemp.if
722
B
-rw-r--r--
howl.if
352
B
-rw-r--r--
hypervkvp.if
1.58
KB
-rw-r--r--
i18n_input.if
327
B
-rw-r--r--
icecast.if
3.59
KB
-rw-r--r--
ifplugd.if
2.66
KB
-rw-r--r--
imaze.if
40
B
-rw-r--r--
inetd.if
4.32
KB
-rw-r--r--
inn.if
4.33
KB
-rw-r--r--
ipmievd.if
1.81
KB
-rw-r--r--
ircd.if
33
B
-rw-r--r--
irqbalance.if
43
B
-rw-r--r--
isns.if
880
B
-rw-r--r--
jabber.if
3.21
KB
-rw-r--r--
keepalived.if
475
B
-rw-r--r--
kerberos.if
9.23
KB
-rw-r--r--
kerneloops.if
2.41
KB
-rw-r--r--
keystone.if
3.95
KB
-rw-r--r--
ksmtuned.if
1.57
KB
-rw-r--r--
ktalk.if
38
B
-rw-r--r--
l2tpd.if
3.37
KB
-rw-r--r--
ldap.if
3.97
KB
-rw-r--r--
likewise.if
2.44
KB
-rw-r--r--
linuxptp.if
2.72
KB
-rw-r--r--
lircd.if
1.93
KB
-rw-r--r--
lldpad.if
1.97
KB
-rw-r--r--
lpd.if
4
KB
-rw-r--r--
lsm.if
753
B
-rw-r--r--
mailman.if
8.55
KB
-rw-r--r--
matahari.if
5.21
KB
-rw-r--r--
memcached.if
2.4
KB
-rw-r--r--
milter.if
3.43
KB
-rw-r--r--
mip6d.if
432
B
-rw-r--r--
mirrormanager.if
5.17
KB
-rw-r--r--
modemmanager.if
905
B
-rw-r--r--
monop.if
38
B
-rw-r--r--
mpd.if
5.73
KB
-rw-r--r--
mta.if
22.27
KB
-rw-r--r--
munin.if
4.66
KB
-rw-r--r--
mysql.if
8.46
KB
-rw-r--r--
nagios.if
7.73
KB
-rw-r--r--
nessus.if
349
B
-rw-r--r--
networkmanager.if
5.4
KB
-rw-r--r--
nis.if
8.57
KB
-rw-r--r--
nova.if
1.17
KB
-rw-r--r--
nscd.if
6.18
KB
-rw-r--r--
nsd.if
634
B
-rw-r--r--
nslcd.if
2.31
KB
-rw-r--r--
ntop.if
2.98
KB
-rw-r--r--
ntp.if
3.56
KB
-rw-r--r--
numad.if
762
B
-rw-r--r--
nut.if
47
B
-rw-r--r--
nx.if
1.78
KB
-rw-r--r--
oav.if
973
B
-rw-r--r--
oddjob.if
3.88
KB
-rw-r--r--
oident.if
1.47
KB
-rw-r--r--
openca.if
1.37
KB
-rw-r--r--
openct.if
1.78
KB
-rw-r--r--
openhpid.if
2.94
KB
-rw-r--r--
openshift-origin.if
23
B
-rw-r--r--
openshift.if
13.75
KB
-rw-r--r--
openvpn.if
3.2
KB
-rw-r--r--
openvswitch.if
3.37
KB
-rw-r--r--
openwsman.if
428
B
-rw-r--r--
oracleasm.if
1.42
KB
-rw-r--r--
osad.if
3
KB
-rw-r--r--
pacemaker.if
3.41
KB
-rw-r--r--
pads.if
1.05
KB
-rw-r--r--
passenger.if
3.44
KB
-rw-r--r--
pcp.if
2.8
KB
-rw-r--r--
pcscd.if
1.8
KB
-rw-r--r--
pegasus.if
62
B
-rw-r--r--
perdition.if
378
B
-rw-r--r--
pingd.if
1.96
KB
-rw-r--r--
piranha.if
4.14
KB
-rw-r--r--
pkcsslotd.if
2.34
KB
-rw-r--r--
plymouthd.if
6.52
KB
-rw-r--r--
policykit.if
5.65
KB
-rw-r--r--
portmap.if
1.92
KB
-rw-r--r--
portreserve.if
2.7
KB
-rw-r--r--
portslave.if
419
B
-rw-r--r--
postfix.if
19.5
KB
-rw-r--r--
postfixpolicyd.if
1022
B
-rw-r--r--
postgresql.if
15.28
KB
-rw-r--r--
postgrey.if
1.8
KB
-rw-r--r--
ppp.if
7.1
KB
-rw-r--r--
prelude.if
3.23
KB
-rw-r--r--
privoxy.if
972
B
-rw-r--r--
procmail.if
1.84
KB
-rw-r--r--
psad.if
5.39
KB
-rw-r--r--
publicfile.if
83
B
-rw-r--r--
puppet.if
5.12
KB
-rw-r--r--
pxe.if
63
B
-rw-r--r--
pyicqt.if
66
B
-rw-r--r--
pyzor.if
2.71
KB
-rw-r--r--
qmail.if
4.16
KB
-rw-r--r--
qpidd.if
5.02
KB
-rw-r--r--
quantum.if
4.68
KB
-rw-r--r--
radius.if
1.37
KB
-rw-r--r--
radvd.if
1.18
KB
-rw-r--r--
razor.if
5.12
KB
-rw-r--r--
rdisc.if
373
B
-rw-r--r--
redis.if
4.83
KB
-rw-r--r--
remotelogin.if
779
B
-rw-r--r--
resmgr.if
465
B
-rw-r--r--
rgmanager.if
4.6
KB
-rw-r--r--
rhcs.if
16.67
KB
-rw-r--r--
rhev.if
2.04
KB
-rw-r--r--
rhgb.if
3.57
KB
-rw-r--r--
rhnsd.if
1.73
KB
-rw-r--r--
rhsmcertd.if
5.95
KB
-rw-r--r--
ricci.if
6.3
KB
-rw-r--r--
rlogin.if
925
B
-rw-r--r--
roundup.if
938
B
-rw-r--r--
rpc.if
9.53
KB
-rw-r--r--
rpcbind.if
3.1
KB
-rw-r--r--
rshd.if
428
B
-rw-r--r--
rsync.if
3.62
KB
-rw-r--r--
rtas.if
2.54
KB
-rw-r--r--
rtkit.if
1.67
KB
-rw-r--r--
rwho.if
2.89
KB
-rw-r--r--
samba.if
19.02
KB
-rw-r--r--
sanlock.if
2.23
KB
-rw-r--r--
sasl.if
1.17
KB
-rw-r--r--
sblim.if
3.54
KB
-rw-r--r--
sendmail.if
7
KB
-rw-r--r--
sensord.if
817
B
-rw-r--r--
setroubleshoot.if
3.49
KB
-rw-r--r--
sge.if
54
B
-rw-r--r--
slpd.if
1.36
KB
-rw-r--r--
slrnpull.if
978
B
-rw-r--r--
smartmon.if
1.26
KB
-rw-r--r--
smokeping.if
3.32
KB
-rw-r--r--
smstools.if
2.57
KB
-rw-r--r--
snmp.if
4.93
KB
-rw-r--r--
snort.if
1.29
KB
-rw-r--r--
soundserver.if
1.3
KB
-rw-r--r--
spamassassin.if
7.62
KB
-rw-r--r--
speedtouch.if
56
B
-rw-r--r--
squid.if
4.32
KB
-rw-r--r--
ssh.if
23.08
KB
-rw-r--r--
sssd.if
5.23
KB
-rw-r--r--
stapserver.if
3.04
KB
-rw-r--r--
stunnel.if
577
B
-rw-r--r--
svnserve.if
1.57
KB
-rw-r--r--
swift.if
1.82
KB
-rw-r--r--
sysstat.if
433
B
-rw-r--r--
tcpd.if
903
B
-rw-r--r--
telnet.if
36
B
-rw-r--r--
tftp.if
3.12
KB
-rw-r--r--
tgtd.if
1.46
KB
-rw-r--r--
timidity.if
79
B
-rw-r--r--
tomcat.if
7.27
KB
-rw-r--r--
tor.if
1.31
KB
-rw-r--r--
transproxy.if
45
B
-rw-r--r--
tuned.if
2.45
KB
-rw-r--r--
ucspitcp.if
642
B
-rw-r--r--
ulogd.if
2.91
KB
-rw-r--r--
uptime.if
36
B
-rw-r--r--
usbmuxd.if
863
B
-rw-r--r--
uucp.if
2.35
KB
-rw-r--r--
uuidd.if
3.61
KB
-rw-r--r--
uwimap.if
461
B
-rw-r--r--
varnishd.if
4.42
KB
-rw-r--r--
vdagent.if
2.36
KB
-rw-r--r--
vhostmd.if
4.43
KB
-rw-r--r--
virt.if
19.61
KB
-rw-r--r--
w3c.if
43
B
-rw-r--r--
watchdog.if
895
B
-rw-r--r--
wdmd.if
2.49
KB
-rw-r--r--
xfs.if
1.07
KB
-rw-r--r--
xprint.if
37
B
-rw-r--r--
xserver.if
37.77
KB
-rw-r--r--
zabbix.if
3.97
KB
-rw-r--r--
zarafa.if
4.04
KB
-rw-r--r--
zebra.if
1.88
KB
-rw-r--r--
zosremote.if
991
B
-rw-r--r--
Delete
Unzip
Zip
${this.title}
Close
Code Editor : apache.if
## <summary>Apache web server</summary> ######################################## ## <summary> ## Create a set of derived types for apache ## web content. ## </summary> ## <param name="prefix"> ## <summary> ## The prefix to be used for deriving type names. ## </summary> ## </param> # template(`apache_content_template',` gen_require(` attribute httpd_exec_scripts; attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; type httpd_sys_content_t; ') #This type is for webpages type httpd_$1_content_t; # customizable; typealias httpd_$1_content_t alias httpd_$1_script_ro_t; files_type(httpd_$1_content_t) # This type is used for .htaccess files type httpd_$1_htaccess_t; # customizable; files_type(httpd_$1_htaccess_t) # Type that CGI scripts run as type httpd_$1_script_t; domain_type(httpd_$1_script_t) role system_r types httpd_$1_script_t; search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type) # This type is used for executable scripts files type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable; corecmd_shell_entry_type(httpd_$1_script_t) domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) type httpd_$1_rw_content_t; # customizable typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t }; files_type(httpd_$1_rw_content_t) type httpd_$1_ra_content_t; # customizable typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; files_type(httpd_$1_ra_content_t) read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t) domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; allow httpd_$1_script_t self:fifo_file rw_file_perms; allow httpd_$1_script_t self:unix_stream_socket connectto; allow httpd_$1_script_t httpd_t:fifo_file write; # apache should set close-on-exec dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; # Allow the script process to search the cgi directory, and users directory allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t) logging_search_logs(httpd_$1_script_t) can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms; read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) allow httpd_$1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write shutdown }; kernel_dontaudit_search_sysctl(httpd_$1_script_t) kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) dev_read_rand(httpd_$1_script_t) dev_read_urand(httpd_$1_script_t) corecmd_exec_all_executables(httpd_$1_script_t) application_exec_all(httpd_$1_script_t) files_exec_etc_files(httpd_$1_script_t) files_read_etc_files(httpd_$1_script_t) files_search_home(httpd_$1_script_t) libs_exec_ld_so(httpd_$1_script_t) libs_exec_lib_files(httpd_$1_script_t) miscfiles_read_fonts(httpd_$1_script_t) miscfiles_read_public_files(httpd_$1_script_t) seutil_dontaudit_search_config(httpd_$1_script_t) apache_dontaudit_leaks(httpd_$1_script_t) # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) allow httpd_t httpd_$1_content_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) allow httpd_t httpd_$1_content_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) allow httpd_t httpd_$1_script_t:unix_stream_socket connectto; ') tunable_policy(`httpd_enable_cgi',` allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint; # privileged users run the script: domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms; # apache runs the script: domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) allow httpd_t httpd_$1_script_exec_t:file read_file_perms; allow httpd_t httpd_$1_script_exec_t:lnk_file read_lnk_file_perms; allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; allow httpd_$1_script_t self:process { setsched signal_perms }; allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms; allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms; allow httpd_$1_script_t httpd_t:fd use; allow httpd_$1_script_t httpd_t:process sigchld; kernel_read_system_state(httpd_$1_script_t) dev_read_urand(httpd_$1_script_t) fs_getattr_xattr_fs(httpd_$1_script_t) files_read_etc_runtime_files(httpd_$1_script_t) files_read_usr_files(httpd_$1_script_t) libs_read_lib_files(httpd_$1_script_t) miscfiles_read_localization(httpd_$1_script_t) allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms; ') optional_policy(` tunable_policy(`httpd_enable_cgi && allow_ypbind',` nis_use_ypbind_uncond(httpd_$1_script_t) ') ') optional_policy(` postgresql_unpriv_client(httpd_$1_script_t) ') optional_policy(` nscd_socket_use(httpd_$1_script_t) ') dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write }; ') ######################################## ## <summary> ## Role access for apache ## </summary> ## <param name="role"> ## <summary> ## Role allowed access ## </summary> ## </param> ## <param name="domain"> ## <summary> ## User domain for the role ## </summary> ## </param> # interface(`apache_role',` gen_require(` attribute httpdcontent; type httpd_user_content_t, httpd_user_htaccess_t; type httpd_user_script_t, httpd_user_script_exec_t; type httpd_user_ra_content_t, httpd_user_rw_content_t; ') role $1 types httpd_user_script_t; allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom }; allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom }; manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t) manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t) relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) tunable_policy(`httpd_enable_cgi',` # If a user starts a script by hand it gets the proper context domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) ') tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern($2, httpdcontent, httpd_user_script_t) ') ') ######################################## ## <summary> ## Read httpd user scripts executables. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_read_user_scripts',` gen_require(` type httpd_user_script_exec_t; ') allow $1 httpd_user_script_exec_t:dir list_dir_perms; read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) ') ######################################## ## <summary> ## Read user web content. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_read_user_content',` gen_require(` type httpd_user_content_t; ') allow $1 httpd_user_content_t:dir list_dir_perms; read_files_pattern($1, httpd_user_content_t, httpd_user_content_t) read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t) ') ######################################## ## <summary> ## Read user web content. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_manage_user_content',` gen_require(` type httpd_user_content_t; ') allow $1 httpd_user_content_t:dir list_dir_perms; manage_files_pattern($1, httpd_user_content_t, httpd_user_content_t) manage_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t) ') ######################################## ## <summary> ## Transition to apache. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_domtrans',` gen_require(` type httpd_t, httpd_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, httpd_exec_t, httpd_t) ') ###################################### ## <summary> ## Allow the specified domain to execute apache ## in the caller domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_exec',` gen_require(` type httpd_exec_t; ') can_exec($1, httpd_exec_t) ') ####################################### ## <summary> ## Send a generic signal to apache. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_signal',` gen_require(` type httpd_t; ') allow $1 httpd_t:process signal; ') ######################################## ## <summary> ## Send a null signal to apache. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_signull',` gen_require(` type httpd_t; ') allow $1 httpd_t:process signull; ') ######################################## ## <summary> ## Send a SIGCHLD signal to apache. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_sigchld',` gen_require(` type httpd_t; ') allow $1 httpd_t:process sigchld; ') ######################################## ## <summary> ## Inherit and use file descriptors from Apache. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_use_fds',` gen_require(` type httpd_t; ') allow $1 httpd_t:fd use; ') ######################################## ## <summary> ## Do not audit attempts to read and write Apache ## unnamed pipes. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_dontaudit_rw_fifo_file',` gen_require(` type httpd_t; ') dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## ## <summary> ## Do not audit attempts to read and write Apache ## unix domain stream sockets. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_dontaudit_rw_stream_sockets',` gen_require(` type httpd_t; ') dontaudit $1 httpd_t:unix_stream_socket { read write }; ') ######################################## ## <summary> ## Do not audit attempts to read and write Apache ## TCP sockets. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_dontaudit_rw_tcp_sockets',` gen_require(` type httpd_t; ') dontaudit $1 httpd_t:tcp_socket { read write }; ') ######################################## ## <summary> ## Create, read, write, and delete all web content. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`apache_manage_all_content',` gen_require(` attribute httpdcontent, httpd_script_exec_type; ') manage_dirs_pattern($1, httpdcontent, httpdcontent) manage_files_pattern($1, httpdcontent, httpdcontent) manage_lnk_files_pattern($1, httpdcontent, httpdcontent) manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type) manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) ') ######################################## ## <summary> ## Allow domain to set the attributes ## of the APACHE cache directory. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_setattr_cache_dirs',` gen_require(` type httpd_cache_t; ') allow $1 httpd_cache_t:dir setattr; ') ######################################## ## <summary> ## Allow the specified domain to list ## Apache cache. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_list_cache',` gen_require(` type httpd_cache_t; ') list_dirs_pattern($1, httpd_cache_t, httpd_cache_t) ') ######################################## ## <summary> ## Allow the specified domain to read ## and write Apache cache files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_rw_cache_files',` gen_require(` type httpd_cache_t; ') allow $1 httpd_cache_t:file rw_file_perms; ') ######################################## ## <summary> ## Allow the specified domain to delete ## Apache cache dirs. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_delete_cache_dirs',` gen_require(` type httpd_cache_t; ') delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t) ') ######################################## ## <summary> ## Allow the specified domain to delete ## Apache cache. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_delete_cache_files',` gen_require(` type httpd_cache_t; ') delete_files_pattern($1, httpd_cache_t, httpd_cache_t) ') ####################################### ## <summary> ## Allow the specified domain to search ## apache configuration dirs. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_search_config',` gen_require(` type httpd_config_t; ') files_search_etc($1) allow $1 httpd_config_t:dir search_dir_perms; ') ######################################## ## <summary> ## Allow the specified domain to read ## apache configuration files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`apache_read_config',` gen_require(` type httpd_config_t; ') files_search_etc($1) allow $1 httpd_config_t:dir list_dir_perms; read_files_pattern($1, httpd_config_t, httpd_config_t) read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) ') ######################################## ## <summary> ## Allow the specified domain to manage ## apache configuration files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_manage_config',` gen_require(` type httpd_config_t; ') files_search_etc($1) manage_dirs_pattern($1, httpd_config_t, httpd_config_t) manage_files_pattern($1, httpd_config_t, httpd_config_t) read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) ') ######################################## ## <summary> ## Execute the Apache helper program with ## a domain transition. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_domtrans_helper',` gen_require(` type httpd_helper_t, httpd_helper_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t) ') ######################################## ## <summary> ## Execute the Apache helper program with ## a domain transition, and allow the ## specified role the Apache helper domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <param name="role"> ## <summary> ## Role allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`apache_run_helper',` gen_require(` type httpd_helper_t; ') apache_domtrans_helper($1) role $2 types httpd_helper_t; ') ######################################## ## <summary> ## dontaudit attempts to read ## apache log files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`apache_dontaudit_read_log',` gen_require(` type httpd_log_t; ') dontaudit $1 httpd_log_t:file read_file_perms; dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms; ') ######################################## ## <summary> ## Allow the specified domain to read ## apache log files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`apache_read_log',` gen_require(` type httpd_log_t; ') logging_search_logs($1) allow $1 httpd_log_t:dir list_dir_perms; read_files_pattern($1, httpd_log_t, httpd_log_t) read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) ') ######################################## ## <summary> ## Allow the specified domain to append ## to apache log files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_append_log',` gen_require(` type httpd_log_t; ') logging_search_logs($1) allow $1 httpd_log_t:dir list_dir_perms; append_files_pattern($1, httpd_log_t, httpd_log_t) ') ######################################## ## <summary> ## Do not audit attempts to append to the ## Apache logs. ## </summary> ## <param name="domain"> ## <summary> ## Domain to not audit. ## </summary> ## </param> # interface(`apache_dontaudit_append_log',` gen_require(` type httpd_log_t; ') dontaudit $1 httpd_log_t:file { getattr append }; ') ###################################### ## <summary> ## Allow the specified domain to write ## to apache log files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_write_log',` gen_require(` type httpd_log_t; ') allow $1 httpd_log_t:file write; ') ######################################## ## <summary> ## Allow the specified domain to manage ## to apache log files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_manage_log',` gen_require(` type httpd_log_t; ') logging_search_logs($1) manage_dirs_pattern($1, httpd_log_t, httpd_log_t) manage_files_pattern($1, httpd_log_t, httpd_log_t) read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) ') ######################################## ## <summary> ## Do not audit attempts to search Apache ## module directories. ## </summary> ## <param name="domain"> ## <summary> ## Domain to not audit. ## </summary> ## </param> # interface(`apache_dontaudit_search_modules',` gen_require(` type httpd_modules_t; ') dontaudit $1 httpd_modules_t:dir search_dir_perms; ') ######################################## ## <summary> ## Allow the specified domain to list ## the contents of the apache modules ## directory. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_list_modules',` gen_require(` type httpd_modules_t; ') allow $1 httpd_modules_t:dir list_dir_perms; read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t) ') ####################################### ## <summary> ## Allow the specified domain to read ## the apache modules files. ## directory. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_read_modules',` gen_require(` type httpd_modules_t; ') allow $1 httpd_modules_t:dir list_dir_perms; read_files_pattern($1,httpd_modules_t, httpd_modules_t) ') ######################################## ## <summary> ## Allow the specified domain to execute ## apache modules. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_exec_modules',` gen_require(` type httpd_modules_t; ') allow $1 httpd_modules_t:dir list_dir_perms; allow $1 httpd_modules_t:lnk_file read_lnk_file_perms; can_exec($1, httpd_modules_t) ') ######################################## ## <summary> ## Execute a domain transition to run httpd_rotatelogs. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_domtrans_rotatelogs',` gen_require(` type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; ') domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) ') ###################################### ## <summary> ## Execute httpd_rotatelogs in the caller domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed to transition. ## </summary> ## </param> # interface(`apache_exec_rotatelogs',` gen_require(` type httpd_rotatelogs_exec_t; ') can_exec($1, httpd_rotatelogs_exec_t) ') ###################################### ## <summary> ## Execute httpd system scripts in the caller domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed to transition. ## </summary> ## </param> # interface(`apache_exec_sys_script',` gen_require(` type httpd_sys_script_exec_t; ') allow $1 httpd_sys_script_exec_t:dir search_dir_perms; can_exec($1, httpd_sys_script_exec_t) ') ######################################## ## <summary> ## Allow the specified domain to list ## apache system content files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_list_sys_content',` gen_require(` type httpd_sys_content_t; ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) files_search_var($1) ') ######################################## ## <summary> ## Allow the specified domain to manage ## apache system content files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <rolecap/> # # Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr interface(`apache_manage_sys_content',` gen_require(` type httpd_sys_content_t; ') files_search_var($1) apache_search_sys_content($1) manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') ###################################### ## <summary> ## Allow the specified domain to manage ## apache system content rw files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`apache_manage_sys_content_rw',` gen_require(` type httpd_sys_rw_content_t; ') files_search_var($1) apache_search_sys_content($1) manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ') ######################################## ## <summary> ## Allow the specified domain to delete ## apache system content rw files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`apache_delete_sys_content_rw',` gen_require(` type httpd_sys_rw_content_t; ') files_search_tmp($1) apache_search_sys_content($1) delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ') ######################################## ## <summary> ## Execute all web scripts in the system ## script domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # # cjp: this interface specifically added to allow # sysadm_t to run scripts interface(`apache_domtrans_sys_script',` gen_require(` attribute httpdcontent; type httpd_sys_script_t; type httpd_sys_content_t; type httpd_sys_script_exec_t; ') tunable_policy(`httpd_enable_cgi',` domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t) ') tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern($1, httpdcontent, httpd_sys_script_t) ') ') ######################################## ## <summary> ## Do not audit attempts to read and write Apache ## system script unix domain stream sockets. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_dontaudit_rw_sys_script_stream_sockets',` gen_require(` type httpd_sys_script_t; ') dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write }; ') ######################################## ## <summary> ## Execute all user scripts in the user ## script domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_domtrans_all_scripts',` gen_require(` attribute httpd_exec_scripts; ') typeattribute $1 httpd_exec_scripts; ') ######################################## ## <summary> ## Execute all user scripts in the user ## script domain. Add user script domains ## to the specified role. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <param name="role"> ## <summary> ## The role to be allowed the script domains. ## </summary> ## </param> # interface(`apache_run_all_scripts',` gen_require(` attribute httpd_exec_scripts, httpd_script_domains; ') role $2 types httpd_script_domains; apache_domtrans_all_scripts($1) ') ######################################## ## <summary> ## Allow the specified domain to read ## apache squirrelmail data. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_read_squirrelmail_data',` gen_require(` type httpd_squirrelmail_t; ') read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t) ') ######################################## ## <summary> ## Allow the specified domain to append ## apache squirrelmail data. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_append_squirrelmail_data',` gen_require(` type httpd_squirrelmail_t; ') allow $1 httpd_squirrelmail_t:file append_file_perms; ') ######################################## ## <summary> ## Search apache system content. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_search_sys_content',` gen_require(` type httpd_sys_content_t; ') allow $1 httpd_sys_content_t:dir search_dir_perms; ') ####################################### ## <summary> ## Getattr apache system content. ## </summary> ## <param name="domain"> ## <summary> ## Domain to not audit. ## </summary> ## </param> # interface(`apache_getattr_sys_content',` gen_require(` type httpd_sys_content_t; ') getattr_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') ######################################## ## <summary> ## Read apache system content. ## </summary> ## <param name="domain"> ## <summary> ## Domain to not audit. ## </summary> ## </param> # interface(`apache_read_sys_content',` gen_require(` type httpd_sys_content_t; ') allow $1 httpd_sys_content_t:dir list_dir_perms; read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') ######################################## ## <summary> ## Search apache system CGI directories. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_search_sys_scripts',` gen_require(` type httpd_sys_content_t, httpd_sys_script_exec_t; ') search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t) ') ######################################## ## <summary> ## Create, read, write, and delete all user web content. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`apache_manage_all_user_content',` gen_require(` attribute httpd_user_content_type, httpd_user_script_exec_type; ') manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type) manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type) manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type) manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) ') ######################################## ## <summary> ## Search system script state directory. ## </summary> ## <param name="domain"> ## <summary> ## Domain to not audit. ## </summary> ## </param> # interface(`apache_search_sys_script_state',` gen_require(` type httpd_sys_script_t; ') allow $1 httpd_sys_script_t:dir search_dir_perms; ') ######################################## ## <summary> ## Allow the specified domain to read ## apache tmp files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_read_tmp_files',` gen_require(` type httpd_tmp_t; ') files_search_tmp($1) read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') ###################################### ## <summary> ## Dontaudit attempts to read and write ## apache tmp files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_dontaudit_rw_tmp_files',` gen_require(` type httpd_tmp_t; ') dontaudit $1 httpd_tmp_t:file { read write }; ') ######################################## ## <summary> ## Dontaudit attempts to write ## apache tmp files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_dontaudit_write_tmp_files',` gen_require(` type httpd_tmp_t; ') dontaudit $1 httpd_tmp_t:file write; ') ######################################## ## <summary> ## Execute CGI in the specified domain. ## </summary> ## <desc> ## <p> ## Execute CGI in the specified domain. ## </p> ## <p> ## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. ## </p> ## </desc> ## <param name="domain"> ## <summary> ## Domain run the cgi script in. ## </summary> ## </param> ## <param name="entrypoint"> ## <summary> ## Type of the executable to enter the cgi domain. ## </summary> ## </param> # interface(`apache_cgi_domain',` gen_require(` type httpd_t, httpd_sys_script_exec_t; ') domtrans_pattern(httpd_t, $2, $1) apache_search_sys_scripts($1) allow httpd_t $1:process signal; ') ######################################## ## <summary> ## All of the rules required to administrate an apache environment ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <param name="role"> ## <summary> ## Role allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`apache_admin',` gen_require(` attribute httpdcontent; attribute httpd_script_exec_type; type httpd_t, httpd_config_t, httpd_log_t; type httpd_modules_t, httpd_lock_t; type httpd_var_run_t, httpd_php_tmp_t; type httpd_suexec_tmp_t, httpd_tmp_t; type httpd_initrc_exec_t, httpd_bool_t; ') allow $1 httpd_t:process { getattr ptrace signal_perms }; ps_process_pattern($1, httpd_t) init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 httpd_initrc_exec_t system_r; allow $2 system_r; apache_manage_all_content($1) miscfiles_manage_public_files($1) files_search_etc($1) admin_pattern($1, httpd_config_t) logging_search_logs($1) admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) admin_pattern($1, httpd_lock_t) files_lock_filetrans($1, httpd_lock_t, file) admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) kernel_search_proc($1) allow $1 httpd_t:dir list_dir_perms; ps_process_pattern($1, httpd_t) read_lnk_files_pattern($1, httpd_t, httpd_t) admin_pattern($1, httpdcontent) admin_pattern($1, httpd_script_exec_type) seutil_domtrans_setfiles($1) admin_pattern($1, httpd_tmp_t) admin_pattern($1, httpd_php_tmp_t) admin_pattern($1, httpd_suexec_tmp_t) ifdef(`TODO',` allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms; allow httpd_setsebool_t httpd_bool_t:file rw_file_perms; ') ') ######################################## ## <summary> ## dontaudit read and write an leaked file descriptors ## </summary> ## <param name="domain"> ## <summary> ## The type of the process performing this action. ## </summary> ## </param> # interface(`apache_dontaudit_leaks',` gen_require(` type httpd_t, httpd_tmp_t; ') dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; dontaudit $1 httpd_t:tcp_socket { read write }; dontaudit $1 httpd_t:unix_dgram_socket { read write }; dontaudit $1 httpd_t:unix_stream_socket { read write }; dontaudit $1 httpd_tmp_t:file { read write }; ') ####################################### ## <summary> ## Allow getattr of suexec ## </summary> ## <param name="domain"> ## <summary> ## The type of the process performing this action. ## </summary> ## </param> # interface(`apache_getattr_suexec',` gen_require(` type httpd_suexec_exec_t; ') allow $1 httpd_suexec_exec_t:file getattr; ') ####################################### ## <summary> ## Read and write of httpd unix stream socket. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`apache_rw_stream_sockets',` gen_require(` type httpd_t; ') allow $1 httpd_t:unix_stream_socket rw_socket_perms; ') ####################################### ## <summary> ## Allow any httpd_exec_t to be an entrypoint of this domain ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`apache_entrypoint',` gen_require(` type httpd_exec_t; ') allow $1 httpd_exec_t:file entrypoint; ')
Close
