~ubuntu-branches/ubuntu/natty/refpolicy-ubuntu/natty


Viewing changes to policy/modules/services/apache.if

  • Committer: Bazaar Package Importer
  • Author(s): Caleb Case
  • Date: 2009-10-19 01:48:39 UTC
  • mfrom: (1.1.1 upstream)
  • Revision ID: james.westby@ubuntu.com-20091019014839-0rpi67ygkrjya30k
Tags: 0.2.20090730-0ubuntu1
* Updated to upstream release 2.20090730
* Handle Upstart direct execution of daemons.
* Pre-depend on selinux to ensure that the trigger is handled (LP: #434084).

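--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -79,8 +79,8 @@
         read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
 
         allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms;
-        read_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
-        read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
+        read_files_pattern(httpd_$1_script_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
+        read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
 
         manage_dirs_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
         manage_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
@@ -268,33 +268,33 @@
 
         allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
 
-        manage_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
-        manage_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
-        manage_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
-        relabel_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
-        relabel_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
-        relabel_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
-
-        manage_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
-        manage_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
-        manage_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
-        relabel_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
-        relabel_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
-        relabel_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
-
-        manage_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
-        manage_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
-        manage_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
-        relabel_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
-        relabel_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
-        relabel_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
-
-        manage_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
-        manage_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
-        manage_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
-        relabel_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
-        relabel_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
-        relabel_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
+        manage_dirs_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
+        manage_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
+        manage_lnk_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
+        relabel_dirs_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
+        relabel_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
+        relabel_lnk_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
+
+        manage_dirs_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
+        manage_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
+        manage_lnk_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
+        relabel_dirs_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
+        relabel_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
+        relabel_lnk_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
+
+        manage_dirs_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
+        manage_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
+        manage_lnk_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
+        relabel_dirs_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
+        relabel_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
+        relabel_lnk_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
+
+        manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+        manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+        manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+        relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+        relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+        relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
 
         tunable_policy(`httpd_enable_cgi',`
                 # If a user starts a script by hand it gets the proper context
@@ -735,7 +735,7 @@
 
         allow $1 httpd_modules_t:dir list_dir_perms;
         allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
-        can_exec($1,httpd_modules_t)
+        can_exec($1, httpd_modules_t)
 ')
 
 ########################################
@@ -1040,3 +1040,68 @@
 
         allow httpd_t $1:process signal;
 ')
+
+########################################
+## <summary>
+##      All of the rules required to administrate an apache environment
+## </summary>
+## <param name="prefix">
+##      <summary>
+##      Prefix of the domain. Example, user would be
+##      the prefix for the uder_t domain.
+##      </summary>
+## </param>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      Role allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_admin',`
+        gen_require(`
+                attribute httpdcontent;
+                attribute httpd_script_exec_type;
+
+                type httpd_t, httpd_config_t, httpd_log_t;
+                type httpd_modules_t, httpd_lock_t;
+                type httpd_var_run_t, httpd_php_tmp_t;
+                type httpd_suexec_tmp_t, httpd_tmp_t;
+        ')
+
+        allow $1 httpd_t:process { getattr ptrace signal_perms };
+        ps_process_pattern($1, httpd_t)
+
+        apache_manage_all_content($1)
+        miscfiles_manage_public_files($1)
+
+        files_search_etc($1)
+        admin_pattern($1, httpd_config_t)
+
+        logging_search_logs($1)
+        admin_pattern($1, httpd_log_t)
+
+        admin_pattern($1, httpd_modules_t)
+
+        admin_pattern($1, httpd_lock_t)
+        files_lock_filetrans($1, httpd_lock_t, file)
+
+        admin_pattern($1, httpd_var_run_t)
+        files_pid_filetrans($1, httpd_var_run_t, file)
+
+        kernel_search_proc($1)
+        allow $1 httpd_t:dir list_dir_perms;
+
+        read_lnk_files_pattern($1, httpd_t, httpd_t)
+
+        admin_pattern($1, httpdcontent)
+        admin_pattern($1, httpd_script_exec_type)
+        admin_pattern($1, httpd_tmp_t)
+        admin_pattern($1, httpd_php_tmp_t)
+        admin_pattern($1, httpd_suexec_tmp_t)
+')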
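Review bot: The header of the new `apache_admin` interface documents three parameters (`prefix`, `domain`, `role`), but the body only ever expands `$1` and treats it as the domain being granted access, e.g. `allow $1 httpd_t:process { getattr ptrace signal_perms };`. A caller who follows the header and passes a prefix first would apply every rule here to the wrong identifier, so the documented parameters and the body need to agree: either describe a single `domain` parameter, or have the body use the documented positions. The prefix description also misspells the example domain as `uder_t`. Separately, `ptrace` on `httpd_t` lets the admin domain inspect the server's process memory, which is a much wider grant than `signal_perms`; a one-line comment such as `# ptrace is needed for <reason>; admin domains can read httpd memory` would make that intent explicit.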