# $Id: usr.sbin.httpd2-prefork 274 2007-01-03 06:51:17Z seth_arnold $
# ------------------------------------------------------------------
# Copyright (C) 2002-2005 Novell/SUSE
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
# ------------------------------------------------------------------
#include <tunables/global>
# Profile attached to the httpd2-prefork binary. The rules directly inside it confine
# the server whenever it is not running in one of the ^hats declared further down.
/usr/sbin/httpd2-prefork {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/kerberosclient>
#include <abstractions/nameservice>
#include <abstractions/perl>
# Lets the confined server bind privileged ports (below 1024), e.g. 80 and 443.
capability net_bind_service,
# CAP_SYS_TTY_CONFIG: vhangup(2) and privileged tty configuration.
# NOTE(review): unusual for a web server; confirm which module needs it before keeping it.
capability sys_tty_config,
/etc/apache2/*.conf r,
/etc/apache2/mod_perl-startup.pl r,
/etc/apache2/ssl.crt/*.crt r,
# TLS private keys, read-only. Anything that runs under the main profile can read
# them, which includes in-process interpreter code (mod_perl, mod_php, mod_python).
# NOTE(review): request handling should run in a hat that does not repeat this rule,
# so that served content cannot reach the keys - confirm the hat setup does that.
/etc/apache2/ssl.key/*.key r,
/etc/apache2/{conf,sysconfig,vhosts}.d r,
/etc/apache2/{conf,sysconfig,vhosts}.d/* r,
/proc/sys/kernel/ngroups_max r,
# Fixed-name semaphore files in /tmp (this rule and the two after it). w and l only:
# the server may write and hard-link them but not read them.
# NOTE(review): predictable names in a world-writable directory can be pre-created by
# other local users; prefer a server-owned runtime directory if the modules allow it.
/tmp/auth_ldap_cache.sem wl,
/tmp/session_mm_apache0.sem wl,
/tmp/session_mm_apache2handler0.sem wl,
/usr/X11R6/lib64/lib*.so* mr,
/usr/X11R6/lib/lib*.so* mr,
/usr/apache2/error/* r,
/usr/lib64/apache2-leader/{lib,mod_}*.so* mr,
/usr/lib64/apache2-metuxmpm/{lib,mod_}*.so* mr,
/usr/lib64/apache2-prefork/{lib,mod_}*.so* mr,
/usr/lib64/apache2-worker/{lib,mod_}*.so* mr,
/usr/lib64/apache2/modules/{lib,mod_}*.so* mr,
/usr/lib64/apache2/{lib,mod_}*.so* mr,
/usr/lib/apache2-leader/{lib,mod_}*.so* mr,
/usr/lib/apache2-metuxmpm/{lib,mod_}*.so* mr,
/usr/lib/apache2-prefork/{lib,mod_}*.so* mr,
/usr/lib/apache2-worker/{lib,mod_}*.so* mr,
/usr/lib/apache2/modules/{lib,mod_}*.so* mr,
/usr/lib64/mysql/libmysql*.so* mr,
/usr/lib64/php/extensions/*.so mr,
/usr/lib64/php4/*.so mr,
/usr/lib64/python[12].[0-9]/**.{py,pyc,pth,so} mr,
/usr/lib64/python[12].[0-9]/site-packages r,
/usr/lib64/qt3/lib/lib*.so* mr,
/usr/lib/apache2/{lib,mod_}*.so mr,
/usr/lib/mysql/libmysql*.so* mr,
/usr/lib/php/extensions/*.so mr,
/usr/lib/php4/*.so mr,
/usr/lib/python[12].[0-9]/**.{py,pyc,pth,so} mr,
/usr/lib/python[12].[0-9]/site-packages r,
/usr/lib/qt3/lib/lib*.so* mr,
/usr/local/tomcat/conf/mod_jk.conf r,
/usr/local/tomcat/conf/workers-ajp12.properties r,
/usr/sbin/httpd2-prefork r,
/usr/share/apache2/error/* r,
/usr/share/apache2/error/include/* r,
/usr/share/misc/magic.mime r,
/usr/share/snmp/mibs r,
/usr/share/snmp/mibs/*.{txt,mib} r,
# The only writable path under /usr/share in the visible rules.
# NOTE(review): presumably an SNMP MIB index rewritten by a loaded module; confirm it
# is still needed, since write access to shared system data should be the exception.
/usr/share/snmp/mibs/.index wr,
/usr/share/ssl/openssl.cnf r,
/var/lock/httpd2.lock.* wl,
# Log files directly under /var/log/apache2: read, write and link. The later
# /var/log/apache2/** rwl rule matches these files too, plus anything in subdirectories.
# NOTE(review): logging only needs write; r and l let code running in this profile
# read back and hard-link log files. Newer AppArmor releases offer an append-only
# 'a' mode - consider it if the installed version supports it.
/var/log/apache2/* rwl,
/var/log/httpd/ssl_scache.dir r,
/var/log/httpd/ssl_scache.pag r,
/var/run/httpd2.mm.* wl,
/var/run/httpd2.pid wl,
# Note that mod_perl, mod_php, mod_python, etc., allow in-apache
# execution of content regardless of 'x' permissions, as no exec(2)
# takes place to perform a domain change.
# suexec execution of CGIs will require appropriate permissions
# m: may be mapped executable; r: readable; ix: executed with this same profile
# inherited, so suexec2 gets no separate, narrower confinement of its own.
# NOTE(review): a dedicated suexec2 profile entered with a px transition would confine
# it independently of the server; confirm whether inheriting is intended here.
/usr/sbin/suexec2 mixr,
/var/log/apache2/** rwl,
# Allow any CGIs in user directories to run, inheriting the apache profile:
# /home/*/public_html/** mixr,
# (note that if you are using mod_change_hat, you have a choice of
# providing necessary access in this file OR in URI-specific hats, or
# hats in the <VHost>, <Location>, or <Directory> directives. Please
# see the user's guide or mod_apparmor(5) for more information.)
# Allow site-wide CGIs to run, inheriting the apache profile:
# /srv/www/cgi-bin/** mixr,
# /var/www/cgi-bin/** mixr,
# @{HOME} is a tunable variable (tunables are pulled in by the include at the top of
# the file). This rule and the next give read-only access to each user's public_html
# tree. There is no x permission, so nothing there can be exec'd as a CGI unless the
# commented-out mixr rule is enabled. Content handled by in-process interpreters is
# still run, because that involves no exec(2).
@{HOME}/public_html r,
@{HOME}/public_html/** r,
/var/www/icons/*.{gif,jpg,png} r,
# SuSE locations (LSB?)
/srv/www/htdocs/** r,
/srv/www/icons/*.{gif,jpg,png} r,
/srv/www/vhosts/** r,
# SuSE location of the apache manual + error pages
/usr/share/apache2/** r,
# PHP session files: read, write and link for all code running under this profile.
# NOTE(review): every in-process script shares this access, so this profile does not
# keep one site's sessions apart from another's; separate them per vhost or hat if
# sites must be isolated from each other.
/var/lib/php/sess_* rwl,
# Hat: a sub-profile the server switches into with change_hat (mod_apparmor /
# mod_change_hat). A hat's rules replace the parent profile's rather than add to them.
# NOTE(review): by its name this is the hat used while a request is still being parsed.
# The rules visible for it are the nameservice abstraction and write-only log access;
# keep it that narrow.
^HANDLING_UNTRUSTED_INPUT {
#include <abstractions/nameservice>
/var/log/apache2/* w,
# NOTE(review): this listing jumps from source line 140 to 145 here, so the lines that
# close ^HANDLING_UNTRUSTED_INPUT and open the next block are not shown. The rules from
# this point on presumably belong to a different hat (mod_apparmor's DEFAULT_URI is the
# usual one) - confirm against the full profile before reading them as part of the
# untrusted-input hat.
#include <abstractions/nameservice>
#include <abstractions/base>
# Note that mod_perl, mod_php, mod_python, etc., allow in-apache
# execution of content regardless of 'x' permissions, as no exec(2)
# takes place to perform a domain change.
# suexec execution of CGIs will require appropriate permissions
/usr/sbin/suexec2 mixr,
/var/log/apache2/** rwl,
# Allow any CGIs in user directories to run, inheriting the apache profile:
# /home/*/public_html/** mixr,
# (note that if you are using mod_change_hat, you have a choice of
# providing necessary access in this file OR in URI-specific hats, or
# hats in the <VHost>, <Location>, or <Directory> directives. Please
# see the user's guide or mod_apparmor(5) for more information.)
# Allow site-wide CGIs to run, inheriting the apache profile:
# /srv/www/cgi-bin/** mixr,
# /var/www/cgi-bin/** mixr,
@{HOME}/public_html r,
@{HOME}/public_html/** r,
/var/www/icons/*.{gif,jpg,png} r,
# SuSE locations (LSB?)
/srv/www/htdocs/** r,
/srv/www/icons/*.{gif,jpg,png} r,
/srv/www/vhosts/** r,
# SuSE location of the apache manual + error pages
/usr/share/apache2/** r,
/var/lib/php/sess_* rwl,