# ------------------------------------------------------------------
# Copyright (C) 2002-2005 Novell/SUSE
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
# ------------------------------------------------------------------
#include <tunables/global>
/usr/sbin/httpd2-prefork {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/kerberosclient>
#include <abstractions/nameservice>
#include <abstractions/perl>
capability net_bind_service,
capability sys_tty_config,
/etc/apache2/*.conf r,
/etc/apache2/mod_perl-startup.pl r,
/etc/apache2/ssl.crt/*.crt r,
/etc/apache2/ssl.key/*.key r,
/etc/apache2/{conf,sysconfig,vhosts}.d/ r,
/etc/apache2/{conf,sysconfig,vhosts}.d/* r,
/tmp/auth_ldap_cache.sem wl,
/tmp/session_mm_apache0.sem wl,
/tmp/session_mm_apache2handler0.sem wl,
/usr/X11R6/lib64/lib*.so* mr,
/usr/X11R6/lib/lib*.so* mr,
/usr/apache2/error/* r,
/usr/lib64/apache2-leader/{lib,mod_}*.so* mr,
/usr/lib64/apache2-metuxmpm/{lib,mod_}*.so* mr,
/usr/lib64/apache2-prefork/{lib,mod_}*.so* mr,
/usr/lib64/apache2-worker/{lib,mod_}*.so* mr,
/usr/lib64/apache2/modules/{lib,mod_}*.so* mr,
/usr/lib64/apache2/{lib,mod_}*.so* mr,
/usr/lib/apache2-leader/{lib,mod_}*.so* mr,
/usr/lib/apache2-metuxmpm/{lib,mod_}*.so* mr,
/usr/lib/apache2-prefork/{lib,mod_}*.so* mr,
/usr/lib/apache2-worker/{lib,mod_}*.so* mr,
/usr/lib/apache2/modules/{lib,mod_}*.so* mr,
/usr/lib64/mysql/libmysql*.so* mr,
/usr/lib64/php/extensions/*.so mr,
/usr/lib64/php4/*.so mr,
/usr/lib64/python[12].[0-9]/**.{py,pyc,pth,so} mr,
/usr/lib64/python[12].[0-9]/site-packages r,
/usr/lib64/qt3/lib/lib*.so* mr,
/usr/lib/apache2/{lib,mod_}*.so mr,
/usr/lib/mysql/libmysql*.so* mr,
/usr/lib/php/extensions/*.so mr,
/usr/lib/php4/*.so mr,
/usr/lib/python[12].[0-9]/**.{py,pyc,pth,so} mr,
/usr/lib/python[12].[0-9]/site-packages r,
/usr/lib/qt3/lib/lib*.so* mr,
/usr/local/tomcat/conf/mod_jk.conf r,
/usr/local/tomcat/conf/workers-ajp12.properties r,
/usr/sbin/httpd2-prefork r,
/usr/share/apache2/error/* r,
/usr/share/apache2/error/include/* r,
/usr/share/misc/magic.mime r,
/usr/share/snmp/mibs r,
/usr/share/snmp/mibs/*.{txt,mib} r,
/usr/share/snmp/mibs/.index wr,
/usr/share/ssl/openssl.cnf r,
/var/lock/httpd2.lock.* wl,
/var/log/apache2/* rwl,
/var/log/httpd/ssl_scache.dir r,
/var/log/httpd/ssl_scache.pag r,
/var/run/httpd2.mm.* wl,
/var/run/httpd2.pid wl,
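# Note that mod_perl, mod_php, mod_python, etc., allow in-apache
# execution of content regardless of 'x' permissions, as no exec(2)
# takes place to perform a domain change. Such content therefore runs
# with every permission this profile grants (for example, the read rule
# on /etc/apache2/ssl.key/*.key) unless the request is handled in a hat.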
# suexec execution of CGIs will require appropriate permissions
/usr/sbin/suexec2 mixr,
/var/log/apache2/** rwl,
# Allow any CGIs in user directories to run, inheriting the apache profile:
# /home/*/public_html/** mixr,
# (Note that if you are using mod_change_hat, you have a choice of
# providing necessary access in this file OR in URI-specific hats, or
# hats in the <VHost>, <Location>, or <Directory> directives. Please
# see the user's guide or mod_apparmor(5) for more information.)
# Allow site-wide CGIs to run, inheriting the apache profile:
# /srv/www/cgi-bin/** mixr,
# /var/www/cgi-bin/** mixr,
@{HOME}/public_html r,
@{HOME}/public_html/** r,
/var/www/icons/*.{gif,jpg,png} r,
# SuSE locations (LSB?)
/srv/www/htdocs/** r,
/srv/www/icons/*.{gif,jpg,png} r,
/srv/www/vhosts/** r,
# SuSE location of the apache manual + error pages
/usr/share/apache2/** r,
/var/lib/php/sess_* rwl,
^HANDLING_UNTRUSTED_INPUT {
#include <abstractions/nameservice>
/var/log/apache2/* w,
#include <abstractions/nameservice>
#include <abstractions/base>
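# Note that mod_perl, mod_php, mod_python, etc., allow in-apache
# execution of content regardless of 'x' permissions, as no exec(2)
# takes place to perform a domain change. Such content is therefore
# confined only by the rules in effect for the Apache process that
# handles the request.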
# suexec execution of CGIs will require appropriate permissions
/usr/sbin/suexec2 mixr,
/var/log/apache2/** rwl,
# Allow any CGIs in user directories to run, inheriting the apache profile:
# /home/*/public_html/** mixr,
# (Note that if you are using mod_change_hat, you have a choice of
# providing necessary access in this file OR in URI-specific hats, or
# hats in the <VHost>, <Location>, or <Directory> directives. Please
# see the user's guide or mod_apparmor(5) for more information.)
# Allow site-wide CGIs to run, inheriting the apache profile:
# /srv/www/cgi-bin/** mixr,
# /var/www/cgi-bin/** mixr,
@{HOME}/public_html r,
@{HOME}/public_html/** r,
/var/www/icons/*.{gif,jpg,png} r,
# SuSE locations (LSB?)
/srv/www/htdocs/** r,
/srv/www/icons/*.{gif,jpg,png} r,
/srv/www/vhosts/** r,
# SuSE location of the apache manual + error pages
/usr/share/apache2/** r,
/var/lib/php/sess_* rwl,