## <summary>Apache web server</summary>

########################################

## <summary>

##	Create a set of derived types for apache

##	web content.

## </summary>

## <param name="prefix">

##	<summary>

##	The prefix to be used for deriving type names.

##	</summary>

## </param>

#

template(`apache_content_template',`

	gen_require(`

		attribute httpdcontent;

		attribute httpd_exec_scripts;

		attribute httpd_script_exec_type;

		type httpd_t, httpd_suexec_t, httpd_log_t;

	')

	# allow write access to public file transfer

	# services files.

	gen_tunable(allow_httpd_$1_script_anon_write, false)

	#This type is for webpages

	type httpd_$1_content_t, httpdcontent; # customizable

	files_type(httpd_$1_content_t)

	# This type is used for .htaccess files

	type httpd_$1_htaccess_t; # customizable;

	files_type(httpd_$1_htaccess_t)

	# Type that CGI scripts run as

	type httpd_$1_script_t;

	domain_type(httpd_$1_script_t)

	role system_r types httpd_$1_script_t;

	# This type is used for executable scripts files

	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;

	corecmd_shell_entry_type(httpd_$1_script_t)

	domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)

	# The following three are the only areas that 

	# scripts can read, read/write, or append to

	type httpd_$1_script_ro_t, httpdcontent; # customizable

	files_type(httpd_$1_script_ro_t)

	type httpd_$1_script_rw_t, httpdcontent; # customizable

	files_type(httpd_$1_script_rw_t)

	type httpd_$1_script_ra_t, httpdcontent; # customizable

	files_type(httpd_$1_script_ra_t)

	allow httpd_t httpd_$1_htaccess_t:file read_file_perms;

	domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)

	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;

	allow httpd_$1_script_t self:fifo_file rw_file_perms;

	allow httpd_$1_script_t self:unix_stream_socket connectto;

	allow httpd_$1_script_t httpd_t:fifo_file write;

	# apache should set close-on-exec

	dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };

	# Allow the script process to search the cgi directory, and users directory

	allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;

	append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)

	logging_search_logs(httpd_$1_script_t)

	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)

	allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms;

	allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };

	read_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)

	append_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)

	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)

	allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms;

	read_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)

	read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)

	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)

	manage_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)

	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)

	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)

	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)

	files_tmp_filetrans(httpd_$1_script_t, httpd_$1_script_rw_t, { dir file lnk_file sock_file fifo_file })

	kernel_dontaudit_search_sysctl(httpd_$1_script_t)

	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)

	dev_read_rand(httpd_$1_script_t)

	dev_read_urand(httpd_$1_script_t)

	corecmd_exec_all_executables(httpd_$1_script_t)

	files_exec_etc_files(httpd_$1_script_t)

	files_read_etc_files(httpd_$1_script_t)

	files_search_home(httpd_$1_script_t)

	libs_use_ld_so(httpd_$1_script_t)

	libs_use_shared_libs(httpd_$1_script_t)

	libs_exec_ld_so(httpd_$1_script_t)

	libs_exec_lib_files(httpd_$1_script_t)

	miscfiles_read_fonts(httpd_$1_script_t)

	miscfiles_read_public_files(httpd_$1_script_t)

	seutil_dontaudit_search_config(httpd_$1_script_t)

	tunable_policy(`httpd_enable_cgi && httpd_unified',`

		allow httpd_$1_script_t httpdcontent:file entrypoint;

		manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)

		manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)

		manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)

		can_exec(httpd_$1_script_t, httpdcontent)

	')

	tunable_policy(`allow_httpd_$1_script_anon_write',`

		miscfiles_manage_public_files(httpd_$1_script_t)

	') 

	# Allow the web server to run scripts and serve pages

	tunable_policy(`httpd_builtin_scripting',`

		manage_dirs_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)

		manage_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)

		manage_lnk_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)

		rw_sock_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)

		allow httpd_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };

		read_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)

		append_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)

		read_lnk_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)

		allow httpd_t httpd_$1_script_ro_t:dir list_dir_perms;

		read_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)

		read_lnk_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)

		allow httpd_t httpd_$1_content_t:dir list_dir_perms;

		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)

		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)

	')

	tunable_policy(`httpd_enable_cgi',`

		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;

		# privileged users run the script:

		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)

		# apache runs the script:

		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)

		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };

		allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;

		allow httpd_$1_script_t self:process { setsched signal_perms };

		allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;

		allow httpd_$1_script_t httpd_t:fd use;

		allow httpd_$1_script_t httpd_t:process sigchld;

		kernel_read_system_state(httpd_$1_script_t)

		dev_read_urand(httpd_$1_script_t)

		fs_getattr_xattr_fs(httpd_$1_script_t)

		files_read_etc_runtime_files(httpd_$1_script_t)

		files_read_usr_files(httpd_$1_script_t)

		libs_read_lib_files(httpd_$1_script_t)

		miscfiles_read_localization(httpd_$1_script_t)

	')

	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`

		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;

		allow httpd_$1_script_t self:udp_socket create_socket_perms;

		corenet_all_recvfrom_unlabeled(httpd_$1_script_t)

		corenet_all_recvfrom_netlabel(httpd_$1_script_t)

		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)

		corenet_udp_sendrecv_all_if(httpd_$1_script_t)

		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)

		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)

		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)

		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)

		sysnet_read_config(httpd_$1_script_t)

	')

	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`

		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;

		allow httpd_$1_script_t self:udp_socket create_socket_perms;

		corenet_all_recvfrom_unlabeled(httpd_$1_script_t)

		corenet_all_recvfrom_netlabel(httpd_$1_script_t)

		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)

		corenet_udp_sendrecv_all_if(httpd_$1_script_t)

		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)

		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)

		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)

		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)

		corenet_tcp_connect_all_ports(httpd_$1_script_t)

		corenet_sendrecv_all_client_packets(httpd_$1_script_t)

		sysnet_read_config(httpd_$1_script_t)

	')

	optional_policy(`

		mta_send_mail(httpd_$1_script_t)

	')

	optional_policy(`

		tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`

			mysql_tcp_connect(httpd_$1_script_t)

		')

	')

	optional_policy(`

		tunable_policy(`httpd_enable_cgi && allow_ypbind',`

			nis_use_ypbind_uncond(httpd_$1_script_t)

		')

	')

	optional_policy(`

		postgresql_unpriv_client(httpd_$1_script_t)

		tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`

			postgresql_tcp_connect(httpd_$1_script_t)

		')

	')

	optional_policy(`

		nscd_socket_use(httpd_$1_script_t)

	')

')

#######################################

## <summary>

##	The per role template for the apache module.

## </summary>

## <desc>

##	

##	This template creates types used for web pages

##	and web cgi to be used from the user home directory.

##	

##	

##	This template is invoked automatically for each user, and

##	generally does not need to be invoked directly

##	by policy writers.

##	

## </desc>

## <param name="userdomain_prefix">

##	<summary>

##	The prefix of the user domain (e.g., user

##	is the prefix for user_t).

##	</summary>

## </param>

## <param name="user_domain">

##	<summary>

##	The type of the user domain.

##	</summary>

## </param>

## <param name="user_role">

##	<summary>

##	The role associated with the user domain.

##	</summary>

## </param>

#

template(`apache_per_role_template', `

	gen_require(`

		attribute httpdcontent, httpd_script_domains;

		attribute httpd_exec_scripts, httpd_user_content_type;

		attribute httpd_user_script_exec_type;

		type httpd_t, httpd_suexec_t, httpd_log_t;

	')

	apache_content_template($1)

	typeattribute httpd_$1_content_t httpd_user_content_type;

	typeattribute httpd_$1_script_ra_t httpd_user_content_type;

	typeattribute httpd_$1_script_rw_t httpd_user_content_type;

	typeattribute httpd_$1_script_ro_t httpd_user_content_type;

	typeattribute httpd_$1_script_exec_t httpd_user_script_exec_type;

	typeattribute httpd_$1_script_t httpd_script_domains;

	userdom_user_home_content($1,httpd_$1_content_t)

	role $3 types httpd_$1_script_t;

	allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom };

	allow $2 httpd_$1_htaccess_t:file { manage_file_perms relabelto relabelfrom };

	manage_dirs_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)

	manage_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)

	manage_lnk_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)

	relabel_dirs_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)

	relabel_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)

	relabel_lnk_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)

	manage_dirs_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)

	manage_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)

	manage_lnk_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)

	relabel_dirs_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)

	relabel_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)

	relabel_lnk_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)

	manage_dirs_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)

	manage_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)

	manage_lnk_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)

	relabel_dirs_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)

	relabel_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)

	relabel_lnk_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)

	manage_dirs_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)

	manage_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)

	manage_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)

	relabel_dirs_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)

	relabel_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)

	relabel_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)

	tunable_policy(`httpd_enable_cgi',`

		# If a user starts a script by hand it gets the proper context

		domtrans_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_t)

	')

	tunable_policy(`httpd_enable_cgi && httpd_unified',`

		allow httpd_$1_script_t httpdcontent:file entrypoint;

		domtrans_pattern($2, httpdcontent, httpd_$1_script_t)

	')

	# allow accessing files/dirs below the users home dir

	tunable_policy(`httpd_enable_homedirs',`

		userdom_search_user_home_dirs($1,httpd_t)

		userdom_search_user_home_dirs($1,httpd_suexec_t)

		userdom_search_user_home_dirs($1,httpd_$1_script_t)

	')

')

########################################

## <summary>

##	Read httpd user scripts executables.

## </summary>

## <param name="domain_prefix">

##	<summary>

##	Prefix of the domain. Example, user would be

##	the prefix for the uder_t domain.

##	</summary>

## </param>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

template(`apache_read_user_scripts',`

	gen_require(`

		type httpd_$1_script_exec_t;

	')

	allow $2 httpd_$1_script_exec_t:dir list_dir_perms;

	read_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)

	read_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)

')

########################################

## <summary>

##	Read user web content.

## </summary>

## <param name="domain_prefix">

##	<summary>

##	Prefix of the domain. Example, user would be

##	the prefix for the uder_t domain.

##	</summary>

## </param>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

template(`apache_read_user_content',`

	gen_require(`

		type httpd_$1_content_t;

	')

	allow $2 httpd_$1_content_t:dir list_dir_perms;

	read_files_pattern($2, httpd_$1_content_t, httpd_$1_content_t)

	read_lnk_files_pattern($2, httpd_$1_content_t, httpd_$1_content_t)

')

########################################

## <summary>

##	Transition to apache.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`apache_domtrans',`

	gen_require(`

		type httpd_t, httpd_exec_t;

	')

	corecmd_search_bin($1)

	domtrans_pattern($1, httpd_exec_t, httpd_t)

')

########################################

## <summary>

##	Send a null signal to apache.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`apache_signull',`

	gen_require(`

		type httpd_t;

	')

	allow $1 httpd_t:process signull;

')

########################################

## <summary>

##	Send a SIGCHLD signal to apache.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`apache_sigchld',`

	gen_require(`

		type httpd_t;

	')

	allow $1 httpd_t:process sigchld;

')

########################################

## <summary>

##	Inherit and use file descriptors from Apache.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`apache_use_fds',`

	gen_require(`

		type httpd_t;

	')

	allow $1 httpd_t:fd use;

')

########################################

## <summary>

##	Do not audit attempts to read and write Apache

##	unix domain stream sockets.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`apache_dontaudit_rw_stream_sockets',`

	gen_require(`

		type httpd_t;

	')

	dontaudit $1 httpd_t:unix_stream_socket { read write };

')

########################################

## <summary>

##	Do not audit attempts to read and write Apache

##	TCP sockets.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`apache_dontaudit_rw_tcp_sockets',`

	gen_require(`

		type httpd_t;

	')

	dontaudit $1 httpd_t:tcp_socket { read write };

')

########################################

## <summary>

##	Create, read, write, and delete all web content.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

## <rolecap/>

#

interface(`apache_manage_all_content',`

	gen_require(`

		attribute httpdcontent, httpd_script_exec_type;

	')

	manage_dirs_pattern($1, httpdcontent, httpdcontent)

	manage_files_pattern($1, httpdcontent, httpdcontent)

	manage_lnk_files_pattern($1, httpdcontent, httpdcontent)

	manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type)

	manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)

	manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)

')

########################################

## <summary>

##	Allow the specified domain to read

##	and write Apache cache files.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`apache_rw_cache_files',`

	gen_require(`

		type httpd_cache_t;

	')

	allow $1 httpd_cache_t:file rw_file_perms;

')

########################################

## <summary>

##	Allow the specified domain to read

##	apache configuration files.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

## <rolecap/>

#

interface(`apache_read_config',`

	gen_require(`

		type httpd_config_t;

	')

	files_search_etc($1)

	allow $1 httpd_config_t:dir list_dir_perms;

	read_files_pattern($1, httpd_config_t, httpd_config_t)

	read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)

')

########################################

## <summary>

##	Allow the specified domain to manage

##	apache configuration files.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`apache_manage_config',`

	gen_require(`

		type httpd_config_t;

	')

	files_search_etc($1)

	manage_dirs_pattern($1, httpd_config_t, httpd_config_t)

	manage_files_pattern($1, httpd_config_t, httpd_config_t)

	read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)

')

########################################

## <summary>

##	Execute the Apache helper program with

##	a domain transition.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`apache_domtrans_helper',`

	gen_require(`

		type httpd_helper_t, httpd_helper_exec_t;

	')

	corecmd_search_bin($1)

	domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t)

')

########################################

## <summary>

##	Execute the Apache helper program with

##	a domain transition, and allow the

##	specified role the dmidecode domain.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

## <param name="role">

##	<summary>

##	The role to be allowed the dmidecode domain.

##	</summary>

## </param>

## <param name="terminal">

##	<summary>

##	The type of the terminal allow the dmidecode domain to use.

##	</summary>

## </param>

## <rolecap/>

#

interface(`apache_run_helper',`

	gen_require(`

		type httpd_helper_t;

	')

	apache_domtrans_helper($1)

	role $2 types httpd_helper_t;

	allow httpd_helper_t $3:chr_file rw_term_perms;

')

########################################

## <summary>

##	Allow the specified domain to read

##	apache log files.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

## <rolecap/>

#

interface(`apache_read_log',`

	gen_require(`

		type httpd_log_t;

	')

	logging_search_logs($1)

	allow $1 httpd_log_t:dir list_dir_perms;

	read_files_pattern($1, httpd_log_t, httpd_log_t)

	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)

')

########################################

## <summary>

##	Allow the specified domain to append

##	to apache log files.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`apache_append_log',`

	gen_require(`

		type httpd_log_t;

	')

	logging_search_logs($1)

	allow $1 httpd_log_t:dir list_dir_perms;

	append_files_pattern($1, httpd_log_t, httpd_log_t)

')

########################################

## <summary>

##	Do not audit attempts to append to the

##	Apache logs.

## </summary>

## <param name="domain">

##	<summary>

##	Domain to not audit.

##	</summary>

## </param>

#

interface(`apache_dontaudit_append_log',`

	gen_require(`

		type httpd_log_t;

	')

	dontaudit $1 httpd_log_t:file { getattr append };

')

########################################

## <summary>

##	Allow the specified domain to manage

##	to apache log files.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`apache_manage_log',`

	gen_require(`

		type httpd_log_t;

	')

	logging_search_logs($1)

	manage_dirs_pattern($1, httpd_log_t, httpd_log_t)

	manage_files_pattern($1, httpd_log_t, httpd_log_t)

	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)

')

########################################

## <summary>

##	Do not audit attempts to search Apache

##	module directories.

## </summary>

## <param name="domain">

##	<summary>

##	Domain to not audit.

##	</summary>

## </param>

#

interface(`apache_dontaudit_search_modules',`

	gen_require(`

		type httpd_modules_t;

	')

	dontaudit $1 httpd_modules_t:dir search_dir_perms;

')

########################################

## <summary>

##	Allow the specified domain to list

##	the contents of the apache modules

##	directory.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`apache_list_modules',`

	gen_require(`

		type httpd_modules_t;

	')

	allow $1 httpd_modules_t:dir list_dir_perms;

')

########################################

## <summary>

##	Allow the specified domain to execute

##	apache modules.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`apache_exec_modules',`

	gen_require(`

		type httpd_modules_t;

	')

	allow $1 httpd_modules_t:dir list_dir_perms;

	allow $1 httpd_modules_t:lnk_file read_file_perms;

	can_exec($1,httpd_modules_t)

')

########################################

## <summary>

##	Execute a domain transition to run httpd_rotatelogs.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`apache_domtrans_rotatelogs',`

	gen_require(`

		type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;

	')

	domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)

')

########################################

## <summary>

##	Allow the specified domain to manage

##	apache system content files.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

## <rolecap/>

#

# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr

interface(`apache_manage_sys_content',`

	gen_require(`

		type httpd_sys_content_t;

	')

	files_search_var($1)

	manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)

	manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)

	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)

')

########################################

## <summary>

##	Execute all web scripts in the system

##	script domain.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

# cjp: this interface specifically added to allow

# sysadm_t to run scripts

interface(`apache_domtrans_sys_script',`

	gen_require(`

		attribute httpdcontent;

		type httpd_sys_script_t;

	')

	tunable_policy(`httpd_enable_cgi && httpd_unified',`

		domtrans_pattern($1, httpdcontent, httpd_sys_script_t)

	')

')

########################################

## <summary>

##	Do not audit attempts to read and write Apache

##	system script unix domain stream sockets.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`apache_dontaudit_rw_sys_script_stream_sockets',`