2017-09-10 15:11:57

by Christian Göttsche

Subject: [refpolicy] [PATCH 1/2] apache: align filecontexts

---
apache.fc | 378 +++++++++++++++++++++++++++++++-------------------------------
1 file changed, 189 insertions(+), 189 deletions(-)

diff --git a/apache.fc b/apache.fc
index 9d4d847..16fb1a6 100644
--- a/apache.fc
+++ b/apache.fc
@@ -1,194 +1,194 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
-HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
-
-/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/hiawatha(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
-/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
-/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
-/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/postfixadmin(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/hiawatha -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-
-/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-
-/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-
-/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-
-/usr/bin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
-/usr/bin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-/usr/bin/ssi-cgi -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/bin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
-
-/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
-/usr/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
-
-/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
-
-/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
+
+/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/hiawatha(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
+/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
+/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/postfixadmin(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hiawatha -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+
+/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+
+/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/usr/bin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+/usr/bin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/bin/ssi-cgi -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/bin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
+/usr/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
+
+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+
+/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)

ifdef(`distro_suse',`
-/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')

-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/postfixadmin/templates_c(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-
-/var/cache/apache2(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
-
-/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php5(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/hiawatha(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
-/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/hiawatha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/mlogc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
-
-/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-
-/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
-/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
-/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/postfixadmin/templates_c(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/var/cache/apache2(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
+
+/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php5(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/hiawatha(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/hiawatha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/mlogc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
+
+/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+
+/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
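Review bot: the subject says "align", so every `-`/`+` pair in this hunk should be textually identical once whitespace is ignored; please confirm `git diff -w` on this commit is empty, since whole-file whitespace churn is the kind of change that silently hides a real edit and makes `git blame` and backports noisier (keeping it in its own commit, as done here, is the right call). A few entries remain inconsistent with the rest of the file even after alignment and could be fixed in the same pass: `/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)` and the two `/var/www/html/[^/]*/sites/default/...` entries put a space before `s0` where every other entry writes `,s0)`; `/var/lib/stickshift/.httpd.d(/.*)?` leaves both dots unescaped, so it also matches names such as `/var/lib/stickshift/xhttpdxd`; and `/usr/share/mythweb/mythweb\.pl` and `/var/www/html/configuration\.php` lack the `--` file-type specifier that the other single-file entries carry.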
--
2.14.1


2017-09-10 15:11:58

by Christian Göttsche

Subject: [refpolicy] [PATCH 2/2] apache: update

- add filecontexts
- add reload interface (e.g. for logrotate)
- remove old aliases
- use new userdom_use_inherited_user_terminals
- more strict log access
---
apache.fc | 7 +++++++
apache.if | 19 +++++++++++++++++++
apache.te | 31 +++++++++++--------------------
3 files changed, 37 insertions(+), 20 deletions(-)

diff --git a/apache.fc b/apache.fc
index 16fb1a6..12397e9 100644
--- a/apache.fc
+++ b/apache.fc
@@ -63,6 +63,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:obje
/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/systemd/system/apache[^/]*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
/usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
/usr/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
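Review bot: the new `apache[^/]*\.service` pattern is stricter than its two neighbours, `httpd.*\.service` and `jetty.*\.service`, where `.*` also matches `/` and so labels a same-named file in a subdirectory too; consider aligning all three on `[^/]*`. If the target distribution installs its units under /lib/systemd/system rather than /usr/lib/systemd/system, this entry only applies through a /lib to /usr/lib substitution in file_contexts.subs_dist, which is worth stating in the commit message.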

@@ -144,6 +145,8 @@ ifdef(`distro_suse',`
/var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)

+/var/lock/apache2(/.*)? gen_context(system_u:object_r:httpd_lock_t,s0)
+
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
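Review bot: `/var/lock/apache2(/.*)?` uses the legacy path while the runtime entries in this file are written in the /run form (`/run/apache.*`, `/run/httpd.*` and so on, not /var/run); for consistency consider `/run/lock/apache2(/.*)?`, or state which path the distribution actually creates. Note that apache.te already carries `files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })` (visible in the apache.te hunk below), so the directory gets httpd_lock_t on creation either way; this entry matters for relabeling, and should match whatever path setfiles will actually see.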
@@ -177,6 +180,8 @@ ifdef(`distro_suse',`

/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www(/.*)?/roundcubemail/logs(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www(/.*)?/roundcubemail/temp(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
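Review bot: the `roundcubemail/logs` entry overrides the generic `/var/www(/.*)?/logs(/.*)?` -> httpd_sys_ra_content_t rule for that directory, widening it from append-only to full read/write for httpd_t and its scripts. If roundcube only appends to its log files, httpd_sys_ra_content_t would keep the tamper-resistance the generic rule provides (a compromised script could not truncate or delete its own trail); and a deployment that keeps logs under /var/log/roundcubemail is already covered by the existing `/var/log/roundcubemail(/.*)?` -> httpd_log_t entry. Please say in the commit message which layout is targeted and why rw is required for logs; the `temp` entry as rw is fine. The two entries are placed after the generic rule so, with last-match semantics, they take precedence; keep that ordering if the block is ever re-sorted.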
@@ -189,6 +194,8 @@ ifdef(`distro_suse',`
/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/sessions(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/uploads(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
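Review bot: labeling `/var/www/sessions` and `/var/www/uploads` as httpd_cache_t is inconsistent with how this file treats the same kinds of data elsewhere: PHP sessions under `/var/lib/php/session(/.*)?` get httpd_var_run_t, and WordPress uploads under `/usr/share/wordpress/wp-content/uploads(/.*)?` get httpd_sys_rw_content_t, while httpd_cache_t is otherwise used only for /var/cache/* paths. Pick one type per data class (session store, upload area) and document the choice. Whichever is chosen, keep it a type that is not script-executable, as both proposed types are, since an upload directory is exactly where attacker-controlled files land.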
diff --git a/apache.if b/apache.if
index 91191ec..135e2f5 100644
--- a/apache.if
+++ b/apache.if
@@ -390,6 +390,25 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
dontaudit $1 httpd_t:tcp_socket { read write };
')

+########################################
+## <summary>
+## Reload the httpd service (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_reload',`
+ gen_require(`
+ type httpd_unit_t;
+ class service { reload status };
+ ')
+
+ allow $1 httpd_unit_t:service { reload status };
+')
+
########################################
## <summary>
## Read all appendable content
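Review bot: the summary says "Reload the httpd service (systemd)" but the interface also grants `status`; please document both. More importantly, `httpd_unit_t:service { reload status }` on its own is not enough for a caller such as logrotate to run `systemctl reload`: the caller still has to execute systemctl and talk to systemd, which this interface does not provide, so either note that callers are expected to obtain that through the existing init/systemd interfaces or make this interface complete. It is also worth considering whether logrotate should keep signalling httpd_t directly (the pre-systemd path) through a signal-based interface, which avoids handing it any service-class access at all.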
diff --git a/apache.te b/apache.te
index 1c10521..68b0d69 100644
--- a/apache.te
+++ b/apache.te
@@ -337,20 +337,6 @@ userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
-typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
-typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
-typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
-typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
-typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
-typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
-typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
-typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
-typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
-typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
-typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
-typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
-typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };

type httpd_var_lib_t;
files_type(httpd_var_lib_t)
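Review bot: dropping the fourteen `typealias` lines removes the httpd_staff_*, httpd_sysadm_*, httpd_auditadm_* and httpd_secadm_* names outright, so any out-of-tree module or local file-context customisation that still references them will fail to load or relabel after this is merged. The commit message line "remove old aliases" should say how long they have been deprecated and name the replacement mapping (for example `httpd_user_content_t` for the former `httpd_staff_content_t`, `httpd_user_script_exec_t` for `httpd_staff_script_exec_t`) so packagers can update dependants.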
@@ -407,7 +393,10 @@ allow httpd_t httpd_lock_t:file manage_file_perms;
files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })

manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
-manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
logging_log_filetrans(httpd_t, httpd_log_t, file)

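Review bot: replacing `manage_files_pattern` with the append/create/read/setattr patterns drops `write`, `unlink`, `rename` and `link` on httpd_log_t files, so httpd_t can no longer truncate, overwrite or remove its own logs; that is the right direction for append-only logging, but the commit message entry "more strict log access" should spell out that rotation is expected from another domain (apache.fc labels `/usr/sbin/rotatelogs` as httpd_rotatelogs_exec_t) and that `manage_dirs_pattern` on the log directory is kept on purpose. A one-line comment above the four patterns would make that intent clear to the next editor.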
@@ -530,8 +519,6 @@ miscfiles_read_tetex_data(httpd_t)

seutil_dontaudit_search_config(httpd_t)

-userdom_use_unpriv_users_fds(httpd_t)
-
ifdef(`TODO',`
tunable_policy(`allow_httpd_mod_auth_pam',`
auth_domtrans_chk_passwd(httpd_t)
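Review bot: removing `userdom_use_unpriv_users_fds(httpd_t)` without a replacement will turn the previously allowed inherited-fd use into audit noise whenever httpd is started from an unprivileged user's shell, a setup the `httpd_tty_comm` tunable later in this file explicitly supports; consider `userdom_dontaudit_use_unpriv_user_fds(httpd_t)` in its place. The commit message does not mention this removal at all, so please add a line saying why the permission is no longer needed.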
@@ -656,6 +643,8 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_sc

tunable_policy(`httpd_execmem',`
allow httpd_t self:process { execmem execstack };
+',`
+ dontaudit httpd_t self:process execmem;
')

tunable_policy(`httpd_can_sendmail',`
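Review bot: the new else branch dontaudits only `execmem`, while the allow branch of `httpd_execmem` grants `{ execmem execstack }`; with the tunable off, an execstack attempt will still be logged. If the intent is to silence both, use `dontaudit httpd_t self:process { execmem execstack };`; if execstack denials should remain visible, a short comment saying so would stop the asymmetry being read as an oversight.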
@@ -707,6 +696,8 @@ tunable_policy(`httpd_read_user_content',`
tunable_policy(`httpd_setrlimit',`
allow httpd_t self:process setrlimit;
allow httpd_t self:capability sys_resource;
+',`
+ dontaudit httpd_t self:capability sys_resource;
')

tunable_policy(`httpd_ssi_exec',`
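Review bot: same asymmetry as in the `httpd_execmem` hunk: the allow branch of `httpd_setrlimit` grants both `self:process setrlimit` and `self:capability sys_resource`, but the else branch dontaudits only the capability, so denied setrlimit calls will still be audited when the tunable is off. Add `dontaudit httpd_t self:process setrlimit;` alongside, or note why only the capability is silenced.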
@@ -718,7 +709,7 @@ tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
')

tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_t)
',`
userdom_dontaudit_use_user_terminals(httpd_t)
')
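Review bot: `userdom_use_inherited_user_terminals` is described in the commit message as new, but this series only touches apache.fc, apache.if and apache.te (see the diffstat), so the interface must already exist in userdom.if before this patch is applied or the build fails on an undefined interface; please name the commit that introduced it. The same substitution is made for httpd_helper_t and httpd_suexec_t further down, so that dependency covers all three hunks. The narrowing itself is sound: the domain may only write to a terminal it inherited rather than open any user tty.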
@@ -919,7 +910,7 @@ logging_search_logs(httpd_helper_t)
logging_send_syslog_msg(httpd_helper_t)

tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
',`
userdom_dontaudit_use_user_terminals(httpd_helper_t)
')
@@ -1051,7 +1042,7 @@ tunable_policy(`httpd_tmp_exec',`
')

tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_suexec_t)
+ userdom_use_inherited_user_terminals(httpd_suexec_t)
',`
userdom_dontaudit_use_user_terminals(httpd_suexec_t)
')
--
2.14.1

2017-09-11 23:08:25

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/2] apache: align filecontexts

On 09/10/2017 11:11 AM, Christian Göttsche via refpolicy wrote:
> ---
> apache.fc | 378 +++++++++++++++++++++++++++++++-------------------------------
> 1 file changed, 189 insertions(+), 189 deletions(-)
>
> diff --git a/apache.fc b/apache.fc
> index 9d4d847..16fb1a6 100644
> --- a/apache.fc
> +++ b/apache.fc
> @@ -1,194 +1,194 @@
> -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
> -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
> +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
> +HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
> HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
> -HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
> -
> -/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> -/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> -/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> -/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/etc/hiawatha(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> -/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> -/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
> -/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
> -/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
> -/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> -/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/etc/postfixadmin(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> -/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -
> -/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> -/etc/rc\.d/init\.d/hiawatha -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> -/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> -/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> -
> -/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
> -/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -
> -/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
> -
> -/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -
> -/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -
> -/usr/bin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
> -/usr/bin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
> -/usr/bin/ssi-cgi -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/bin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
> -/usr/bin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -
> -/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
> -/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
> -/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
> -/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
> -/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
> -/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
> -/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
> -/usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
> -/usr/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
> -
> -/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
> -
> -/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/sbin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/sbin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
> -/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
> -/usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
> +
> +/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> +/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> +/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> +/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/etc/hiawatha(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> +/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> +/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
> +/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
> +/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
> +/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> +/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/etc/postfixadmin(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> +/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +
> +/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/hiawatha -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> +
> +/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
> +/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +
> +/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
> +
> +/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +
> +/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +
> +/usr/bin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
> +/usr/bin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
> +/usr/bin/ssi-cgi -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/bin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
> +/usr/bin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +
> +/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
> +/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
> +/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
> +/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
> +/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
> +/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
> +/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
> +/usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
> +/usr/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
> +
> +/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
> +
> +/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
> +/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
> +/usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
>
> ifdef(`distro_suse',`
> -/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
> ')
>
> -/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
> -/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/postfixadmin/templates_c(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -
> -/var/cache/apache2(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> -/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
> -
> -/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/php5(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/hiawatha(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
> -/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
> -/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> -/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -
> -/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/hiawatha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/mlogc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
> -/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -
> -/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
> -/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
> -/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
> -/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
> -/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
> -/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
> -/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
> -/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
> -/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
> -
> -/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
> -/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
> -
> -/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
> -/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
> -/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
> -/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
> -/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> -/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> -/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/postfixadmin/templates_c(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +
> +/var/cache/apache2(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> +/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
> +
> +/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/php5(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/hiawatha(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
> +/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> +/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +
> +/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/hiawatha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/mlogc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +
> +/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
> +
> +/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
> +/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
> +
> +/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
> +/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
> +/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
> +/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
> +/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
>
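Review bot: this hunk rewrites 189 of the 194 lines of apache.fc with no change other than column alignment, which makes `git diff -w` the only practical way to review it; the commit message is empty and should say so explicitly ("whitespace-only realignment, no label changes"). Since every line is touched anyway, a few pre-existing inconsistencies could be folded in: the `, s0` with a stray space in `/var/spool/viewvc(/.*)?` and the two `/var/www/html/[^/]*/sites/default/...` entries, the unescaped dots in `/var/lib/stickshift/.httpd.d(/.*)?` (which match any character instead of a literal dot), and the missing `--` file-type marker on `/usr/share/mythweb/mythweb\.pl` and `/var/www/html/configuration\.php` that comparable single-file entries carry.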

Merged.

--
Chris PeBenito

2017-09-11 23:13:22

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/2] apache: update

On 09/10/2017 11:11 AM, Christian Göttsche via refpolicy wrote:
> - add filecontexts
> - add reload interface (e.g. for logrotate)
> - remove old aliases
> - use new userdom_use_inherited_user_terminals
> - more strict log access
> ---
> apache.fc | 7 +++++++
> apache.if | 19 +++++++++++++++++++
> apache.te | 31 +++++++++++--------------------
> 3 files changed, 37 insertions(+), 20 deletions(-)
>
> diff --git a/apache.fc b/apache.fc
> index 16fb1a6..12397e9 100644
> --- a/apache.fc
> +++ b/apache.fc
> @@ -63,6 +63,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:obje
> /usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> /usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
> /usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
> +/usr/lib/systemd/system/apache[^/]*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
> /usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
> /usr/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
>
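
Review bot: the new `/usr/lib/systemd/system/apache[^/]*\.service` entry uses `[^/]*` where the neighbouring `httpd.*\.service` and `jetty.*\.service` entries use `.*`; `[^/]*` is the tighter form for a file directly under `system/`, so consider converting the two `.*` lines to match rather than leaving three unit-file entries in two styles. Separately, the commit message's "add filecontexts" does not say which packages introduce the new paths (this unit name, the `apache2` lock directory, roundcubemail, sessions/uploads); a one-line origin per path would help whoever maintains this file later.
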
> @@ -144,6 +145,8 @@ ifdef(`distro_suse',`
> /var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> /var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>
> +/var/lock/apache2(/.*)? gen_context(system_u:object_r:httpd_lock_t,s0)
> +
> /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> @@ -177,6 +180,8 @@ ifdef(`distro_suse',`
>
> /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> /var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
> +/var/www(/.*)?/roundcubemail/logs(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/www(/.*)?/roundcubemail/temp(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> /var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
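
Review bot: the two new `roundcubemail/logs` and `roundcubemail/temp` entries override the generic `/var/www(/.*)?/logs(/.*)?` line two lines above, which deliberately labels log directories under the web root `httpd_sys_ra_content_t` (the append-only content type). Relabelling roundcube's logs to `httpd_sys_rw_content_t` hands httpd full write, and so truncate, access to them; if roundcube only appends to its logs, the `ra` label should stay and only `temp` needs `rw`. Either way, a comment or commit-message line stating why these logs need more than append would make the exception reviewable.
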
> @@ -189,6 +194,8 @@ ifdef(`distro_suse',`
> /var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
> /var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/var/www/sessions(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
> /var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> /var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> +/var/www/uploads(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
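
Review bot: `/var/www/sessions(/.*)?` and `/var/www/uploads(/.*)?` are typed `httpd_cache_t`, while every other writable path under `/var/www` in this file is `httpd_sys_rw_content_t`. These are generic directory names that more than one web application may use, so the entries should say which application creates them and why cache rather than rw content is the intended type; otherwise an unrelated site that happens to use `/var/www/uploads` will silently get a different label than its other writable directories.
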
> diff --git a/apache.if b/apache.if
> index 91191ec..135e2f5 100644
> --- a/apache.if
> +++ b/apache.if
> @@ -390,6 +390,25 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
> dontaudit $1 httpd_t:tcp_socket { read write };
> ')
>
> +########################################
> +## <summary>
> +## Reload the httpd service (systemd).
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`apache_reload',`
> + gen_require(`
> + type httpd_unit_t;
> + class service { reload status };
> + ')
> +
> + allow $1 httpd_unit_t:service { reload status };
> +')
> +
> ########################################
> ## <summary>
> ## Read all appendable content
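
Review bot: `apache_reload` grants `status` as well as `reload` on `httpd_unit_t:service`, but the `<summary>` only mentions reloading; either document the status access in the summary or drop it if the intended caller (logrotate, per the commit message) does not need it. The interface is otherwise well-formed: the `gen_require` declares both the type and the `service` class permissions it uses, and the hunk header's 19 added lines match the block.
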
> diff --git a/apache.te b/apache.te
> index 1c10521..68b0d69 100644
> --- a/apache.te
> +++ b/apache.te
> @@ -337,20 +337,6 @@ userdom_user_home_content(httpd_user_htaccess_t)
> userdom_user_home_content(httpd_user_script_exec_t)
> userdom_user_home_content(httpd_user_ra_content_t)
> userdom_user_home_content(httpd_user_rw_content_t)
> -typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
> -typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
> -typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
> -typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
> -typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
> -typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
> -typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
> -typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
> -typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
> -typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
> -typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
> -typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
> -typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
> -typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
>
> type httpd_var_lib_t;
> files_type(httpd_var_lib_t)
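
Review bot: dropping the fourteen `typealias` lines removes the `httpd_staff_*`, `httpd_sysadm_*`, `httpd_auditadm_*` and `httpd_secadm_*` names from the policy, so any local module or file context specification that still references them will fail to load or to relabel. The commit message says only "remove old aliases"; stating that the aliases have been deprecated long enough to be dropped, and flagging the break in the changelog, would give downstream policy authors the warning they need.
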
> @@ -407,7 +393,10 @@ allow httpd_t httpd_lock_t:file manage_file_perms;
> files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
>
> manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
> -manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> +setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> logging_log_filetrans(httpd_t, httpd_log_t, file)
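
Review bot: replacing `manage_files_pattern` with the append/create/read/setattr patterns drops at least `write`, `rename` and `unlink` on `httpd_log_t` files, which is the tamper-resistance the "more strict log access" line in the description is after, but `manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)` on the line above is unchanged, so httpd_t can still create, rename and remove log directories. If the goal is that the daemon cannot tamper with existing logs, the directory side should be tightened to match, or the asymmetry explained; and the commit message should list the dropped permissions so the change is easy to revisit when something later turns out to need one of them.
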

This reverses a recent change, but I can't remember why we changed it.
Russell?


> @@ -530,8 +519,6 @@ miscfiles_read_tetex_data(httpd_t)
>
> seutil_dontaudit_search_config(httpd_t)
>
> -userdom_use_unpriv_users_fds(httpd_t)
> -
> ifdef(`TODO',`
> tunable_policy(`allow_httpd_mod_auth_pam',`
> auth_domtrans_chk_passwd(httpd_t)
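
Review bot: removing `userdom_use_unpriv_users_fds(httpd_t)` is not covered by any item in the commit message (it is not a file context, an alias, a terminal change or log access). Please say why this access is no longer needed; an unexplained removal of an existing `allow` is exactly the kind of change that gets bisected later when an admin running httpd from a shell starts seeing fd denials.
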
> @@ -656,6 +643,8 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_sc
>
> tunable_policy(`httpd_execmem',`
> allow httpd_t self:process { execmem execstack };
> +',`
> + dontaudit httpd_t self:process execmem;

Should dontaudit the execstack for completeness.

> ')
>
> tunable_policy(`httpd_can_sendmail',`
> @@ -707,6 +696,8 @@ tunable_policy(`httpd_read_user_content',`
> tunable_policy(`httpd_setrlimit',`
> allow httpd_t self:process setrlimit;
> allow httpd_t self:capability sys_resource;
> +',`
> + dontaudit httpd_t self:capability sys_resource;

Same here, dontaudit setrlimit.

> ')
>
> tunable_policy(`httpd_ssi_exec',`
> @@ -718,7 +709,7 @@ tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
> ')
>
> tunable_policy(`httpd_tty_comm',`
> - userdom_use_user_terminals(httpd_t)
> + userdom_use_inherited_user_terminals(httpd_t)
> ',`
> userdom_dontaudit_use_user_terminals(httpd_t)
> ')
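
Review bot: in this and the two following `httpd_tty_comm` hunks the allow branch moves to `userdom_use_inherited_user_terminals` while the else branch keeps `userdom_dontaudit_use_user_terminals`; confirm that the dontaudit interface covers the inherited-terminal permissions the new interface grants, otherwise disabling the boolean will now log denials that the old pair silenced.
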
> @@ -919,7 +910,7 @@ logging_search_logs(httpd_helper_t)
> logging_send_syslog_msg(httpd_helper_t)
>
> tunable_policy(`httpd_tty_comm',`
> - userdom_use_user_terminals(httpd_helper_t)
> + userdom_use_inherited_user_terminals(httpd_helper_t)
> ',`
> userdom_dontaudit_use_user_terminals(httpd_helper_t)
> ')
> @@ -1051,7 +1042,7 @@ tunable_policy(`httpd_tmp_exec',`
> ')
>
> tunable_policy(`httpd_tty_comm',`
> - userdom_use_user_terminals(httpd_suexec_t)
> + userdom_use_inherited_user_terminals(httpd_suexec_t)
> ',`
> userdom_dontaudit_use_user_terminals(httpd_suexec_t)
> ')
>


--
Chris PeBenito

2017-09-12 04:17:01

by Russell Coker

Subject: [refpolicy] [PATCH 2/2] apache: update

On Monday, 11 September 2017 7:13:22 PM AEST Chris PeBenito wrote:
> > @@ -407,7 +393,10 @@ allow httpd_t httpd_lock_t:file manage_file_perms;
> > files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
> >
> > manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > -manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > +append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > +create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > +read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > +setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
> > logging_log_filetrans(httpd_t, httpd_log_t, file)
>
> This reverses a recent change, but I can't remember why we changed it.
> Russell?

I can't remember either. But usually the case is that the application needs
some write access in some situation and therefore we have required every
access that matters.

It's not as if this change really restricts things anyway; httpd_t can still
copy the log data to a new file, and unless you are tracking inode numbers or
creation time you won't notice. I don't think create+read+append access is
meaningfully more restricting than manage_file_perms.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-09-12 09:56:29

by Christian Göttsche

Subject: [refpolicy] [PATCH 2/2] apache: update

> It's not as if this change really restricts things anyway, httpd_t can still
> copy the log data to a new file and unless you are tracking Inode numbers or
> creation time you won't notice. I don't think create+read+append access is
> meaningfully more restricting than manage_file_perms.

My idea is that the domain cannot overwrite the existing logs or
tamper with them in any way.

2017-09-12 21:23:14

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/2] apache: update

On 09/12/2017 05:56 AM, Christian Göttsche wrote:
>> It's not as if this change really restricts things anyway, httpd_t can still
>> copy the log data to a new file and unless you are tracking Inode numbers or
>> creation time you won't notice. I don't think create+read+append access is
>> meaningfully more restricting than manage_file_perms.
>
> My idea is, that the domain can not overwrite the existing logs or
> tamper with them in any way.

I'm inclined to restore the previous permissions (this patch) unless
there is a solid case for keeping what we have.

--
Chris PeBenito

2017-09-13 00:44:36

by Russell Coker

Subject: [refpolicy] [PATCH 2/2] apache: update

On Tuesday, 12 September 2017 5:23:14 PM AEST Chris PeBenito wrote:
> On 09/12/2017 05:56 AM, Christian Göttsche wrote:
> >> It's not as if this change really restricts things anyway, httpd_t can
> >> still copy the log data to a new file and unless you are tracking Inode
> >> numbers or creation time you won't notice. I don't think
> >> create+read+append access is meaningfully more restricting than
> >> manage_file_perms.
> >
> > My idea is, that the domain can not overwrite the existing logs or
> > tamper with them in any way.
>
> I'm inclined to restore the previous permissions (this patch) unless
> there is a solid case for keeping what we have.

OK, give that a go and we'll do more tests on how it works.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-09-13 08:09:49

by Christian Göttsche

Subject: [refpolicy] [PATCH 2/2] apache: update

Or should I create a boolean for the log manage permissions?

2017-09-13 2:44 GMT+02:00 Russell Coker <[email protected]>:
> On Tuesday, 12 September 2017 5:23:14 PM AEST Chris PeBenito wrote:
>> On 09/12/2017 05:56 AM, Christian Göttsche wrote:
>> >> It's not as if this change really restricts things anyway, httpd_t can
>> >> still copy the log data to a new file and unless you are tracking Inode
>> >> numbers or creation time you won't notice. I don't think
>> >> create+read+append access is meaningfully more restricting than
>> >> manage_file_perms.
>> >
>> > My idea is, that the domain can not overwrite the existing logs or
>> > tamper with them in any way.
>>
>> I'm inclined to restore the previous permissions (this patch) unless
>> there is a solid case for keeping what we have.
>
> OK give that a go and we'll do more tests about how it works.
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/
>

2017-09-13 22:45:56

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/2] apache: update

On 09/13/2017 04:09 AM, Christian Göttsche wrote:
> Or should I create a boolean for the log manage permissions?

No. If we find that under certain situations the manage permissions are
needed, we can reconsider then.


> 2017-09-13 2:44 GMT+02:00 Russell Coker <[email protected]>:
>> On Tuesday, 12 September 2017 5:23:14 PM AEST Chris PeBenito wrote:
>>> On 09/12/2017 05:56 AM, Christian Göttsche wrote:
>>>>> It's not as if this change really restricts things anyway, httpd_t can
>>>>> still copy the log data to a new file and unless you are tracking Inode
>>>>> numbers or creation time you won't notice. I don't think
>>>>> create+read+append access is meaningfully more restricting than
>>>>> manage_file_perms.
>>>>
>>>> My idea is, that the domain can not overwrite the existing logs or
>>>> tamper with them in any way.
>>>
>>> I'm inclined to restore the previous permissions (this patch) unless
>>> there is a solid case for keeping what we have.
>>
>> OK give that a go and we'll do more tests about how it works.


--
Chris PeBenito

2017-09-14 03:07:11

by Russell Coker

Subject: [refpolicy] [PATCH 2/2] apache: update

On Wednesday, 13 September 2017 6:45:56 PM AEST Chris PeBenito wrote:
> On 09/13/2017 04:09 AM, Christian Göttsche wrote:
> > Or should I create a boolean for the log manage permissions?
>
> No. If we find that under certain situations the manage permissions are
> needed, we can reconsider then.

I agree. Having lots of booleans is annoying, confusing, and not good for
security in practice.

When something like this is up for debate I think it's best to have a default
policy of removing the access in question and waiting for more evidence of why
it's needed.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/