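policy_module(lighttpd,1.0.0)

########################################
#
# Declarations
#
# Policy for the lighttpd web server, modelled on the apache policy.
# Every statement below is either a reference-policy interface (the
# defining .if file is named in the comment, with the interface's own
# description quoted) or a plain allow rule.
#

########################################
#
# Init daemon transition
#

# Process domain for the lighttpd daemon.
type lighttpd_t;

# File type for the lighttpd executable.
type lighttpd_exec_t;

# system/init.if: "Create a domain which can be started by initrc
# scripts".
init_daemon_domain(lighttpd_t, lighttpd_exec_t)

# system/libraries.if: "Use the dynamic link/loader for automatic
# loading of shared libraries".
libs_use_ld_so(lighttpd_t)

# system/libraries.if: "Load and execute functions from shared
# libraries".
libs_use_shared_libs(lighttpd_t)

# system/miscfiles.if: "Allow process to read localization info".
miscfiles_read_localization(lighttpd_t)

# kernel/terminal.if: "Do not audit attempts to read and write the
# generic pty type.  This is generally only used in the targeted
# policy".
term_dontaudit_use_generic_ptys(lighttpd_t)

# kernel/terminal.if: "Do not audit attempts to read from or write to
# the console".
term_dontaudit_use_console(lighttpd_t)

########################################
#
# Pid files
#

# File type for the lighttpd run-time files under /var/run.
type lighttpd_var_run_t;

# kernel/files.if: "Make the specified type usable for run time process
# ID files".
files_pid_file(lighttpd_var_run_t)

# Full management (create/read/write/delete/...) of files of type
# lighttpd_var_run_t and of directories of that type.
manage_files_pattern(lighttpd_t,lighttpd_var_run_t,lighttpd_var_run_t)

# The type transition below names sock_file as well as file, but
# manage_files_pattern only grants the dir and file classes.  Without
# this rule a socket created under /var/run is labelled
# lighttpd_var_run_t and the create on the sock_file class is denied.
manage_sock_files_pattern(lighttpd_t,lighttpd_var_run_t,lighttpd_var_run_t)

# kernel/files.if: "Create an object in the process ID directory, with
# a private type using a type transition".  Files and sockets that
# lighttpd_t creates in the generic pid directory get the private type.
files_pid_filetrans(lighttpd_t,lighttpd_var_run_t, { file sock_file })

########################################
#
# Daemon configuration
#

# File type for configuration files.
type lighttpd_config_t;

# kernel/files.if: "Make the specified type usable for files in a
# filesystem".
files_type(lighttpd_config_t)

# lighttpd_t may list configuration directories.
allow lighttpd_t lighttpd_config_t:dir list_dir_perms;

# Read-only access to configuration files; no write access to the
# daemon's own configuration is granted.
read_files_pattern(lighttpd_t,lighttpd_config_t,lighttpd_config_t)

# kernel/files.if: "Read generic files in /etc" (nsswitch.conf and the
# like).
files_read_etc_files(lighttpd_t)

# Change of uid/gid -- presumably so the daemon can drop from root to
# its configured server user/group after start-up; confirm against the
# deployed configuration.
allow lighttpd_t self:capability { setgid setuid };

########################################
#
# Modules
#

# File type for lighttpd's loadable modules.
type lighttpd_modules_t;

# kernel/files.if: "Make the specified type usable for files in a
# filesystem".
files_type(lighttpd_modules_t)

# lighttpd_t may list module directories.
allow lighttpd_t lighttpd_modules_t:dir list_dir_perms;

# Modules are read and executed; no write access is granted, so the
# daemon cannot replace its own modules.
read_files_pattern(lighttpd_t,lighttpd_modules_t,lighttpd_modules_t)
can_exec(lighttpd_t,lighttpd_modules_t)

# kernel/kernel.if: "Read generic kernel sysctls".
kernel_read_kernel_sysctls(lighttpd_t)

# kernel/kernel.if: "Allows caller to read system state information in
# proc" (e.g. /proc/meminfo).
kernel_read_system_state(lighttpd_t)

########################################
#
# Logging
#

# File type for log files.
type lighttpd_log_t;

# system/logging.if: "Make the specified type a file used for logs".
logging_log_file(lighttpd_log_t)

# lighttpd_t may set attributes on its log directories.
allow lighttpd_t lighttpd_log_t:dir setattr;

# Logs are created, appended to and read.  Plain write and unlink are
# not granted, which keeps a compromised daemon from truncating or
# removing its own log files.
create_files_pattern(lighttpd_t,lighttpd_log_t,lighttpd_log_t)
append_files_pattern(lighttpd_t,lighttpd_log_t,lighttpd_log_t)
read_files_pattern(lighttpd_t,lighttpd_log_t,lighttpd_log_t)

# system/logging.if: "Create an object in the log directory, with a
# private type using a type transition".
logging_log_filetrans(lighttpd_t,lighttpd_log_t,file)

########################################
#
# Networking
#

# lighttpd_t may create TCP stream sockets.
allow lighttpd_t self:tcp_socket create_stream_socket_perms;

# kernel/corenetwork.if: "Send and receive TCP network traffic on all
# interfaces" / "... on all nodes" / "... on all ports".
corenet_tcp_sendrecv_all_if(lighttpd_t)
corenet_tcp_sendrecv_all_nodes(lighttpd_t)
corenet_tcp_sendrecv_all_ports(lighttpd_t)

# kernel/corenetwork.if: "Bind TCP sockets to all nodes" (any local
# address).  The listening port itself is limited to the http and
# http_cache port types below rather than all ports.
corenet_tcp_bind_all_nodes(lighttpd_t)
corenet_tcp_bind_http_port(lighttpd_t)
corenet_tcp_bind_http_cache_port(lighttpd_t)

# kernel/corenetwork.if: "Send and receive UDP network traffic on all
# interfaces" / "... on all nodes" / "... on all ports".
# NOTE(review): this module grants only self:tcp_socket above, so these
# UDP rules only take effect if udp_socket permissions come from another
# interface -- confirm they are needed before keeping them.
corenet_udp_sendrecv_all_if(lighttpd_t)
corenet_udp_sendrecv_all_nodes(lighttpd_t)
corenet_udp_sendrecv_all_ports(lighttpd_t)

# kernel/corenetwork.if: "Send and receive http_server packets".
corenet_sendrecv_http_server_packets(lighttpd_t)

########################################
#
# Web content
#

# services/apache.if: "Allow the specified domain to manage apache
# system content files".
# NOTE(review): this grants create/write/delete over the served content,
# so a compromised worker could alter the site.  For a read-only
# deployment the search and read interfaces below are sufficient;
# confirm whether lighttpd actually writes content (uploads, caches)
# before narrowing this.
apache_manage_sys_content(lighttpd_t)

# services/apache.if: "Search apache system content".
apache_search_sys_content(lighttpd_t)

# services/apache.if: "Read apache system content".
apache_read_sys_content(lighttpd_t)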