debian-selinux-policies/policy/modules/apache.te

policy_module(apache, 2.11.4)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Determine whether httpd can modify
##	public files used for public file
##	transfer services. Directories/Files must
##	be labeled public_content_rw_t.
##	</p>
## </desc>
gen_tunable(allow_httpd_anon_write, false)

## <desc>
##	<p>
##	Determine whether httpd can use mod_auth_pam.
##	</p>
## </desc>
gen_tunable(allow_httpd_mod_auth_pam, false)

## <desc>
##	<p>
##	Determine whether httpd can use built in scripting.
##	</p>
## </desc>
gen_tunable(httpd_builtin_scripting, false)

## <desc>
##	<p>
##	Determine whether httpd can check spam.
##	</p>
## </desc>
gen_tunable(httpd_can_check_spam, false)

## <desc>
##	<p>
##	Determine whether httpd scripts and modules
##	can connect to the network using TCP.
##	</p>
## </desc>
gen_tunable(httpd_can_network_connect, false)

## <desc>
##	<p>
##	Determine whether httpd scripts and modules
##	can connect to cobbler over the network.
##	</p>
## </desc>
gen_tunable(httpd_can_network_connect_cobbler, false)

## <desc>
##	<p>
##	Determine whether scripts and modules can
##	connect to databases over the network.
##	</p>
## </desc>
gen_tunable(httpd_can_network_connect_db, false)

## <desc>
##	<p>
##	Determine whether httpd can connect to
##	ldap over the network.
##	</p>
## </desc>
gen_tunable(httpd_can_network_connect_ldap, false)

## <desc>
##	<p>
##	Determine whether httpd can connect
##	to memcache server over the network.
##	</p>
## </desc>
gen_tunable(httpd_can_network_connect_memcache, false)

## <desc>
##	<p>
##	Determine whether httpd can act as a relay.
##	</p>
## </desc>
gen_tunable(httpd_can_network_relay, false)

## <desc>
##	<p>
##	Determine whether httpd daemon can
##	connect to zabbix over the network.
##	</p>
## </desc>
gen_tunable(httpd_can_network_connect_zabbix, false)

## <desc>
##	<p>
##	Determine whether httpd can send mail.
##	</p>
## </desc>
gen_tunable(httpd_can_sendmail, false)

## <desc>
##	<p>
##	Determine whether httpd can communicate
##	with avahi service via dbus.
##	</p>
## </desc>
gen_tunable(httpd_dbus_avahi, false)

## <desc>
##	<p>
##	Determine wether httpd can use support.
##	</p>
## </desc>
gen_tunable(httpd_enable_cgi, false)

## <desc>
##	<p>
##	Determine whether httpd can act as a
##	FTP server by listening on the ftp port.
##	</p>
## </desc>
gen_tunable(httpd_enable_ftp_server, false)

## <desc>
##	<p>
##	Determine whether httpd can traverse
##	user home directories.
##	</p>
## </desc>
gen_tunable(httpd_enable_homedirs, false)

## <desc>
##	<p>
##	Determine whether httpd gpg can modify
##	public files used for public file
##	transfer services. Directories/Files must
##	be labeled public_content_rw_t.
##	</p>
## </desc>
gen_tunable(httpd_gpg_anon_write, false)

## <desc>
##	<p>
##	Determine whether httpd can execute
##	its temporary content.
##	</p>
## </desc>
gen_tunable(httpd_tmp_exec, false)

## <desc>
##	<p>
##	Determine whether httpd scripts and
##	modules can use execmem and execstack.
##	</p>
## </desc>
gen_tunable(httpd_execmem, false)

## <desc>
##	<p>
##	Determine whether httpd can connect
##	to port 80 for graceful shutdown.
##	</p>
## </desc>
gen_tunable(httpd_graceful_shutdown, false)

## <desc>
##	<p>
##	Determine whether httpd can
##	manage IPA content files.
##	</p>
## </desc>
gen_tunable(httpd_manage_ipa, false)

## <desc>
##	<p>
##	Determine whether httpd can use mod_auth_ntlm_winbind.
##	</p>
## </desc>
gen_tunable(httpd_mod_auth_ntlm_winbind, false)

## <desc>
##	<p>
##	Determine whether httpd can read
##	generic user home content files.
##	</p>
## </desc>
gen_tunable(httpd_read_user_content, false)

## <desc>
##	<p>
##	Determine whether httpd can change
##	its resource limits.
##	</p>
## </desc>
gen_tunable(httpd_setrlimit, false)

## <desc>
##	<p>
##	Determine whether httpd can run
##	SSI executables in the same domain
##	as system CGI scripts.
##	</p>
## </desc>
gen_tunable(httpd_ssi_exec, false)

## <desc>
##	<p>
##	Determine whether httpd can communicate
##	with the terminal. Needed for entering the
##	passphrase for certificates at the terminal.
##	</p>
## </desc>
gen_tunable(httpd_tty_comm, false)

## <desc>
##	<p>
##	Determine whether httpd can have full access
##	to its content types.
##	</p>
## </desc>
gen_tunable(httpd_unified, false)

## <desc>
##	<p>
##	Determine whether httpd can use
##	cifs file systems.
##	</p>
## </desc>
gen_tunable(httpd_use_cifs, false)

## <desc>
##	<p>
##	Determine whether httpd can
##	use fuse file systems.
##	</p>
## </desc>
gen_tunable(httpd_use_fusefs, false)

## <desc>
##	<p>
##	Determine whether httpd can use gpg.
##	</p>
## </desc>
gen_tunable(httpd_use_gpg, false)

## <desc>
##	<p>
##	Determine whether httpd can use
##	nfs file systems.
##	</p>
## </desc>
gen_tunable(httpd_use_nfs, false)

attribute httpdcontent;
attribute httpd_htaccess_type;

# domains that can exec all scripts
attribute httpd_exec_scripts;

attribute httpd_ra_content;
attribute httpd_rw_content;

attribute httpd_script_exec_type;

# all script domains
attribute httpd_script_domains;

attribute_role httpd_helper_roles;
roleattribute system_r httpd_helper_roles;

type httpd_t;
type httpd_exec_t;
init_daemon_domain(httpd_t, httpd_exec_t)

type httpd_cache_t;
files_type(httpd_cache_t)

type httpd_config_t;
files_config_file(httpd_config_t)

type httpd_helper_t;
type httpd_helper_exec_t;
application_domain(httpd_helper_t, httpd_helper_exec_t)
role httpd_helper_roles types httpd_helper_t;
init_rw_inherited_script_tmp_files(httpd_t)

type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)

type httpd_keytab_t;
files_type(httpd_keytab_t)

type httpd_lock_t;
files_lock_file(httpd_lock_t)

type httpd_log_t;
logging_log_file(httpd_log_t)

type httpd_modules_t;
files_type(httpd_modules_t)

type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)

type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)

type squirrelmail_spool_t;
files_tmp_file(squirrelmail_spool_t)

type httpd_suexec_t;
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
role system_r types httpd_suexec_t;

type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)

apache_content_template(sys)
corecmd_shell_entry_type(httpd_sys_script_t)
typealias httpd_sys_content_t alias ntop_http_content_t;

type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)

type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)

type httpd_unit_t;
init_unit_file(httpd_unit_t)

apache_content_template(user)
ubac_constrained(httpd_user_script_t)
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };

type httpd_var_lib_t;
files_type(httpd_var_lib_t)

type httpd_var_run_t;
files_pid_file(httpd_var_run_t)

type httpd_passwd_t;
type httpd_passwd_exec_t;
domain_type(httpd_passwd_t)
domain_entry_file(httpd_passwd_t, httpd_passwd_exec_t)
role system_r types httpd_passwd_t;

type httpd_gpg_t;
domain_type(httpd_gpg_t)
role system_r types httpd_gpg_t;

optional_policy(`
	prelink_object_file(httpd_modules_t)
')

########################################
#
# Local policy
#

allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
dontaudit httpd_t self:capability net_admin;
init_dontaudit_getattr_exec(httpd_t)

allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
allow httpd_t self:fifo_file rw_fifo_file_perms;
allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
allow httpd_t self:unix_dgram_socket sendto;
allow httpd_t self:unix_stream_socket { accept connectto listen };
allow httpd_t self:tcp_socket { accept listen };

allow httpd_t httpd_sys_content_t:dir { write remove_name add_name };
allow httpd_t httpd_sys_content_t:file { write create unlink };

manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
files_var_filetrans(httpd_t, httpd_cache_t, dir)

allow httpd_t httpd_config_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)

allow httpd_t httpd_keytab_t:file read_file_perms;

allow httpd_t httpd_lock_t:dir manage_dir_perms;
allow httpd_t httpd_lock_t:file manage_file_perms;
files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })

manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
logging_log_filetrans(httpd_t, httpd_log_t, file)

allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)

allow httpd_t httpd_rotatelogs_t:process signal_perms;

manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)

allow httpd_t httpd_suexec_exec_t:file read_file_perms;

allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
allow httpd_t httpd_sys_script_t:process signull;


manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)

manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })

manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })

setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })

manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)

can_exec(httpd_t, httpd_exec_t)

domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)

kernel_read_kernel_sysctls(httpd_t)
kernel_read_vm_sysctls(httpd_t)
kernel_read_vm_overcommit_sysctl(httpd_t)
kernel_read_network_state(httpd_t)
kernel_read_system_state(httpd_t)
kernel_search_network_sysctl(httpd_t)

corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
corenet_tcp_sendrecv_generic_if(httpd_t)
corenet_tcp_sendrecv_generic_node(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)

corenet_sendrecv_http_server_packets(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_sendrecv_http_port(httpd_t)

corenet_sendrecv_http_cache_server_packets(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
corenet_tcp_sendrecv_http_cache_port(httpd_t)

corecmd_exec_bin(httpd_t)
corecmd_exec_shell(httpd_t)

dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
dev_read_urand(httpd_t)
dev_rw_crypto(httpd_t)

domain_use_interactive_fds(httpd_t)

fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)

fs_getattr_all_fs(httpd_t)
fs_read_anon_inodefs_files(httpd_t)
fs_read_iso9660_files(httpd_t)
fs_search_auto_mountpoints(httpd_t)

files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
files_read_var_symlinks(httpd_t)
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
files_read_etc_runtime_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)

auth_use_nsswitch(httpd_t)

libs_read_lib_files(httpd_t)

logging_send_syslog_msg(httpd_t)

miscfiles_read_localization(httpd_t)
miscfiles_read_fonts(httpd_t)
miscfiles_read_public_files(httpd_t)
miscfiles_read_generic_certs(httpd_t)
miscfiles_read_tetex_data(httpd_t)

seutil_dontaudit_search_config(httpd_t)

userdom_use_unpriv_users_fds(httpd_t)

init_read_state(httpd_t)

ifdef(`init_systemd', `
	systemd_manage_passwd_run(httpd_t)
')

ifdef(`TODO',`
	tunable_policy(`allow_httpd_mod_auth_pam',`
		auth_domtrans_chk_passwd(httpd_t)

		logging_send_audit_msgs(httpd_t)
	')
')

ifdef(`hide_broken_symptoms',`
	libs_exec_lib_files(httpd_t)
')

tunable_policy(`allow_httpd_anon_write',`
	miscfiles_manage_public_files(httpd_t)
')

tunable_policy(`httpd_can_network_connect',`
	corenet_sendrecv_all_client_packets(httpd_t)
	corenet_tcp_connect_all_ports(httpd_t)
	corenet_tcp_sendrecv_all_ports(httpd_t)
')

tunable_policy(`httpd_can_network_connect_db',`
	corenet_sendrecv_gds_db_client_packets(httpd_t)
	corenet_tcp_connect_gds_db_port(httpd_t)
	corenet_tcp_sendrecv_gds_db_port(httpd_t)
	corenet_sendrecv_mssql_client_packets(httpd_t)
	corenet_tcp_connect_mssql_port(httpd_t)
	corenet_tcp_sendrecv_mssql_port(httpd_t)
	corenet_sendrecv_oracledb_client_packets(httpd_t)
	corenet_tcp_connect_oracledb_port(httpd_t)
	corenet_tcp_sendrecv_oracledb_port(httpd_t)
')

tunable_policy(`httpd_can_network_relay',`
	corenet_sendrecv_gopher_client_packets(httpd_t)
	corenet_tcp_connect_gopher_port(httpd_t)
	corenet_tcp_sendrecv_gopher_port(httpd_t)
	corenet_sendrecv_ftp_client_packets(httpd_t)
	corenet_tcp_connect_ftp_port(httpd_t)
	corenet_tcp_sendrecv_ftp_port(httpd_t)
	corenet_sendrecv_http_client_packets(httpd_t)
	corenet_tcp_connect_http_port(httpd_t)
	corenet_tcp_sendrecv_http_port(httpd_t)
	corenet_sendrecv_http_cache_client_packets(httpd_t)
	corenet_tcp_connect_http_cache_port(httpd_t)
	corenet_tcp_sendrecv_http_cache_port(httpd_t)
	corenet_sendrecv_squid_client_packets(httpd_t)
	corenet_tcp_connect_squid_port(httpd_t)
	corenet_tcp_sendrecv_squid_port(httpd_t)
')

tunable_policy(`httpd_builtin_scripting',`
	exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)

	allow httpd_t httpdcontent:dir list_dir_perms;
	allow httpd_t httpdcontent:file read_file_perms;
	allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
')

tunable_policy(`httpd_enable_cgi',`
	allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
	allow httpd_t httpd_script_exec_type:dir list_dir_perms;
	allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
')

tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
	fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
')

tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')

# tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
#	fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
# ')

tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)

	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
	manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
	manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
	manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
')

tunable_policy(`httpd_enable_ftp_server',`
	corenet_sendrecv_ftp_server_packets(httpd_t)
	corenet_tcp_bind_ftp_port(httpd_t)
	corenet_tcp_sendrecv_ftp_port(httpd_t)
')

tunable_policy(`httpd_enable_homedirs',`
	userdom_search_user_home_dirs(httpd_t)
')

tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_list_auto_mountpoints(httpd_t)
	fs_read_nfs_files(httpd_t)
	fs_read_nfs_symlinks(httpd_t)
')

tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
	fs_exec_nfs_files(httpd_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_list_auto_mountpoints(httpd_t)
	fs_read_cifs_files(httpd_t)
	fs_read_cifs_symlinks(httpd_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
	fs_exec_cifs_files(httpd_t)
')

tunable_policy(`httpd_execmem',`
	allow httpd_t self:process { execmem execstack };
')

tunable_policy(`httpd_can_sendmail',`
	corenet_sendrecv_smtp_client_packets(httpd_t)
	corenet_tcp_connect_smtp_port(httpd_t)
	corenet_tcp_sendrecv_smtp_port(httpd_t)
	corenet_sendrecv_pop_client_packets(httpd_t)
	corenet_tcp_connect_pop_port(httpd_t)
	corenet_tcp_sendrecv_pop_port(httpd_t)

	mta_send_mail(httpd_t)
	mta_signal_system_mail(httpd_t)
')

optional_policy(`
	tunable_policy(`httpd_can_network_connect_zabbix',`
		zabbix_tcp_connect(httpd_t)
	')
')

optional_policy(`
	tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
		spamassassin_domtrans_client(httpd_t)
	')
')

tunable_policy(`httpd_graceful_shutdown',`
	corenet_sendrecv_http_client_packets(httpd_t)
	corenet_tcp_connect_http_port(httpd_t)
	corenet_tcp_sendrecv_http_port(httpd_t)
')

optional_policy(`
	tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
		gpg_spec_domtrans(httpd_t, httpd_gpg_t)
	')
')

optional_policy(`
	tunable_policy(`httpd_mod_auth_ntlm_winbind',`
		samba_domtrans_winbind_helper(httpd_t)
	')
')

tunable_policy(`httpd_read_user_content',`
	userdom_read_user_home_content_files(httpd_t)
')

tunable_policy(`httpd_setrlimit',`
	allow httpd_t self:process setrlimit;
	allow httpd_t self:capability sys_resource;
')

tunable_policy(`httpd_ssi_exec',`
	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
')

tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
	can_exec(httpd_t, httpd_tmp_t)
')

tunable_policy(`httpd_tty_comm',`
	userdom_use_user_terminals(httpd_t)
',`
	userdom_dontaudit_use_user_terminals(httpd_t)
')

tunable_policy(`httpd_use_cifs',`
	fs_list_auto_mountpoints(httpd_t)
	fs_manage_cifs_dirs(httpd_t)
	fs_manage_cifs_files(httpd_t)
	fs_manage_cifs_symlinks(httpd_t)
')

tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
	fs_exec_cifs_files(httpd_t)
')

tunable_policy(`httpd_use_fusefs',`
	fs_list_auto_mountpoints(httpd_t)
	fs_manage_fusefs_dirs(httpd_t)
	fs_manage_fusefs_files(httpd_t)
	fs_read_fusefs_symlinks(httpd_t)
')

tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
	fs_exec_fusefs_files(httpd_t)
')

tunable_policy(`httpd_use_nfs',`
	fs_list_auto_mountpoints(httpd_t)
	rpc_manage_nfs_rw_content(httpd_t)
	rpc_read_nfs_content(httpd_t)
')

tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
	fs_exec_nfs_files(httpd_t)
')

optional_policy(`
	calamaris_read_www_files(httpd_t)
')

optional_policy(`
	ccs_read_config(httpd_t)
')

optional_policy(`
	clamav_domtrans_clamscan(httpd_t)
')

optional_policy(`
	cobbler_read_config(httpd_t)
	cobbler_read_lib_files(httpd_t)
')

optional_policy(`
	cron_system_entry(httpd_t, httpd_exec_t)
')

optional_policy(`
	cvs_read_data(httpd_t)
')

optional_policy(`
	daemontools_service_domain(httpd_t, httpd_exec_t)
')

optional_policy(`
	dbus_system_bus_client(httpd_t)

	tunable_policy(`httpd_dbus_avahi',`
		avahi_dbus_chat(httpd_t)
	')
')

optional_policy(`
	git_read_generic_sys_content_files(httpd_t)
')

optional_policy(`
	gitosis_read_lib_files(httpd_t)
')

optional_policy(`
	kerberos_manage_host_rcache(httpd_t)
	kerberos_read_keytab(httpd_t)
	kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
	kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
	kerberos_use(httpd_t)
')

optional_policy(`
	ldap_stream_connect(httpd_t)

	tunable_policy(`httpd_can_network_connect_ldap',`
		ldap_tcp_connect(httpd_t)
	')
')

optional_policy(`
	mailman_signal_cgi(httpd_t)
	mailman_domtrans_cgi(httpd_t)
	mailman_read_data_files(httpd_t)
	mailman_search_data(httpd_t)
	mailman_read_archive(httpd_t)
')

optional_policy(`
	memcached_stream_connect(httpd_t)

	tunable_policy(`httpd_can_network_connect_memcache',`
		memcached_tcp_connect(httpd_t)
	')

	tunable_policy(`httpd_manage_ipa',`
		memcached_manage_pid_files(httpd_t)
	')
')

optional_policy(`
	mysql_read_config(httpd_t)
	mysql_stream_connect(httpd_t)

	tunable_policy(`httpd_can_network_connect_db',`
		mysql_tcp_connect(httpd_t)
	')
')

optional_policy(`
	nagios_read_config(httpd_t)
')

optional_policy(`
	openca_domtrans(httpd_t)
	openca_signal(httpd_t)
	openca_sigstop(httpd_t)
	openca_kill(httpd_t)
')

optional_policy(`
	pcscd_read_pid_files(httpd_t)
')

optional_policy(`
	postgresql_stream_connect(httpd_t)
	postgresql_unpriv_client(httpd_t)

	tunable_policy(`httpd_can_network_connect_db',`
		postgresql_tcp_connect(httpd_t)
	')
')

optional_policy(`
	puppet_read_lib_files(httpd_t)
')

optional_policy(`
	rpc_search_nfs_state_data(httpd_t)
')

optional_policy(`
	seutil_sigchld_newrole(httpd_t)
')

optional_policy(`
	shibboleth_read_config(httpd_t)
	shibboleth_stream_connect(httpd_t)
')

optional_policy(`
	smokeping_read_lib_files(httpd_t)
')

optional_policy(`
	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')

optional_policy(`
	udev_read_db(httpd_t)
')

optional_policy(`
	yam_read_content(httpd_t)
')

########################################
#
# Helper local policy
#

read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)

append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)

files_search_etc(httpd_helper_t)

logging_search_logs(httpd_helper_t)
logging_send_syslog_msg(httpd_helper_t)

tunable_policy(`httpd_tty_comm',`
	userdom_use_user_terminals(httpd_helper_t)
',`
	userdom_dontaudit_use_user_terminals(httpd_helper_t)
')

########################################
#
# Suexec local policy
#

allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
allow httpd_suexec_t self:tcp_socket { accept listen };
allow httpd_suexec_t self:unix_stream_socket { accept listen };

create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)

manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })

kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)

corenet_all_recvfrom_unlabeled(httpd_suexec_t)
corenet_all_recvfrom_netlabel(httpd_suexec_t)
corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
corenet_tcp_sendrecv_generic_node(httpd_suexec_t)

corecmd_exec_bin(httpd_suexec_t)
corecmd_exec_shell(httpd_suexec_t)

dev_read_urand(httpd_suexec_t)

fs_read_iso9660_files(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)

files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)

auth_use_nsswitch(httpd_suexec_t)

logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)

miscfiles_read_localization(httpd_suexec_t)
miscfiles_read_public_files(httpd_suexec_t)

tunable_policy(`httpd_builtin_scripting',`
	exec_files_pattern(httpd_suexec_t, httpd_script_exec_type, httpd_script_exec_type)

	allow httpd_suexec_t httpdcontent:dir list_dir_perms;
	allow httpd_suexec_t httpdcontent:file read_file_perms;
	allow httpd_suexec_t httpdcontent:lnk_file read_lnk_file_perms;
')

tunable_policy(`httpd_can_network_connect',`
	corenet_tcp_connect_all_ports(httpd_suexec_t)
	corenet_sendrecv_all_client_packets(httpd_suexec_t)
	corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
')

tunable_policy(`httpd_can_network_connect_db',`
	corenet_sendrecv_gds_db_client_packets(httpd_suexec_t)
	corenet_tcp_connect_gds_db_port(httpd_suexec_t)
	corenet_tcp_sendrecv_gds_db_port(httpd_suexec_t)
	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
	corenet_tcp_connect_mssql_port(httpd_suexec_t)
	corenet_tcp_sendrecv_mssql_port(httpd_suexec_t)
	corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
	corenet_tcp_connect_oracledb_port(httpd_suexec_t)
	corenet_tcp_sendrecv_oracledb_port(httpd_suexec_t)
')

tunable_policy(`httpd_can_sendmail',`
	corenet_sendrecv_smtp_client_packets(httpd_suexec_t)
	corenet_tcp_connect_smtp_port(httpd_suexec_t)
	corenet_tcp_sendrecv_smtp_port(httpd_suexec_t)
	corenet_sendrecv_pop_client_packets(httpd_suexec_t)
	corenet_tcp_connect_pop_port(httpd_suexec_t)
	corenet_tcp_sendrecv_pop_port(httpd_suexec_t)
	mta_send_mail(httpd_suexec_t)
	mta_signal_system_mail(httpd_suexec_t)
')

tunable_policy(`httpd_enable_cgi && httpd_unified',`
	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_list_auto_mountpoints(httpd_suexec_t)
	fs_read_cifs_files(httpd_suexec_t)
	fs_read_cifs_symlinks(httpd_suexec_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
	fs_exec_cifs_files(httpd_suexec_t)
')

tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_list_auto_mountpoints(httpd_suexec_t)
	fs_read_nfs_files(httpd_suexec_t)
	fs_read_nfs_symlinks(httpd_suexec_t)
')

tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
	fs_exec_nfs_files(httpd_suexec_t)
')

tunable_policy(`httpd_execmem',`
	allow httpd_suexec_t self:process { execmem execstack };
')

tunable_policy(`httpd_tmp_exec',`
	can_exec(httpd_suexec_t, httpd_suexec_tmp_t)
')

tunable_policy(`httpd_tty_comm',`
	userdom_use_user_terminals(httpd_suexec_t)
',`
	userdom_dontaudit_use_user_terminals(httpd_suexec_t)
')

tunable_policy(`httpd_use_cifs',`
	fs_list_auto_mountpoints(httpd_suexec_t)
	fs_manage_cifs_dirs(httpd_suexec_t)
	fs_manage_cifs_files(httpd_suexec_t)
	fs_manage_cifs_symlinks(httpd_suexec_t)
')

tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
	fs_exec_cifs_files(httpd_suexec_t)
')

tunable_policy(`httpd_use_fusefs',`
	fs_list_auto_mountpoints(httpd_suexec_t)
	fs_manage_fusefs_dirs(httpd_suexec_t)
	fs_manage_fusefs_files(httpd_suexec_t)
	fs_read_fusefs_symlinks(httpd_suexec_t)
')

tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
	fs_exec_fusefs_files(httpd_suexec_t)
')

tunable_policy(`httpd_use_nfs',`
	fs_list_auto_mountpoints(httpd_suexec_t)
	rpc_manage_nfs_rw_content(httpd_t)
	rpc_read_nfs_content(httpd_t)
')

tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
	fs_exec_nfs_files(httpd_suexec_t)
')

optional_policy(`
	mailman_domtrans_cgi(httpd_suexec_t)
')

optional_policy(`
	mysql_stream_connect(httpd_suexec_t)
	mysql_read_config(httpd_suexec_t)

	tunable_policy(`httpd_can_network_connect_db',`
		mysql_tcp_connect(httpd_suexec_t)
	')
')

optional_policy(`
	postgresql_stream_connect(httpd_suexec_t)
	postgresql_unpriv_client(httpd_suexec_t)

	tunable_policy(`httpd_can_network_connect_db',`
		postgresql_tcp_connect(httpd_suexec_t)
	')
')

tunable_policy(`httpd_read_user_content',`
	userdom_read_user_home_content_files(httpd_suexec_t)
')

tunable_policy(`httpd_enable_homedirs',`
	userdom_search_user_home_dirs(httpd_suexec_t)
')

########################################
#
# Common script local policy
#

allow httpd_script_domains self:fifo_file rw_file_perms;
allow httpd_script_domains self:unix_stream_socket connectto;

allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;

append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)

kernel_dontaudit_search_sysctl(httpd_script_domains)
kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)

corenet_all_recvfrom_unlabeled(httpd_script_domains)
corenet_all_recvfrom_netlabel(httpd_script_domains)
corenet_tcp_sendrecv_generic_if(httpd_script_domains)
corenet_tcp_sendrecv_generic_node(httpd_script_domains)

corecmd_exec_all_executables(httpd_script_domains)

dev_read_rand(httpd_script_domains)
dev_read_urand(httpd_script_domains)

files_exec_etc_files(httpd_script_domains)
files_read_etc_files(httpd_script_domains)
files_search_home(httpd_script_domains)

libs_exec_ld_so(httpd_script_domains)
libs_exec_lib_files(httpd_script_domains)

logging_search_logs(httpd_script_domains)

miscfiles_read_fonts(httpd_script_domains)
miscfiles_read_public_files(httpd_script_domains)

seutil_dontaudit_search_config(httpd_script_domains)

tunable_policy(`httpd_enable_cgi && httpd_unified',`
	allow httpd_script_domains httpdcontent:file entrypoint;

	manage_dirs_pattern(httpd_script_domains, httpdcontent, httpdcontent)
	manage_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
	manage_lnk_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)

	can_exec(httpd_script_domains, httpdcontent)
')

tunable_policy(`httpd_enable_cgi',`
	allow httpd_script_domains self:process { setsched signal_perms };
	allow httpd_script_domains self:unix_stream_socket create_stream_socket_perms;

	kernel_read_system_state(httpd_script_domains)

	fs_getattr_all_fs(httpd_script_domains)

	files_read_etc_runtime_files(httpd_script_domains)
	files_read_usr_files(httpd_script_domains)

	libs_read_lib_files(httpd_script_domains)

	miscfiles_read_localization(httpd_script_domains)
')

optional_policy(`
	tunable_policy(`httpd_enable_cgi && allow_ypbind',`
		nis_use_ypbind_uncond(httpd_script_domains)
	')
')

tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
	corenet_sendrecv_gds_db_client_packets(httpd_script_domains)
	corenet_tcp_connect_gds_db_port(httpd_script_domains)
	corenet_tcp_sendrecv_gds_db_port(httpd_script_domains)
	corenet_sendrecv_mssql_client_packets(httpd_script_domains)
	corenet_tcp_connect_mssql_port(httpd_script_domains)
	corenet_tcp_sendrecv_mssql_port(httpd_script_domains)
	corenet_sendrecv_oracledb_client_packets(httpd_script_domains)
	corenet_tcp_connect_oracledb_port(httpd_script_domains)
	corenet_tcp_sendrecv_oracledb_port(httpd_script_domains)
')

optional_policy(`
	mysql_read_config(httpd_script_domains)
	mysql_stream_connect(httpd_script_domains)

	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
		mysql_tcp_connect(httpd_script_domains)
	')
')

optional_policy(`
	postgresql_stream_connect(httpd_script_domains)

	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
		postgresql_tcp_connect(httpd_script_domains)
	')
')

optional_policy(`
	nscd_use(httpd_script_domains)
')

########################################
#
# System script local policy
#

allow httpd_sys_script_t self:tcp_socket { accept listen };
allow httpd_sys_script_t self:unix_dgram_socket { create connect connected_socket_perms };


allow httpd_sys_script_t httpd_t:tcp_socket { read write };
allow httpd_sys_script_t httpd_t:unix_stream_socket { read write ioctl };

dontaudit httpd_sys_script_t httpd_config_t:dir search;

allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };

allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms;
allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;

kernel_read_kernel_sysctls(httpd_sys_script_t)
dev_read_sysfs(httpd_sys_script_t)

fs_search_auto_mountpoints(httpd_sys_script_t)

files_read_var_symlinks(httpd_sys_script_t)
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)

apache_domtrans_rotatelogs(httpd_sys_script_t)

auth_use_nsswitch(httpd_sys_script_t)

logging_send_syslog_msg(httpd_sys_script_t)

ifdef(`init_systemd', `
	init_search_pid_dirs(httpd_sys_script_t)
')

tunable_policy(`httpd_can_sendmail',`
	corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
	corenet_tcp_connect_smtp_port(httpd_sys_script_t)
	corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t)
	corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
	corenet_tcp_connect_pop_port(httpd_sys_script_t)
	corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)

	mta_send_mail(httpd_sys_script_t)
	mta_signal_system_mail(httpd_sys_script_t)
')

tunable_policy(`httpd_enable_homedirs',`
	userdom_search_user_home_dirs(httpd_sys_script_t)
')

tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
	corenet_tcp_connect_all_ports(httpd_sys_script_t)
	corenet_sendrecv_all_client_packets(httpd_sys_script_t)
	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
')

tunable_policy(`httpd_execmem',`
	allow httpd_sys_script_t self:process { execmem execstack };
')

tunable_policy(`httpd_read_user_content',`
	userdom_read_user_home_content_files(httpd_sys_script_t)
')

tunable_policy(`httpd_use_cifs',`
	fs_list_auto_mountpoints(httpd_sys_script_t)
	fs_manage_cifs_dirs(httpd_sys_script_t)
	fs_manage_cifs_files(httpd_sys_script_t)
	fs_manage_cifs_symlinks(httpd_sys_script_t)
')

tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
	fs_exec_cifs_files(httpd_sys_script_t)
')

tunable_policy(`httpd_use_fusefs',`
	fs_list_auto_mountpoints(httpd_sys_script_t)
	fs_manage_fusefs_dirs(httpd_sys_script_t)
	fs_manage_fusefs_files(httpd_sys_script_t)
	fs_read_fusefs_symlinks(httpd_sys_script_t)
')

tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
	fs_exec_fusefs_files(httpd_sys_script_t)
')

tunable_policy(`httpd_use_nfs',`
	fs_list_auto_mountpoints(httpd_sys_script_t)
	rpc_manage_nfs_rw_content(httpd_t)
	rpc_read_nfs_content(httpd_t)
')

tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
	fs_exec_nfs_files(httpd_sys_script_t)
')

optional_policy(`
	clamav_domtrans_clamscan(httpd_sys_script_t)
')

optional_policy(`
	postgresql_unpriv_client(httpd_sys_script_t)
')

########################################
#
# Rotatelogs local policy
#

allow httpd_rotatelogs_t self:capability dac_override;

manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)

kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)

files_read_etc_files(httpd_rotatelogs_t)

logging_search_logs(httpd_rotatelogs_t)

miscfiles_read_localization(httpd_rotatelogs_t)

########################################
#
# Unconfined script local policy
#

optional_policy(`
	apache_content_template(unconfined)
	unconfined_domain(httpd_unconfined_script_t)
')

########################################
#
# User content local policy
#

tunable_policy(`httpd_enable_homedirs',`
	userdom_search_user_home_dirs(httpd_user_script_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_list_auto_mountpoints(httpd_user_script_t)
	fs_read_cifs_files(httpd_user_script_t)
	fs_read_cifs_symlinks(httpd_user_script_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
	fs_exec_cifs_files(httpd_user_script_t)
')

tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_list_auto_mountpoints(httpd_user_script_t)
	fs_read_nfs_files(httpd_user_script_t)
	fs_read_nfs_symlinks(httpd_user_script_t)
')

tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
	fs_exec_nfs_files(httpd_user_script_t)
')

tunable_policy(`httpd_read_user_content',`
	userdom_read_user_home_content_files(httpd_user_script_t)
')

optional_policy(`
	postgresql_unpriv_client(httpd_user_script_t)
')

########################################
#
# Passwd local policy
#

allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;

dontaudit httpd_passwd_t httpd_config_t:file read_file_perms;

kernel_read_system_state(httpd_passwd_t)

corecmd_exec_bin(httpd_passwd_t)
corecmd_exec_shell(httpd_passwd_t)

dev_read_urand(httpd_passwd_t)

domain_use_interactive_fds(httpd_passwd_t)

auth_use_nsswitch(httpd_passwd_t)

miscfiles_read_generic_certs(httpd_passwd_t)
miscfiles_read_localization(httpd_passwd_t)

########################################
#
# GPG local policy
#

allow httpd_gpg_t self:process setrlimit;

allow httpd_gpg_t httpd_t:fd use;
allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
allow httpd_gpg_t httpd_t:process sigchld;

dev_read_rand(httpd_gpg_t)
dev_read_urand(httpd_gpg_t)

files_read_usr_files(httpd_gpg_t)

miscfiles_read_localization(httpd_gpg_t)

tunable_policy(`httpd_gpg_anon_write',`
	miscfiles_manage_public_files(httpd_gpg_t)
')

optional_policy(`
	apache_manage_sys_rw_content(httpd_gpg_t)
')

optional_policy(`
	gpg_entry_type(httpd_gpg_t)
	gpg_exec(httpd_gpg_t)
')