
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim:syntax=apparmor
#include <tunables/global>
/usr/sbin/httpd2-prefork {
# Profile for the prefork MPM binary. Rules in this outer scope apply to
# the whole process; the ^HANDLING_UNTRUSTED_INPUT and ^DEFAULT_URI hats
# at the bottom are narrower scopes (see the mod_change_hat note below).
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/kerberosclient>
#include <abstractions/nameservice>
#include <abstractions/perl>
# Capabilities are granted to the whole process, not scoped to a hat.
# NOTE(review): together with the `ix` rule on suexec2 further down, this
# means suexec2 runs under this same profile with these capabilities.
capability kill,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_tty_config,
/dev/random r,
/etc/apache2/*.conf r,
/etc/apache2/magic r,
/etc/apache2/mod_perl-startup.pl r,
/etc/apache2/ssl.crt/server.crt r,
# TLS private key is readable by the whole profile. Neither hat below
# grants it; keep it out of the hats.
/etc/apache2/ssl.key/server.key r,
/etc/apache2/{conf,sysconfig,vhosts}.d r,
/etc/apache2/{conf,sysconfig,vhosts}.d/* r,
/etc/fstab r,
/etc/mime.types r,
/etc/mtab r,
/etc/odbcinst.ini r,
/etc/php.d r,
/etc/php.d/** r,
/etc/php.ini r,
/proc/meminfo r,
/proc/sys/kernel/ngroups_max r,
# Fixed-name semaphore files in the shared /tmp directory; write and link
# only, no read.
/tmp/auth_ldap_cache.sem wl,
/tmp/session_mm_apache0.sem wl,
/tmp/session_mm_apache2handler0.sem wl,
/usr/X11R6/lib64/lib*.so* r,
/usr/X11R6/lib/lib*.so* r,
/usr/apache2/error/* r,
# Apache modules for every MPM variant, lib and lib64.
/usr/lib64/apache2-leader/{lib,mod_}*.so* r,
/usr/lib64/apache2-metuxmpm/{lib,mod_}*.so* r,
/usr/lib64/apache2-prefork/{lib,mod_}*.so* r,
/usr/lib64/apache2-worker/{lib,mod_}*.so* r,
/usr/lib64/apache2/modules/{lib,mod_}*.so* r,
/usr/lib64/apache2/{lib,mod_}*.so* r,
/usr/lib/apache2-leader/{lib,mod_}*.so* r,
/usr/lib/apache2-metuxmpm/{lib,mod_}*.so* r,
/usr/lib/apache2-prefork/{lib,mod_}*.so* r,
/usr/lib/apache2-worker/{lib,mod_}*.so* r,
/usr/lib/apache2/modules/{lib,mod_}*.so* r,
/usr/lib64/mysql/libmysql*.so* r,
/usr/lib64/php/extensions/*.so r,
/usr/lib64/php4/*.so r,
# python 1.x/2.x trees only (single-digit minor); python3 is not covered.
/usr/lib64/python[12].[0-9]/**.{py,pyc,pth,so} r,
/usr/lib64/python[12].[0-9]/site-packages r,
/usr/lib64/qt3/lib/lib*.so* r,
/usr/lib/apache2/{lib,mod_}*.so r,
/usr/lib/mysql/libmysql*.so* r,
/usr/lib/php/extensions/*.so r,
/usr/lib/php4/*.so r,
/usr/lib/python[12].[0-9]/**.{py,pyc,pth,so} r,
/usr/lib/python[12].[0-9]/site-packages r,
/usr/lib/qt3/lib/lib*.so* r,
/usr/local/tomcat/conf/mod_jk.conf r,
/usr/local/tomcat/conf/workers-ajp12.properties r,
/usr/sbin/httpd2-prefork r,
/usr/share/apache2/error/* r,
/usr/share/apache2/error/include/* r,
/usr/share/misc/magic.mime r,
/usr/share/snmp/mibs r,
/usr/share/snmp/mibs/*.{txt,mib} r,
# The only write rule outside /var and /tmp: the SNMP MIB index is
# rebuilt at runtime under /usr/share.
/usr/share/snmp/mibs/.index wr,
/usr/share/ssl/openssl.cnf r,
/var/lock/httpd2.lock.* wl,
# Subsumed by the `/var/log/apache2/** rwl` rule below.
/var/log/apache2/* rwl,
/var/log/httpd/ssl_scache.dir r,
/var/log/httpd/ssl_scache.pag r,
/var/run/httpd2.mm.* wl,
/var/run/httpd2.pid wl,
# Note that mod_perl, mod_php, mod_python, etc, allow in-apache
# execution of content regardless of 'x' permissions, as no exec(2)
# takes place to perform a domain change.
# suexec execution of CGIs will require appropriate permissions
/usr/sbin/suexec2 ixr,
# Allow logging
/var/log/apache2/** rwl,
# Allow any CGIs in user directories to run, inheriting the apache
# profile:
# /home/*/public_html/** ixr,
# NOTE(review): enabling the ixr rules in this file would run CGIs with
# the full permissions of this profile (ix = inherit), including the
# capability and server.key rules above.
# (note that if you are using mod_change_hat, you have a choice of
# providing necessary access in this file OR in URI-specific hats, or
# hats in the <VHost>, <Location>, or <Directory> directives. Please
# see the user's guide or mod_apparmor(5) for more information.
# Allow site-wide CGIs to run, inheriting the apache profile:
# /srv/www/cgi-bin/** ixr,
# /var/www/cgi-bin/** ixr,
@{HOME}/public_html r,
@{HOME}/public_html/** r,
# Red Hat locations
/var/www/html/** r,
/var/www/icons/*.{gif,jpg,png} r,
/var/www/error/* r,
# SuSE locations (LSB?)
/srv/www/htdocs r,
/srv/www/htdocs/** r,
/srv/www/icons/*.{gif,jpg,png} r,
/srv/www/vhosts r,
/srv/www/vhosts/** r,
# SuSE location of the apache manual + error pages
/usr/share/apache2/** r,
# php session state
/var/lib/php/sess_* rwl,
# Hat with the smallest rule set in this file. Unlike ^DEFAULT_URI it
# does not include <abstractions/base>.
^HANDLING_UNTRUSTED_INPUT {
#include <abstractions/nameservice>
/var/log/apache2/* w,
# Any .htaccess file anywhere in the filesystem is readable from this hat.
/**.htaccess r,
}
^DEFAULT_URI {
#include <abstractions/nameservice>
#include <abstractions/base>
# The rules below duplicate the block in the parent profile above (from
# the suexec2 rule through the php session rule); keep the two copies in
# sync when editing either one.
# Note that mod_perl, mod_php, mod_python, etc, allow in-apache
# execution of content regardless of 'x' permissions, as no exec(2)
# takes place to perform a domain change.
# suexec execution of CGIs will require appropriate permissions
/usr/sbin/suexec2 ixr,
# Allow logging
/var/log/apache2/** rwl,
# Allow any CGIs in user directories to run, inheriting the apache
# profile:
# /home/*/public_html/** ixr,
# (note that if you are using mod_change_hat, you have a choice of
# providing necessary access in this file OR in URI-specific hats, or
# hats in the <VHost>, <Location>, or <Directory> directives. Please
# see the user's guide or mod_apparmor(5) for more information.
# Allow site-wide CGIs to run, inheriting the apache profile:
# /srv/www/cgi-bin/** ixr,
# /var/www/cgi-bin/** ixr,
@{HOME}/public_html r,
@{HOME}/public_html/** r,
# Red Hat locations
/var/www/html/** r,
/var/www/icons/*.{gif,jpg,png} r,
/var/www/error/* r,
# SuSE locations (LSB?)
/srv/www/htdocs r,
/srv/www/htdocs/** r,
/srv/www/icons/*.{gif,jpg,png} r,
/srv/www/vhosts r,
/srv/www/vhosts/** r,
# SuSE location of the apache manual + error pages
/usr/share/apache2/** r,
# php session state
/var/lib/php/sess_* rwl,
}
}