# $Id$ # ------------------------------------------------------------------ # # Copyright (C) 2002-2005 Novell/SUSE # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # vim:syntax=apparmor #include /usr/sbin/httpd2-prefork { #include #include #include #include #include capability kill, capability net_bind_service, capability setgid, capability setuid, capability sys_tty_config, /dev/random r, /etc/apache2/*.conf r, /etc/apache2/magic r, /etc/apache2/mod_perl-startup.pl r, /etc/apache2/ssl.crt/server.crt r, /etc/apache2/ssl.key/server.key r, /etc/apache2/{conf,sysconfig,vhosts}.d r, /etc/apache2/{conf,sysconfig,vhosts}.d/* r, /etc/fstab r, /etc/mime.types r, /etc/mtab r, /etc/odbcinst.ini r, /etc/php.d r, /etc/php.d/** r, /etc/php.ini r, /proc/meminfo r, /proc/sys/kernel/ngroups_max r, /tmp/auth_ldap_cache.sem wl, /tmp/session_mm_apache0.sem wl, /tmp/session_mm_apache2handler0.sem wl, /usr/X11R6/lib64/lib*.so* r, /usr/X11R6/lib/lib*.so* r, /usr/apache2/error/* r, /usr/lib64/apache2-leader/{lib,mod_}*.so* r, /usr/lib64/apache2-metuxmpm/{lib,mod_}*.so* r, /usr/lib64/apache2-prefork/{lib,mod_}*.so* r, /usr/lib64/apache2-worker/{lib,mod_}*.so* r, /usr/lib64/apache2/modules/{lib,mod_}*.so* r, /usr/lib64/apache2/{lib,mod_}*.so* r, /usr/lib/apache2-leader/{lib,mod_}*.so* r, /usr/lib/apache2-metuxmpm/{lib,mod_}*.so* r, /usr/lib/apache2-prefork/{lib,mod_}*.so* r, /usr/lib/apache2-worker/{lib,mod_}*.so* r, /usr/lib/apache2/modules/{lib,mod_}*.so* r, /usr/lib64/mysql/libmysql*.so* r, /usr/lib64/php/extensions/*.so r, /usr/lib64/php4/*.so r, /usr/lib64/python[12].[0-9]/**.{py,pyc,pth,so} r, /usr/lib64/python[12].[0-9]/site-packages r, /usr/lib64/qt3/lib/lib*.so* r, /usr/lib/apache2/{lib,mod_}*.so r, /usr/lib/mysql/libmysql*.so* r, /usr/lib/php/extensions/*.so r, /usr/lib/php4/*.so r, /usr/lib/python[12].[0-9]/**.{py,pyc,pth,so} r, /usr/lib/python[12].[0-9]/site-packages r, /usr/lib/qt3/lib/lib*.so* r, /usr/local/tomcat/conf/mod_jk.conf r, /usr/local/tomcat/conf/workers-ajp12.properties r, /usr/sbin/httpd2-prefork r, /usr/share/apache2/error/* r, /usr/share/apache2/error/include/* r, /usr/share/misc/magic.mime r, /usr/share/snmp/mibs r, /usr/share/snmp/mibs/*.{txt,mib} r, /usr/share/snmp/mibs/.index wr, /usr/share/ssl/openssl.cnf r, /var/lock/httpd2.lock.* wl, /var/log/apache2/* rwl, /var/log/httpd/ssl_scache.dir r, /var/log/httpd/ssl_scache.pag r, /var/run/httpd2.mm.* wl, /var/run/httpd2.pid wl, # Note that mod_perl, mod_php, mod_python, etc, allows in-apache # execution of content regardless of 'x' permissions, as no exec(2) # takes place to perform a domain change. # suexec execution of CGIs will require appropriate permissions /usr/sbin/suexec2 ixr, # Allow logging /var/log/apache2/** rwl, # Allow any CGIs in user directories to run, inheriting the apache # profile: # /home/*/public_html/** ixr, # (note that if you are using mod_change_hat, you have a choice of # providing neccesary access in this file OR in URI-specific hats, or # hats in the , , or directives. Please # see the user's guide or mod_apparmor(5) for more information. # Allow site-wide CGIs to run, inheriting the apache profile: # /srv/www/cgi-bin/** ixr, # /var/www/cgi-bin/** ixr, @{HOME}/public_html r, @{HOME}/public_html/** r, # Red Hat locations /var/www/html/** r, /var/www/icons/*.{gif,jpg,png} r, /var/www/error/* r, # SuSE locations (LSB?) /srv/www/htdocs r, /srv/www/htdocs/** r, /srv/www/icons/*.{gif,jpg,png} r, /srv/www/vhosts r, /srv/www/vhosts/** r, # SuSE location of the apache manual + error pages /usr/share/apache2/** r, # php session state /var/lib/php/sess_* rwl, ^HANDLING_UNTRUSTED_INPUT { #include /var/log/apache2/* w, /**.htaccess r, } ^DEFAULT_URI { #include #include # Note that mod_perl, mod_php, mod_python, etc, allows in-apache # execution of content regardless of 'x' permissions, as no exec(2) # takes place to perform a domain change. # suexec execution of CGIs will require appropriate permissions /usr/sbin/suexec2 ixr, # Allow logging /var/log/apache2/** rwl, # Allow any CGIs in user directories to run, inheriting the apache # profile: # /home/*/public_html/** ixr, # (note that if you are using mod_change_hat, you have a choice of # providing neccesary access in this file OR in URI-specific hats, or # hats in the , , or directives. Please # see the user's guide or mod_apparmor(5) for more information. # Allow site-wide CGIs to run, inheriting the apache profile: # /srv/www/cgi-bin/** ixr, # /var/www/cgi-bin/** ixr, @{HOME}/public_html r, @{HOME}/public_html/** r, # Red Hat locations /var/www/html/** r, /var/www/icons/*.{gif,jpg,png} r, /var/www/error/* r, # SuSE locations (LSB?) /srv/www/htdocs r, /srv/www/htdocs/** r, /srv/www/icons/*.{gif,jpg,png} r, /srv/www/vhosts r, /srv/www/vhosts/** r, # SuSE location of the apache manual + error pages /usr/share/apache2/** r, # php session state /var/lib/php/sess_* rwl, } }