




SELinuxの追加ポリシー / 2005-11-22 (火)

/etc/selinux/targeted/src/policy/domains/program/apache.teに追加したポリシーの備忘録。

# Local additions to the targeted policy's apache.te.
# An allow rule grants the source domain the listed permissions on the
# target type; SELinux only ever widens access this way, so every line below
# is a hole cut into the confinement the stock httpd policy provides.
#
# Review notes (roughly by risk):
#  - httpd_sys_script_t gets create/write AND execute on the same types
#    (var_t:file, httpd_sys_script_exec_t): a CGI that can be induced to write
#    a file can then run it. A dedicated writable type such as
#    httpd_sys_script_rw_t, with no execute, is the least-privilege shape.
#  - httpd_t gets write/create on httpd_config_t and execmod on
#    httpd_modules_t, i.e. the server may alter its own configuration and
#    map module code writable+executable. Both normally stay read-only.
#  - The user_home_t rules go well beyond serving ~user/public_html; the
#    stock policy gates home-directory access behind the
#    httpd_enable_homedirs boolean rather than raw write/unlink/create.
#  - reserved_port_t:tcp_socket name_connect lets scripts reach every port
#    below 1024 and subsumes the smtp_port_t rule that follows it.
# NOTE(review): these look like they were collected from AVC denials
# (audit2allow-style) — confirm each one is still required rather than
# carrying the whole set forward.

# suexec: traverse /home/* and run a user's CGI from user_home_t.
allow httpd_suexec_t user_home_dir_t:dir search;
# Directory-entry add/remove and file rename/unlink/create/write are more than
# executing a user script needs; suexec itself should not be editing home dirs.
allow httpd_suexec_t user_home_t:dir { add_name remove_name getattr search write };
allow httpd_suexec_t user_home_t:file { execute execute_no_trans getattr ioctl read rename append create unlink write };
allow httpd_suexec_t user_home_t:lnk_file { getattr read };
allow httpd_suexec_t tmpfs_t:dir search;
# Execute on shared libraries (lib_t).
allow httpd_suexec_t lib_t:file execute;

# CGI scripts (httpd_sys_script_t)
allow httpd_sys_script_t tmpfs_t:dir search;
# Read/write a pseudo-terminal from a CGI; only meaningful for interactive
# debugging. The stock policy has an httpd_tty_comm boolean for terminal
# access — presumably for httpd_t; verify whether it also covers the script domain.
allow httpd_sys_script_t devpts_t:chr_file { read write };
# Scripts may create, delete and overwrite files in their own executable
# directory: the CGI tree becomes self-modifying (write + execute on one type).
allow httpd_sys_script_t httpd_sys_script_exec_t:dir { read add_name remove_name write };
allow httpd_sys_script_t httpd_sys_script_exec_t:file { create unlink write };
allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read;
# var_t is the generic label for anything under /var without a more specific
# type. create + write + execute here again lets a script drop and run a file;
# label the actual data directory with a writable httpd type instead.
allow httpd_sys_script_t var_t:dir { add_name remove_name write };
allow httpd_sys_script_t var_t:fifo_file write;
allow httpd_sys_script_t var_t:file { create execute execute_no_trans getattr link read unlink write };
allow httpd_sys_script_t user_home_t:lnk_file read;
# Outbound TCP from CGIs: reserved_port_t covers every port < 1024 (so the
# smtp_port_t line is redundant with it). If mail is the only need, keep smtp only.
allow httpd_sys_script_t reserved_port_t:tcp_socket name_connect;
allow httpd_sys_script_t smtp_port_t:tcp_socket name_connect;

# Web server (httpd_t)
# Server-initiated HTTP connections (reverse proxy / client use). The stock
# policy exposes this through the httpd_can_network_connect boolean.
allow httpd_t http_port_t:tcp_socket name_connect;
# httpd_t writing to the served content type: served files can be replaced by
# the server process itself. Writable content belongs in a separate type
# (e.g. httpd_sys_script_rw_t); httpd_unified also covers this in stock policy.
allow httpd_t httpd_sys_content_t:dir { add_name write remove_name };
allow httpd_t httpd_sys_content_t:file { create write append setattr unlink };
allow httpd_t httpd_sys_script_exec_t:lnk_file read;
# HIGH RISK: the server may create and write its own configuration.
allow httpd_t httpd_config_t:dir {write add_name };
allow httpd_t httpd_config_t:file create;
# execmod: map a module file writable and executable. This is typically a
# symptom of a module built with text relocations (not -fPIC); rebuilding the
# module removes the need for the rule.
allow httpd_t httpd_modules_t:file execmod;
allow httpd_t lib_t:file execute;
allow httpd_t tmp_t:file { getattr read };
# Full read/write/create/unlink over user home files for the server itself —
# far beyond what serving ~user content requires.
allow httpd_t user_home_t:dir { getattr search read add_name remove_name write };
allow httpd_t user_home_t:file { getattr read write lock unlink create setattr };
allow httpd_t user_home_t:lnk_file { getattr read };