openEuler-24.03-LTS-SP1-release

分支 (28)

标签 (22)

管理

管理

master

openEuler-24.03-LTS-Next

openEuler-24.03-LTS-SP2

openEuler-24.03-LTS-SP1

openEuler-25.03

openEuler-24.09

openEuler-22.03-LTS-Next

openEuler-22.03-LTS-SP3

openEuler-22.03-LTS-SP4

openEuler-22.03-LTS-SP1

openEuler-23.09

openEuler-24.03-LTS

openEuler-22.03-LTS-SP2

Multi-Version_obs-server-2.10.11_openEuler-22.03-LTS-SP1

openEuler-22.03-LTS

openEuler-23.03

openEuler-20.03-LTS-SP3

openEuler-20.03-LTS-SP4

openEuler-20.03-LTS-SP1

Multi-Version_obs-server-2.10.11_openEuler-22.09

openEuler-25.03-release

openEuler-24.03-LTS-SP1-release

openEuler-22.03-LTS-SP4-release

openEuler-24.09-release

openEuler-24.03-LTS-release

openEuler-22.03-LTS-SP3-release

openEuler-23.09-rc5

openEuler-22.03-LTS-SP1-release

openEuler-22.09-release

openEuler-22.09-rc5

openEuler-22.09-20220829

openEuler-22.03-LTS-20220331

openEuler-22.03-LTS-round5

openEuler-22.03-LTS-round3

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.09-20200929

passenger
/
passenger-selinux.te


module myapp 1.0;

require {
	type httpd_t;
	type fixed_disk_device_t;
	type http_port_t;
	type httpd_tmp_t;
	type httpd_sys_script_exec_t;
	type rpm_var_lib_t;
	type configfs_t;
	type user_tmp_t;
	type usr_t;
	type postgresql_port_t;
	type init_t;
	type httpd_sys_content_t;
	class capability { fowner fsetid sys_ptrace sys_resource };
	class process ptrace;
	class tcp_socket name_connect;
	class blk_file getattr;
	class dir { add_name create getattr read remove_name rmdir write };
	class sock_file getattr;
	class fifo_file { append create getattr ioctl open read setattr unlink write };
	class file { append create map rename setattr unlink write };
}

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t configfs_t:dir getattr;

#!!!! This avc is allowed in the current policy
allow httpd_t fixed_disk_device_t:blk_file getattr;

#!!!! This avc is allowed in the current policy
allow httpd_t http_port_t:tcp_socket name_connect;

#!!!! This avc is allowed in the current policy
allow httpd_t httpd_sys_content_t:dir { add_name create remove_name write };

#!!!! This avc is allowed in the current policy
allow httpd_t httpd_sys_content_t:file { append create rename setattr unlink write };
allow httpd_t httpd_sys_script_exec_t:dir write;
allow httpd_t httpd_sys_script_exec_t:file append;

#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow httpd_t httpd_tmp_t:fifo_file { append create getattr ioctl open read setattr unlink write };

#!!!! This avc is allowed in the current policy
allow httpd_t postgresql_port_t:tcp_socket name_connect;
allow httpd_t rpm_var_lib_t:dir write;

#!!!! This avc is allowed in the current policy
allow httpd_t rpm_var_lib_t:file map;

#!!!! This avc is allowed in the current policy
allow httpd_t self:capability { fowner fsetid sys_ptrace sys_resource };

#!!!! This avc is allowed in the current policy
allow httpd_t self:process ptrace;

#!!!! This avc is allowed in the current policy
allow httpd_t user_tmp_t:sock_file getattr;

#!!!! This avc is allowed in the current policy
allow httpd_t usr_t:dir create;

#!!!! This avc is allowed in the current policy
allow httpd_t usr_t:file { create rename write };

#============= init_t ==============

#!!!! This avc is allowed in the current policy
allow init_t httpd_tmp_t:dir { read remove_name rmdir write };