# managed by salt - do not edit!
# $Id: usr.sbin.httpd2-prefork 12 2006-04-12 21:35:41Z steve-beattie $
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2017 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
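# AppArmor profile for the Apache prefork MPM binary, with one hat per
# request class / virtual host (hats are entered via change_hat, typically
# by mod_apparmor).
#
# The profile and every hat carry flags=(complain,...): violations are only
# logged, nothing is denied. The rules below therefore document intended
# access but do not confine the server until "complain" is removed.
# attach_disconnected makes paths that are disconnected from the mount
# namespace resolve as if attached to "/".
profile httpd2-prefork /usr/sbin/httpd{,2}-prefork flags=(complain,attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/kerberosclient>
  #include <abstractions/nameservice>
  #include <abstractions/perl>
  #include <abstractions/ssl_keys>

  # NOTE(review): dac_override, net_admin and sys_ptrace are broad grants for
  # a web server parent process; confirm each is still needed before moving
  # this profile to enforce mode.
  capability dac_override,
  capability kill,
  capability net_admin,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_ptrace,
  capability sys_tty_config,

  # "/" matches the root directory itself only, not its contents.
  / rw,
  # "ix": bash runs under this same profile (inherits its rules and capabilities).
  /bin/bash rix,
  /dev/random r,
  /etc/apache2/*.conf r,
  owner /etc/apache2/conf.d/ r,
  /etc/apache2/magic r,
  /etc/apache2/mod_perl-startup.pl r,
  /etc/apache2/sysconfig.d/ r,
  /etc/apache2/vhosts.d/ r,
  /etc/apache2/vhosts.d/hostings/ r,
  /etc/apache2/{conf,sysconfig,vhosts}.d/* r,
  /etc/fstab r,
  /etc/mime.types r,
  /etc/mtab r,
  /etc/odbcinst.ini r,
  # Writing attr/current is how a task requests a hat change (change_hat).
  /proc/*/attr/current rw,
  /proc/meminfo r,
  /proc/sys/kernel/ngroups_max r,
  /run/httpd.pid rw,
  /tmp/magic* rw,
  /usr/apache2/error/* r,
  # "m" allows mapping the module files executable; only lib*/mod_* shared
  # objects in the Apache module directories are covered.
  /usr/lib/apache2-leader/{lib,mod_}*.so* mr,
  /usr/lib/apache2-metuxmpm/{lib,mod_}*.so* mr,
  /usr/lib/apache2-prefork/{lib,mod_}*.so* mr,
  /usr/lib/apache2-worker/{lib,mod_}*.so* mr,
  /usr/lib/apache2/modules/{lib,mod_}*.so* mr,
  # NOTE(review): no trailing "*" after ".so" here, unlike the lib64
  # counterpart below - versioned names (.so.N) are not matched; confirm intent.
  /usr/lib/apache2/{lib,mod_}*.so mr,
  /usr/lib64/apache2-leader/{lib,mod_}*.so* mr,
  /usr/lib64/apache2-metuxmpm/{lib,mod_}*.so* mr,
  /usr/lib64/apache2-prefork/{lib,mod_}*.so* mr,
  /usr/lib64/apache2-worker/{lib,mod_}*.so* mr,
  /usr/lib64/apache2/modules/{lib,mod_}*.so* mr,
  /usr/lib64/apache2/{lib,mod_}*.so* mr,
  /usr/sbin/httpd{,2}-prefork mr,
  # suexec2 also runs under this profile ("ix"), not a profile of its own.
  /usr/sbin/suexec2 mrix,
  /usr/share/apache2/error/** r,
  /usr/share/apache2/icons/** r,
  /usr/share/misc/magic.mime r,
  /usr/share/snmp/mibs r,
  /usr/share/snmp/mibs/*.{txt,mib} r,
  /usr/share/snmp/mibs/.index rw,
  /var/lib/apache2/ssl_mutex w,
  # "l" permits hard links in the log directory in addition to read/write.
  /var/log/apache2/* rwl,

  # Hat for requests that have no more specific hat. A hat is confined by
  # its own rules only; the parent profile's rules above do not apply in it.
  ^DEFAULT_URI flags=(complain,attach_disconnected) {
    #include <abstractions/apache2-common>

    /proc/meminfo r,
    /usr/share/zoneinfo/ r,
    /usr/share/zoneinfo/** r,
    /var/log/apache2/access_log w,
    /var/log/apache2/error_log w,

  }

  # Hat for the phase in which the request is still being parsed, before a
  # per-URI or per-vhost hat is chosen. Keep it as small as possible.
  ^HANDLING_UNTRUSTED_INPUT flags=(complain,attach_disconnected) {
    #include <abstractions/nameservice>

    /**/.htaccess r,
    /dev/urandom r,
    # Write-only: needed to request the next hat change from within this hat.
    /proc/*/attr/current w,
    /var/lib/apache2/ssl_mutex wk,
    /var/log/apache2/access_log w,
    /var/log/apache2/error_log w,
    # Rotated error log, suffix -YYYYMMDD for the years 2010-2029.
    /var/log/apache2/error_log-20[12][0-9][01][0-9][0-3][0-9] w,
    /var/log/apache2/ssl_request_log w,

    # strange, but happens in practice
    /var/log/apache2/countdown-access_log w,
    /var/log/apache2/doc-access_log w,

  }

  # Hat for the phpMyAdmin virtual host.
  ^vhost_phpmyadmin flags=(complain,attach_disconnected) {
    #include <abstractions/base>
    #include <abstractions/mysql>
    #include <abstractions/nameservice>
    #include <abstractions/php>

    # Only SIGUSR1 from the parent profile may be received in this hat.
    signal receive set=usr1 peer=httpd2-prefork,

    /etc/apache2/conf.d/phpMyAdmin.htpass r,
    /etc/phpMyAdmin/config.inc.php r,
    /proc/*/attr/current rw,
    /srv/www/htdocs/phpMyAdmin/** r,
    /usr/lib64/gconv/* r,
    /usr/share/zoneinfo/ r,
    /var/log/apache2/phpmyadmin-access_log w,
    /var/log/apache2/phpmyadmin-access_log-20[12][0-9][01][0-9][0-3][0-9] w,
    /var/log/apache2/error_log w,

  }

  # Hat for the countdown.opensuse.org virtual host: read-only document
  # root plus its own access log.
  ^vhost_countdown flags=(complain,attach_disconnected) {
    #include <abstractions/apache2-common>
    #include <abstractions/base>

    / r,
#    /bin/bash rix,
#    /dev/tty rw,
#    /proc/meminfo r,
#    /usr/bin/timeout rix,
    /var/log/apache2/countdown-access_log w,
    # Rotated log, suffix -YYYYMMDD. The year prefix was "21", which matched
    # only 2110-2129; aligned with the "20" prefix used by the other
    # rotated-log rules in this profile so current log names are covered
    # once the hat is enforced.
    /var/log/apache2/countdown-access_log-20[12][0-9][01][0-9][0-3][0-9] w,
    /var/log/apache2/error_log w,

    /srv/www/countdown.opensuse.org/ r,
    /srv/www/countdown.opensuse.org/** r,
  }

  # Hat for the doc.opensuse.org virtual host: read-only document root plus
  # its own access log.
  ^vhost_doc flags=(complain,attach_disconnected) {
    #include <abstractions/apache2-common>
    #include <abstractions/base>

    / r,
#    /bin/bash rix,
#    /dev/tty rw,
#    /proc/meminfo r,
#    /usr/bin/timeout rix,
    /var/log/apache2/doc-access_log w,
    # Rotated log, suffix -YYYYMMDD. The year prefix was "21", which matched
    # only 2110-2129; aligned with the "20" prefix used by the other
    # rotated-log rules in this profile.
    /var/log/apache2/doc-access_log-20[12][0-9][01][0-9][0-3][0-9] w,
    /var/log/apache2/error_log w,

    /srv/www/vhosts/doc.opensuse.org/ r,
    /srv/www/vhosts/doc.opensuse.org/** r,
  }

}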
# vim: ft=apparmor expandtab