# managed by salt - do not edit!
# $Id: usr.sbin.httpd2-prefork 12 2006-04-12 21:35:41Z steve-beattie $
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2017 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
# File-name suffixes that the per-wiki hats may create below public/images/; the list is
# expanded by the images/**.@{wiki_upload_extensions} rule further down.
# NOTE(review): the rule matches on the file name only, and the suffixes are listed in lower
# case. Content checks (e.g. for svg, which can carry script) have to happen in the wiki
# software itself - confirm they are enabled there.
@{wiki_upload_extensions}=doc docx gif jpg jpeg odp ods odt pdf png ppt pptx svg sxc sxw xls xlsx
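# Confinement for the Apache prefork binary. The ^hats nested below are sub-profiles that
# the server switches into per request.
# NOTE(review): the hat names follow mod_apparmor conventions; the Apache configuration
# that maps vhosts to hats is not part of this file - confirm it matches the hat names.
# NOTE(review): flags=(complain) on the profile and on every hat means that violations
# are logged but still allowed, so none of the rules below restricts httpd yet. Drop
# 'complain' once the logs are clean if enforcement is intended.
# attach_disconnected makes paths that are disconnected from the mount namespace be treated
# as if they were attached to /.
profile httpd2-prefork /usr/sbin/httpd{,2}-prefork flags=(complain,attach_disconnected) {
    #include <abstractions/base>
    #include <abstractions/bash>
    #include <abstractions/consoles>
    #include <abstractions/kerberosclient>
    #include <abstractions/mysql>
    #include <abstractions/nameservice>
    #include <abstractions/perl>
    #include <abstractions/php5>
    #include <abstractions/ssl_keys>

    # NOTE(review): dac_override (bypass file permission checks), net_admin and sys_ptrace
    # are broad for a web server parent process - confirm each is still needed before
    # switching this profile to enforce mode.
    capability dac_override,
    capability kill,
    capability net_admin,
    capability net_bind_service,
    capability setgid,
    capability setuid,
    capability sys_ptrace,
    capability sys_tty_config,

    # '/' matches only the root directory itself, not its contents.
    # NOTE(review): write access to it looks unintended - confirm.
    / rw,
    # 'ix' = inherit: bash runs under this same profile.
    /bin/bash rix,
    /dev/random r,
    /etc/apache2/*.conf r,
    owner /etc/apache2/conf.d/ r,
    /etc/apache2/magic r,
    /etc/apache2/mod_perl-startup.pl r,
    /etc/apache2/sysconfig.d/ r,
    /etc/apache2/vhosts.d/ r,
    /etc/apache2/vhosts.d/hostings/ r,
    /etc/apache2/{conf,sysconfig,vhosts}.d/* r,
    /etc/fstab r,
    /etc/mime.types r,
    /etc/mtab r,
    /etc/odbcinst.ini r,
    /etc/php.d/** r,
    /etc/php.ini r,
    # attr/current is the kernel interface a task writes to when it changes hat.
    /proc/*/attr/current rw,
    /proc/meminfo r,
    /proc/sys/kernel/ngroups_max r,
    /run/httpd.pid rw,
    /tmp/magic* rw,
    /usr/apache2/error/* r,
    /usr/lib/apache2-leader/{lib,mod_}*.so* mr,
    /usr/lib/apache2-metuxmpm/{lib,mod_}*.so* mr,
    /usr/lib/apache2-prefork/{lib,mod_}*.so* mr,
    /usr/lib/apache2-worker/{lib,mod_}*.so* mr,
    /usr/lib/apache2/modules/{lib,mod_}*.so* mr,
    # '.so*' like every sibling library rule (including the lib64 twin), so versioned
    # objects such as lib*.so.N are matched here as well.
    /usr/lib/apache2/{lib,mod_}*.so* mr,
    /usr/lib/mysql/libmysql*.so* mr,
    /usr/lib64/apache2-leader/{lib,mod_}*.so* mr,
    /usr/lib64/apache2-metuxmpm/{lib,mod_}*.so* mr,
    /usr/lib64/apache2-prefork/{lib,mod_}*.so* mr,
    /usr/lib64/apache2-worker/{lib,mod_}*.so* mr,
    /usr/lib64/apache2/modules/{lib,mod_}*.so* mr,
    /usr/lib64/apache2/{lib,mod_}*.so* mr,
    /usr/lib64/mysql/libmysql*.so* mr,
    /usr/sbin/httpd{,2}-prefork mr,
    # suexec2 is executed with 'ix', i.e. it stays inside this profile.
    /usr/sbin/suexec2 mrix,
    /usr/share/apache2/error/** r,
    /usr/share/apache2/icons/** r,
    /usr/share/misc/magic.mime r,
    /usr/share/snmp/mibs r,
    /usr/share/snmp/mibs/*.{txt,mib} r,
    /usr/share/snmp/mibs/.index rw,
    /var/lib/apache2/ssl_mutex w,
    # 'l' additionally allows creating hard links to the log files.
    /var/log/apache2/* rwl,

    # Hat that mod_apparmor falls back to for requests that match no more specific hat.
    ^DEFAULT_URI flags=(complain,attach_disconnected) {
        #include <abstractions/apache2-common>

        /proc/meminfo r,
        /usr/share/zoneinfo/ r,
        /usr/share/zoneinfo/** r,
        /var/log/apache2/access_log w,
        /var/log/apache2/error_log w,

    }

    # Hat that mod_apparmor uses while the incoming request is being read, before the
    # target hat is known. It should stay as small as possible.
    ^HANDLING_UNTRUSTED_INPUT flags=(complain,attach_disconnected) {
        #include <abstractions/nameservice>

        # Matches a .htaccess file in any directory of the filesystem (read only).
        /**/.htaccess r,
        /dev/urandom r,
        /proc/*/attr/current w,
        /var/lib/apache2/ssl_mutex wk,
        /var/log/apache2/access_log w,
        /var/log/apache2/error_log w,
        # Date-suffixed (rotated) error log; the glob covers the years 2010-2029.
        /var/log/apache2/error_log-20[12][0-9][01][0-9][0-3][0-9] w,
        /var/log/apache2/ssl_request_log w,

        # strange, but happens in practice
        /var/log/apache2/cn-access_log w,
        /var/log/apache2/files-access_log w,

    }

    # Hat for the static file host: read-only access to its public tree plus its logs.
    ^vhost_files flags=(complain,attach_disconnected) {
        #include <abstractions/apache2-common>

        /var/log/apache2/files-access_log w,
        /var/log/apache2/files-access_log-20[12][0-9][01][0-9][0-3][0-9] w,
        /var/log/apache2/error_log w,

        /srv/www/files.opensuse.org/public/ r,
        /srv/www/files.opensuse.org/public/** r,
    }

    # One hat per wiki is generated by the Salt/Jinja loop below; the template statements
    # are hidden from the AppArmor parser behind '#'.
    # {% for wiki in pillar['mediawiki_1_27']['wikis']|sort %}
    ^vhost_{{wiki}}wiki flags=(complain,attach_disconnected) {
        #include <abstractions/apache2-common>
        #include <abstractions/base>

        / r,
        /bin/bash rix,
        /dev/tty rw,
        /proc/meminfo r,
        /usr/bin/timeout rix,
        # 'Px -> pygmentize' switches to a separate profile named pygmentize with a
        # scrubbed environment. That profile is not defined in this file and has to be
        # loaded separately.
        /usr/share/mediawiki_1_27/extensions/SyntaxHighlight_GeSHi/pygments/pygmentize Px -> pygmentize,
        # 'PUx' uses a sendmail profile if one is loaded and otherwise runs unconfined.
        # NOTE(review): without a loaded sendmail profile this is a way out of the hat's
        # confinement - confirm that such a profile exists on the wiki hosts.
        /usr/sbin/sendmail PUx,
        /var/log/apache2/{{wiki}}-access_log w,
        /var/log/apache2/{{wiki}}-access_log-20[12][0-9][01][0-9][0-3][0-9] w,
        /var/log/apache2/error_log w,

        /srv/www/{{wiki}}.opensuse.org/cache/ r,
        /srv/www/{{wiki}}.opensuse.org/cache/* rw,
        # The public tree is read-only except for the images/ rules that follow.
        /srv/www/{{wiki}}.opensuse.org/public/ r,
        /srv/www/{{wiki}}.opensuse.org/public/** r,
        /srv/www/{{wiki}}.opensuse.org/public/images/**/ rw,
        # Only files whose name ends in one of the listed upload extensions are writable
        # below images/; other names (for example *.php) stay read-only here.
        /srv/www/{{wiki}}.opensuse.org/public/images/**.@{wiki_upload_extensions} rw,
        /srv/www/{{wiki}}.opensuse.org/public/images/deleted/**/index.html rw,
        # NOTE(review): a writable .htaccess inside the served tree lets the application
        # change per-directory Apache settings where AllowOverride permits it - confirm
        # the AllowOverride setting for images/deleted/ and images/temp/.
        /srv/www/{{wiki}}.opensuse.org/public/images/deleted/.htaccess rw,
        /srv/www/{{wiki}}.opensuse.org/public/images/lockdir/*.lock rwk,
        # The next two patterns end in a literal '.', i.e. temp files without extension.
        /srv/www/{{wiki}}.opensuse.org/public/images/temp/*/*/*\!localcopy_*. rw,
        /srv/www/{{wiki}}.opensuse.org/public/images/temp/*/*/*\!php??????. rw,
        /srv/www/{{wiki}}.opensuse.org/public/images/temp/**/index.html rw,
        /srv/www/{{wiki}}.opensuse.org/public/images/temp/.htaccess rw,
        /srv/www/{{wiki}}.opensuse.org/public/images/temp/localcopy_* rw,
        /srv/www/{{wiki}}.opensuse.org/public/images/temp/mw-runJobs-backoffs.json rwk,
        /srv/www/{{wiki}}.opensuse.org/public/images/temp/ResourceLoaderImage?????? rw,
        /srv/www/{{wiki}}.opensuse.org/public/images/temp/svg_*/ rw,
        /srv/www/{{wiki}}.opensuse.org/tmp/php* rw,
        # Credentials and settings are readable but not writable from the hat.
        /srv/www/{{wiki}}.opensuse.org/secrets.php r,
        /srv/www/{{wiki}}.opensuse.org/wiki_settings.php r,
        # The MediaWiki code tree is read-only.
        /usr/share/mediawiki_1_27/** r,
        # Only the en-test wiki may additionally read the git checkout.
        # {% if wiki == 'en-test' %}
        /usr/share/mediawiki_1_27--git/** r,
        # {% endif %}
    }
    # {% endfor %}

}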
# vim: ft=apparmor expandtab