# managed by salt - do not edit by hand, local changes will be overwritten!
# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2005 Novell/SUSE
#    Copyright (C) 2017-2021 Christian Boltz
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>

# File extensions the per-wiki hats below may write under each wiki's
# public/images/ tree. The upload rule in those hats only grants rw for names
# ending in one of these, so no other extension (.php, .phtml, ...) can be
# created through it - that is what keeps an upload from becoming server-side
# code in the document root. NOTE(review): svg is on the list; SVG can carry
# script, so presumably MediaWiki's SVG sanitiser is what stands between an
# upload and stored XSS - confirm it is enabled.
@{wiki_upload_extensions}=doc docx gif jpg jpeg odp ods odt pdf png ppt pptx svg sxc sxw xls xlsx
# Apache (prefork MPM) confined with one hat per vhost / request phase.
# The top-level profile carries the `complain` flag: denials for the parent
# process are only logged, not enforced, so this policy is audit-only until
# that flag is dropped. The same applies to every hat below that also carries
# `complain`; only DEFAULT_URI and vhost_files are actually enforced.
# `attach_disconnected` keeps the profile applicable to paths that are no
# longer connected to the namespace root.
profile httpd2-prefork /usr/sbin/httpd{,2}-prefork flags=(complain,attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/kerberosclient>
  #include <abstractions/mysql>
  #include <abstractions/nameservice>
  #include <abstractions/perl>
  #include <abstractions/php5>
  #include <abstractions/ssl_keys>

  # Capabilities granted to the parent. Several are broad: dac_override
  # bypasses file-mode bits (the path rules below still apply), sys_ptrace
  # allows inspecting other processes, and net_admin goes well beyond what
  # binding a privileged port needs (that is net_bind_service). setuid/setgid
  # are what the parent needs to drop to the worker user.
  # NOTE(review): re-check which of these still trigger in the audit log
  # before this profile leaves complain mode.
  capability dac_override,
  capability kill,
  capability net_admin,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_ptrace,
  capability sys_tty_config,

  # The parent may send SIGUSR1 to processes running in any of its own hats
  # (presumably the graceful-restart signal); the hats that expect it carry
  # the matching `signal receive` rule.
  signal send set=usr1 peer=httpd2-prefork//*,

  # NOTE(review): rw on the root directory itself is unusually broad for a
  # web server - r is what a stat/listing needs. Confirm what produced this
  # before tightening it.
  / rw,
  # bash runs under this same profile (ix = inherit).
  /bin/bash rix,
  /dev/random r,
  # Server configuration, read-only.
  /etc/apache2/*.conf r,
  owner /etc/apache2/conf.d/ r,
  /etc/apache2/magic r,
  /etc/apache2/mod_perl-startup.pl r,
  /etc/apache2/sysconfig.d/ r,
  /etc/apache2/vhosts.d/ r,
  /etc/apache2/vhosts.d/hostings/ r,
  /etc/apache2/{conf,sysconfig,vhosts}.d/* r,
  /etc/fstab r,
  /etc/mime.types r,
  /etc/mtab r,
  /etc/odbcinst.ini r,
  /etc/php.d/** r,
  /etc/php.ini r,
  # AppArmor's own attribute interface; writing it is presumably how a worker
  # enters one of the hats below (aa_change_hat). The kernel only lets a task
  # change its own confinement, so the `*` pid glob is not a cross-process
  # grant.
  /proc/*/attr/current rw,
  /proc/meminfo r,
  /proc/sys/kernel/ngroups_max r,
  /run/httpd.pid rw,
  # NOTE(review): /tmp/magic* is writable; presumably mod_mime_magic scratch
  # files - verify, and note the predictable name in a shared /tmp.
  /tmp/magic* rw,
  /usr/apache2/error/* r,
  # Loadable modules for every MPM variant, mapped read-only (m = mmap exec).
  /usr/lib/apache2-leader/{lib,mod_}*.so* mr,
  /usr/lib/apache2-metuxmpm/{lib,mod_}*.so* mr,
  /usr/lib/apache2-prefork/{lib,mod_}*.so* mr,
  /usr/lib/apache2-worker/{lib,mod_}*.so* mr,
  /usr/lib/apache2/modules/{lib,mod_}*.so* mr,
  /usr/lib/apache2/{lib,mod_}*.so mr,
  /usr/lib/mysql/libmysql*.so* mr,
  /usr/lib64/apache2-leader/{lib,mod_}*.so* mr,
  /usr/lib64/apache2-metuxmpm/{lib,mod_}*.so* mr,
  /usr/lib64/apache2-prefork/{lib,mod_}*.so* mr,
  /usr/lib64/apache2-worker/{lib,mod_}*.so* mr,
  /usr/lib64/apache2/modules/{lib,mod_}*.so* mr,
  /usr/lib64/apache2/{lib,mod_}*.so* mr,
  /usr/lib64/mysql/libmysql*.so* mr,
  /usr/sbin/httpd{,2}-prefork mr,
  # The setuid suexec helper inherits this profile (ix) rather than getting
  # its own, so it stays confined by these rules.
  /usr/sbin/suexec2 mrix,
  /usr/share/apache2/error/** r,
  /usr/share/apache2/icons/** r,
  /usr/share/misc/magic.mime r,
  /usr/share/snmp/mibs r,
  /usr/share/snmp/mibs/*.{txt,mib} r,
  /usr/share/snmp/mibs/.index rw,
  /var/lib/apache2/ssl_mutex w,
  # Any file directly under the log directory: read, write and link
  # (l presumably for log rotation - confirm).
  /var/log/apache2/* rwl,

  # Enforced (no complain flag): the hat used for requests that do not map to
  # one of the vhost hats below.
  ^DEFAULT_URI flags=(attach_disconnected) {
    #include <abstractions/apache2-common>

    /proc/meminfo r,
    /usr/share/zoneinfo/ r,
    /usr/share/zoneinfo/** r,
    /var/log/apache2/access_log w,
    /var/log/apache2/error_log w,

  }

  # Request-parsing phase. NOTE(review): still in complain mode, so the hat
  # whose name says it handles untrusted input is the one not enforced.
  ^HANDLING_UNTRUSTED_INPUT flags=(complain,attach_disconnected) {
    #include <abstractions/nameservice>

    signal receive set=usr1 peer=httpd2-prefork,

    # Reads any .htaccess anywhere on the filesystem (per-directory config
    # lookup walks the path); read-only, so it cannot alter them.
    /**/.htaccess r,
    /dev/urandom r,
    # Leaving the hat (change_hat back) only needs write here.
    /proc/*/attr/current w,
    /var/lib/apache2/ssl_mutex wk,
    /var/log/apache2/access_log w,
    /var/log/apache2/error_log w,
    # Date-suffixed rotated error log (YYYYMMDD).
    /var/log/apache2/error_log-20[12][0-9][01][0-9][0-3][0-9] w,
    /var/log/apache2/ssl_request_log w,

    # Odd, but observed in practice: these per-vhost access logs are also
    # opened while still in this hat.
    /var/log/apache2/cn-access_log w,
    /var/log/apache2/files-access_log w,

  }

  # Requests to the localhost vhost; complain mode.
  ^localhost flags=(complain,attach_disconnected) {
    /proc/*/attr/current rw,
    /proc/loadavg r,
    /var/log/apache2/access_log w,
  }

  # Enforced: static file server. Only the public/ tree is reachable and it is
  # read-only, so nothing this vhost serves can be modified through it.
  ^vhost_files flags=(attach_disconnected) {
    #include <abstractions/apache2-common>

    signal receive set=usr1 peer=httpd2-prefork,

    /var/log/apache2/files-access_log w,
    /var/log/apache2/files-access_log-20[12][0-9][01][0-9][0-3][0-9] w,
    /var/log/apache2/error_log w,

    /srv/www/files.opensuse.org/public/ r,
    /srv/www/files.opensuse.org/public/** r,
  }

  # One hat per MediaWiki instance, generated by Salt from the
  # mediawiki:wikis pillar. The Jinja tags live inside AppArmor comment
  # lines, so they survive rendering as harmless comments.
  #  {% for wiki in pillar['mediawiki']['wikis']|sort %}
  # NOTE(review): complain mode - the upload-path restrictions below are
  # logged, not enforced, until the flag is removed.
  ^vhost_{{wiki}}wiki flags=(complain,attach_disconnected) {
    #include <abstractions/apache2-common>
    #include <abstractions/base>

    signal receive set=usr1 peer=httpd2-prefork,

    / r,
    # Shell and timeout helper run inside this hat (ix), so whatever they
    # spawn stays under these rules.
    /bin/bash rix,
    /dev/tty rw,
    /proc/meminfo r,
    /usr/bin/timeout rix,
    # Syntax highlighter: transition to the `pygmentize` profile with the
    # environment scrubbed (Px). If that profile is not loaded the exec is
    # denied.
    /usr/share/mediawiki_1_*/extensions/SyntaxHighlight_GeSHi/pygments/pygmentize Px -> pygmentize,
    # Mail: use sendmail's own profile if one is loaded, otherwise run it
    # unconfined (PUx), with the environment scrubbed either way.
    /usr/sbin/sendmail PUx,
    /var/log/apache2/{{wiki}}-access_log w,
    /var/log/apache2/{{wiki}}-access_log-20[12][0-9][01][0-9][0-3][0-9] w,
    /var/log/apache2/error_log w,

    /srv/www/{{wiki}}.opensuse.org/cache/ r,
    /srv/www/{{wiki}}.opensuse.org/cache/* rw,
    # Document root is read-only except for the images/ subtree below.
    /srv/www/{{wiki}}.opensuse.org/public/ r,
    /srv/www/{{wiki}}.opensuse.org/public/** r,
    # Upload area: directories may be created anywhere below images/, but
    # regular files only with a whitelisted extension (see
    # @{wiki_upload_extensions}) or one of the specific names below. That is
    # the control that keeps an uploaded file from landing in the web root as
    # executable server-side code.
    /srv/www/{{wiki}}.opensuse.org/public/images/**/ rw,
    /srv/www/{{wiki}}.opensuse.org/public/images/**.@{wiki_upload_extensions} rw,
    /srv/www/{{wiki}}.opensuse.org/public/images/deleted/**/index.html rw,
    # NOTE(review): the server may rewrite .htaccess in deleted/ and temp/,
    # i.e. its own per-directory Apache configuration for those trees.
    # Presumably MediaWiki creates these to block script execution there -
    # confirm, since a write here changes how Apache treats the directory.
    /srv/www/{{wiki}}.opensuse.org/public/images/deleted/.htaccess rw,
    /srv/www/{{wiki}}.opensuse.org/public/images/lockdir/*.lock rwk,
    /srv/www/{{wiki}}.opensuse.org/public/images/temp/*/*/*\!localcopy_*. rw,
    /srv/www/{{wiki}}.opensuse.org/public/images/temp/*/*/*\!php??????. rw,
    /srv/www/{{wiki}}.opensuse.org/public/images/temp/**/index.html rw,
    /srv/www/{{wiki}}.opensuse.org/public/images/temp/.htaccess rw,
    # NOTE(review): unlike the two temp/*/*/ rules above, this one has no
    # trailing-dot/extension constraint, so any name starting with
    # localcopy_ directly under temp/ is writable.
    /srv/www/{{wiki}}.opensuse.org/public/images/temp/localcopy_* rw,
    /srv/www/{{wiki}}.opensuse.org/public/images/temp/mw-runJobs-backoffs.json rwk,
    /srv/www/{{wiki}}.opensuse.org/public/images/temp/ResourceLoaderImage?????? rw,
    /srv/www/{{wiki}}.opensuse.org/public/images/temp/svg_*/ rw,
    # PHP upload scratch files, outside the document root.
    /srv/www/{{wiki}}.opensuse.org/tmp/php* rw,
    # Per-wiki configuration; secrets.php presumably holds credentials and is
    # read-only here.
    /srv/www/{{wiki}}.opensuse.org/secrets.php r,
    /srv/www/{{wiki}}.opensuse.org/wiki_settings.php r,
    /usr/share/icu/*/icudt*l.dat r,
    /usr/share/mediawiki_1_*/** r,
    # ImageMagick gets a dedicated per-wiki profile (Px, env scrubbed); the
    # magick-{{wiki}} profile must exist or the exec is denied.
    /usr/bin/magick Px -> magick-{{wiki}},
  }
  #  {% endfor %}

}
# vim: ft=apparmor expandtab