# managed by salt - do not edit! # ------------------------------------------------------------------ # # Copyright (C) 2002-2005 Novell/SUSE # Copyright (C) 2017-2021 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ #include @{wiki_upload_extensions}=doc docx gif jpg jpeg odp ods odt pdf png ppt pptx svg sxc sxw xls xlsx profile httpd2-prefork /usr/sbin/httpd{,2}-prefork flags=(complain,attach_disconnected) { #include #include #include #include #include #include #include #include #include capability dac_override, capability kill, capability net_admin, capability net_bind_service, capability setgid, capability setuid, capability sys_ptrace, capability sys_tty_config, signal send set=usr1 peer=httpd2-prefork//*, / rw, /bin/bash rix, /dev/random r, /etc/apache2/*.conf r, owner /etc/apache2/conf.d/ r, /etc/apache2/magic r, /etc/apache2/mod_perl-startup.pl r, /etc/apache2/sysconfig.d/ r, /etc/apache2/vhosts.d/ r, /etc/apache2/vhosts.d/hostings/ r, /etc/apache2/{conf,sysconfig,vhosts}.d/* r, /etc/fstab r, /etc/mime.types r, /etc/mtab r, /etc/odbcinst.ini r, /etc/php.d/** r, /etc/php.ini r, /proc/*/attr/current rw, /proc/meminfo r, /proc/sys/kernel/ngroups_max r, /run/httpd.pid rw, /tmp/magic* rw, /usr/apache2/error/* r, /usr/lib/apache2-leader/{lib,mod_}*.so* mr, /usr/lib/apache2-metuxmpm/{lib,mod_}*.so* mr, /usr/lib/apache2-prefork/{lib,mod_}*.so* mr, /usr/lib/apache2-worker/{lib,mod_}*.so* mr, /usr/lib/apache2/modules/{lib,mod_}*.so* mr, /usr/lib/apache2/{lib,mod_}*.so mr, /usr/lib/mysql/libmysql*.so* mr, /usr/lib64/apache2-leader/{lib,mod_}*.so* mr, /usr/lib64/apache2-metuxmpm/{lib,mod_}*.so* mr, /usr/lib64/apache2-prefork/{lib,mod_}*.so* mr, /usr/lib64/apache2-worker/{lib,mod_}*.so* mr, /usr/lib64/apache2/modules/{lib,mod_}*.so* mr, /usr/lib64/apache2/{lib,mod_}*.so* mr, /usr/lib64/mysql/libmysql*.so* mr, /usr/sbin/httpd{,2}-prefork mr, /usr/sbin/suexec2 mrix, /usr/share/apache2/error/** r, /usr/share/apache2/icons/** r, /usr/share/misc/magic.mime r, /usr/share/snmp/mibs r, /usr/share/snmp/mibs/*.{txt,mib} r, /usr/share/snmp/mibs/.index rw, /var/lib/apache2/ssl_mutex w, /var/log/apache2/* rwl, ^DEFAULT_URI flags=(attach_disconnected) { #include /proc/meminfo r, /usr/share/zoneinfo/ r, /usr/share/zoneinfo/** r, /var/log/apache2/access_log w, /var/log/apache2/error_log w, } ^HANDLING_UNTRUSTED_INPUT flags=(complain,attach_disconnected) { #include signal receive set=usr1 peer=httpd2-prefork, /**/.htaccess r, /dev/urandom r, /proc/*/attr/current w, /var/lib/apache2/ssl_mutex wk, /var/log/apache2/access_log w, /var/log/apache2/error_log w, /var/log/apache2/error_log-20[12][0-9][01][0-9][0-3][0-9] w, /var/log/apache2/ssl_request_log w, # strange, but happens in practise /var/log/apache2/cn-access_log w, /var/log/apache2/files-access_log w, } ^localhost flags=(complain,attach_disconnected) { /proc/*/attr/current rw, /proc/loadavg r, /var/log/apache2/access_log w, } ^vhost_files flags=(attach_disconnected) { #include signal receive set=usr1 peer=httpd2-prefork, /var/log/apache2/files-access_log w, /var/log/apache2/files-access_log-20[12][0-9][01][0-9][0-3][0-9] w, /var/log/apache2/error_log w, /srv/www/files.opensuse.org/public/ r, /srv/www/files.opensuse.org/public/** r, } # {% for wiki in pillar['mediawiki']['wikis']|sort %} ^vhost_{{wiki}}wiki flags=(complain,attach_disconnected) { #include #include signal receive set=usr1 peer=httpd2-prefork, / r, /{usr/,}bin/bash rix, /dev/tty rw, /proc/meminfo r, /usr/bin/timeout rix, /usr/share/mediawiki_1_*/extensions/SyntaxHighlight_GeSHi/pygments/pygmentize Px -> pygmentize, /usr/sbin/sendmail PUx, /var/log/apache2/{{wiki}}-access_log w, /var/log/apache2/{{wiki}}-access_log-20[12][0-9][01][0-9][0-3][0-9] w, /var/log/apache2/error_log w, /srv/www/{{wiki}}.opensuse.org/cache/ r, /srv/www/{{wiki}}.opensuse.org/cache/* rw, /srv/www/{{wiki}}.opensuse.org/public/ r, /srv/www/{{wiki}}.opensuse.org/public/** r, /srv/www/{{wiki}}.opensuse.org/public/images/**/ rw, /srv/www/{{wiki}}.opensuse.org/public/images/**.@{wiki_upload_extensions} rw, /srv/www/{{wiki}}.opensuse.org/public/images/deleted/**/index.html rw, /srv/www/{{wiki}}.opensuse.org/public/images/deleted/.htaccess rw, /srv/www/{{wiki}}.opensuse.org/public/images/lockdir/*.lock rwk, /srv/www/{{wiki}}.opensuse.org/public/images/temp/*/*/*\!localcopy_*. rw, /srv/www/{{wiki}}.opensuse.org/public/images/temp/*/*/*\!php??????. rw, /srv/www/{{wiki}}.opensuse.org/public/images/temp/**/index.html rw, /srv/www/{{wiki}}.opensuse.org/public/images/temp/.htaccess rw, /srv/www/{{wiki}}.opensuse.org/public/images/temp/localcopy_* rw, /srv/www/{{wiki}}.opensuse.org/public/images/temp/mw-runJobs-backoffs.json rwk, /srv/www/{{wiki}}.opensuse.org/public/images/temp/ResourceLoaderImage?????? rw, /srv/www/{{wiki}}.opensuse.org/public/images/temp/svg_*/ rw, /srv/www/{{wiki}}.opensuse.org/tmp/php* rw, /srv/www/{{wiki}}.opensuse.org/secrets.php r, /srv/www/{{wiki}}.opensuse.org/wiki_settings.php r, /usr/share/icu/*/icudt*l.dat r, /usr/share/mediawiki_1_*/** r, /usr/bin/magick Px -> magick-{{wiki}}, } # {% endfor %} } # vim: ft=apparmor expandtab