File: //proc/676643/root/usr/share/apparmor/extra-profiles/usr.sbin.httpd2-prefork
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim:syntax=apparmor
abi <abi/3.0>,
include <tunables/global>
/usr/sbin/httpd2-prefork {
include <abstractions/apache2-common>
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/kerberosclient>
include <abstractions/nameservice>
include <abstractions/perl>
include <abstractions/openssl>
capability kill,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_tty_config,
/dev/random r,
/etc/apache2/*.conf r,
/etc/apache2/magic r,
/etc/apache2/mod_perl-startup.pl r,
/etc/apache2/ssl.crt/*.crt r,
/etc/apache2/ssl.key/*.key r,
/etc/apache2/{conf,sysconfig,vhosts}.d/ r,
/etc/apache2/{conf,sysconfig,vhosts}.d/* r,
/etc/fstab r,
/etc/mime.types r,
/etc/mtab r,
/etc/odbcinst.ini r,
/etc/php.d/ r,
/etc/php.d/** r,
/etc/php.ini r,
/tmp/auth_ldap_cache.sem wl,
/tmp/session_mm_apache0.sem wl,
/tmp/session_mm_apache2handler0.sem wl,
/usr/X11R6/lib64/lib*.so* mr,
/usr/X11R6/lib/lib*.so* mr,
/usr/apache2/error/* r,
/usr/lib64/apache2-leader/{lib,mod_}*.so* mr,
/usr/lib64/apache2-metuxmpm/{lib,mod_}*.so* mr,
/usr/lib64/apache2-prefork/{lib,mod_}*.so* mr,
/usr/lib64/apache2-worker/{lib,mod_}*.so* mr,
/usr/lib64/apache2/modules/{lib,mod_}*.so* mr,
/usr/lib64/apache2/{lib,mod_}*.so* mr,
/usr/lib/apache2-leader/{lib,mod_}*.so* mr,
/usr/lib/apache2-metuxmpm/{lib,mod_}*.so* mr,
/usr/lib/apache2-prefork/{lib,mod_}*.so* mr,
/usr/lib/apache2-worker/{lib,mod_}*.so* mr,
/usr/lib/apache2/modules/{lib,mod_}*.so* mr,
/usr/lib64/mysql/libmysql*.so* mr,
/usr/lib64/php/extensions/*.so mr,
/usr/lib64/php4/*.so mr,
/usr/lib64/python[12].[0-9]/**.{py,pyc,pth,so} mr,
/usr/lib64/python[12].[0-9]/site-packages r,
/usr/lib64/qt3/lib/lib*.so* mr,
/usr/lib/apache2/{lib,mod_}*.so mr,
/usr/lib/mysql/libmysql*.so* mr,
/usr/lib/php/extensions/*.so mr,
/usr/lib/php4/*.so mr,
/usr/lib/python[12].[0-9]/**.{py,pyc,pth,so} mr,
/usr/lib/python[12].[0-9]/site-packages r,
/usr/lib/qt3/lib/lib*.so* mr,
/usr/local/tomcat/conf/mod_jk.conf r,
/usr/local/tomcat/conf/workers-ajp12.properties r,
/usr/sbin/httpd2-prefork r,
/usr/share/misc/magic.mime r,
/usr/share/snmp/mibs r,
/usr/share/snmp/mibs/*.{txt,mib} r,
/usr/share/snmp/mibs/.index wr,
/{run,var}/lock/httpd2.lock.* wl,
/var/log/apache2/* rwl,
/var/log/httpd/ssl_scache.dir r,
/var/log/httpd/ssl_scache.pag r,
/{,var/}run/httpd2.mm.* wl,
/{,var/}run/httpd2.pid wl,
# Note that mod_perl, mod_php, mod_python, etc, allows in-apache
# execution of content regardless of 'x' permissions, as no exec(2)
# takes place to perform a domain change.
# suexec execution of CGIs will require appropriate permissions
/usr/sbin/suexec2 mixr,
# Allow logging
/var/log/apache2/** rwl,
# Allow any CGIs in user directories to run, inheriting the apache
# profile:
# /home/*/public_html/** mixr,
# (note that if you are using mod_change_hat, you have a choice of
# providing neccesary access in this file OR in URI-specific hats, or
# hats in the <VHost>, <Location>, or <Directory> directives. Please
# see the user's guide or mod_apparmor(5) for more information.
# Allow site-wide CGIs to run, inheriting the apache profile:
# /srv/www/cgi-bin/** mixr,
# /var/www/cgi-bin/** mixr,
@{HOME}/public_html r,
@{HOME}/public_html/** r,
# Red Hat locations
/var/www/html/** r,
/var/www/icons/*.{gif,jpg,png} r,
/var/www/error/* r,
# SuSE locations (LSB?)
/srv/www/htdocs r,
/srv/www/htdocs/** r,
/srv/www/icons/*.{gif,jpg,png} r,
/srv/www/vhosts r,
/srv/www/vhosts/** r,
# php session state
/var/lib/php/sess_* rwl,
^HANDLING_UNTRUSTED_INPUT {
include <abstractions/apache2-common>
/var/log/apache2/* w,
}
^DEFAULT_URI {
include <abstractions/apache2-common>
include <abstractions/base>
# Note that mod_perl, mod_php, mod_python, etc, allows in-apache
# execution of content regardless of 'x' permissions, as no exec(2)
# takes place to perform a domain change.
# suexec execution of CGIs will require appropriate permissions
/usr/sbin/suexec2 mixr,
# Allow logging
/var/log/apache2/** rwl,
# Allow any CGIs in user directories to run, inheriting the apache
# profile:
# /home/*/public_html/** mixr,
# (note that if you are using mod_change_hat, you have a choice of
# providing neccesary access in this file OR in URI-specific hats, or
# hats in the <VHost>, <Location>, or <Directory> directives. Please
# see the user's guide or mod_apparmor(5) for more information.
# Allow site-wide CGIs to run, inheriting the apache profile:
# /srv/www/cgi-bin/** mixr,
# /var/www/cgi-bin/** mixr,
@{HOME}/public_html r,
@{HOME}/public_html/** r,
# Red Hat locations
/var/www/html/** r,
/var/www/icons/*.{gif,jpg,png} r,
/var/www/error/* r,
# SuSE locations (LSB?)
/srv/www/htdocs r,
/srv/www/htdocs/** r,
/srv/www/icons/*.{gif,jpg,png} r,
/srv/www/vhosts r,
/srv/www/vhosts/** r,
# php session state
/var/lib/php/sess_* rwl,
}
}