Subject: Re: [PATCH] misc services patches with changes Dominick wanted
To: Russell Coker, selinux-refpolicy@vger.kernel.org
From: Chris PeBenito
Date: Mon, 25 Jan 2021 09:22:22 -0500
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/21/21 8:46 AM, Russell Coker wrote:
> This patch has some changes Dominick wanted and some parts that he disliked
> removed. The one place where I didn't make his change I gave less access than
> he recommended.
>
> I think this is ready for merging.
>
> Signed-off-by: Russell Coker

I think I'm ok with the changes, though I have a couple questions/comments:

> Index: refpolicy-2.20210120/policy/modules/services/apache.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/apache.fc
> +++ refpolicy-2.20210120/policy/modules/services/apache.fc
> @@ -83,6 +83,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
> /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
> /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
> /usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/php.*-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/php-fpm[^/]+ -- gen_context(system_u:object_r:httpd_exec_t,s0)

I can fix this when merging, but please keep the fc entries in order.

> @@ -71,6 +71,7 @@ template(`apache_content_template',`
>
> manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> + allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
> manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)

There's a lot of mmapping being added. Can you provide any additional context on this? Is this induced by some config option? Is this apache only?

> @@ -63,3 +63,23 @@ interface(`aptcacher_stream_connect',`
> files_search_runtime($1)
> stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
> ')
> +
> +######################################
> +##
> +## read aptcacher config
> +##
> +##
> +##
> +## Domain allowed to read it.
> +##
> +##
> +#
> +interface(`aptcacher_read_config',`
> + gen_require(`
> + type aptcacher_etc_t;
> + ')
> +
> + files_search_etc($1)
> + allow $1 aptcacher_etc_t:dir list_dir_perms;
> + allow $1 aptcacher_etc_t:file mmap_read_file_perms;
> +')

Is this the only useful way to read these files? There's no valid non-mmap access? If regular read can be useful, then this should be aptcatch_mmap_read_config().
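Review bot: in the apache.fc hunk the two new entries overlap and the first is broader than it needs to be. "/usr/sbin/php.*-fpm" already matches /usr/sbin/php-fpm (with ".*" empty) and any versioned spelling such as php7.4-fpm, so "/usr/sbin/php-fpm[^/]+" only adds the php-fpm7.4 form; meanwhile ".*" also labels anything else named php<whatever>-fpm as httpd_exec_t. Consider tightening the first pattern to a version-shaped class, for example "/usr/sbin/php[0-9.]*-fpm", and, as already noted, sort both lines into place (alphabetically "php" belongs before the /usr/sbin/rotatelogs entry). It would also help to state in the commit message that php-fpm is intentionally being run in httpd_t rather than a domain of its own, since that is the effect of labelling it httpd_exec_t.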
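Review bot: in the apache_content_template hunk, the raw "allow httpd_$1_script_t httpd_$1_rw_content_t:file map;" dropped between the manage_*_pattern calls breaks the macro style of the surrounding template; if script domains really need to map rw content, prefer the mmap variant of the file pattern macro in place of the plain manage_files_pattern line (refpolicy carries mmap_*_files_pattern forms for this purpose) so the rule set stays uniform and greppable. Separately, the commit message ("misc services patches") says nothing about why map on writable content is needed; please record which application or denial drove it, since map plus write on the same type is a broader grant than read/write alone and should be justified in the history.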
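Review bot: in the aptcacher_read_config hunk, three points. First, the body uses raw allow rules where the adjacent interface in the context lines uses pattern macros (stream_connect_pattern); the equivalent here would be list_dirs_pattern/mmap_read_files_pattern (or read_files_pattern if plain read suffices, which is the open question in the reply above) on ($1, aptcacher_etc_t, aptcacher_etc_t). Second, files under /etc are commonly symlinks, so read_lnk_files_pattern($1, aptcacher_etc_t, aptcacher_etc_t) is usually wanted next to the dir and file access, otherwise callers will hit a lnk_file denial on symlinked configs. Third, the doc summary says "read aptcacher config" while the rule grants mmap_read_file_perms; the name and summary should say mmap if map is kept, so callers know what they are getting (the suggested rename would be spelled aptcacher_mmap_read_config, matching the module prefix).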
> @@ -254,6 +255,7 @@ auth_use_nsswitch(cupsd_t)
>
> libs_read_lib_files(cupsd_t)
> libs_exec_lib_files(cupsd_t)
> +libs_legacy_use_ld_so(cupsd_t)

This seems broken and should probably be in a debian distro block.

--
Chris PeBenito
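Review bot: in the cups hunk, libs_legacy_use_ld_so(cupsd_t) is added unconditionally, but legacy ld.so access is a distribution quirk rather than something cupsd needs in general, and nothing in the commit message says which denial prompted it. If a Debian build actually triggers it, wrap the call in an ifdef(`distro_debian',` ... ') block as the reply suggests and note the reason in the commit message; if the denial cannot be reproduced, drop the line rather than widening cupsd on every distribution.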