Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp4439699pxb;
        Tue, 26 Jan 2021 23:47:47 -0800 (PST)
X-Google-Smtp-Source: ABdhPJz5mRfFVB26T2NoMAgDvSlcqG3Sjsl2/bk67u32bA59b+scpUXQoY0chAZ4kIMRGuXug+Xv
X-Received: by 2002:a17:906:3b44:: with SMTP id h4mr6162969ejf.414.1611733667453;
        Tue, 26 Jan 2021 23:47:47 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1611733667; cv=none;
        d=google.com; s=arc-20160816;
        b=GVX0nXaxrWAnRxivhwbOn2qldwffhorKL7Ob27bc3DBHcZZq60DoZoPTMWQ1U/jh3H
         2R66Nmp4lQ3+cmyZ7SZvwUTMu8EbNIPouJbPDJ138CSUv3Y51ICcBJ+q1/KHDzA6pSZt
         G+LqazOU6bBZZky7VrlwoNVU7zafHNY1/Ev1L+3CbTf9va+JNUyiZA22EAvQeBHaj7FQ
         mj9uPRK/wHtKV0FuAFkzSqGfAJunL1z/0dqRl6FRBfi868K3ng6EAOg/Lt35YUHCzzML
         7distiNRvFjcdP5OdLqVxWkecs6qcomfEKxO6efz8FzkDhpGwYUq0dHzi++pJ4hBrJ21
         7N7A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=l/T2BNaMap6kkC9KoMMIjdnbZp0czbf1Uxi5A8UJVvk=;
        b=yUXnfm0iRyyIaZwPFL5Flc2l0JEwc0c67wtCQqMGLViXhb5D8qJPDPtsKOkmB7tCmB
         B8n1LR5tCP2aQbVi5y6Yx9qmRczqeyfvxcVtPHE9vZi0Pu+6nUpR5+ZTEVIJ2zLD8zP3
         +G2LuAeNC7iV5Zxu9qVwa/SjVGaj2wirpMm6l4Vi3tuCbIG3HsSjcUB5nk62a6TunrO+
         vKeG2zc1VeUzgbKOb8MNmC/9okB394mHMPljHHIDQ+XTPnLi69mMHqSAmk4QKUo4ttK6
         amFovXAVaLYtTb01Qe/KBozn20h5q+sD4bMTctf1Nl616mpBIL+Gs7baUl2Vu/KOEbnE
         74sA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=0QwJQgx4;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id n2si548508ejl.444.2021.01.26.23.47.40;
        Tue, 26 Jan 2021 23:47:47 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=0QwJQgx4;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231197AbhA0FFL (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 16 others); Wed, 27 Jan 2021 00:05:11 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38690 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231421AbhA0DHF (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Tue, 26 Jan 2021 22:07:05 -0500
Received: from smtp.sws.net.au (smtp.sws.net.au [IPv6:2a01:4f8:140:71f5::dada:cafe])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 507CDC061794
        for <selinux-refpolicy@vger.kernel.org>; Tue, 26 Jan 2021 19:04:52 -0800 (PST)
Received: from liv.coker.com.au (unknown [103.75.204.226])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
        (No client certificate requested)
        (Authenticated sender: russell@coker.com.au)
        by smtp.sws.net.au (Postfix) with ESMTPSA id 1FDC41709B;
        Wed, 27 Jan 2021 14:04:47 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1611716688;
        bh=l/T2BNaMap6kkC9KoMMIjdnbZp0czbf1Uxi5A8UJVvk=; l=2652;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=0QwJQgx4hcJNp5MLJlSoYVVr9pGfJ4JUktAC70whuAXJqUY0t5O6YNLAQmXV+K96Y
         fLGluYdsYFuKXPZDi6ZYoSAHuQqqRZjaEaQ0WF+D6LW5l4hTo+e54S0B3SoV/fqf3U
         MwQZJgPD1xmdc/UQgxUYHQvhQl6rLivQzkmRzdSU=
From:   Russell Coker <russell@coker.com.au>
To:     Chris PeBenito <pebenito@ieee.org>
Cc:     selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc services patches with changes Dominick wanted
Date:   Wed, 27 Jan 2021 14:04:45 +1100
Message-ID: <53731370.JSHSjNzumS@liv>
In-Reply-To: <a1537f1d-fdf1-f05e-363a-c20ba77e6fa5@ieee.org>
References: <YAmFvVmpuYxNxmOC@xev> <a1537f1d-fdf1-f05e-363a-c20ba77e6fa5@ieee.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Tuesday, 26 January 2021 1:22:22 AM AEDT Chris PeBenito wrote:
> >   gs_exec_t,s0)
> >   /usr/sbin/suexec					--	
gen_context(system_u:object_r:httpd_suexec_exec
> >   _t,s0)
> >   /usr/sbin/wigwam					--	
gen_context(system_u:object_r:httpd_exec_t,s0)> 
> > +/usr/sbin/php.*-fpm					--	
gen_context(system_u:object_r:httpd_exec_t,s0)
> > +/usr/sbin/php-fpm[^/]+					--	
gen_context(system_u:object_r:httpd_exec_t,
> > s0)
> I can fix this when merging, but please keep the fc entries in order.

OK, I'll do that in the next version.

> > @@ -71,6 +71,7 @@ template(`apache_content_template',`
> > 
> >   	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
> >   	httpd_$1_rw_content_t) manage_files_pattern(httpd_$1_script_t,
> >   	httpd_$1_rw_content_t, httpd_$1_rw_content_t)> 
> > +	allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
> > 
> >   	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
> >   	httpd_$1_rw_content_t) manage_fifo_files_pattern(httpd_$1_script_t,
> >   	httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> >   	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
> >   	httpd_$1_rw_content_t)
> There's a lot of mmapping being added.  Can you provide any additional
> context on this?  Is this induced by some config option? Is this apache
> only?

It's for Apache, it maps all files it sends with no special configuration.

> > @@ -63,3 +63,23 @@ interface(`aptcacher_stream_connect',`
> > 
> >   	files_search_runtime($1)
> >   	stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t,
> >   	aptcacher_t)>   
> >   ')
> > 
> > +
> > +######################################
> > +## <summary>
> > +##     read aptcacher config
> > +## </summary>
> > +## <param name="domain">
> > +##     <summary>
> > +##     Domain allowed to read it.
> > +##     </summary>
> > +## </param>
> > +#
> > +interface(`aptcacher_read_config',`
> > +	gen_require(`
> > +		type aptcacher_etc_t;
> > +	')
> > +
> > +	files_search_etc($1)
> > +	allow $1 aptcacher_etc_t:dir list_dir_perms;
> > +	allow $1 aptcacher_etc_t:file mmap_read_file_perms;
> > +')
> 
> Is this the only useful way to read these files?  There's no valid non-mmap
> access?  If regular read can be useful, then this should be
> aptcatch_mmap_read_config().

OK.

> > @@ -254,6 +255,7 @@ auth_use_nsswitch(cupsd_t)
> > 
> >   libs_read_lib_files(cupsd_t)
> >   libs_exec_lib_files(cupsd_t)
> > 
> > +libs_legacy_use_ld_so(cupsd_t)
> 
> This seems broken and should probably be in a debian distro block.

OK, I'll remove that and do more testing.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/