From: Russell Coker
To: Chris PeBenito
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc services patches with changes Dominick wanted
Date: Wed, 27 Jan 2021 14:04:45 +1100
Message-ID: <53731370.JSHSjNzumS@liv>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Tuesday, 26 January 2021 1:22:22 AM AEDT Chris PeBenito wrote:
> > gs_exec_t,s0)
> > /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec
> > _t,s0)
> > /usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)>
> > +/usr/sbin/php.*-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
> > +/usr/sbin/php-fpm[^/]+ -- gen_context(system_u:object_r:httpd_exec_t,
> > s0)
>
> I can fix this when merging, but please keep the fc entries in order.

OK, I'll do that in the next version.

> > @@ -71,6 +71,7 @@ template(`apache_content_template',`
> >
> > manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
> > httpd_$1_rw_content_t) manage_files_pattern(httpd_$1_script_t,
> > httpd_$1_rw_content_t, httpd_$1_rw_content_t)>
> > + allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
> >
> > manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
> > httpd_$1_rw_content_t) manage_fifo_files_pattern(httpd_$1_script_t,
> > httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> > manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
> > httpd_$1_rw_content_t)
>
> There's a lot of mmapping being added. Can you provide any additional context on this? Is this induced by some config option? Is this apache only?

It's for Apache, it maps all files it sends with no special configuration.
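Review bot: in the apache.fc hunk, the two new php-fpm entries use inconsistent wildcards: `/usr/sbin/php.*-fpm` lets `.*` cross `/`, so it would also label a binary one directory deeper, while the second entry correctly uses `[^/]+`. Use `/usr/sbin/php[^/]*-fpm` for the first entry so both stay within /usr/sbin, and, as already requested, keep the new lines in sorted order with the surrounding entries. Since both entries label the binary httpd_exec_t, php-fpm will run in httpd_t with Apache's full policy rather than in a separate domain; that is a reasonable choice, but the commit message should say so.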
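Review bot: in the apache_content_template hunk, the bare `allow httpd_$1_script_t httpd_$1_rw_content_t:file map;` grants map to the per-content script domain, but the justification given in the reply (Apache maps every file it serves) is about httpd_t, not the script domain. Either the denial came from a script (CGI/FPM) mapping its own writable content, in which case say which one, or the map belongs with httpd_t's content access. Also, since the line sits between manage_files_pattern calls, prefer refpolicy's pattern macro form, e.g. `mmap_manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)` in place of the existing manage_files_pattern, rather than a raw allow.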
> > @@ -63,3 +63,23 @@ interface(`aptcacher_stream_connect',`
> >
> > files_search_runtime($1)
> > stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t,
> > aptcacher_t)>
> > ')
> >
> > +
> > +######################################
> > +##
> > +## read aptcacher config
> > +##
> > +##
> > +##
> > +## Domain allowed to read it.
> > +##
> > +##
> > +#
> > +interface(`aptcacher_read_config',`
> > + gen_require(`
> > + type aptcacher_etc_t;
> > + ')
> > +
> > + files_search_etc($1)
> > + allow $1 aptcacher_etc_t:dir list_dir_perms;
> > + allow $1 aptcacher_etc_t:file mmap_read_file_perms;
> > +')
>
> Is this the only useful way to read these files? There's no valid non-mmap access? If regular read can be useful, then this should be aptcatch_mmap_read_config().

OK.

> > @@ -254,6 +255,7 @@ auth_use_nsswitch(cupsd_t)
> >
> > libs_read_lib_files(cupsd_t)
> > libs_exec_lib_files(cupsd_t)
> >
> > +libs_legacy_use_ld_so(cupsd_t)
>
> This seems broken and should probably be in a debian distro block.

OK, I'll remove that and do more testing.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
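Review bot: in the aptcacher_read_config hunk, the interface name says "read" but the file rule grants mmap_read_file_perms; refpolicy interface names carry the access they grant, so either use read_file_perms here or rename the interface to aptcacher_mmap_read_config, as the thread already suggests. The doc comment above the interface as quoted shows only bare `##` lines around "read aptcacher config" and "Domain allowed to read it."; make sure the resubmitted version carries the `<summary>` and `<param name="domain">` tags, since the interface documentation is generated from them.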
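Review bot: in the cupsd.te hunk, `libs_legacy_use_ld_so(cupsd_t)` is added unconditionally although the reply treats it as Debian-specific; if it is kept it belongs in an `ifdef(`distro_debian',` block, and before keeping it at all check whether the dynamic loader path that triggered the denial is simply mislabeled (a file-context fix in libraries.fc) rather than a gap in cupsd's policy, since a legacy ld.so rule in a daemon domain usually points at labeling.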
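To make the ordering question from the review concrete, here is an added example (not code from the patch, refpolicy or the mailing list) that applies file_contexts matching rules to the two php-fpm entries quoted above. It assumes libselinux semantics: every regex is anchored to the whole path, a type specifier such as `--` restricts the entry to regular files, and when several entries match the last one in file order wins. The catch-all `/.*` entry, the sample paths and the resolved context strings are constructed for the demo.

```python
import re

# Constructed sample file_contexts, in the resolved form libselinux reads
# (gen_context() already expanded). The two php-fpm entries are the ones from
# the patch under discussion; the leading catch-all is an assumption so that
# every path gets some label.
SAMPLE_FILE_CONTEXTS = """
# regex                 type  context
/.*                           system_u:object_r:default_t:s0
/usr/sbin/php.*-fpm     --    system_u:object_r:httpd_exec_t:s0
/usr/sbin/php-fpm[^/]+  --    system_u:object_r:httpd_exec_t:s0
"""


def parse_file_contexts(text):
    """Return (regex, type_char_or_None, context, compiled) entries in file
    order. A type specifier like "--" or "-d" is reduced to its second
    character ('-' regular file, 'd' directory, ...); None matches any type."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, ctx = parts
            type_char = ftype[1]
        elif len(parts) == 2:
            regex, ctx = parts
            type_char = None
        else:
            raise ValueError("malformed file_contexts line: %r" % raw)
        # libselinux wraps each regex as ^...$; fullmatch() reproduces that.
        entries.append((regex, type_char, ctx, re.compile(regex)))
    return entries


def matching_entries(entries, path, type_char="-"):
    """All entries whose regex covers the whole path and whose type
    specifier (if any) agrees with the path's file type."""
    return [e for e in entries
            if (e[1] is None or e[1] == type_char) and e[3].fullmatch(path)]


def label_for(entries, path, type_char="-"):
    """(regex, context) of the winning entry, or None if nothing matches.
    Assumption (see lead-in): the last matching entry in file order wins."""
    matches = matching_entries(entries, path, type_char)
    if not matches:
        return None
    regex, _, ctx, _ = matches[-1]
    return regex, ctx


ENTRIES = parse_file_contexts(SAMPLE_FILE_CONTEXTS)

if __name__ == "__main__":
    # Constructed candidate paths: versioned names in both styles, the
    # unversioned name, the same name as a directory, and a deeper path.
    for path, t in [("/usr/sbin/php7.4-fpm", "-"),
                    ("/usr/sbin/php-fpm7.4", "-"),
                    ("/usr/sbin/php-fpm", "-"),
                    ("/usr/sbin/php-fpm", "d"),
                    ("/usr/sbin/php/modules-fpm", "-")]:
        hits = [e[0] for e in matching_entries(ENTRIES, path, t)]
        print("%-26s type=%s matches=%s -> %s"
              % (path, t, hits, label_for(ENTRIES, path, t)))
```

Running it shows that `.*` in the first entry also crosses directory separators (it claims the constructed /usr/sbin/php/modules-fpm), which `[^/]*` would not, and that a directory named php-fpm falls through to the catch-all because of the `--` specifier. Both php-fpm entries give the same context, so their relative order does not change the result here, but the same last-match rule is what makes refpolicy's sorted-entry convention matter when contexts differ.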