2012-09-25 14:42:58

by Matthew Thode

Subject: [refpolicy] [PATCH v2] add socket support to phpfpm and switched to sysnet_use_ldap with tunable

Subject: [PATCH] added postgres and mysql socket support along with running
phpfpm on a socket. Also switched to sysnet_use_ldap (with
the default being false for the tunable)

---
policy/modules/contrib/phpfpm.fc | 2 +-
policy/modules/contrib/phpfpm.if | 18 ++++++++++++++++++
policy/modules/contrib/phpfpm.te | 23 ++++++++++++++++-------
3 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/policy/modules/contrib/phpfpm.fc
b/policy/modules/contrib/phpfpm.fc
index 536a5c7..51da02a 100644
--- a/policy/modules/contrib/phpfpm.fc
+++ b/policy/modules/contrib/phpfpm.fc
@@ -1,5 +1,5 @@
/usr/lib(64)?/php.*/bin/php-fpm
gen_context(system_u:object_r:phpfpm_exec_t,s0)
+/var/run/php*-fpm/*.sock
gen_context(system_u:object_r:phpfpm_var_run_t,s0)

/var/log/php-fpm.log gen_context(system_u:object_r:phpfpm_log_t,s0)
/var/run/php-fpm.pid gen_context(system_u:object_r:phpfpm_var_run_t,s0)
-
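Review bot: The added path `/var/run/php*-fpm/*.sock` is written as a shell glob, but .fc entries are anchored regular expressions: `php*` is `ph` followed by zero or more `p`, and `/*.sock` is zero or more slashes, any single character, then `sock`, so a real socket such as `/var/run/php-fpm/www.sock` is not matched while an unrelated `/var/run/php-fpm/xsock` is. In regex form, and with the object class qualifier a socket file needs, the line would read `/var/run/php[^/]*-fpm/[^/]+\.sock -s gen_context(system_u:object_r:phpfpm_var_run_t,s0)`. Nothing in this hunk labels the `php*-fpm` directory itself, so it keeps the generic /var/run label unless an entry for it is added; if that is intended, a short comment saying so would help the next reader.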
diff --git a/policy/modules/contrib/phpfpm.if
b/policy/modules/contrib/phpfpm.if
index d9481d9..fee2c17 100644
--- a/policy/modules/contrib/phpfpm.if
+++ b/policy/modules/contrib/phpfpm.if
@@ -28,3 +28,21 @@ interface(`phpfpm_admin',`
files_list_pids($1)
admin_pattern($1, phpfpm_var_run_t)
')
+
+########################################
+## <summary>
+## Connect to phpfpm using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`phpfpm_stream_connect',`
+ gen_require(`
+ type phpfpm_t, phpfpm_var_run_t;
+ ')
+ stream_connect_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t, phpfpm_t)
+')
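Review bot: The `## <rolecap/>` line in the new interface's documentation block looks misplaced: in refpolicy that tag marks interfaces intended to be granted to user or admin roles, and the existing `*_stream_connect` interfaces in the tree do not carry it, so the documentation generator would list this as a role capability. Dropping the `## <rolecap/>` line keeps the header in line with other connect-style interfaces; if the interface really is meant for user roles, stating that in the summary is clearer than the tag alone. The hunk otherwise ends with the interface fully closed, so nothing is cut off here.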
diff --git a/policy/modules/contrib/phpfpm.te
b/policy/modules/contrib/phpfpm.te
index 2bd30d7..8758c01 100644
--- a/policy/modules/contrib/phpfpm.te
+++ b/policy/modules/contrib/phpfpm.te
@@ -5,6 +5,8 @@
# Declarations
#

+gen_tunable(phpfpm_use_ldap, false)
+
type phpfpm_t;
type phpfpm_exec_t;
init_daemon_domain(phpfpm_t, phpfpm_exec_t)
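Review bot: The new `gen_tunable(phpfpm_use_ldap, false)` has no description block, and refpolicy expects every tunable to be preceded by a `## <desc>` comment so that the policy documentation tooling can describe the boolean to administrators. Immediately above the `gen_tunable` line add `## <desc>`, `## <p>Allow phpfpm to use LDAP for name service lookups.</p>` (wording should match what sysnet_use_ldap actually grants) and `## </desc>`. The `# Declarations` section otherwise continues outside this hunk.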
@@ -28,7 +30,7 @@ allow phpfpm_t self:process signal;
allow phpfpm_t self:capability { setuid setgid kill };
allow phpfpm_t self:tcp_socket rw_stream_socket_perms;
allow phpfpm_t self:udp_socket connected_socket_perms;
-allow phpfpm_t self:unix_stream_socket accept;
+allow phpfpm_t self:unix_stream_socket { accept
create_stream_socket_perms };

manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
logging_log_filetrans(phpfpm_t, phpfpm_log_t, file)
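Review bot: In the rewritten rule `allow phpfpm_t self:unix_stream_socket { accept create_stream_socket_perms };` the explicit `accept` is redundant, because `create_stream_socket_perms` is defined as `create_socket_perms` plus `listen` and `accept`. If the full set is what is intended the rule can simply be `allow phpfpm_t self:unix_stream_socket create_stream_socket_perms;`; if only the listening half is wanted, spelling out the two permissions is clearer than the mixed form. The rule spans a wrapped line in the mail archive, which should be checked when the patch is re-applied.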
@@ -38,7 +40,9 @@ manage_dirs_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t)
files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, {file dir})

manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
-files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, file)
+files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
+
+manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)

kernel_read_kernel_sysctls(phpfpm_t)

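Review bot: The filetrans `files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })` covers the socket but not its parent directory: neither this hunk nor the .fc change labels `/var/run/php*-fpm` with a phpfpm type, the class list has no `dir`, and no dirs pattern is added, so if php-fpm or its start-up script (not shown here) creates that directory it would get the generic pid directory type and the directory-search grant that `manage_sock_files_pattern` implies for phpfpm_var_run_t would never apply. If the directory is meant to belong to the domain, add `dir` to the filetrans class list and a matching `-d` entry in the .fc; if it is expected to pre-exist, a one-line comment saying so would settle the question for later readers.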
@@ -48,10 +52,6 @@ corecmd_search_bin(phpfpm_t)
corenet_tcp_bind_all_unreserved_ports(phpfpm_t)
corenet_tcp_bind_generic_node(phpfpm_t)
corenet_tcp_bind_generic_port(phpfpm_t)
-# Comment was 'allow ldap connections' -> sysnet_use_ldap ?
-# Also, if it was optional because the application optionally does it,
perhaps
-# introduce a tunable for this? phpfpm_allow_ldap?
-corenet_tcp_connect_ldap_port(phpfpm_t)

dev_read_rand(phpfpm_t)
dev_read_urand(phpfpm_t)
@@ -60,6 +60,8 @@ files_read_etc_files(phpfpm_t)
files_read_usr_files(phpfpm_t)
files_search_var_lib(phpfpm_t)

+fs_getattr_xattr_fs(phpfpm_t)
+
miscfiles_read_localization(phpfpm_t)

sysnet_dns_name_resolve(phpfpm_t)
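Review bot: `fs_getattr_xattr_fs(phpfpm_t)` is not mentioned in the commit message, which covers only the database sockets, the fpm socket and the ldap tunable, so a reviewer cannot tell which denial it addresses or whether it belongs in this patch at all. A one-line comment above it naming the trigger, e.g. `# <observed denial that required this — TODO fill in>`, or a sentence in the description, would make the extra permission reviewable rather than cargo-culted.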
@@ -73,10 +75,12 @@ apache_read_sys_content(phpfpm_t)
apache_dontaudit_search_modules(phpfpm_t)

optional_policy(`
+ mysql_stream_connect(phpfpm_t)
mysql_tcp_connect(phpfpm_t)
')

optional_policy(`
+ postgresql_stream_connect(phpfpm_t)
postgresql_tcp_connect(phpfpm_t)
')

@@ -84,3 +88,8 @@ optional_policy(`
snmp_read_snmp_var_lib_files(phpfpm_t)
')

+optional_policy(`
+ tunable_policy(`phpfpm_use_ldap',`
+ sysnet_use_ldap(phpfpm_t)
+ ')
+')
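Review bot: The `optional_policy` wrapper around `tunable_policy(`phpfpm_use_ldap',` … `)` appears unnecessary, since `sysnet_use_ldap` lives in the sysnetwork module, which is part of the base policy and therefore always present; refpolicy normally places `tunable_policy` blocks for base interfaces at top level and keeps them above the `optional_policy` section rather than after it. Unless there is a reason I am missing, the three inner lines can stand on their own, e.g. `tunable_policy(`phpfpm_use_ldap',`` / `sysnet_use_ldap(phpfpm_t)` / `')`, moved up next to the other tunable or unconditional rules.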
--
1.7.8.5

--
-- Matthew Thode



2012-09-25 15:09:46

by dominick.grift

Subject: [refpolicy] [PATCH v2] add socket support to phpfpm and switched to sysnet_use_ldap with tunable

On Tue, Sep 25, 2012 at 09:42:58AM -0500, Matthew Thode wrote:
> Subject: [PATCH] added postgres and mysql socket support along with running
> phpfpm on a socket. Also switched to sysnet_use_ldap (with
> the default being false for the tunable)

This seems to be a patch on a patch.

Fedora also has a phpfpm policy module that i will port to contrib soon (maybe tomorrow)
When i do that i will probably also take some bits from your patches if you don't mind.

I am not sure about the ldap boolean as auth_use_nsswitch() also provides this functionality via the
authlogin_nsswitch_use_ldap boolean so it seems redundant to me.

Also have you tried (atleast some) of the database functionality? mysql maybe? I wonder whether mysql_stream_connect() is enough or whether it needs more like writing db sockets or reading mysql config

Some comments inline below

>
> ---
> policy/modules/contrib/phpfpm.fc | 2 +-
> policy/modules/contrib/phpfpm.if | 18 ++++++++++++++++++
> policy/modules/contrib/phpfpm.te | 23 ++++++++++++++++-------
> 3 files changed, 35 insertions(+), 8 deletions(-)
>
> diff --git a/policy/modules/contrib/phpfpm.fc
> b/policy/modules/contrib/phpfpm.fc
> index 536a5c7..51da02a 100644
> --- a/policy/modules/contrib/phpfpm.fc
> +++ b/policy/modules/contrib/phpfpm.fc
> @@ -1,5 +1,5 @@
> /usr/lib(64)?/php.*/bin/php-fpm
> gen_context(system_u:object_r:phpfpm_exec_t,s0)
> +/var/run/php*-fpm/*.sock
> gen_context(system_u:object_r:phpfpm_var_run_t,s0)

A sock needs to be specified with -s, so example: "/var/run/php-fpm/.*\.sock -s gen_context(system_u:object_r:phpfpm_var_run_t,s0)"

single files need --, dirs need -d, links need -l etc

> /var/log/php-fpm.log gen_context(system_u:object_r:phpfpm_log_t,s0)
> /var/run/php-fpm.pid gen_context(system_u:object_r:phpfpm_var_run_t,s0)

So these two above would need -- since they both single files

> diff --git a/policy/modules/contrib/phpfpm.if
> b/policy/modules/contrib/phpfpm.if
> index d9481d9..fee2c17 100644
> --- a/policy/modules/contrib/phpfpm.if
> +++ b/policy/modules/contrib/phpfpm.if
> @@ -28,3 +28,21 @@ interface(`phpfpm_admin',`
> files_list_pids($1)
> admin_pattern($1, phpfpm_var_run_t)
> ')
> +
> +########################################
> +## <summary>
> +## Connect to phpfpm using a unix domain stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`phpfpm_stream_connect',`
> + gen_require(`
> + type phpfpm_t, phpfpm_var_run_t;
> + ')
> + stream_connect_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t, phpfpm_t)
> +')

The above could use a files_search_pids($1) so that callers can get to phpfpm_var_run_t

> diff --git a/policy/modules/contrib/phpfpm.te
> b/policy/modules/contrib/phpfpm.te
> index 2bd30d7..8758c01 100644
> --- a/policy/modules/contrib/phpfpm.te
> +++ b/policy/modules/contrib/phpfpm.te
> @@ -5,6 +5,8 @@
> # Declarations
> #
>
> +gen_tunable(phpfpm_use_ldap, false)
> +
> type phpfpm_t;
> type phpfpm_exec_t;
> init_daemon_domain(phpfpm_t, phpfpm_exec_t)
> @@ -28,7 +30,7 @@ allow phpfpm_t self:process signal;
> allow phpfpm_t self:capability { setuid setgid kill };
> allow phpfpm_t self:tcp_socket rw_stream_socket_perms;
> allow phpfpm_t self:udp_socket connected_socket_perms;
> -allow phpfpm_t self:unix_stream_socket accept;
> +allow phpfpm_t self:unix_stream_socket { accept
> create_stream_socket_perms };

In fedora phpfpm policy, phpfpm is allowed to send messages to syslog.
the logging send syslog msg() interface provides: allow $1 self:unix_stream_socket create_socket_perms;
Thus thhe rule above can be: allow phpfpm_t self:unix_stream_socket { accept listen }; instead

It needs listen as far as i know to be able to accept

>
> manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
> logging_log_filetrans(phpfpm_t, phpfpm_log_t, file)
> @@ -38,7 +40,9 @@ manage_dirs_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t)
> files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, {file dir})

> manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
> -files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, file)
> +files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
> +
> +manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)

This should go just above the files_pid_filetrans()

> kernel_read_kernel_sysctls(phpfpm_t)
>
> @@ -48,10 +52,6 @@ corecmd_search_bin(phpfpm_t)
> corenet_tcp_bind_all_unreserved_ports(phpfpm_t)
> corenet_tcp_bind_generic_node(phpfpm_t)
> corenet_tcp_bind_generic_port(phpfpm_t)
> -# Comment was 'allow ldap connections' -> sysnet_use_ldap ?
> -# Also, if it was optional because the application optionally does it,
> perhaps
> -# introduce a tunable for this? phpfpm_allow_ldap?
> -corenet_tcp_connect_ldap_port(phpfpm_t)
>
> dev_read_rand(phpfpm_t)
> dev_read_urand(phpfpm_t)
> @@ -60,6 +60,8 @@ files_read_etc_files(phpfpm_t)
> files_read_usr_files(phpfpm_t)
> files_search_var_lib(phpfpm_t)
>
> +fs_getattr_xattr_fs(phpfpm_t)
> +
> miscfiles_read_localization(phpfpm_t)
>
> sysnet_dns_name_resolve(phpfpm_t)
> @@ -73,10 +75,12 @@ apache_read_sys_content(phpfpm_t)
> apache_dontaudit_search_modules(phpfpm_t)
>
> optional_policy(`
> + mysql_stream_connect(phpfpm_t)
> mysql_tcp_connect(phpfpm_t)
> ')
>
> optional_policy(`
> + postgresql_stream_connect(phpfpm_t)
> postgresql_tcp_connect(phpfpm_t)
> ')
>
> @@ -84,3 +88,8 @@ optional_policy(`
> snmp_read_snmp_var_lib_files(phpfpm_t)
> ')
>
> +optional_policy(`
> + tunable_policy(`phpfpm_use_ldap',`
> + sysnet_use_ldap(phpfpm_t)
> + ')
> +')
> --
> 1.7.8.5
>
> --
> -- Matthew Thode
>

Thanks!

> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


2012-09-25 16:07:28

by Matthew Thode

Subject: [refpolicy] [PATCH v2] add socket support to phpfpm and switched to sysnet_use_ldap with tunable

On 09/25/2012 10:09 AM, Dominick Grift wrote:
> On Tue, Sep 25, 2012 at 09:42:58AM -0500, Matthew Thode wrote:
>> Subject: [PATCH] added postgres and mysql socket support along with running
>> phpfpm on a socket. Also switched to sysnet_use_ldap (with
>> the default being false for the tunable)
>
> This seems to be a patch on a patch.
>
> Fedora also has a phpfpm policy module that i will port to contrib soon (maybe tomorrow)
> When i do that i will probably also take some bits from your patches if you don't mind.
>
> I am not sure about the ldap boolean as auth_use_nsswitch() also provides this functionality via the
> authlogin_nsswitch_use_ldap boolean so it seems reduntant to me.
>
> Also have you tried (atleast some) of the database functionality? mysql maybe? I wonder whether mysql_stream_connect() is enough or whether it needs more like writing db sockets or reading mysql config
>
> Some comments inline below
>
>>
>> ---
>> policy/modules/contrib/phpfpm.fc | 2 +-
>> policy/modules/contrib/phpfpm.if | 18 ++++++++++++++++++
>> policy/modules/contrib/phpfpm.te | 23 ++++++++++++++++-------
>> 3 files changed, 35 insertions(+), 8 deletions(-)
>>
>> diff --git a/policy/modules/contrib/phpfpm.fc
>> b/policy/modules/contrib/phpfpm.fc
>> index 536a5c7..51da02a 100644
>> --- a/policy/modules/contrib/phpfpm.fc
>> +++ b/policy/modules/contrib/phpfpm.fc
>> @@ -1,5 +1,5 @@
>> /usr/lib(64)?/php.*/bin/php-fpm
>> gen_context(system_u:object_r:phpfpm_exec_t,s0)
>> +/var/run/php*-fpm/*.sock
>> gen_context(system_u:object_r:phpfpm_var_run_t,s0)
>
> A sock needs to be specified with -s, so example: "/var/run/php-fpm/.*\.sock -s gen_context(system_u:object_r:phpfpm_var_run_t,s0)"
>
> single files need --, dirs need -d, links need -l etc
>
>> /var/log/php-fpm.log gen_context(system_u:object_r:phpfpm_log_t,s0)
>> /var/run/php-fpm.pid gen_context(system_u:object_r:phpfpm_var_run_t,s0)
>
> So these two above would need -- since they both single files
>

updated the file contexts to have -s and the like.

>> diff --git a/policy/modules/contrib/phpfpm.if
>> b/policy/modules/contrib/phpfpm.if
>> index d9481d9..fee2c17 100644
>> --- a/policy/modules/contrib/phpfpm.if
>> +++ b/policy/modules/contrib/phpfpm.if
>> @@ -28,3 +28,21 @@ interface(`phpfpm_admin',`
>> files_list_pids($1)
>> admin_pattern($1, phpfpm_var_run_t)
>> ')
>> +
>> +########################################
>> +## <summary>
>> +## Connect to phpfpm using a unix domain stream socket.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`phpfpm_stream_connect',`
>> + gen_require(`
>> + type phpfpm_t, phpfpm_var_run_t;
>> + ')
>> + stream_connect_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t, phpfpm_t)
>> +')
>
> The above could use a files_search_pids($1) so that callers can get to phpfpm_var_run_t
>

added it right after the stream_connect_pattern()

>> diff --git a/policy/modules/contrib/phpfpm.te
>> b/policy/modules/contrib/phpfpm.te
>> index 2bd30d7..8758c01 100644
>> --- a/policy/modules/contrib/phpfpm.te
>> +++ b/policy/modules/contrib/phpfpm.te
>> @@ -5,6 +5,8 @@
>> # Declarations
>> #
>>
>> +gen_tunable(phpfpm_use_ldap, false)
>> +
>> type phpfpm_t;
>> type phpfpm_exec_t;
>> init_daemon_domain(phpfpm_t, phpfpm_exec_t)
>> @@ -28,7 +30,7 @@ allow phpfpm_t self:process signal;
>> allow phpfpm_t self:capability { setuid setgid kill };
>> allow phpfpm_t self:tcp_socket rw_stream_socket_perms;
>> allow phpfpm_t self:udp_socket connected_socket_perms;
>> -allow phpfpm_t self:unix_stream_socket accept;
>> +allow phpfpm_t self:unix_stream_socket { accept
>> create_stream_socket_perms };
>
> In fedora phpfpm policy, phpfpm is allowed to send messages to syslog.
> the logging send syslog msg() interface provides: allow $1 self:unix_stream_socket create_socket_perms;
> Thus thhe rule above can be: allow phpfpm_t self:unix_stream_socket { accept listen }; instead
>
> It needs listen as far as i know to be able to accept
>
>>
>> manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
>> logging_log_filetrans(phpfpm_t, phpfpm_log_t, file)
>> @@ -38,7 +40,9 @@ manage_dirs_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t)
>> files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, {file dir})
>
>> manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
>> -files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, file)
>> +files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
>> +
>> +manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
>
> This should go just above the files_pid_filetrans()

what do you mean by that? do you mean that this
files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
should be
files_pid_filetrans()
or that this
files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })

manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
should be this, I assume the first one?
files_pid_filetrans()

>
>> kernel_read_kernel_sysctls(phpfpm_t)
>>
>> @@ -48,10 +52,6 @@ corecmd_search_bin(phpfpm_t)
>> corenet_tcp_bind_all_unreserved_ports(phpfpm_t)
>> corenet_tcp_bind_generic_node(phpfpm_t)
>> corenet_tcp_bind_generic_port(phpfpm_t)
>> -# Comment was 'allow ldap connections' -> sysnet_use_ldap ?
>> -# Also, if it was optional because the application optionally does it,
>> perhaps
>> -# introduce a tunable for this? phpfpm_allow_ldap?
>> -corenet_tcp_connect_ldap_port(phpfpm_t)
>>
>> dev_read_rand(phpfpm_t)
>> dev_read_urand(phpfpm_t)
>> @@ -60,6 +60,8 @@ files_read_etc_files(phpfpm_t)
>> files_read_usr_files(phpfpm_t)
>> files_search_var_lib(phpfpm_t)
>>
>> +fs_getattr_xattr_fs(phpfpm_t)
>> +
>> miscfiles_read_localization(phpfpm_t)
>>
>> sysnet_dns_name_resolve(phpfpm_t)
>> @@ -73,10 +75,12 @@ apache_read_sys_content(phpfpm_t)
>> apache_dontaudit_search_modules(phpfpm_t)
>>
>> optional_policy(`
>> + mysql_stream_connect(phpfpm_t)
>> mysql_tcp_connect(phpfpm_t)
>> ')
>>
>> optional_policy(`
>> + postgresql_stream_connect(phpfpm_t)
>> postgresql_tcp_connect(phpfpm_t)
>> ')
>>
>> @@ -84,3 +88,8 @@ optional_policy(`
>> snmp_read_snmp_var_lib_files(phpfpm_t)
>> ')
>>
>> +optional_policy(`
>> + tunable_policy(`phpfpm_use_ldap',`
>> + sysnet_use_ldap(phpfpm_t)
>> + ')
>> +')
>> --
>> 1.7.8.5
>>
>> --
>> -- Matthew Thode
>>
>
> Thanks!
>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>

It was my understanding that my previous patch was accepted. It's fine
if you pull stuff out of this for that, though I think it may be best if
we focus on one module instead of two doing the same thing :D

I've used this policy with postgres (as has another person who may be
commenting) but not mysql.

I'm prometheanfire on irc (freenode) if you want to work on it with me.

--
-- Matthew Thode


2012-09-25 16:37:52

by dominick.grift

Subject: [refpolicy] [PATCH v2] add socket support to phpfpm and switched to sysnet_use_ldap with tunable

On Tue, Sep 25, 2012 at 11:07:28AM -0500, Matthew Thode wrote:
> On 09/25/2012 10:09 AM, Dominick Grift wrote:
> > On Tue, Sep 25, 2012 at 09:42:58AM -0500, Matthew Thode wrote:
> >> Subject: [PATCH] added postgres and mysql socket support along with running
> >> phpfpm on a socket. Also switched to sysnet_use_ldap (with
> >> the default being false for the tunable)
> >
> > This seems to be a patch on a patch.
> >
> > Fedora also has a phpfpm policy module that i will port to contrib soon (maybe tomorrow)
> > When i do that i will probably also take some bits from your patches if you don't mind.
> >
> > I am not sure about the ldap boolean as auth_use_nsswitch() also provides this functionality via the
> > authlogin_nsswitch_use_ldap boolean so it seems reduntant to me.
> >
> > Also have you tried (atleast some) of the database functionality? mysql maybe? I wonder whether mysql_stream_connect() is enough or whether it needs more like writing db sockets or reading mysql config
> >
> > Some comments inline below
> >
> >>
> >> ---
> >> policy/modules/contrib/phpfpm.fc | 2 +-
> >> policy/modules/contrib/phpfpm.if | 18 ++++++++++++++++++
> >> policy/modules/contrib/phpfpm.te | 23 ++++++++++++++++-------
> >> 3 files changed, 35 insertions(+), 8 deletions(-)
> >>
> >> diff --git a/policy/modules/contrib/phpfpm.fc
> >> b/policy/modules/contrib/phpfpm.fc
> >> index 536a5c7..51da02a 100644
> >> --- a/policy/modules/contrib/phpfpm.fc
> >> +++ b/policy/modules/contrib/phpfpm.fc
> >> @@ -1,5 +1,5 @@
> >> /usr/lib(64)?/php.*/bin/php-fpm
> >> gen_context(system_u:object_r:phpfpm_exec_t,s0)
> >> +/var/run/php*-fpm/*.sock
> >> gen_context(system_u:object_r:phpfpm_var_run_t,s0)
> >
> > A sock needs to be specified with -s, so example: "/var/run/php-fpm/.*\.sock -s gen_context(system_u:object_r:phpfpm_var_run_t,s0)"
> >
> > single files need --, dirs need -d, links need -l etc
> >
> >> /var/log/php-fpm.log gen_context(system_u:object_r:phpfpm_log_t,s0)
> >> /var/run/php-fpm.pid gen_context(system_u:object_r:phpfpm_var_run_t,s0)
> >
> > So these two above would need -- since they both single files
> >
>
> updated the file context to the have -s and the like.
>
> >> diff --git a/policy/modules/contrib/phpfpm.if
> >> b/policy/modules/contrib/phpfpm.if
> >> index d9481d9..fee2c17 100644
> >> --- a/policy/modules/contrib/phpfpm.if
> >> +++ b/policy/modules/contrib/phpfpm.if
> >> @@ -28,3 +28,21 @@ interface(`phpfpm_admin',`
> >> files_list_pids($1)
> >> admin_pattern($1, phpfpm_var_run_t)
> >> ')
> >> +
> >> +########################################
> >> +## <summary>
> >> +## Connect to phpfpm using a unix domain stream socket.
> >> +## </summary>
> >> +## <param name="domain">
> >> +## <summary>
> >> +## Domain allowed access.
> >> +## </summary>
> >> +## </param>
> >> +## <rolecap/>
> >> +#
> >> +interface(`phpfpm_stream_connect',`
> >> + gen_require(`
> >> + type phpfpm_t, phpfpm_var_run_t;
> >> + ')
> >> + stream_connect_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t, phpfpm_t)
> >> +')
> >
> > The above could use a files_search_pids($1) so that callers can get to phpfpm_var_run_t
> >
>
> added it right after the stream_connect_pattern()
>
> >> diff --git a/policy/modules/contrib/phpfpm.te
> >> b/policy/modules/contrib/phpfpm.te
> >> index 2bd30d7..8758c01 100644
> >> --- a/policy/modules/contrib/phpfpm.te
> >> +++ b/policy/modules/contrib/phpfpm.te
> >> @@ -5,6 +5,8 @@
> >> # Declarations
> >> #
> >>
> >> +gen_tunable(phpfpm_use_ldap, false)
> >> +
> >> type phpfpm_t;
> >> type phpfpm_exec_t;
> >> init_daemon_domain(phpfpm_t, phpfpm_exec_t)
> >> @@ -28,7 +30,7 @@ allow phpfpm_t self:process signal;
> >> allow phpfpm_t self:capability { setuid setgid kill };
> >> allow phpfpm_t self:tcp_socket rw_stream_socket_perms;
> >> allow phpfpm_t self:udp_socket connected_socket_perms;
> >> -allow phpfpm_t self:unix_stream_socket accept;
> >> +allow phpfpm_t self:unix_stream_socket { accept
> >> create_stream_socket_perms };
> >
> > In fedora phpfpm policy, phpfpm is allowed to send messages to syslog.
> > the logging send syslog msg() interface provides: allow $1 self:unix_stream_socket create_socket_perms;
> > Thus thhe rule above can be: allow phpfpm_t self:unix_stream_socket { accept listen }; instead
> >
> > It needs listen as far as i know to be able to accept
> >
> >>
> >> manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
> >> logging_log_filetrans(phpfpm_t, phpfpm_log_t, file)
> >> @@ -38,7 +40,9 @@ manage_dirs_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t)
> >> files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, {file dir})
> >
> >> manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
> >> -files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, file)
> >> +files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
> >> +
> >> +manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
> >
> > This should go just above the files_pid_filetrans()
>
> what do you mean by that? do you mean that this
> files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
> should be
> files_pid_filetrans()
> or that this
> files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
>
> manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
> should be this, I assume the first one?
> files_pid_filetrans()

Sorry, no, I mean that:

manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)

should be above

files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })

like so:

manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })

minor style issue, nothing too important

>
> >
> >> kernel_read_kernel_sysctls(phpfpm_t)
> >>
> >> @@ -48,10 +52,6 @@ corecmd_search_bin(phpfpm_t)
> >> corenet_tcp_bind_all_unreserved_ports(phpfpm_t)
> >> corenet_tcp_bind_generic_node(phpfpm_t)
> >> corenet_tcp_bind_generic_port(phpfpm_t)
> >> -# Comment was 'allow ldap connections' -> sysnet_use_ldap ?
> >> -# Also, if it was optional because the application optionally does it,
> >> perhaps
> >> -# introduce a tunable for this? phpfpm_allow_ldap?
> >> -corenet_tcp_connect_ldap_port(phpfpm_t)
> >>
> >> dev_read_rand(phpfpm_t)
> >> dev_read_urand(phpfpm_t)
> >> @@ -60,6 +60,8 @@ files_read_etc_files(phpfpm_t)
> >> files_read_usr_files(phpfpm_t)
> >> files_search_var_lib(phpfpm_t)
> >>
> >> +fs_getattr_xattr_fs(phpfpm_t)
> >> +
> >> miscfiles_read_localization(phpfpm_t)
> >>
> >> sysnet_dns_name_resolve(phpfpm_t)
> >> @@ -73,10 +75,12 @@ apache_read_sys_content(phpfpm_t)
> >> apache_dontaudit_search_modules(phpfpm_t)
> >>
> >> optional_policy(`
> >> + mysql_stream_connect(phpfpm_t)
> >> mysql_tcp_connect(phpfpm_t)
> >> ')
> >>
> >> optional_policy(`
> >> + postgresql_stream_connect(phpfpm_t)
> >> postgresql_tcp_connect(phpfpm_t)
> >> ')
> >>
> >> @@ -84,3 +88,8 @@ optional_policy(`
> >> snmp_read_snmp_var_lib_files(phpfpm_t)
> >> ')
> >>
> >> +optional_policy(`
> >> + tunable_policy(`phpfpm_use_ldap',`
> >> + sysnet_use_ldap(phpfpm_t)
> >> + ')
> >> +')
> >> --
> >> 1.7.8.5
> >>
> >> --
> >> -- Matthew Thode
> >>
> >
> > Thanks!
> >
> >> _______________________________________________
> >> refpolicy mailing list
> >> refpolicy at oss.tresys.com
> >> http://oss.tresys.com/mailman/listinfo/refpolicy
> >
> >
> >
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
> >
>
> It was my understanding that my previous patch was accepted. It's fine
> if you pull stuff out of this for that, though I think it may be best if
> we focus on one module instead of two doing the same thing :D
>
> I've used this policy with postgres (as has another person who may be
> commenting) but not mysql.
>
> I'm prometheanfire on irc (freenode) if you want to work on it with me.
>
> --
> -- Matthew Thode
>



> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


2012-09-25 16:43:50

by dominick.grift

Subject: [refpolicy] [PATCH v2] add socket support to phpfpm and switched to sysnet_use_ldap with tunable

On Tue, Sep 25, 2012 at 11:07:28AM -0500, Matthew Thode wrote:
> On 09/25/2012 10:09 AM, Dominick Grift wrote:
> > On Tue, Sep 25, 2012 at 09:42:58AM -0500, Matthew Thode wrote:
> >> Subject: [PATCH] added postgres and mysql socket support along with running
> >> phpfpm on a socket. Also switched to sysnet_use_ldap (with
> >> the default being false for the tunable)
> >
> > This seems to be a patch on a patch.
> >
> > Fedora also has a phpfpm policy module that i will port to contrib soon (maybe tomorrow)
> > When i do that i will probably also take some bits from your patches if you don't mind.
> >
> > I am not sure about the ldap boolean as auth_use_nsswitch() also provides this functionality via the
> > authlogin_nsswitch_use_ldap boolean so it seems reduntant to me.
> >
> > Also have you tried (atleast some) of the database functionality? mysql maybe? I wonder whether mysql_stream_connect() is enough or whether it needs more like writing db sockets or reading mysql config
> >
> > Some comments inline below
> >
> >>
> >> ---
> >> policy/modules/contrib/phpfpm.fc | 2 +-
> >> policy/modules/contrib/phpfpm.if | 18 ++++++++++++++++++
> >> policy/modules/contrib/phpfpm.te | 23 ++++++++++++++++-------
> >> 3 files changed, 35 insertions(+), 8 deletions(-)
> >>
> >> diff --git a/policy/modules/contrib/phpfpm.fc
> >> b/policy/modules/contrib/phpfpm.fc
> >> index 536a5c7..51da02a 100644
> >> --- a/policy/modules/contrib/phpfpm.fc
> >> +++ b/policy/modules/contrib/phpfpm.fc
> >> @@ -1,5 +1,5 @@
> >> /usr/lib(64)?/php.*/bin/php-fpm
> >> gen_context(system_u:object_r:phpfpm_exec_t,s0)
> >> +/var/run/php*-fpm/*.sock
> >> gen_context(system_u:object_r:phpfpm_var_run_t,s0)
> >
> > A sock needs to be specified with -s, so example: "/var/run/php-fpm/.*\.sock -s gen_context(system_u:object_r:phpfpm_var_run_t,s0)"
> >
> > single files need --, dirs need -d, links need -l etc
> >
> >> /var/log/php-fpm.log gen_context(system_u:object_r:phpfpm_log_t,s0)
> >> /var/run/php-fpm.pid gen_context(system_u:object_r:phpfpm_var_run_t,s0)
> >
> > So these two above would need -- since they both single files
> >
>
> updated the file context to the have -s and the like.
>
> >> diff --git a/policy/modules/contrib/phpfpm.if
> >> b/policy/modules/contrib/phpfpm.if
> >> index d9481d9..fee2c17 100644
> >> --- a/policy/modules/contrib/phpfpm.if
> >> +++ b/policy/modules/contrib/phpfpm.if
> >> @@ -28,3 +28,21 @@ interface(`phpfpm_admin',`
> >> files_list_pids($1)
> >> admin_pattern($1, phpfpm_var_run_t)
> >> ')
> >> +
> >> +########################################
> >> +## <summary>
> >> +## Connect to phpfpm using a unix domain stream socket.
> >> +## </summary>
> >> +## <param name="domain">
> >> +## <summary>
> >> +## Domain allowed access.
> >> +## </summary>
> >> +## </param>
> >> +## <rolecap/>
> >> +#
> >> +interface(`phpfpm_stream_connect',`
> >> + gen_require(`
> >> + type phpfpm_t, phpfpm_var_run_t;
> >> + ')
> >> + stream_connect_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t, phpfpm_t)
> >> +')
> >
> > The above could use a files_search_pids($1) so that callers can get to phpfpm_var_run_t
> >
>
> added it right after the stream_connect_pattern()
>
> >> diff --git a/policy/modules/contrib/phpfpm.te
> >> b/policy/modules/contrib/phpfpm.te
> >> index 2bd30d7..8758c01 100644
> >> --- a/policy/modules/contrib/phpfpm.te
> >> +++ b/policy/modules/contrib/phpfpm.te
> >> @@ -5,6 +5,8 @@
> >> # Declarations
> >> #
> >>
> >> +gen_tunable(phpfpm_use_ldap, false)
> >> +
> >> type phpfpm_t;
> >> type phpfpm_exec_t;
> >> init_daemon_domain(phpfpm_t, phpfpm_exec_t)
> >> @@ -28,7 +30,7 @@ allow phpfpm_t self:process signal;
> >> allow phpfpm_t self:capability { setuid setgid kill };
> >> allow phpfpm_t self:tcp_socket rw_stream_socket_perms;
> >> allow phpfpm_t self:udp_socket connected_socket_perms;
> >> -allow phpfpm_t self:unix_stream_socket accept;
> >> +allow phpfpm_t self:unix_stream_socket { accept
> >> create_stream_socket_perms };
> >
> > In fedora phpfpm policy, phpfpm is allowed to send messages to syslog.
> > the logging send syslog msg() interface provides: allow $1 self:unix_stream_socket create_socket_perms;
> > Thus thhe rule above can be: allow phpfpm_t self:unix_stream_socket { accept listen }; instead
> >
> > It needs listen as far as i know to be able to accept
> >
> >>
> >> manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
> >> logging_log_filetrans(phpfpm_t, phpfpm_log_t, file)
> >> @@ -38,7 +40,9 @@ manage_dirs_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t)
> >> files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, {file dir})
> >
> >> manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
> >> -files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, file)
> >> +files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
> >> +
> >> +manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
> >
> > This should go just above the files_pid_filetrans()
>
> what do you mean by that? do you mean that this
> files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
> should be
> files_pid_filetrans()
> or that this
> files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
>
> manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
> should be this, I assume the first one?
> files_pid_filetrans()

In this case you can even make it more efficient like so:

allow phpfpm_t phpfpm_var_run_t:file manage_file_perms;
allow phpfpm_t phpfpm_var_run_t:sock_file manage_sock_file_perms;
files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })

because there are no phpfpm_var_run_t directories involved
so the patterns you used above are a little too coarse (they add rules that do not apply here)

These days we focus more and more on writing policy efficiently.
This is to keep the policy footprint as small as possible and thereby performance as optimal as possible


>
> >
> >> kernel_read_kernel_sysctls(phpfpm_t)
> >>
> >> @@ -48,10 +52,6 @@ corecmd_search_bin(phpfpm_t)
> >> corenet_tcp_bind_all_unreserved_ports(phpfpm_t)
> >> corenet_tcp_bind_generic_node(phpfpm_t)
> >> corenet_tcp_bind_generic_port(phpfpm_t)
> >> -# Comment was 'allow ldap connections' -> sysnet_use_ldap ?
> >> -# Also, if it was optional because the application optionally does it,
> >> perhaps
> >> -# introduce a tunable for this? phpfpm_allow_ldap?
> >> -corenet_tcp_connect_ldap_port(phpfpm_t)
> >>
> >> dev_read_rand(phpfpm_t)
> >> dev_read_urand(phpfpm_t)
> >> @@ -60,6 +60,8 @@ files_read_etc_files(phpfpm_t)
> >> files_read_usr_files(phpfpm_t)
> >> files_search_var_lib(phpfpm_t)
> >>
> >> +fs_getattr_xattr_fs(phpfpm_t)
> >> +
> >> miscfiles_read_localization(phpfpm_t)
> >>
> >> sysnet_dns_name_resolve(phpfpm_t)
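Review bot: `fs_getattr_xattr_fs(phpfpm_t)` is added without any explanation: the commit description covers socket support and the LDAP tunable, and nothing in the hunk says what needs getattr on the xattr filesystem. A one-line comment above it naming the operation that triggers the access, or a sentence in the description, would stop the next reader from treating it as a leftover from a broader denial dump. The quoted copies of this hunk later in the thread are the same.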
> >> @@ -73,10 +75,12 @@ apache_read_sys_content(phpfpm_t)
> >> apache_dontaudit_search_modules(phpfpm_t)
> >>
> >> optional_policy(`
> >> + mysql_stream_connect(phpfpm_t)
> >> mysql_tcp_connect(phpfpm_t)
> >> ')
> >>
> >> optional_policy(`
> >> + postgresql_stream_connect(phpfpm_t)
> >> postgresql_tcp_connect(phpfpm_t)
> >> ')
> >>
> >> @@ -84,3 +88,8 @@ optional_policy(`
> >> snmp_read_snmp_var_lib_files(phpfpm_t)
> >> ')
> >>
> >> +optional_policy(`
> >> + tunable_policy(`phpfpm_use_ldap',`
> >> + sysnet_use_ldap(phpfpm_t)
> >> + ')
> >> +')
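Review bot: `sysnet_use_ldap(phpfpm_t)` is wrapped in `optional_policy()` while `sysnet_dns_name_resolve(phpfpm_t)` earlier in the same file is called unconditionally; sysnetwork is a base system module this file already depends on, so the wrapper only adds a nesting level and is inconsistent with the existing call. Drop the surrounding `optional_policy(` … `')` pair and keep only the three-line `tunable_policy(...)` block. The two later quoted copies of this `@@ -84,3 +88,8 @@` hunk carry the same nesting.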
> >> --
> >> 1.7.8.5
> >>
> >> --
> >> -- Matthew Thode
> >>
> >
> > Thanks!
> >
> >
> >
> >
> >
>
> It was my understanding that my previous patch was accepted. It's fine
> if you pull stuff out of this for that, though I think it may be best if
> we focus on one module instead of two doing the same thing :D
>
> I've used this policy with postgres (as has another person who may be
> commenting) but not mysql.
>
> I'm prometheanfire on irc (freenode) if you want to work on it with me.
>
> --
> -- Matthew Thode
>





2012-09-25 20:21:49

by Matthew Thode

Subject: [refpolicy] [PATCH v2] add socket support to phpfpm and switched to sysnet_use_ldap with tunable

On 09/25/2012 11:43 AM, Dominick Grift wrote:
> On Tue, Sep 25, 2012 at 11:07:28AM -0500, Matthew Thode wrote:
>> On 09/25/2012 10:09 AM, Dominick Grift wrote:
>>> On Tue, Sep 25, 2012 at 09:42:58AM -0500, Matthew Thode wrote:
>>>> Subject: [PATCH] added postgres and mysql socket support along with running
>>>> phpfpm on a socket. Also switched to sysnet_use_ldap (with
>>>> the default being false for the tunable)
>>>
>>> This seems to be a patch on a patch.
>>>
>>> Fedora also has a phpfpm policy module that i will port to contrib soon (maybe tomorrow)
>>> When i do that i will probably also take some bits from your patches if you don't mind.
>>>
>>> I am not sure about the ldap boolean as auth_use_nsswitch() also provides this functionality via the
>>> authlogin_nsswitch_use_ldap boolean so it seems redundant to me.
>>>
>>> Also have you tried (at least some) of the database functionality? mysql maybe? I wonder whether mysql_stream_connect() is enough or whether it needs more like writing db sockets or reading mysql config
>>>
>>> Some comments inline below
>>>
>>>>
>>>> ---
>>>> policy/modules/contrib/phpfpm.fc | 2 +-
>>>> policy/modules/contrib/phpfpm.if | 18 ++++++++++++++++++
>>>> policy/modules/contrib/phpfpm.te | 23 ++++++++++++++++-------
>>>> 3 files changed, 35 insertions(+), 8 deletions(-)
>>>>
>>>> diff --git a/policy/modules/contrib/phpfpm.fc
>>>> b/policy/modules/contrib/phpfpm.fc
>>>> index 536a5c7..51da02a 100644
>>>> --- a/policy/modules/contrib/phpfpm.fc
>>>> +++ b/policy/modules/contrib/phpfpm.fc
>>>> @@ -1,5 +1,5 @@
>>>> /usr/lib(64)?/php.*/bin/php-fpm
>>>> gen_context(system_u:object_r:phpfpm_exec_t,s0)
>>>> +/var/run/php*-fpm/*.sock
>>>> gen_context(system_u:object_r:phpfpm_var_run_t,s0)
>>>
>>> A sock needs to be specified with -s, so example: "/var/run/php-fpm/.*\.sock -s gen_context(system_u:object_r:phpfpm_var_run_t,s0)"
>>>
>>> single files need --, dirs need -d, links need -l etc
>>>
>>>> /var/log/php-fpm.log gen_context(system_u:object_r:phpfpm_log_t,s0)
>>>> /var/run/php-fpm.pid gen_context(system_u:object_r:phpfpm_var_run_t,s0)
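Review bot: `/var/run/php*-fpm/*.sock` in the added entry is interpreted as a regular expression, not a shell glob: `php*` quantifies only the final `p` (so a directory named `php5-fpm` never matches) and `/*.sock` matches any single character before `sock` rather than a `.sock` suffix. Write it as a regex with the socket specifier, e.g. `/var/run/php[^/]*-fpm/[^/]*\.sock -s gen_context(system_u:object_r:phpfpm_var_run_t,s0)` on a single line in the .fc file (the mail wrap split the entry across two lines here). The quoted copy of this hunk in the last message has the same pattern.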
>>>
>>> So these two above would need -- since they both single files
>>>
>>
>> updated the file context to have -s and the like.
>>
>>>> diff --git a/policy/modules/contrib/phpfpm.if
>>>> b/policy/modules/contrib/phpfpm.if
>>>> index d9481d9..fee2c17 100644
>>>> --- a/policy/modules/contrib/phpfpm.if
>>>> +++ b/policy/modules/contrib/phpfpm.if
>>>> @@ -28,3 +28,21 @@ interface(`phpfpm_admin',`
>>>> files_list_pids($1)
>>>> admin_pattern($1, phpfpm_var_run_t)
>>>> ')
>>>> +
>>>> +########################################
>>>> +## <summary>
>>>> +## Connect to phpfpm using a unix domain stream socket.
>>>> +## </summary>
>>>> +## <param name="domain">
>>>> +## <summary>
>>>> +## Domain allowed access.
>>>> +## </summary>
>>>> +## </param>
>>>> +## <rolecap/>
>>>> +#
>>>> +interface(`phpfpm_stream_connect',`
>>>> + gen_require(`
>>>> + type phpfpm_t, phpfpm_var_run_t;
>>>> + ')
>>>> + stream_connect_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t, phpfpm_t)
>>>> +')
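Review bot: `## <rolecap/>` on `phpfpm_stream_connect` looks misplaced: elsewhere in refpolicy that tag marks an interface as a role capability offered to user roles (the `*_run`-style interfaces), and a unix-stream connect interface called from other daemon domains is not one, so the generated interface documentation would list it in the wrong category. Drop the `## <rolecap/>` line. The quoted copy of this hunk in the last message carries the same tag.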
>>>
>>> The above could use a files_search_pids($1) so that callers can get to phpfpm_var_run_t
>>>
>>
>> added it right after the stream_connect_pattern()
>>
>>>> diff --git a/policy/modules/contrib/phpfpm.te
>>>> b/policy/modules/contrib/phpfpm.te
>>>> index 2bd30d7..8758c01 100644
>>>> --- a/policy/modules/contrib/phpfpm.te
>>>> +++ b/policy/modules/contrib/phpfpm.te
>>>> @@ -5,6 +5,8 @@
>>>> # Declarations
>>>> #
>>>>
>>>> +gen_tunable(phpfpm_use_ldap, false)
>>>> +
>>>> type phpfpm_t;
>>>> type phpfpm_exec_t;
>>>> init_daemon_domain(phpfpm_t, phpfpm_exec_t)
>>>> @@ -28,7 +30,7 @@ allow phpfpm_t self:process signal;
>>>> allow phpfpm_t self:capability { setuid setgid kill };
>>>> allow phpfpm_t self:tcp_socket rw_stream_socket_perms;
>>>> allow phpfpm_t self:udp_socket connected_socket_perms;
>>>> -allow phpfpm_t self:unix_stream_socket accept;
>>>> +allow phpfpm_t self:unix_stream_socket { accept
>>>> create_stream_socket_perms };
>>>
>>> In fedora phpfpm policy, phpfpm is allowed to send messages to syslog.
>>> the logging send syslog msg() interface provides: allow $1 self:unix_stream_socket create_socket_perms;
>>> Thus the rule above can be: allow phpfpm_t self:unix_stream_socket { accept listen }; instead
>>>
>>> It needs listen as far as i know to be able to accept
>>>
>>>>
>>>> manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
>>>> logging_log_filetrans(phpfpm_t, phpfpm_log_t, file)
>>>> @@ -38,7 +40,9 @@ manage_dirs_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t)
>>>> files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, {file dir})
>>>
>>>> manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
>>>> -files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, file)
>>>> +files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
>>>> +
>>>> +manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
>>>
>>> This should go just above the files_pid_filetrans()
>>
>> what do you mean by that? do you mean that this
>> files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
>> should be
>> files_pid_filetrans()
>> or that this
>> files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
>>
>> manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
>> should be this, I assume the first one?
>> files_pid_filetrans()
>
> In this case you can even make it more efficient like so:
>
> allow phpfpm_t phpfpm_var_run_t:file manage_file_perms;
> allow phpfpm_t phpfpm_var_run_t:sock_file manage_sock_file_perms;
> files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
>
> because there are no phpfpm_var_run_t directories involved
> so the patterns you used above are a little too coarse (they add rules that do not apply here)
>
> These days we focus more and more on writing policy efficiently.
> This is to keep the policy footprint as small as possible and thereby performance as optimal as possible
>
>
>>
>>>
>>>> kernel_read_kernel_sysctls(phpfpm_t)
>>>>
>>>> @@ -48,10 +52,6 @@ corecmd_search_bin(phpfpm_t)
>>>> corenet_tcp_bind_all_unreserved_ports(phpfpm_t)
>>>> corenet_tcp_bind_generic_node(phpfpm_t)
>>>> corenet_tcp_bind_generic_port(phpfpm_t)
>>>> -# Comment was 'allow ldap connections' -> sysnet_use_ldap ?
>>>> -# Also, if it was optional because the application optionally does it,
>>>> perhaps
>>>> -# introduce a tunable for this? phpfpm_allow_ldap?
>>>> -corenet_tcp_connect_ldap_port(phpfpm_t)
>>>>
>>>> dev_read_rand(phpfpm_t)
>>>> dev_read_urand(phpfpm_t)
>>>> @@ -60,6 +60,8 @@ files_read_etc_files(phpfpm_t)
>>>> files_read_usr_files(phpfpm_t)
>>>> files_search_var_lib(phpfpm_t)
>>>>
>>>> +fs_getattr_xattr_fs(phpfpm_t)
>>>> +
>>>> miscfiles_read_localization(phpfpm_t)
>>>>
>>>> sysnet_dns_name_resolve(phpfpm_t)
>>>> @@ -73,10 +75,12 @@ apache_read_sys_content(phpfpm_t)
>>>> apache_dontaudit_search_modules(phpfpm_t)
>>>>
>>>> optional_policy(`
>>>> + mysql_stream_connect(phpfpm_t)
>>>> mysql_tcp_connect(phpfpm_t)
>>>> ')
>>>>
>>>> optional_policy(`
>>>> + postgresql_stream_connect(phpfpm_t)
>>>> postgresql_tcp_connect(phpfpm_t)
>>>> ')
>>>>
>>>> @@ -84,3 +88,8 @@ optional_policy(`
>>>> snmp_read_snmp_var_lib_files(phpfpm_t)
>>>> ')
>>>>
>>>> +optional_policy(`
>>>> + tunable_policy(`phpfpm_use_ldap',`
>>>> + sysnet_use_ldap(phpfpm_t)
>>>> + ')
>>>> +')
>>>> --
>>>> 1.7.8.5
>>>>
>>>> --
>>>> -- Matthew Thode
>>>>
>>>
>>> Thanks!
>>>
>>>
>>>
>>>
>>>
>>
>> It was my understanding that my previous patch was accepted. It's fine
>> if you pull stuff out of this for that, though I think it may be best if
>> we focus on one module instead of two doing the same thing :D
>>
>> I've used this policy with postgres (as has another person who may be
>> commenting) but not mysql.
>>
>> I'm prometheanfire on irc (freenode) if you want to work on it with me.
>>
>> --
>> -- Matthew Thode
>>
>
>
>
>
>
>
>
Ok, and how about working on this together?

--
-- Matthew Thode


2012-09-25 21:02:44

by dominick.grift

Subject: [refpolicy] [PATCH v2] add socket support to phpfpm and switched to sysnet_use_ldap with tunable

On Tue, Sep 25, 2012 at 03:21:49PM -0500, Matthew Thode wrote:
> On 09/25/2012 11:43 AM, Dominick Grift wrote:
> > On Tue, Sep 25, 2012 at 11:07:28AM -0500, Matthew Thode wrote:
> >> On 09/25/2012 10:09 AM, Dominick Grift wrote:
> >>> On Tue, Sep 25, 2012 at 09:42:58AM -0500, Matthew Thode wrote:
> >>>> Subject: [PATCH] added postgres and mysql socket support along with running
> >>>> phpfpm on a socket. Also switched to sysnet_use_ldap (with
> >>>> the default being false for the tunable)
> >>>
> >>> This seems to be a patch on a patch.
> >>>
> >>> Fedora also has a phpfpm policy module that i will port to contrib soon (maybe tomorrow)
> >>> When i do that i will probably also take some bits from your patches if you don't mind.
> >>>
> >>> I am not sure about the ldap boolean as auth_use_nsswitch() also provides this functionality via the
> >>> authlogin_nsswitch_use_ldap boolean so it seems redundant to me.
> >>>
> >>> Also have you tried (at least some) of the database functionality? mysql maybe? I wonder whether mysql_stream_connect() is enough or whether it needs more like writing db sockets or reading mysql config
> >>>
> >>> Some comments inline below
> >>>
> >>>>
> >>>> ---
> >>>> policy/modules/contrib/phpfpm.fc | 2 +-
> >>>> policy/modules/contrib/phpfpm.if | 18 ++++++++++++++++++
> >>>> policy/modules/contrib/phpfpm.te | 23 ++++++++++++++++-------
> >>>> 3 files changed, 35 insertions(+), 8 deletions(-)
> >>>>
> >>>> diff --git a/policy/modules/contrib/phpfpm.fc
> >>>> b/policy/modules/contrib/phpfpm.fc
> >>>> index 536a5c7..51da02a 100644
> >>>> --- a/policy/modules/contrib/phpfpm.fc
> >>>> +++ b/policy/modules/contrib/phpfpm.fc
> >>>> @@ -1,5 +1,5 @@
> >>>> /usr/lib(64)?/php.*/bin/php-fpm
> >>>> gen_context(system_u:object_r:phpfpm_exec_t,s0)
> >>>> +/var/run/php*-fpm/*.sock
> >>>> gen_context(system_u:object_r:phpfpm_var_run_t,s0)
> >>>
> >>> A sock needs to be specified with -s, so example: "/var/run/php-fpm/.*\.sock -s gen_context(system_u:object_r:phpfpm_var_run_t,s0)"
> >>>
> >>> single files need --, dirs need -d, links need -l etc
> >>>
> >>>> /var/log/php-fpm.log gen_context(system_u:object_r:phpfpm_log_t,s0)
> >>>> /var/run/php-fpm.pid gen_context(system_u:object_r:phpfpm_var_run_t,s0)
> >>>
> >>> So these two above would need -- since they both single files
> >>>
> >>
> >> updated the file context to have -s and the like.
> >>
> >>>> diff --git a/policy/modules/contrib/phpfpm.if
> >>>> b/policy/modules/contrib/phpfpm.if
> >>>> index d9481d9..fee2c17 100644
> >>>> --- a/policy/modules/contrib/phpfpm.if
> >>>> +++ b/policy/modules/contrib/phpfpm.if
> >>>> @@ -28,3 +28,21 @@ interface(`phpfpm_admin',`
> >>>> files_list_pids($1)
> >>>> admin_pattern($1, phpfpm_var_run_t)
> >>>> ')
> >>>> +
> >>>> +########################################
> >>>> +## <summary>
> >>>> +## Connect to phpfpm using a unix domain stream socket.
> >>>> +## </summary>
> >>>> +## <param name="domain">
> >>>> +## <summary>
> >>>> +## Domain allowed access.
> >>>> +## </summary>
> >>>> +## </param>
> >>>> +## <rolecap/>
> >>>> +#
> >>>> +interface(`phpfpm_stream_connect',`
> >>>> + gen_require(`
> >>>> + type phpfpm_t, phpfpm_var_run_t;
> >>>> + ')
> >>>> + stream_connect_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t, phpfpm_t)
> >>>> +')
> >>>
> >>> The above could use a files_search_pids($1) so that callers can get to phpfpm_var_run_t
> >>>
> >>
> >> added it right after the stream_connect_pattern()
> >>
> >>>> diff --git a/policy/modules/contrib/phpfpm.te
> >>>> b/policy/modules/contrib/phpfpm.te
> >>>> index 2bd30d7..8758c01 100644
> >>>> --- a/policy/modules/contrib/phpfpm.te
> >>>> +++ b/policy/modules/contrib/phpfpm.te
> >>>> @@ -5,6 +5,8 @@
> >>>> # Declarations
> >>>> #
> >>>>
> >>>> +gen_tunable(phpfpm_use_ldap, false)
> >>>> +
> >>>> type phpfpm_t;
> >>>> type phpfpm_exec_t;
> >>>> init_daemon_domain(phpfpm_t, phpfpm_exec_t)
> >>>> @@ -28,7 +30,7 @@ allow phpfpm_t self:process signal;
> >>>> allow phpfpm_t self:capability { setuid setgid kill };
> >>>> allow phpfpm_t self:tcp_socket rw_stream_socket_perms;
> >>>> allow phpfpm_t self:udp_socket connected_socket_perms;
> >>>> -allow phpfpm_t self:unix_stream_socket accept;
> >>>> +allow phpfpm_t self:unix_stream_socket { accept
> >>>> create_stream_socket_perms };
> >>>
> >>> In fedora phpfpm policy, phpfpm is allowed to send messages to syslog.
> >>> the logging send syslog msg() interface provides: allow $1 self:unix_stream_socket create_socket_perms;
> >>> Thus the rule above can be: allow phpfpm_t self:unix_stream_socket { accept listen }; instead
> >>>
> >>> It needs listen as far as i know to be able to accept
> >>>
> >>>>
> >>>> manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
> >>>> logging_log_filetrans(phpfpm_t, phpfpm_log_t, file)
> >>>> @@ -38,7 +40,9 @@ manage_dirs_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t)
> >>>> files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, {file dir})
> >>>
> >>>> manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
> >>>> -files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, file)
> >>>> +files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
> >>>> +
> >>>> +manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
> >>>
> >>> This should go just above the files_pid_filetrans()
> >>
> >> what do you mean by that? do you mean that this
> >> files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
> >> should be
> >> files_pid_filetrans()
> >> or that this
> >> files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
> >>
> >> manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
> >> should be this, I assume the first one?
> >> files_pid_filetrans()
> >
> > In this case you can even make it more efficient like so:
> >
> > allow phpfpm_t phpfpm_var_run_t:file manage_file_perms;
> > allow phpfpm_t phpfpm_var_run_t:sock_file manage_sock_file_perms;
> > files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
> >
> > because there are no phpfpm_var_run_t directories involved
> > so the patterns you used above are a little too coarse (they add rules that do not apply here)
> >
> > These days we focus more and more on writing policy efficiently.
> > This is to keep the policy footprint as small as possible and thereby performance as optimal as possible
> >
> >
> >>
> >>>
> >>>> kernel_read_kernel_sysctls(phpfpm_t)
> >>>>
> >>>> @@ -48,10 +52,6 @@ corecmd_search_bin(phpfpm_t)
> >>>> corenet_tcp_bind_all_unreserved_ports(phpfpm_t)
> >>>> corenet_tcp_bind_generic_node(phpfpm_t)
> >>>> corenet_tcp_bind_generic_port(phpfpm_t)
> >>>> -# Comment was 'allow ldap connections' -> sysnet_use_ldap ?
> >>>> -# Also, if it was optional because the application optionally does it,
> >>>> perhaps
> >>>> -# introduce a tunable for this? phpfpm_allow_ldap?
> >>>> -corenet_tcp_connect_ldap_port(phpfpm_t)
> >>>>
> >>>> dev_read_rand(phpfpm_t)
> >>>> dev_read_urand(phpfpm_t)
> >>>> @@ -60,6 +60,8 @@ files_read_etc_files(phpfpm_t)
> >>>> files_read_usr_files(phpfpm_t)
> >>>> files_search_var_lib(phpfpm_t)
> >>>>
> >>>> +fs_getattr_xattr_fs(phpfpm_t)
> >>>> +
> >>>> miscfiles_read_localization(phpfpm_t)
> >>>>
> >>>> sysnet_dns_name_resolve(phpfpm_t)
> >>>> @@ -73,10 +75,12 @@ apache_read_sys_content(phpfpm_t)
> >>>> apache_dontaudit_search_modules(phpfpm_t)
> >>>>
> >>>> optional_policy(`
> >>>> + mysql_stream_connect(phpfpm_t)
> >>>> mysql_tcp_connect(phpfpm_t)
> >>>> ')
> >>>>
> >>>> optional_policy(`
> >>>> + postgresql_stream_connect(phpfpm_t)
> >>>> postgresql_tcp_connect(phpfpm_t)
> >>>> ')
> >>>>
> >>>> @@ -84,3 +88,8 @@ optional_policy(`
> >>>> snmp_read_snmp_var_lib_files(phpfpm_t)
> >>>> ')
> >>>>
> >>>> +optional_policy(`
> >>>> + tunable_policy(`phpfpm_use_ldap',`
> >>>> + sysnet_use_ldap(phpfpm_t)
> >>>> + ')
> >>>> +')
> >>>> --
> >>>> 1.7.8.5
> >>>>
> >>>> --
> >>>> -- Matthew Thode
> >>>>
> >>>
> >>> Thanks!
> >>>
> >>>
> >>>
> >>>
> >>>
> >>
> >> It was my understanding that my previous patch was accepted. It's fine
> >> if you pull stuff out of this for that, though I think it may be best if
> >> we focus on one module instead of two doing the same thing :D
> >>
> >> I've used this policy with postgres (as has another person who may be
> >> commenting) but not mysql.
> >>
> >> I'm prometheanfire on irc (freenode) if you want to work on it with me.
> >>
> >> --
> >> -- Matthew Thode
> >>
> >
> >
> >
> >
> >
> >
> >
> Ok, and how about working on this together?

I contacted you on irc
>
> --
> -- Matthew Thode
>



