From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 22 Nov 2011 20:22:24 +0100
Subject: [refpolicy] php-fpm policy
In-Reply-To: <86F5FCC8-C379-450B-9CB9-A73E42018349@mthode.org>
References: <86F5FCC8-C379-450B-9CB9-A73E42018349@mthode.org>
Message-ID: <20111122192223.GA4416@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Nov 11, 2011 at 11:57:44AM -0600, Matt Thode wrote:
> It may need a little bit of work as far as what permissions it needs on apache (I think it needs rw access to apache).
> Some of the optional stuff may need to be fleshed out (different connect options and the like).

Apart from the coding style itself, a few remarks that I had at the first skim through the policy...

The use of apache_manage_sys_content() seems wrong in my opinion. PHP-FPM is a parser which should have read access. The moment it needs to write stuff as well, that "stuff" should be labeled appropriately (either http_sys_rw_content_t, or create a type like httpd_squirrelmail_t did).

I also am not clear on why you have the following:

    #allow search on /usr/include/netipx (I don't know if this is really necessary)
    userdom_search_user_home_dirs(phpfpm_t)

Seems that the comment doesn't match the policy, and I think the policy is a result of trying stuff out while you were located in someone's $HOME (in which case, just by getting the current working directory, most applications have "search" done although not needed).

Wkr,
  Sven Vermeulen
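As an added illustration (not part of this thread or of the posted php-fpm module), the following refpolicy .te fragment contrasts the blanket manage access being criticised with the read-only-plus-labelled-writes split Sven describes; the module header and domain setup are hypothetical, and apache_manage_sys_rw_content() and userdom_dontaudit_search_user_home_dirs() are assumed interface names, not taken from the page.

```selinux
policy_module(phpfpm, 0.1)   # hypothetical module header for this illustration

type phpfpm_t;
type phpfpm_exec_t;
init_daemon_domain(phpfpm_t, phpfpm_exec_t)

########################################
# Web content access
#
# Rejected form (what the review objects to): the parser domain gets
# create/write/delete on every file labelled httpd_sys_content_t, so a
# compromised PHP worker can rewrite any served script.
#
#   apache_manage_sys_content(phpfpm_t)

# Preferred form: scripts and static content are read-only for the parser ...
apache_read_sys_content(phpfpm_t)

# ... and writes are confined to files the administrator has explicitly
# labelled writable (httpd_sys_rw_content_t), e.g. an upload or cache dir.
# Assumed interface name; the page itself only names the type.
apache_manage_sys_rw_content(phpfpm_t)

########################################
# Home directories
#
# The original module carried a misleading comment above an allow rule for
# searching user home directories. If the only trigger was a cwd lookup
# while the daemon was started from someone's $HOME, the denial is noise,
# not a needed permission: silence it instead of granting it.
# Assumed interface name.
userdom_dontaudit_search_user_home_dirs(phpfpm_t)
```

Checking the result after a build with `sesearch -A -s phpfpm_t -t httpd_sys_content_t -p write` should return nothing, while the same query against httpd_sys_rw_content_t should show the write permissions.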