From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 26 Dec 2011 15:41:10 +0100
Subject: [refpolicy] php-fpm policy
In-Reply-To: <20111122192223.GA4416@siphos.be>
References: <86F5FCC8-C379-450B-9CB9-A73E42018349@mthode.org> <20111122192223.GA4416@siphos.be>
Message-ID: <20111226144109.GA11737@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Nov 22, 2011 at 08:22:24PM +0100, Sven Vermeulen wrote:
> The use of apache_manage_sys_content() seems wrong in my opinion. PHP-FPM is
> a parser which should have read access. The moment it needs to write stuff
> as well, that "stuff" should be labeled appropriately (either
> http_sys_rw_content_t, or create a type like httpd_squirrelmail_t did).

Been looking at this thing a bit more closely; shouldn't we include an
interface apache_rw_sys_rw_content, which offers read/write access to the
httpd_sys_rw_content_t type? Using apache_manage_sys_content also provides
read/write access to the regular httpd_sys_content_t, whereas we would need
to use this on httpd_sys_rw_content_t only.

Another approach would be to use attributes to differentiate between the
regular ("httpdcontent"), ra ("httpd_ra_content") and rw ("httpd_rw_content")
file types in use by the various apache-related domains, and then use those
attributes to provide the necessary accesses, like:

  apache_manage_all_content --> httpdcontent (which is already in place)
  apache_manage_ra_content  --> httpd_ra_content
  apache_manage_rw_content  --> httpd_rw_content

Any thoughts on this?

Wkr,
	Sven Vermeulen
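A sketch of the two proposals above in refpolicy interface syntax, added here as an illustration and not taken from the thread or from refpolicy itself: the interface names come from the message, the *_pattern macros and gen_require are refpolicy's own support macros, and the attribute-based variant assumes that apache.te declares the httpd_rw_content attribute and assigns httpd_sys_rw_content_t to it.

```m4
########################################
## <summary>
##	Read and write Apache system content labeled httpd_sys_rw_content_t,
##	without also granting write access to the regular httpd_sys_content_t
##	the way apache_manage_sys_content() does.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access (for example a PHP-FPM domain).
##	</summary>
## </param>
#
interface(`apache_rw_sys_rw_content',`
	gen_require(`
		type httpd_sys_rw_content_t;
	')

	# Only the rw-labeled type is touched; directory listing is needed
	# so the domain can reach the files, but no create/unlink is granted.
	list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	rw_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
')

########################################
## <summary>
##	Attribute-based variant: manage every content type that carries the
##	httpd_rw_content attribute. Assumes apache.te contains
##	"attribute httpd_rw_content;" and
##	"typeattribute httpd_sys_rw_content_t httpd_rw_content;".
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_manage_rw_content',`
	gen_require(`
		attribute httpd_rw_content;
	')

	# Attributes may stand in for types in the pattern macros, so any type
	# later added to httpd_rw_content is covered without touching callers.
	manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
	manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
	manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
')
```

The first interface keeps PHP-FPM's write scope to the single rw type; the second trades that precision for less churn when new rw-labeled content types are introduced.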