From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 26 Jun 2012 09:29:08 -0400
Subject: [refpolicy] [PATCH v3 2/3] Introducing phpfpm_t domain
In-Reply-To: <20120624110853.GC995@siphos.be>
References: <20120624110736.GA995@siphos.be> <20120624110853.GC995@siphos.be>
Message-ID: <4FE9B924.7000401@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/24/12 07:08, Sven Vermeulen wrote:
> The PHP FastCGI Process Manager is a standalone daemon capable of handling web
> content and is specifically targeting high-traffic, dynamic sites.
>
> Since it too is a web server, it needs access to the various http content types
> as declared through the apache module.
>
> Signed-off-by: Sven Vermeulen
> ---
> phpfpm.fc | 5 +++
> phpfpm.if | 30 +++++++++++++++++++++
> phpfpm.te | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 121 insertions(+), 0 deletions(-)
> create mode 100644 phpfpm.fc
> create mode 100644 phpfpm.if
> create mode 100644 phpfpm.te
>
> diff --git a/phpfpm.te b/phpfpm.te
> new file mode 100644
> index 0000000..2bd30d7
> --- /dev/null
> +++ b/phpfpm.te
> @@ -0,0 +1,86 @@ > +policy_module(phpfpm, 1.0) > + > +####################################### > +# > +# Declarations > +# > + > +type phpfpm_t; > +type phpfpm_exec_t; > +init_daemon_domain(phpfpm_t, phpfpm_exec_t) > + > +type phpfpm_tmp_t; > +files_tmp_file(phpfpm_tmp_t) > + > +type phpfpm_var_run_t; > +files_pid_file(phpfpm_var_run_t) > + > +type phpfpm_log_t; > +logging_log_file(phpfpm_log_t) > + > +####################################### > +# > +# Local policy > +# > + > + > +allow phpfpm_t self:process signal; > +allow phpfpm_t self:capability { setuid setgid kill }; > +allow phpfpm_t self:tcp_socket rw_stream_socket_perms; > +allow phpfpm_t self:udp_socket connected_socket_perms; > +allow phpfpm_t self:unix_stream_socket accept; > + > +manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t) > +logging_log_filetrans(phpfpm_t, phpfpm_log_t, file) > + > +manage_files_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t) > +manage_dirs_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t) > +files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, {file dir}) > + > +manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t) > +files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, file) > + > +kernel_read_kernel_sysctls(phpfpm_t) > + > +corecmd_read_bin_symlinks(phpfpm_t) > +corecmd_search_bin(phpfpm_t) > + > +corenet_tcp_bind_all_unreserved_ports(phpfpm_t) > +corenet_tcp_bind_generic_node(phpfpm_t) > +corenet_tcp_bind_generic_port(phpfpm_t) This is a lot of binding. This can't be narrowed further? > +# Comment was 'allow ldap connections' -> sysnet_use_ldap ? > +# Also, if it was optional because the application optionally does it, perhaps > +# introduce a tunable for this? phpfpm_allow_ldap? > +corenet_tcp_connect_ldap_port(phpfpm_t) I'm undecided on this; either way can work. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
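Review bot: the three bind rules (`corenet_tcp_bind_all_unreserved_ports`, `corenet_tcp_bind_generic_node`, `corenet_tcp_bind_generic_port`) let phpfpm_t listen on any unreserved port as well as on the generic port type, which is much wider than the single FastCGI listener the daemon needs; declaring a dedicated port type for it in corenetwork (via `network_port`) and binding only to that, while keeping `corenet_tcp_bind_generic_node`, would scope the policy to the configured listener. Separately, the two `#` comments placed before `corenet_tcp_connect_ldap_port(phpfpm_t)` are open questions rather than policy documentation and should be resolved before merge: either call `sysnet_use_ldap(phpfpm_t)` inside an `optional_policy` block as the comment itself suggests, or, if LDAP use is optional, declare a boolean with `gen_tunable` and wrap the call in `tunable_policy`.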