From: mthode@mthode.org (Matthew Thode) Date: Tue, 25 Sep 2012 09:42:58 -0500 Subject: [refpolicy] [PATCH v2] add socket support to phpfpm and switched to sysnet_use_ldap with tunable Message-ID: <5061C2F2.1050900@mthode.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Subject: [PATCH] added postgres and mysql socket support along with running phpfpm on a socket. Also switched to sysnet_use_ldap (with the default being false for the tunable)
---
 policy/modules/contrib/phpfpm.fc | 2 +-
 policy/modules/contrib/phpfpm.if | 18 ++++++++++++++++++
 policy/modules/contrib/phpfpm.te | 23 ++++++++++++++++-------
 3 files changed, 35 insertions(+), 8 deletions(-)
diff --git a/policy/modules/contrib/phpfpm.fc b/policy/modules/contrib/phpfpm.fc
index 536a5c7..51da02a 100644
--- a/policy/modules/contrib/phpfpm.fc
+++ b/policy/modules/contrib/phpfpm.fc
@@ -1,5 +1,5 @@
 /usr/lib(64)?/php.*/bin/php-fpm gen_context(system_u:object_r:phpfpm_exec_t,s0)
+/var/run/php*-fpm/*.sock gen_context(system_u:object_r:phpfpm_var_run_t,s0)
 /var/log/php-fpm.log gen_context(system_u:object_r:phpfpm_log_t,s0)
 /var/run/php-fpm.pid gen_context(system_u:object_r:phpfpm_var_run_t,s0)
-
diff --git a/policy/modules/contrib/phpfpm.if b/policy/modules/contrib/phpfpm.if
index d9481d9..fee2c17 100644
--- a/policy/modules/contrib/phpfpm.if
+++ b/policy/modules/contrib/phpfpm.if
@@ -28,3 +28,21 @@ interface(`phpfpm_admin',`
 files_list_pids($1)
 admin_pattern($1, phpfpm_var_run_t)
 ')
+
+########################################
+##
+## Connect to phpfpm using a unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`phpfpm_stream_connect',`
+ gen_require(`
+ type phpfpm_t, phpfpm_var_run_t;
+ ')
+ stream_connect_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t, phpfpm_t)
+')
diff --git a/policy/modules/contrib/phpfpm.te b/policy/modules/contrib/phpfpm.te
index 2bd30d7..8758c01 100644
--- a/policy/modules/contrib/phpfpm.te
+++ b/policy/modules/contrib/phpfpm.te
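Review bot: The new file-context entry `/var/run/php*-fpm/*.sock` is written as a shell glob, but file_contexts patterns are anchored regular expressions: `php*` means "ph" followed by any number of "p", and `/*.sock` means any number of slashes, one arbitrary character, then "sock", so a real path such as `/var/run/php5-fpm/www.sock` does not match at all. Sockets created at runtime still get `phpfpm_var_run_t` through `files_pid_filetrans`, but a relabel (`restorecon`) would presumably reset them to the generic `/var/run` label and the new `phpfpm_stream_connect` interface would then be denied. The conventional form labels the directory and everything in it regardless of the pool's socket name: `/var/run/php[^/]*-fpm(/.*)?	gen_context(system_u:object_r:phpfpm_var_run_t,s0)`; if some distributions place the socket directly in `/var/run`, that path needs its own `-s` entry. The pre-existing `php-fpm.pid` line has the same unescaped `.`, which is harmless in practice but worth fixing while here.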
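Review bot: `phpfpm_stream_connect` grants search on `phpfpm_var_run_t` and write on the sock_file, but a caller must also traverse `/var/run` itself (labelled `var_run_t`) to reach a socket beneath it, and nothing in the interface grants that; the sibling `phpfpm_admin` in the context lines uses `files_list_pids($1)` for the same reason, and the usual idiom here is to add `files_search_pids($1)` immediately before the `stream_connect_pattern` call. The `##` block above the interface appears to have lost its XML `<summary>` and `<param name="domain">` tags in this rendering; worth confirming they are present in the applied patch, since the interface documentation build depends on them.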
@@ -5,6 +5,8 @@ # Declarations
 #
+gen_tunable(phpfpm_use_ldap, false)
+
 type phpfpm_t;
 type phpfpm_exec_t;
 init_daemon_domain(phpfpm_t, phpfpm_exec_t)
@@ -28,7 +30,7 @@ allow phpfpm_t self:process signal;
 allow phpfpm_t self:capability { setuid setgid kill };
 allow phpfpm_t self:tcp_socket rw_stream_socket_perms;
 allow phpfpm_t self:udp_socket connected_socket_perms;
-allow phpfpm_t self:unix_stream_socket accept;
+allow phpfpm_t self:unix_stream_socket { accept create_stream_socket_perms };
 manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
 logging_log_filetrans(phpfpm_t, phpfpm_log_t, file)
@@ -38,7 +40,9 @@ manage_dirs_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t)
 files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, {file dir})
 manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
-files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, file)
+files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
+
+manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
 kernel_read_kernel_sysctls(phpfpm_t)
@@ -48,10 +52,6 @@ corecmd_search_bin(phpfpm_t)
 corenet_tcp_bind_all_unreserved_ports(phpfpm_t)
 corenet_tcp_bind_generic_node(phpfpm_t)
 corenet_tcp_bind_generic_port(phpfpm_t)
-# Comment was 'allow ldap connections' -> sysnet_use_ldap ?
-# Also, if it was optional because the application optionally does it, perhaps
-# introduce a tunable for this? phpfpm_allow_ldap?
-corenet_tcp_connect_ldap_port(phpfpm_t)
 dev_read_rand(phpfpm_t)
 dev_read_urand(phpfpm_t)
@@ -60,6 +60,8 @@ files_read_etc_files(phpfpm_t)
 files_read_usr_files(phpfpm_t)
 files_search_var_lib(phpfpm_t)
+fs_getattr_xattr_fs(phpfpm_t)
+
 miscfiles_read_localization(phpfpm_t)
 sysnet_dns_name_resolve(phpfpm_t)
@@ -73,10 +75,12 @@ apache_read_sys_content(phpfpm_t)
 apache_dontaudit_search_modules(phpfpm_t)
 optional_policy(`
+ mysql_stream_connect(phpfpm_t)
 mysql_tcp_connect(phpfpm_t)
 ')
 optional_policy(`
+ postgresql_stream_connect(phpfpm_t)
 postgresql_tcp_connect(phpfpm_t)
 ')
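Review bot: `gen_tunable(phpfpm_use_ldap, false)` in the first hunk is added without the `## <desc>` comment block that refpolicy expects above every tunable; that block is what feeds the generated policy documentation, and without it an administrator gets no hint that LDAP access is now off by default. Add a short `## <desc>` / `## <p>` / `## </p>` / `## </desc>` block immediately above the declaration saying that the boolean allows phpfpm to connect to LDAP servers, and that it defaults to off. The declarations section this hunk edits begins before the hunk.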
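Review bot: In the second hunk, `create_stream_socket_perms` already expands to `{ create_socket_perms listen accept }`, so keeping `accept` alongside it is redundant and the line can simply read `allow phpfpm_t self:unix_stream_socket create_stream_socket_perms;`. The fifth hunk's `fs_getattr_xattr_fs(phpfpm_t)` also arrives with no explanation of which operation needs it; presumably it comes from an observed AVC denial, so a one-line `#` comment naming that operation above it would save the next reader from guessing.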
@@ -84,3 +88,8 @@ optional_policy(`
 snmp_read_snmp_var_lib_files(phpfpm_t)
 ')
+optional_policy(`
+ tunable_policy(`phpfpm_use_ldap',`
+ sysnet_use_ldap(phpfpm_t)
+ ')
+')
-- 1.7.8.5 -- -- Matthew Thode -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20120925/5dbe2a54/attachment.bin
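Review bot: The new `tunable_policy` block is wrapped in `optional_policy`, which is not needed here: `sysnet_use_ldap` comes from the sysnetwork system module that this file already calls unconditionally (`sysnet_dns_name_resolve(phpfpm_t)` appears outside any `optional_policy` in the earlier `@@ -60` hunk), and refpolicy layout puts `tunable_policy` blocks before the `optional_policy` section rather than after its last entry. Dropping the wrapper leaves the bare three-line `tunable_policy` block, which should move up next to the other unconditional `sysnet_*` calls. Since the boolean defaults to false, the patch also removes the LDAP access that the deleted `corenet_tcp_connect_ldap_port` line granted until an administrator turns the boolean on; that is the intent stated in the description, but it deserves a sentence in the tunable's description so the resulting denials are not mistaken for a regression.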