From: dominick.grift@gmail.com (Dominick Grift)
Date: Tue, 25 Sep 2012 17:09:46 +0200
Subject: [refpolicy] [PATCH v2] add socket support to phpfpm and
switched to sysnet_use_ldap with tunable
In-Reply-To: <5061C2F2.1050900@mthode.org>
References: <5061C2F2.1050900@mthode.org>
Message-ID: <20120925150943.GA15878@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Tue, Sep 25, 2012 at 09:42:58AM -0500, Matthew Thode wrote:
> Subject: [PATCH] added postgres and mysql socket support along with running
> phpfpm on a socket. Also switched to sysnet_use_ldap (with
> the default being false for the tunable)
This seems to be a patch on a patch.
Fedora also has a phpfpm policy module that I will port to contrib soon (maybe tomorrow).
When I do that I will probably also take some bits from your patches if you don't mind.
I am not sure about the ldap boolean, as auth_use_nsswitch() also provides this functionality via the authlogin_nsswitch_use_ldap boolean, so it seems redundant to me.
Also, have you tried (at least some) of the database functionality? mysql maybe? I wonder whether mysql_stream_connect() is enough or whether it needs more, like writing db sockets or reading mysql config.
Some comments inline below
>
> ---
> policy/modules/contrib/phpfpm.fc | 2 +-
> policy/modules/contrib/phpfpm.if | 18 ++++++++++++++++++
> policy/modules/contrib/phpfpm.te | 23 ++++++++++++++++-------
> 3 files changed, 35 insertions(+), 8 deletions(-)
>
> diff --git a/policy/modules/contrib/phpfpm.fc
> b/policy/modules/contrib/phpfpm.fc
> index 536a5c7..51da02a 100644
> --- a/policy/modules/contrib/phpfpm.fc
> +++ b/policy/modules/contrib/phpfpm.fc
> @@ -1,5 +1,5 @@
> /usr/lib(64)?/php.*/bin/php-fpm
> gen_context(system_u:object_r:phpfpm_exec_t,s0)
> +/var/run/php*-fpm/*.sock
> gen_context(system_u:object_r:phpfpm_var_run_t,s0)
A sock needs to be specified with -s, so for example: "/var/run/php-fpm/.*\.sock -s gen_context(system_u:object_r:phpfpm_var_run_t,s0)"
Single files need --, dirs need -d, links need -l, etc.
> /var/log/php-fpm.log gen_context(system_u:object_r:phpfpm_log_t,s0)
> /var/run/php-fpm.pid gen_context(system_u:object_r:phpfpm_var_run_t,s0)
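Review bot: the new entry `+/var/run/php*-fpm/*.sock` has two problems. File-context paths are regular expressions, not shell globs, so `php*` matches "ph" followed by any number of "p" and `/*.sock` matches any number of slashes followed by any character and "sock"; and the entry has no class specifier, so it would also label a directory or regular file of that name. Suggest `/var/run/php-fpm/.*\.sock -s gen_context(system_u:object_r:phpfpm_var_run_t,s0)` (with the dot escaped), and `--` on the two existing `php-fpm.log` and `php-fpm.pid` entries. Note also that the diffstat reports one deletion for this file but the quoted hunk shows only an addition, so a removed line appears to have been lost in quoting.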
So these two above would need -- since they are both single files.
> diff --git a/policy/modules/contrib/phpfpm.if
> b/policy/modules/contrib/phpfpm.if
> index d9481d9..fee2c17 100644
> --- a/policy/modules/contrib/phpfpm.if
> +++ b/policy/modules/contrib/phpfpm.if
> @@ -28,3 +28,21 @@ interface(`phpfpm_admin',`
> files_list_pids($1)
> admin_pattern($1, phpfpm_var_run_t)
> ')
> +
> +########################################
> +##
> +## Connect to phpfpm using a unix domain stream socket.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`phpfpm_stream_connect',`
> + gen_require(`
> + type phpfpm_t, phpfpm_var_run_t;
> + ')
> + stream_connect_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t, phpfpm_t)
> +')
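Review bot: `phpfpm_stream_connect` grants connect access to the socket but nothing lets the caller reach the socket's directory; add `files_search_pids($1)` before the `stream_connect_pattern` line. The doc block above the interface also has empty `##` lines where refpolicy expects the `<summary>` and `<param name="domain">` XML tags (possibly stripped in quoting); without them the generated interface documentation is empty.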
The above could use a files_search_pids($1) so that callers can get to phpfpm_var_run_t
> diff --git a/policy/modules/contrib/phpfpm.te
> b/policy/modules/contrib/phpfpm.te
> index 2bd30d7..8758c01 100644
> --- a/policy/modules/contrib/phpfpm.te
> +++ b/policy/modules/contrib/phpfpm.te
> @@ -5,6 +5,8 @@
> # Declarations
> #
>
> +gen_tunable(phpfpm_use_ldap, false)
> +
> type phpfpm_t;
> type phpfpm_exec_t;
> init_daemon_domain(phpfpm_t, phpfpm_exec_t)
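Review bot: `gen_tunable(phpfpm_use_ldap, false)` has no `## <desc>` comment block above it; refpolicy requires one for every tunable so that it appears in the generated documentation, e.g. a `<desc><p>Allow php-fpm to connect to LDAP directories.</p></desc>` block. Before adding it, consider whether a dedicated boolean is needed at all given `authlogin_nsswitch_use_ldap`.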
> @@ -28,7 +30,7 @@ allow phpfpm_t self:process signal;
> allow phpfpm_t self:capability { setuid setgid kill };
> allow phpfpm_t self:tcp_socket rw_stream_socket_perms;
> allow phpfpm_t self:udp_socket connected_socket_perms;
> -allow phpfpm_t self:unix_stream_socket accept;
> +allow phpfpm_t self:unix_stream_socket { accept
> create_stream_socket_perms };
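Review bot: `create_stream_socket_perms` is broader than the change needs; `accept` on a unix_stream_socket also requires `listen`, and if `logging_send_syslog_msg(phpfpm_t)` is present it already provides `create_socket_perms` on `self:unix_stream_socket`, so `allow phpfpm_t self:unix_stream_socket { accept listen };` is the minimal rule here. The permission set was also wrapped onto two lines by the mailer; make sure the committed line is intact.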
In the Fedora phpfpm policy, phpfpm is allowed to send messages to syslog.
The logging_send_syslog_msg() interface provides: allow $1 self:unix_stream_socket create_socket_perms;
Thus the rule above can be: allow phpfpm_t self:unix_stream_socket { accept listen }; instead.
It needs listen, as far as I know, to be able to accept.
>
> manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
> logging_log_filetrans(phpfpm_t, phpfpm_log_t, file)
> @@ -38,7 +40,9 @@ manage_dirs_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t)
> files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, {file dir})
> manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
> -files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, file)
> +files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
> +
> +manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
This should go just above the files_pid_filetrans()
> kernel_read_kernel_sysctls(phpfpm_t)
>
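Review bot: `manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)` belongs next to the `manage_files_pattern` line, above `files_pid_filetrans`, so the rules for the type stay grouped as elsewhere in this file. The `{ file sock_file }` transition only covers objects created directly in /var/run; since the `.fc` change puts the socket under a `php*-fpm/` subdirectory, say who creates that directory, and if php-fpm does, add `dir` to the transition classes and a `manage_dirs_pattern` for phpfpm_var_run_t.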
> @@ -48,10 +52,6 @@ corecmd_search_bin(phpfpm_t)
> corenet_tcp_bind_all_unreserved_ports(phpfpm_t)
> corenet_tcp_bind_generic_node(phpfpm_t)
> corenet_tcp_bind_generic_port(phpfpm_t)
> -# Comment was 'allow ldap connections' -> sysnet_use_ldap ?
> -# Also, if it was optional because the application optionally does it,
> perhaps
> -# introduce a tunable for this? phpfpm_allow_ldap?
> -corenet_tcp_connect_ldap_port(phpfpm_t)
>
> dev_read_rand(phpfpm_t)
> dev_read_urand(phpfpm_t)
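Review bot: replacing the unconditional `corenet_tcp_connect_ldap_port(phpfpm_t)` with a tunable that defaults to false is a behaviour change for deployments that already authenticate against LDAP; the commit message should state that, and give a sentence of justification for the default and for a dedicated boolean rather than `authlogin_nsswitch_use_ldap`.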
> @@ -60,6 +60,8 @@ files_read_etc_files(phpfpm_t)
> files_read_usr_files(phpfpm_t)
> files_search_var_lib(phpfpm_t)
>
> +fs_getattr_xattr_fs(phpfpm_t)
> +
> miscfiles_read_localization(phpfpm_t)
>
> sysnet_dns_name_resolve(phpfpm_t)
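Review bot: `fs_getattr_xattr_fs(phpfpm_t)` is mentioned neither in the subject nor in the commit message; state which denial prompted it (typically a `statfs` call) so the rule can be judged, or drop it if it was only observed while testing.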
> @@ -73,10 +75,12 @@ apache_read_sys_content(phpfpm_t)
> apache_dontaudit_search_modules(phpfpm_t)
>
> optional_policy(`
> + mysql_stream_connect(phpfpm_t)
> mysql_tcp_connect(phpfpm_t)
> ')
>
> optional_policy(`
> + postgresql_stream_connect(phpfpm_t)
> postgresql_tcp_connect(phpfpm_t)
> ')
>
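Review bot: `mysql_stream_connect` and `postgresql_stream_connect` sit correctly inside the existing optional blocks, but nothing indicates the socket paths were exercised; confirm with a test run whether `mysql_stream_connect()` alone is enough, since the client side may also need to read the MySQL configuration, before this is merged.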
> @@ -84,3 +88,8 @@ optional_policy(`
> snmp_read_snmp_var_lib_files(phpfpm_t)
> ')
>
> +optional_policy(`
> + tunable_policy(`phpfpm_use_ldap',`
> + sysnet_use_ldap(phpfpm_t)
> + ')
> +')
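Review bot: the `optional_policy` wrapper around `tunable_policy(`phpfpm_use_ldap', ...)` is unnecessary: `sysnet_use_ldap` comes from the sysnetwork module, which this file already calls unconditionally (`sysnet_dns_name_resolve(phpfpm_t)` above), so a bare `tunable_policy` block is enough. As noted earlier in this reply, `auth_use_nsswitch()` with `authlogin_nsswitch_use_ldap` may cover the same need without a new boolean.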
> --
> 1.7.8.5
>
> --
> -- Matthew Thode
>
Thanks!
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
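As an added illustration of the file_contexts syntax point raised above (not code from the refpolicy project or from either poster), a small checker for the two mistakes discussed in this thread: shell-glob habits in what is really a regular expression, and a missing class specifier on socket and regular-file entries. The sample entries in the comments are constructed from this thread.

```python
import re

# One .fc entry: <path regex> [class flag] gen_context(...) | <<none>>
# Class flags: -- regular file, -d directory, -l symlink, -s socket,
# -c char device, -b block device, -p named pipe; none means any class.
ENTRY_RE = re.compile(
    r"^(?P<path>\S+)\s+(?:(?P<cls>-[-dlscbp])\s+)?"
    r"(?P<ctx>gen_context\([^)]*\)|<<none>>)\s*$"
)


def lint_fc_line(line):
    """Return the problems found in one .fc line (an empty list means clean)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []
    m = ENTRY_RE.match(stripped)
    if not m:
        return ["unparseable entry"]
    path, cls = m.group("path"), m.group("cls")
    problems = []
    # A '*' not preceded by '.', ')' or ']' quantifies a literal character:
    # 'php*' matches 'ph', 'php', 'phpp' and '/*.sock' zero or more slashes.
    if re.search(r"(?<![.)\]])\*", path):
        problems.append("'*' applied to a literal (glob habit; use '.*')")
    # An unescaped '.' before a suffix matches any character, so
    # 'php-fpm.pid' also matches 'php-fpmXpid'.
    if re.search(r"[^\\.]\.(sock|pid|log)$", path):
        problems.append("unescaped '.' before suffix (use '\\.')")
    try:
        re.compile(path)
    except re.error as err:
        problems.append("regex does not compile: %s" % err)
    # Socket and pid/log entries should carry an explicit class so the
    # label is not applied to a directory of the same name.
    if path.endswith("sock") and cls != "-s":
        problems.append("socket entry without -s")
    if path.endswith((".pid", ".log")) and cls != "--":
        problems.append("regular file entry without --")
    return problems


def lint_fc(text):
    """Map 1-based line numbers to their problems for a whole .fc file."""
    report = {}
    for num, line in enumerate(text.splitlines(), start=1):
        found = lint_fc_line(line)
        if found:
            report[num] = found
    return report
```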