From: dominick.grift@gmail.com (Dominick Grift)
Date: Tue, 25 Sep 2012 18:43:50 +0200
Subject: [refpolicy] [PATCH v2] add socket support to phpfpm and switched to sysnet_use_ldap with tunable
In-Reply-To: <5061D6C0.8070307@mthode.org>
References: <5061C2F2.1050900@mthode.org> <20120925150943.GA15878@d30.localdomain> <5061D6C0.8070307@mthode.org>
Message-ID: <20120925164346.GC15878@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Sep 25, 2012 at 11:07:28AM -0500, Matthew Thode wrote:
> On 09/25/2012 10:09 AM, Dominick Grift wrote:
> > On Tue, Sep 25, 2012 at 09:42:58AM -0500, Matthew Thode wrote:
> >> Subject: [PATCH] added postgres and mysql socket support along with running
> >> phpfpm on a socket. Also switched to sysnet_use_ldap (with
> >> the default being false for the tunable)
> >
> > This seems to be a patch on a patch.
> >
> > Fedora also has a phpfpm policy module that I will port to contrib soon (maybe tomorrow).
> > When I do that I will probably also take some bits from your patches if you don't mind.
> >
> > I am not sure about the ldap boolean, as auth_use_nsswitch() also provides this functionality via the
> > authlogin_nsswitch_use_ldap boolean, so it seems redundant to me.
> >
> > Also, have you tried (at least some) of the database functionality? mysql maybe? I wonder whether mysql_stream_connect() is enough or whether it needs more, like writing db sockets or reading mysql config.
> >
> > Some comments inline below
> >
> >>
> >> ---
> >> policy/modules/contrib/phpfpm.fc | 2 +-
> >> policy/modules/contrib/phpfpm.if | 18 ++++++++++++++++++
> >> policy/modules/contrib/phpfpm.te | 23 ++++++++++++++++-------
> >> 3 files changed, 35 insertions(+), 8 deletions(-)
> >>
> >> diff --git a/policy/modules/contrib/phpfpm.fc > >> b/policy/modules/contrib/phpfpm.fc > >> index 536a5c7..51da02a 100644 > >> --- a/policy/modules/contrib/phpfpm.fc > >> +++ b/policy/modules/contrib/phpfpm.fc
> >> @@ -1,5 +1,5 @@ > >> /usr/lib(64)?/php.*/bin/php-fpm > >> gen_context(system_u:object_r:phpfpm_exec_t,s0) > >> +/var/run/php*-fpm/*.sock > >> gen_context(system_u:object_r:phpfpm_var_run_t,s0)
> >
> > A sock needs to be specified with -s, so example: "/var/run/php-fpm/.*\.sock -s gen_context(system_u:object_r:phpfpm_var_run_t,s0)"
> >
> > single files need --, dirs need -d, links need -l etc
> >
> >> /var/log/php-fpm.log gen_context(system_u:object_r:phpfpm_log_t,s0) > >> /var/run/php-fpm.pid gen_context(system_u:object_r:phpfpm_var_run_t,s0)
> >
> > So these two above would need -- since they are both single files
> >
>
> updated the file context to have -s and the like.
>
> >> diff --git a/policy/modules/contrib/phpfpm.if > >> b/policy/modules/contrib/phpfpm.if > >> index d9481d9..fee2c17 100644 > >> --- a/policy/modules/contrib/phpfpm.if > >> +++ b/policy/modules/contrib/phpfpm.if > >> @@ -28,3 +28,21 @@ interface(`phpfpm_admin',` > >> files_list_pids($1) > >> admin_pattern($1, phpfpm_var_run_t) > >> ') > >> + > >> +######################################## > >> +## > >> +## Connect to phpfpm using a unix domain stream socket. > >> +## > >> +## > >> +## > >> +## Domain allowed access. > >> +## > >> +## > >> +## > >> +# > >> +interface(`phpfpm_stream_connect',` > >> + gen_require(` > >> + type phpfpm_t, phpfpm_var_run_t; > >> + ') > >> + stream_connect_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t, phpfpm_t) > >> +')
> >
> > The above could use a files_search_pids($1) so that callers can get to phpfpm_var_run_t
> >
>
> added it right after the stream_connect_pattern()
>
> >> diff --git a/policy/modules/contrib/phpfpm.te > >> b/policy/modules/contrib/phpfpm.te > >> index 2bd30d7..8758c01 100644 > >> --- a/policy/modules/contrib/phpfpm.te > >> +++ b/policy/modules/contrib/phpfpm.te
> >> @@ -5,6 +5,8 @@ > >> # Declarations > >> # > >> > >> +gen_tunable(phpfpm_use_ldap, false) > >> + > >> type phpfpm_t; > >> type phpfpm_exec_t; > >> init_daemon_domain(phpfpm_t, phpfpm_exec_t) > >> @@ -28,7 +30,7 @@ allow phpfpm_t self:process signal; > >> allow phpfpm_t self:capability { setuid setgid kill }; > >> allow phpfpm_t self:tcp_socket rw_stream_socket_perms; > >> allow phpfpm_t self:udp_socket connected_socket_perms; > >> -allow phpfpm_t self:unix_stream_socket accept; > >> +allow phpfpm_t self:unix_stream_socket { accept > >> create_stream_socket_perms };
> >
> > In Fedora phpfpm policy, phpfpm is allowed to send messages to syslog.
> > The logging_send_syslog_msg() interface provides: allow $1 self:unix_stream_socket create_socket_perms;
> > Thus the rule above can be: allow phpfpm_t self:unix_stream_socket { accept listen }; instead
> >
> > It needs listen as far as I know to be able to accept
> >
> >> > >> manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t) > >> logging_log_filetrans(phpfpm_t, phpfpm_log_t, file)
> >> @@ -38,7 +40,9 @@ manage_dirs_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t) > >> files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, {file dir}) > > > >> manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t) > >> -files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, file) > >> +files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file }) > >> + > >> +manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
> >
> > This should go just above the files_pid_filetrans()
>
> what do you mean by that? do you mean that this
> files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
> should be
> files_pid_filetrans()
> or that this
> files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
>
> manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
> should be this, I assume the first one?
> files_pid_filetrans()

In this case you can even make it more efficient like so:

allow phpfpm_t phpfpm_var_run_t:file manage_file_perms;
allow phpfpm_t phpfpm_var_run_t:sock_file manage_sock_file_perms;
files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })

because there are no phpfpm_var_run_t directories involved, so the patterns you used above are a little too coarse (they add rules that do not apply here).

These days we focus more and more on writing policy efficiently. This is to keep the policy footprint as small as possible and thereby performance as optimal as possible.

>
> >
> >> kernel_read_kernel_sysctls(phpfpm_t)
> >> > >> @@ -48,10 +52,6 @@ corecmd_search_bin(phpfpm_t) > >> corenet_tcp_bind_all_unreserved_ports(phpfpm_t) > >> corenet_tcp_bind_generic_node(phpfpm_t) > >> corenet_tcp_bind_generic_port(phpfpm_t) > >> -# Comment was 'allow ldap connections' -> sysnet_use_ldap ? > >> -# Also, if it was optional because the application optionally does it, > >> perhaps > >> -# introduce a tunable for this? phpfpm_allow_ldap? > >> -corenet_tcp_connect_ldap_port(phpfpm_t) > >> > >> dev_read_rand(phpfpm_t) > >> dev_read_urand(phpfpm_t) > >> @@ -60,6 +60,8 @@ files_read_etc_files(phpfpm_t) > >> files_read_usr_files(phpfpm_t) > >> files_search_var_lib(phpfpm_t) > >> > >> +fs_getattr_xattr_fs(phpfpm_t) > >> + > >> miscfiles_read_localization(phpfpm_t) > >> > >> sysnet_dns_name_resolve(phpfpm_t) > >> @@ -73,10 +75,12 @@ apache_read_sys_content(phpfpm_t) > >> apache_dontaudit_search_modules(phpfpm_t) > >> > >> optional_policy(` > >> + mysql_stream_connect(phpfpm_t) > >> mysql_tcp_connect(phpfpm_t) > >> ') > >> > >> optional_policy(` > >> + postgresql_stream_connect(phpfpm_t) > >> postgresql_tcp_connect(phpfpm_t) > >> ') 
> >> > >> @@ -84,3 +88,8 @@ optional_policy(` > >> snmp_read_snmp_var_lib_files(phpfpm_t) > >> ') > >> > >> +optional_policy(` > >> + tunable_policy(`phpfpm_use_ldap',` > >> + sysnet_use_ldap(phpfpm_t) > >> + ') > >> +') > >> -- > >> 1.7.8.5
> >>
> >> --
> >> -- Matthew Thode
> >>
> >
> > Thanks!
> >
> >> _______________________________________________
> >> refpolicy mailing list
> >> refpolicy at oss.tresys.com
> >> http://oss.tresys.com/mailman/listinfo/refpolicy
> >
>
> It was my understanding that my previous patch was accepted. It's fine
> if you pull stuff out of this for that, though I think it may be best if
> we focus on one module instead of two doing the same thing :D
>
> I've used this policy with postgres (as has another person who may be
> commenting) but not mysql.
>
> I'm prometheanfire on irc (freenode) if you want to work on it with me.
>
> --
> -- Matthew Thode
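Review bot: in the phpfpm.fc hunk, the new spec /var/run/php*-fpm/*.sock is an anchored regular expression to setfiles, not a shell glob: php* is "ph" followed by any number of "p", and /*.sock is any number of slashes, one arbitrary character, then "sock", so it never matches a real socket such as /var/run/php-fpm/www.sock while it does match unrelated names. Use the form already suggested upthread, /var/run/php-fpm/.*\.sock -s gen_context(system_u:object_r:phpfpm_var_run_t,s0), and give the two single-file entries for php-fpm.log and php-fpm.pid the -- qualifier. Nothing labels the /var/run/php-fpm directory itself (there is no -d entry), so say where it comes from or add one. The diff --git headers and the long + lines were also wrapped by the mail client, so the patch will not apply as posted; resend with wrapping disabled.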
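Review bot: phpfpm_stream_connect() in the phpfpm.if hunk has no files_search_pids($1), so a caller without search on var_run_t cannot reach phpfpm_var_run_t; add it beside the stream_connect_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t, phpfpm_t) line (the reply says this was done, but the posted hunk does not show it). The new interface is also appended after phpfpm_admin, while refpolicy keeps the admin interface as the last one in a .if file; move it above.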
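Review bot: gen_tunable(phpfpm_use_ldap, false) in the @@ -5,6 +5,8 @@ hunk has no "## <desc>" comment block above it, which refpolicy's documentation tooling expects for every tunable; add one that says what the boolean enables. As raised upthread, it also overlaps with authlogin_nsswitch_use_ldap via auth_use_nsswitch(), so the description should explain why a separate boolean is needed, or the tunable should be dropped.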
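Review bot: the +allow phpfpm_t self:unix_stream_socket { accept create_stream_socket_perms }; line in the @@ -28,7 +30,7 @@ hunk grants accept twice, because refpolicy's create_stream_socket_perms already expands to create_socket_perms plus listen and accept. Either write create_stream_socket_perms alone, or follow the suggestion upthread and keep only { accept listen } once logging_send_syslog_msg() supplies create_socket_perms.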
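Review bot: manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t) in the @@ -38,7 +40,9 @@ hunk also grants rw_dir_perms on phpfpm_var_run_t as a directory, and no directory of that type exists in this module; the two direct allow rules on file and sock_file given in the reply above, followed by files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file }), grant only what applies. The transition covers neither dir creation nor is there a manage_dirs_pattern on var_run_t, so the hunk assumes /var/run/php-fpm already exists; that is worth stating in the commit message.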
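Review bot: fs_getattr_xattr_fs(phpfpm_t) in the @@ -60,6 +60,8 @@ hunk comes without a word on which php-fpm operation does the statfs() behind it; a short comment or the audit denial in the commit message would let a reader judge whether it belongs or should be a dontaudit.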
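Review bot: mysql_stream_connect(phpfpm_t) in the @@ -73,10 +75,12 @@ hunk is, by the thread's own account, untested (only postgres was exercised), and the question of whether a stream connect alone is enough for mysql is still open; either test it or mark it as untested in the commit message.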
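Review bot: the last hunk wraps the tunable_policy block calling sysnet_use_ldap(phpfpm_t) inside optional_policy, but sysnet_use_ldap() belongs to the sysnetwork module, which is part of the base policy, so the optional_policy wrapper is not needed; keep just the tunable_policy block (or, per the earlier comment, use auth_use_nsswitch() and drop the tunable).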
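An added check (not part of the patch or of refpolicy) of what the two file-context specs discussed above really match, treating the first field as an anchored regex the way setfiles does and honouring the -s qualifier. It assumes Python's re agrees with libselinux's regex engine on the constructs involved (*, . and \.) and uses constructed candidate paths.

```python
"""What a refpolicy file-context (.fc) spec really matches: setfiles reads
the first field as a regex anchored at both ends (not a shell glob) and the
optional second field as a file-type qualifier (-- file, -d dir, -s socket).
"""
import re
from typing import NamedTuple, Optional

# .fc type qualifiers and the object class each one selects.
FTYPE_QUALIFIERS = {"--": "file", "-d": "dir", "-s": "sock_file",
                    "-l": "lnk_file", "-c": "chr_file", "-b": "blk_file",
                    "-p": "fifo_file"}


class FcEntry(NamedTuple):
    regex: str
    ftype: Optional[str]   # None: the entry applies to every file type
    context: str


def parse_fc_line(line: str) -> FcEntry:
    """Split '<regex> [qualifier] <context>' into an FcEntry."""
    fields = line.split()
    if len(fields) == 3:
        return FcEntry(fields[0], FTYPE_QUALIFIERS[fields[1]], fields[2])
    return FcEntry(fields[0], None, fields[1])


def entry_matches(entry: FcEntry, path: str, ftype: str) -> bool:
    """Mimic setfiles: regex anchored at both ends, qualifier must agree."""
    if entry.ftype is not None and entry.ftype != ftype:
        return False
    return re.fullmatch(entry.regex, path) is not None


# The two specs from the thread, each joined back onto a single line.
POSTED = parse_fc_line(
    "/var/run/php*-fpm/*.sock gen_context(system_u:object_r:phpfpm_var_run_t,s0)")
REVIEWED = parse_fc_line(
    r"/var/run/php-fpm/.*\.sock -s gen_context(system_u:object_r:phpfpm_var_run_t,s0)")

# Constructed candidate paths, not taken from a real system.
REAL_SOCKET = "/var/run/php-fpm/www.sock"  # what php-fpm would actually create
ODD_PATH = "/var/run/ph-fpm/xsock"         # no "php", no ".sock", yet POSTED matches

if __name__ == "__main__":
    for name, entry in (("posted", POSTED), ("reviewed", REVIEWED)):
        print(f"{name}: {entry.regex}  qualifier={entry.ftype}")
        for path, ftype in ((REAL_SOCKET, "sock_file"), (REAL_SOCKET, "file"), (ODD_PATH, "sock_file")):
            print(f"  {ftype:9} {path:28} {entry_matches(entry, path, ftype)}")
```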