From: mthode@mthode.org (Matthew Thode)
Date: Tue, 25 Sep 2012 15:21:49 -0500
Subject: [refpolicy] [PATCH v2] add socket support to phpfpm and
switched to sysnet_use_ldap with tunable
In-Reply-To: <20120925164346.GC15878@d30.localdomain>
References: <5061C2F2.1050900@mthode.org>
<20120925150943.GA15878@d30.localdomain>
<5061D6C0.8070307@mthode.org>
<20120925164346.GC15878@d30.localdomain>
Message-ID: <5062125D.10300@mthode.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 09/25/2012 11:43 AM, Dominick Grift wrote:
> On Tue, Sep 25, 2012 at 11:07:28AM -0500, Matthew Thode wrote:
>> On 09/25/2012 10:09 AM, Dominick Grift wrote:
>>> On Tue, Sep 25, 2012 at 09:42:58AM -0500, Matthew Thode wrote:
>>>> Subject: [PATCH] added postgres and mysql socket support along with running
>>>> phpfpm on a socket. Also switched to sysnet_use_ldap (with
>>>> the default being false for the tunable)
>>>
>>> This seems to be a patch on a patch.
>>>
>>> Fedora also has a phpfpm policy module that I will port to contrib soon (maybe tomorrow)
>>> When I do that I will probably also take some bits from your patches if you don't mind.
>>>
>>> I am not sure about the ldap boolean as auth_use_nsswitch() also provides this functionality via the
>>> authlogin_nsswitch_use_ldap boolean so it seems redundant to me.
>>>
>>> Also have you tried (at least some) of the database functionality? mysql maybe? I wonder whether mysql_stream_connect() is enough or whether it needs more like writing db sockets or reading mysql config
>>>
>>> Some comments inline below
>>>
>>>>
>>>> ---
>>>> policy/modules/contrib/phpfpm.fc | 2 +-
>>>> policy/modules/contrib/phpfpm.if | 18 ++++++++++++++++++
>>>> policy/modules/contrib/phpfpm.te | 23 ++++++++++++++++-------
>>>> 3 files changed, 35 insertions(+), 8 deletions(-)
>>>>
>>>> diff --git a/policy/modules/contrib/phpfpm.fc
>>>> b/policy/modules/contrib/phpfpm.fc
>>>> index 536a5c7..51da02a 100644
>>>> --- a/policy/modules/contrib/phpfpm.fc
>>>> +++ b/policy/modules/contrib/phpfpm.fc
>>>> @@ -1,5 +1,5 @@
>>>> /usr/lib(64)?/php.*/bin/php-fpm
>>>> gen_context(system_u:object_r:phpfpm_exec_t,s0)
>>>> +/var/run/php*-fpm/*.sock
>>>> gen_context(system_u:object_r:phpfpm_var_run_t,s0)
>>>
>>> A sock needs to be specified with -s, so example: "/var/run/php-fpm/.*\.sock -s gen_context(system_u:object_r:phpfpm_var_run_t,s0)"
>>>
>>> single files need --, dirs need -d, links need -l etc
>>>
>>>> /var/log/php-fpm.log gen_context(system_u:object_r:phpfpm_log_t,s0)
>>>> /var/run/php-fpm.pid gen_context(system_u:object_r:phpfpm_var_run_t,s0)
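Review bot: the new `/var/run/php*-fpm/*.sock` entry is written as a shell glob, but file context specs are anchored regular expressions, so `*` repeats the character before it and `.` matches any character; as written the entry matches neither `/var/run/php5-fpm/www.sock` nor `/var/run/php-fpm/www.sock`, the socket keeps the default var_run_t label, and the phpfpm_stream_connect rules added in the .if hunk never apply. Together with the `-s` flag requested above, something like `/var/run/php[^/]*-fpm/[^/]*\.sock -s gen_context(system_u:object_r:phpfpm_var_run_t,s0)` covers both the versioned and the unversioned directory name.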
>>>
>>> So these two above would need -- since they are both single files
>>>
>>
>> updated the file context to have -s and the like.
>>
>>>> diff --git a/policy/modules/contrib/phpfpm.if
>>>> b/policy/modules/contrib/phpfpm.if
>>>> index d9481d9..fee2c17 100644
>>>> --- a/policy/modules/contrib/phpfpm.if
>>>> +++ b/policy/modules/contrib/phpfpm.if
>>>> @@ -28,3 +28,21 @@ interface(`phpfpm_admin',`
>>>> files_list_pids($1)
>>>> admin_pattern($1, phpfpm_var_run_t)
>>>> ')
>>>> +
>>>> +########################################
>>>> +##
>>>> +## Connect to phpfpm using a unix domain stream socket.
>>>> +##
>>>> +##
>>>> +##
>>>> +## Domain allowed access.
>>>> +##
>>>> +##
>>>> +##
>>>> +#
>>>> +interface(`phpfpm_stream_connect',`
>>>> + gen_require(`
>>>> + type phpfpm_t, phpfpm_var_run_t;
>>>> + ')
>>>> + stream_connect_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t, phpfpm_t)
>>>> +')
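Review bot: the second argument of stream_connect_pattern() is the type of the directory holding the socket, and it is given as phpfpm_var_run_t here, but the socket lives in a /var/run subdirectory that the .fc hunk never labels, so that directory stays var_run_t and the generated `search` rule on phpfpm_var_run_t:dir is dead; the explicit `files_search_pids($1)` requested above is what callers actually need to reach the socket. Also, as quoted, the interface header has lost its `<summary>` and `<param name="domain">` XML tags (only bare `##` lines and "Domain allowed access." remain); the policy's XML documentation generator needs them, so make sure they are present in the version that gets merged.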
>>>
>>> The above could use a files_search_pids($1) so that callers can get to phpfpm_var_run_t
>>>
>>
>> added it right after the stream_connect_pattern()
>>
>>>> diff --git a/policy/modules/contrib/phpfpm.te
>>>> b/policy/modules/contrib/phpfpm.te
>>>> index 2bd30d7..8758c01 100644
>>>> --- a/policy/modules/contrib/phpfpm.te
>>>> +++ b/policy/modules/contrib/phpfpm.te
>>>> @@ -5,6 +5,8 @@
>>>> # Declarations
>>>> #
>>>>
>>>> +gen_tunable(phpfpm_use_ldap, false)
>>>> +
>>>> type phpfpm_t;
>>>> type phpfpm_exec_t;
>>>> init_daemon_domain(phpfpm_t, phpfpm_exec_t)
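Review bot: `gen_tunable(phpfpm_use_ldap, false)` has no `## <desc>` block describing the tunable, and every tunable in refpolicy carries one directly above the gen_tunable() line (it is what the XML documentation generator turns into the boolean description), for example `## <desc><p>Allow phpfpm to connect to an LDAP server.</p></desc>`. Given the overlap with authlogin_nsswitch_use_ldap raised above, the description is also the right place to say how this boolean differs from that one.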
>>>> @@ -28,7 +30,7 @@ allow phpfpm_t self:process signal;
>>>> allow phpfpm_t self:capability { setuid setgid kill };
>>>> allow phpfpm_t self:tcp_socket rw_stream_socket_perms;
>>>> allow phpfpm_t self:udp_socket connected_socket_perms;
>>>> -allow phpfpm_t self:unix_stream_socket accept;
>>>> +allow phpfpm_t self:unix_stream_socket { accept
>>>> create_stream_socket_perms };
>>>
>>> In fedora phpfpm policy, phpfpm is allowed to send messages to syslog.
>>> the logging send syslog msg() interface provides: allow $1 self:unix_stream_socket create_socket_perms;
>>> Thus the rule above can be: allow phpfpm_t self:unix_stream_socket { accept listen }; instead
>>>
>>> It needs listen as far as I know to be able to accept
>>>
>>>>
>>>> manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
>>>> logging_log_filetrans(phpfpm_t, phpfpm_log_t, file)
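Review bot: the replacement rule `allow phpfpm_t self:unix_stream_socket { accept create_stream_socket_perms };` is redundant with itself: in refpolicy's permission sets create_stream_socket_perms is defined as `{ create_socket_perms listen accept }`, so `accept` is already inside it. Either keep just `create_stream_socket_perms`, or, if a logging interface already supplies create_socket_perms as suggested above, reduce the line to `allow phpfpm_t self:unix_stream_socket { listen accept };` so the module only adds the two permissions a listening unix socket actually needs.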
>>>> @@ -38,7 +40,9 @@ manage_dirs_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t)
>>>> files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, {file dir})
>>>
>>>> manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
>>>> -files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, file)
>>>> +files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
>>>> +
>>>> +manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
>>>
>>> This should go just above the files_pid_filetrans()
>>
>> what do you mean by that? do you mean that this
>> files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
>> should be
>> files_pid_filetrans()
>> or that this
>> files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
>>
>> manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
>> should be this, I assume the first one?
>> files_pid_filetrans()
>
> In this case you can even make it more efficient like so:
>
> allow phpfpm_t phpfpm_var_run_t:file manage_file_perms;
> allow phpfpm_t phpfpm_var_run_t:sock_file manage_sock_file_perms;
> files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
>
> because there are no phpfpm_var_run_t directories involved
> so the patterns you used above are a little too coarse (they add rules that do not apply here)
>
> These days we focus more and more on writing policy efficiently.
> This is to keep the policy footprint as small as possible and thereby performance as optimal as possible
>
>
>>
>>>
>>>> kernel_read_kernel_sysctls(phpfpm_t)
>>>>
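Review bot: as the reply above says, the two `*_pattern` macros grant more than this module needs: manage_files_pattern() and manage_sock_files_pattern() each also emit `allow phpfpm_t phpfpm_var_run_t:dir rw_dir_perms;`, yet no phpfpm_var_run_t directory exists (the .fc hunk labels only files and the socket). Spell the rules out and keep the filetrans last: `allow phpfpm_t phpfpm_var_run_t:file manage_file_perms;` / `allow phpfpm_t phpfpm_var_run_t:sock_file manage_sock_file_perms;` / `files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })`. One thing to verify before merging: files_pid_filetrans() only relabels objects created directly inside a var_run_t directory, so the `/var/run/php*-fpm/` subdirectory from the .fc hunk must already exist with the var_run_t label (created by the init script, for instance), because nothing in this hunk lets phpfpm_t create it.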
>>>> @@ -48,10 +52,6 @@ corecmd_search_bin(phpfpm_t)
>>>> corenet_tcp_bind_all_unreserved_ports(phpfpm_t)
>>>> corenet_tcp_bind_generic_node(phpfpm_t)
>>>> corenet_tcp_bind_generic_port(phpfpm_t)
>>>> -# Comment was 'allow ldap connections' -> sysnet_use_ldap ?
>>>> -# Also, if it was optional because the application optionally does it,
>>>> perhaps
>>>> -# introduce a tunable for this? phpfpm_allow_ldap?
>>>> -corenet_tcp_connect_ldap_port(phpfpm_t)
>>>>
>>>> dev_read_rand(phpfpm_t)
>>>> dev_read_urand(phpfpm_t)
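Review bot: removing corenet_tcp_connect_ldap_port(phpfpm_t) unconditionally while its replacement lands behind a tunable that defaults to false is a behaviour change for existing installs: a deployment that relied on php-fpm reaching an LDAP server loses that access at the next policy update until the administrator discovers and enables phpfpm_use_ldap. Default-deny is a defensible choice, but the commit message should state it; and since auth_use_nsswitch() with authlogin_nsswitch_use_ldap already covers name-service lookups, as noted above, the new tunable should be justified as covering direct LDAP use from PHP code rather than nss/pam.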
>>>> @@ -60,6 +60,8 @@ files_read_etc_files(phpfpm_t)
>>>> files_read_usr_files(phpfpm_t)
>>>> files_search_var_lib(phpfpm_t)
>>>>
>>>> +fs_getattr_xattr_fs(phpfpm_t)
>>>> +
>>>> miscfiles_read_localization(phpfpm_t)
>>>>
>>>> sysnet_dns_name_resolve(phpfpm_t)
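Review bot: `fs_getattr_xattr_fs(phpfpm_t)` is unrelated to the socket and LDAP changes in the subject line and comes with no note on what triggered it. Either split it into its own commit or add a one-line comment above the call saying which operation of php-fpm needs to getattr the filesystem, so the next reader does not have to guess.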
>>>> @@ -73,10 +75,12 @@ apache_read_sys_content(phpfpm_t)
>>>> apache_dontaudit_search_modules(phpfpm_t)
>>>>
>>>> optional_policy(`
>>>> + mysql_stream_connect(phpfpm_t)
>>>> mysql_tcp_connect(phpfpm_t)
>>>> ')
>>>>
>>>> optional_policy(`
>>>> + postgresql_stream_connect(phpfpm_t)
>>>> postgresql_tcp_connect(phpfpm_t)
>>>> ')
>>>>
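Review bot: mysql_stream_connect() and postgresql_stream_connect() only grant connecting to the servers' unix sockets, and the author's note further down this thread says the policy has been exercised with postgres but not mysql, so the mysql branch is untested. Please say so in the commit message, or run a php-fpm worker against a local mysqld socket first and watch for the additional denials the earlier reply anticipates (reading mysql configuration, for example) before the mysql rule is treated as complete.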
>>>> @@ -84,3 +88,8 @@ optional_policy(`
>>>> snmp_read_snmp_var_lib_files(phpfpm_t)
>>>> ')
>>>>
>>>> +optional_policy(`
>>>> + tunable_policy(`phpfpm_use_ldap',`
>>>> + sysnet_use_ldap(phpfpm_t)
>>>> + ')
>>>> +')
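Review bot: the optional_policy() wrapper around tunable_policy(`phpfpm_use_ldap', ...) is unnecessary: sysnetwork is a base module in refpolicy, so sysnet_use_ldap() is always available, and the block can be a plain tunable_policy() at module scope, consistent with sysnet_dns_name_resolve(phpfpm_t) being called unwrapped a few lines earlier in this file.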
>>>> --
>>>> 1.7.8.5
>>>>
>>>> --
>>>> -- Matthew Thode
>>>>
>>>
>>> Thanks!
>>>
>>>> _______________________________________________
>>>> refpolicy mailing list
>>>> refpolicy at oss.tresys.com
>>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>>
>>>
>>
>> It was my understanding that my previous patch was accepted. It's fine
>> if you pull stuff out of this for that, though I think it may be best if
>> we focus on one module instead of two doing the same thing :D
>>
>> I've used this policy with postgres (as has another person who may be
>> commenting) but not mysql.
>>
>> I'm prometheanfire on irc (freenode) if you want to work on it with me.
>>
>> --
>> -- Matthew Thode
>>
>
>
Ok, and how about working on this together?
--
-- Matthew Thode
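As an added illustration (not part of the thread, and not refpolicy code): the `-s`/`--` remark and the `php*-fpm/*.sock` entry in the .fc hunk both come down to how setfiles reads a file context spec, as an anchored regular expression plus an optional file-type flag. The script below models that matching in Python over constructed sample paths. The glob-style spec and the `phpfpm_var_run_t`/`phpfpm_log_t` entries mirror the patch; the corrected socket regex, the `lookup_type` helper and the sample paths are assumptions of this example.

```python
import re

# Constructed sample paths for this illustration; they are not taken from the thread.
SAMPLE_PATHS = [
    "/var/run/php5-fpm/www.sock",       # versioned socket directory
    "/var/run/php-fpm/www.sock",        # unversioned socket directory
    "/var/run/php-fpm.pid",             # pid file beside the directory
    "/var/run/php-fpm/www.sock.lock",   # must NOT receive the socket label
]

# The socket entry exactly as it appears in the .fc hunk (glob style).
SPEC_FROM_PATCH = r"/var/run/php*-fpm/*.sock"
# A regex form covering both directory names above (assumption of this
# example, not wording taken from the thread).
SPEC_REGEX = r"/var/run/php[^/]*-fpm/[^/]*\.sock"


def matches_file_context(spec: str, path: str) -> bool:
    """setfiles/matchpathcon treat a file context spec as a regular expression
    anchored at both ends, so only a full match counts."""
    return re.fullmatch(spec, path) is not None


def match_report(spec: str) -> dict:
    """Which of the sample paths a given spec would label."""
    return {path: matches_file_context(spec, path) for path in SAMPLE_PATHS}


# Model of the fc entries the reviewer asked for: (regex, file-type flag, type).
# The flag restricts an entry to one object class: the pid and log files need
# "--" (regular file) and the socket needs "-s" (sock_file).
FC_ENTRIES = [
    (SPEC_REGEX, "-s", "phpfpm_var_run_t"),
    (r"/var/log/php-fpm\.log", "--", "phpfpm_log_t"),
    (r"/var/run/php-fpm\.pid", "--", "phpfpm_var_run_t"),
]

FLAG_TO_CLASS = {"-s": "sock_file", "--": "file", "-d": "dir", "-l": "lnk_file"}


def lookup_type(path: str, obj_class: str, entries=FC_ENTRIES):
    """Return the SELinux type a path of the given object class would receive,
    or None if no entry matches (the object then keeps its parent's default
    label). setfiles uses the last matching entry, so later entries override
    earlier ones; an entry whose flag names a different class is skipped."""
    chosen = None
    for regex, flag, setype in entries:
        if flag in FLAG_TO_CLASS and FLAG_TO_CLASS[flag] != obj_class:
            continue
        if matches_file_context(regex, path):
            chosen = setype
    return chosen


if __name__ == "__main__":
    for spec in (SPEC_FROM_PATCH, SPEC_REGEX):
        print(spec)
        for path, hit in match_report(spec).items():
            print(f"  {'match' if hit else '-----'}  {path}")
    print(lookup_type("/var/run/php5-fpm/www.sock", "sock_file"))  # phpfpm_var_run_t
    print(lookup_type("/var/run/php5-fpm/www.sock", "file"))       # None
```

Run as is, the patch's glob-style entry matches none of the four paths, so the socket would come up with the plain var_run_t label and the phpfpm_stream_connect rules would never apply; the regex form matches exactly the two sockets. The `-s` flag then keeps a regular file that happens to be called `www.sock` from picking up the socket label, which is the distinction the `-s`/`--` remark in the thread is drawing.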