From: dominick.grift@gmail.com (Dominick Grift)
Date: Tue, 25 Sep 2012 23:02:44 +0200
Subject: [refpolicy] [PATCH v2] add socket support to phpfpm and switched to sysnet_use_ldap with tunable
In-Reply-To: <5062125D.10300@mthode.org>
References: <5061C2F2.1050900@mthode.org> <20120925150943.GA15878@d30.localdomain> <5061D6C0.8070307@mthode.org> <20120925164346.GC15878@d30.localdomain> <5062125D.10300@mthode.org>
Message-ID: <20120925210241.GA6259@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Sep 25, 2012 at 03:21:49PM -0500, Matthew Thode wrote:
> On 09/25/2012 11:43 AM, Dominick Grift wrote:
> > On Tue, Sep 25, 2012 at 11:07:28AM -0500, Matthew Thode wrote:
> >> On 09/25/2012 10:09 AM, Dominick Grift wrote:
> >>> On Tue, Sep 25, 2012 at 09:42:58AM -0500, Matthew Thode wrote:
> >>>> Subject: [PATCH] added postgres and mysql socket support along with running
> >>>> phpfpm on a socket. Also switched to sysnet_use_ldap (with
> >>>> the default being false for the tunable)
> >>>
> >>> This seems to be a patch on a patch.
> >>>
> >>> Fedora also has a phpfpm policy module that I will port to contrib soon (maybe tomorrow).
> >>> When I do that I will probably also take some bits from your patches if you don't mind.
> >>>
> >>> I am not sure about the ldap boolean as auth_use_nsswitch() also provides this functionality via the
> >>> authlogin_nsswitch_use_ldap boolean so it seems redundant to me.
> >>>
> >>> Also have you tried (at least some) of the database functionality? mysql maybe? I wonder whether mysql_stream_connect() is enough or whether it needs more like writing db sockets or reading mysql config
> >>>
> >>> Some comments inline below
> >>>
> >>>>
> >>>> ---
> >>>> policy/modules/contrib/phpfpm.fc | 2 +-
> >>>> policy/modules/contrib/phpfpm.if | 18 ++++++++++++++++++
> >>>> policy/modules/contrib/phpfpm.te | 23 ++++++++++++++++-------
> >>>> 3 files changed, 35 insertions(+), 8 deletions(-)
> >>>> > >>>> diff --git a/policy/modules/contrib/phpfpm.fc > >>>> b/policy/modules/contrib/phpfpm.fc > >>>> index 536a5c7..51da02a 100644 > >>>> --- a/policy/modules/contrib/phpfpm.fc > >>>> +++ b/policy/modules/contrib/phpfpm.fc > >>>> @@ -1,5 +1,5 @@ > >>>> /usr/lib(64)?/php.*/bin/php-fpm > >>>> gen_context(system_u:object_r:phpfpm_exec_t,s0) > >>>> +/var/run/php*-fpm/*.sock > >>>> gen_context(system_u:object_r:phpfpm_var_run_t,s0) > >>> > >>> A sock needs to be specified with -s, so example: "/var/run/php-fpm/.*\.sock -s gen_context(system_u:object_r:phpfpm_var_run_t,s0)" > >>> > >>> single files need --, dirs need -d, links need -l etc > >>> > >>>> /var/log/php-fpm.log gen_context(system_u:object_r:phpfpm_log_t,s0) > >>>> /var/run/php-fpm.pid gen_context(system_u:object_r:phpfpm_var_run_t,s0) > >>> > >>> So these two above would need -- since they both single files > >>> > >> > >> updated the file context to the have -s and the like. > >> > >>>> diff --git a/policy/modules/contrib/phpfpm.if > >>>> b/policy/modules/contrib/phpfpm.if > >>>> index d9481d9..fee2c17 100644 > >>>> --- a/policy/modules/contrib/phpfpm.if > >>>> +++ b/policy/modules/contrib/phpfpm.if > >>>> @@ -28,3 +28,21 @@ interface(`phpfpm_admin',` > >>>> files_list_pids($1) > >>>> admin_pattern($1, phpfpm_var_run_t) > >>>> ') > >>>> + > >>>> +######################################## > >>>> +## > >>>> +## Connect to phpfpm using a unix domain stream socket. > >>>> +## > >>>> +## > >>>> +## > >>>> +## Domain allowed access. > >>>> +## > >>>> +## > >>>> +## > >>>> +# > >>>> +interface(`phpfpm_stream_connect',` > >>>> + gen_require(` > >>>> + type phpfpm_t, phpfpm_var_run_t; > >>>> + ') > >>>> + stream_connect_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t, phpfpm_t) > >>>> +') > >>> > >>> The above could use a files_search_pids($1) so that callers can get to phpfpm_var_run_t > >>> > >> > >> added it right after the stream_connect_pattern() 
> >> > >>>> diff --git a/policy/modules/contrib/phpfpm.te > >>>> b/policy/modules/contrib/phpfpm.te > >>>> index 2bd30d7..8758c01 100644 > >>>> --- a/policy/modules/contrib/phpfpm.te > >>>> +++ b/policy/modules/contrib/phpfpm.te > >>>> @@ -5,6 +5,8 @@ > >>>> # Declarations > >>>> # > >>>> > >>>> +gen_tunable(phpfpm_use_ldap, false) > >>>> + > >>>> type phpfpm_t; > >>>> type phpfpm_exec_t; > >>>> init_daemon_domain(phpfpm_t, phpfpm_exec_t) > >>>> @@ -28,7 +30,7 @@ allow phpfpm_t self:process signal; > >>>> allow phpfpm_t self:capability { setuid setgid kill }; > >>>> allow phpfpm_t self:tcp_socket rw_stream_socket_perms; > >>>> allow phpfpm_t self:udp_socket connected_socket_perms; > >>>> -allow phpfpm_t self:unix_stream_socket accept; > >>>> +allow phpfpm_t self:unix_stream_socket { accept > >>>> create_stream_socket_perms }; > >>> > >>> In fedora phpfpm policy, phpfpm is allowed to send messages to syslog. > >>> the logging send syslog msg() interface provides: allow $1 self:unix_stream_socket create_socket_perms; > >>> Thus thhe rule above can be: allow phpfpm_t self:unix_stream_socket { accept listen }; instead > >>> > >>> It needs listen as far as i know to be able to accept > >>> > >>>> > >>>> manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t) > >>>> logging_log_filetrans(phpfpm_t, phpfpm_log_t, file) 
> >>>> @@ -38,7 +40,9 @@ manage_dirs_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t) > >>>> files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, {file dir}) > >>> > >>>> manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t) > >>>> -files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, file) > >>>> +files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file }) > >>>> + > >>>> +manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t) > >>> > >>> This should go just above the files_pid_filetrans() > >> > >> what do you mean by that? do you mean that this > >> files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file }) > >> should be > >> files_pid_filetrans() > >> or that this > >> files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file }) > >> > >> manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t) > >> should be this, I assume the first one? > >> files_pid_filetrans() > > > > In this case you can even make it more efficient like so: > > > > allow phpfpm_t phpfpm_var_run_t:file manage_file_perms; > > allow phpfpm_t phpfpm_var_run_t:sock_file manage_sock_file_perms; > > files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file }) > > > > because there are no phpfpm_var_run_t directories involved > > so the patterns you used above are a little too coarse (they add rules that do not apply here) > > > > These day's we focus more and more on writing policy efficiently. > > This is to keep the policy footprint as small as possible and thereby performance as optimal as possible > > > > > >> > >>> > >>>> kernel_read_kernel_sysctls(phpfpm_t) 
> >>>> > >>>> @@ -48,10 +52,6 @@ corecmd_search_bin(phpfpm_t) > >>>> corenet_tcp_bind_all_unreserved_ports(phpfpm_t) > >>>> corenet_tcp_bind_generic_node(phpfpm_t) > >>>> corenet_tcp_bind_generic_port(phpfpm_t) > >>>> -# Comment was 'allow ldap connections' -> sysnet_use_ldap ? > >>>> -# Also, if it was optional because the application optionally does it, > >>>> perhaps > >>>> -# introduce a tunable for this? phpfpm_allow_ldap? > >>>> -corenet_tcp_connect_ldap_port(phpfpm_t) > >>>> > >>>> dev_read_rand(phpfpm_t) > >>>> dev_read_urand(phpfpm_t) > >>>> @@ -60,6 +60,8 @@ files_read_etc_files(phpfpm_t) > >>>> files_read_usr_files(phpfpm_t) > >>>> files_search_var_lib(phpfpm_t) > >>>> > >>>> +fs_getattr_xattr_fs(phpfpm_t) > >>>> + > >>>> miscfiles_read_localization(phpfpm_t) > >>>> > >>>> sysnet_dns_name_resolve(phpfpm_t) > >>>> @@ -73,10 +75,12 @@ apache_read_sys_content(phpfpm_t) > >>>> apache_dontaudit_search_modules(phpfpm_t) > >>>> > >>>> optional_policy(` > >>>> + mysql_stream_connect(phpfpm_t) > >>>> mysql_tcp_connect(phpfpm_t) > >>>> ') > >>>> > >>>> optional_policy(` > >>>> + postgresql_stream_connect(phpfpm_t) > >>>> postgresql_tcp_connect(phpfpm_t) > >>>> ') 
> >>>> > >>>> @@ -84,3 +88,8 @@ optional_policy(` > >>>> snmp_read_snmp_var_lib_files(phpfpm_t) > >>>> ') > >>>> > >>>> +optional_policy(` > >>>> + tunable_policy(`phpfpm_use_ldap',` > >>>> + sysnet_use_ldap(phpfpm_t) > >>>> + ') > >>>> +') > >>>> -- > >>>> 1.7.8.5 > >>>> > >>>> -- > >>>> -- Matthew Thode > >>>> > >>> > >>> Thanks! > >>> > >>>> _______________________________________________ > >>>> refpolicy mailing list > >>>> refpolicy at oss.tresys.com > >>>> http://oss.tresys.com/mailman/listinfo/refpolicy > >>> > >>> > >>> > >>> _______________________________________________ > >>> refpolicy mailing list > >>> refpolicy at oss.tresys.com > >>> http://oss.tresys.com/mailman/listinfo/refpolicy > >>> > >> > >> It was my understanding that my previous patch was accepted. It's fine > >> if you pull stuff out of this for that, though I think it may be best if > >> we focus on one module instead of two doing the same thing :D > >> > >> I've used this policy with postgres (as has another person who may be > >> commenting) but not mysql. > >> > >> I'm prometheanfire on irc (freenode) if you want to work on it with me. > >> > >> -- > >> -- Matthew Thode > >> > > > > > > > >> _______________________________________________ > >> refpolicy mailing list > >> refpolicy at oss.tresys.com > >> http://oss.tresys.com/mailman/listinfo/refpolicy > > > > > > > > _______________________________________________ > > refpolicy mailing list > > refpolicy at oss.tresys.com > > http://oss.tresys.com/mailman/listinfo/refpolicy > > > Ok, and how about working on this together? I contacted you on irc > > -- > -- Matthew Thode > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -------------- next part -------------- A non-text attachment was scrubbed... 
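Review bot: the new phpfpm.fc entry `/var/run/php*-fpm/*.sock` is written as a shell glob, but file context paths are regular expressions and a socket needs the `-s` file type flag; in regex form with the flag it reads `/var/run/php.*-fpm/.*\.sock -s gen_context(system_u:object_r:phpfpm_var_run_t,s0)`. For the same reason the two single-file entries `/var/log/php-fpm.log` and `/var/run/php-fpm.pid` in that hunk should carry `--` and escape the dot as `\.`, otherwise `.` matches any character.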
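Review bot: in the phpfpm.if hunk, `phpfpm_stream_connect()` grants the connect to the socket but not the directory search a caller needs to reach it under /var/run; add `files_search_pids($1)` inside the interface so every caller does not have to request it separately. The summary and parameter description lines between the `##` markers are empty as quoted, so confirm the documentation block is filled in before this is merged, since the interface docs are generated from it.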
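Review bot: `gen_tunable(phpfpm_use_ldap, false)` in the phpfpm.te declarations hunk has no description block; refpolicy tunables carry a `## <desc><p>...</p></desc>` comment directly above the `gen_tunable` so the boolean is documented and appears in the generated policy docs. Also reconsider whether this tunable is needed at all, since `auth_use_nsswitch()` already gates LDAP access through `authlogin_nsswitch_use_ldap`, as raised earlier in the thread.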
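Review bot: in the changed rule `allow phpfpm_t self:unix_stream_socket { accept create_stream_socket_perms };` the `accept` is redundant, because `create_stream_socket_perms` already expands to `create_socket_perms` plus `listen` and `accept`. Either use `create_stream_socket_perms` alone or, if `logging_send_syslog_msg()` is already supplying `create_socket_perms` as suggested above, reduce it to `{ listen accept }`.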
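Review bot: in the `@@ -38,7` hunk, `manage_sock_files_pattern()` is added after the `files_pid_filetrans()` that relies on the sock_file permission it grants, and the `_pattern` macros also grant dir search and write on phpfpm_var_run_t although no directory carries that type. Since only files and sock_files are involved, the minimal form is `allow phpfpm_t phpfpm_var_run_t:file manage_file_perms;` and `allow phpfpm_t phpfpm_var_run_t:sock_file manage_sock_file_perms;` followed by the `files_pid_filetrans`. Note too that the .fc hunk places the socket under a `php*-fpm` subdirectory this patch does not label; the sock_file transition only fires when the socket is created in a directory of type var_run_t, so if php-fpm creates that directory itself it needs a `dir` transition as well.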
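Review bot: in the last hunk, the `optional_policy()` wrapper around `tunable_policy(`phpfpm_use_ldap',...)` is unnecessary: `sysnet_use_ldap()` comes from the same sysnetwork module as the `sysnet_dns_name_resolve(phpfpm_t)` this file already calls unconditionally, so the `tunable_policy` block can stand on its own. A one-line comment above it stating why LDAP is optional would preserve the rationale that the removed `corenet_tcp_connect_ldap_port()` comment used to carry.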