diff -Naur hardened-refpolicy.orig/policy/modules/contrib/phpfpm.fc hardened-refpolicy/policy/modules/contrib/phpfpm.fc
--- hardened-refpolicy.orig/policy/modules/contrib/phpfpm.fc 2012-09-13 09:45:24.401810474 -0500
+++ hardened-refpolicy/policy/modules/contrib/phpfpm.fc 2012-09-13 10:44:18.496682579 -0500
@@ -1,5 +1,5 @@
/usr/lib(64)?/php.*/bin/php-fpm gen_context(system_u:object_r:phpfpm_exec_t,s0)
+/var/run/php*-fpm/*.sock gen_context(system_u:object_r:phpfpm_var_run_t,s0)
/var/log/php-fpm.log gen_context(system_u:object_r:phpfpm_log_t,s0)
/var/run/php-fpm.pid gen_context(system_u:object_r:phpfpm_var_run_t,s0)
-
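Review bot: The added spec `/var/run/php*-fpm/*.sock` is written as a shell glob, but file_contexts paths are regular expressions anchored at both ends, so `php*` means "ph followed by any number of p" and `/*.sock` means "any number of slashes, one arbitrary character, then sock"; a socket such as `/var/run/php5-fpm/www.sock` would not match and would stay `var_run_t`. An entry of the form `/var/run/php[^/]*-fpm/[^/]*\.sock -s gen_context(system_u:object_r:phpfpm_var_run_t,s0)` expresses the intent, with `-s` limiting the match to socket files. The parent directory is not covered by this spec and keeps the generic pid-directory label, which is only fine if phpfpm.te's filetrans rules cover sock_file creation in that directory.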
diff -Naur hardened-refpolicy.orig/policy/modules/contrib/phpfpm.if hardened-refpolicy/policy/modules/contrib/phpfpm.if
--- hardened-refpolicy.orig/policy/modules/contrib/phpfpm.if 2012-09-13 09:45:24.402810473 -0500
+++ hardened-refpolicy/policy/modules/contrib/phpfpm.if 2012-09-13 10:44:14.825682715 -0500
@@ -28,3 +28,21 @@
files_list_pids($1)
admin_pattern($1, phpfpm_var_run_t)
')
+
+########################################
+##
+## Connect to phpfpm using a unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`phpfpm_stream_connect',`
+ gen_require(`
+ type phpfpm_t, phpfpm_var_run_t;
+ ')
+ stream_connect_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t, phpfpm_t)
+')
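Review bot: `phpfpm_stream_connect` grants the connect through the socket but not traversal of the directory the socket lives in; since the fc hunk puts the sockets under `/var/run/php*-fpm/`, callers also need `files_search_pids($1)` before the `stream_connect_pattern` call, as comparable `*_stream_connect` interfaces in refpolicy do. The `##` header also appears to have lost its `<summary>` and `<param name="domain">` XML tags, possibly in rendering; if the file really reads this way, the interface documentation generator will not pick the description up.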
diff -Naur hardened-refpolicy.orig/policy/modules/contrib/phpfpm.te hardened-refpolicy/policy/modules/contrib/phpfpm.te
--- hardened-refpolicy.orig/policy/modules/contrib/phpfpm.te 2012-09-13 09:45:24.402810473 -0500
+++ hardened-refpolicy/policy/modules/contrib/phpfpm.te 2012-09-13 11:37:15.527567615 -0500
@@ -1,10 +1,12 @@
-policy_module(phpfpm, 1.0)
+policy_module(phpfpm, 1.1)
#######################################
#
# Declarations
#
+gen_tunable(phpfpm_allow_ldap_connect, false)
+
type phpfpm_t;
type phpfpm_exec_t;
init_daemon_domain(phpfpm_t, phpfpm_exec_t)
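Review bot: `gen_tunable(phpfpm_allow_ldap_connect, false)` has no `## <desc>` block above it; refpolicy documents every tunable with a `## <desc>` / `## <p>` ... `## </p>` / `## </desc>` comment so the description is exported with the policy and shown by tools that list booleans. A one-line text such as `Determine whether php-fpm can connect to the LDAP port.` inside that block is enough.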
@@ -28,7 +30,7 @@
allow phpfpm_t self:capability { setuid setgid kill };
allow phpfpm_t self:tcp_socket rw_stream_socket_perms;
allow phpfpm_t self:udp_socket connected_socket_perms;
-allow phpfpm_t self:unix_stream_socket accept;
+allow phpfpm_t self:unix_stream_socket { accept create_stream_socket_perms };
manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
logging_log_filetrans(phpfpm_t, phpfpm_log_t, file)
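Review bot: In the new `allow phpfpm_t self:unix_stream_socket { accept create_stream_socket_perms };` the `accept` is redundant, because the `create_stream_socket_perms` set already includes `listen` and `accept`; the line can simply be `allow phpfpm_t self:unix_stream_socket create_stream_socket_perms;`. Harmless as written, but the duplicate suggests the permission set was not checked against obj_perm_sets.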
@@ -38,7 +40,9 @@
files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, {file dir})
manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
-files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, file)
+files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
+
+manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
kernel_read_kernel_sysctls(phpfpm_t)
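Review bot: The filetrans and `manage_sock_files_pattern` cover only the socket file, while the fc hunk places sockets in a per-pool directory `/var/run/php*-fpm/` that no rule here labels or lets `phpfpm_t` create. If php-fpm creates that directory itself at startup rather than relying on the init script, the mkdir will be denied; that would need `dir` in the filetrans, `files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { dir file sock_file })`, plus `manage_dirs_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)` and a matching directory entry in phpfpm.fc. If the directory is pre-created by the init script, nothing more is needed beyond confirming that.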
@@ -48,10 +52,6 @@
corenet_tcp_bind_all_unreserved_ports(phpfpm_t)
corenet_tcp_bind_generic_node(phpfpm_t)
corenet_tcp_bind_generic_port(phpfpm_t)
-# Comment was 'allow ldap connections' -> sysnet_use_ldap ?
-# Also, if it was optional because the application optionally does it, perhaps
-# introduce a tunable for this? phpfpm_allow_ldap?
-corenet_tcp_connect_ldap_port(phpfpm_t)
dev_read_rand(phpfpm_t)
dev_read_urand(phpfpm_t)
@@ -60,6 +60,8 @@
files_read_usr_files(phpfpm_t)
files_search_var_lib(phpfpm_t)
+fs_getattr_xattr_fs(phpfpm_t)
+
miscfiles_read_localization(phpfpm_t)
sysnet_dns_name_resolve(phpfpm_t)
@@ -73,10 +75,12 @@
apache_dontaudit_search_modules(phpfpm_t)
optional_policy(`
+ mysql_stream_connect(phpfpm_t)
mysql_tcp_connect(phpfpm_t)
')
optional_policy(`
+ postgresql_stream_connect(phpfpm_t)
postgresql_tcp_connect(phpfpm_t)
')
@@ -84,3 +88,8 @@
snmp_read_snmp_var_lib_files(phpfpm_t)
')
+optional_policy(`
+ tunable_policy(`phpfpm_allow_ldap_connect',`
+ corenet_tcp_connect_ldap_port(phpfpm_t)
+ ')
+')
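Review bot: The new `tunable_policy` block is wrapped in `optional_policy`, but `corenet_tcp_connect_ldap_port` comes from the corenetwork module in the kernel layer, which is always present, so the wrapper adds nothing; refpolicy places such tunable blocks unwrapped. The natural location is next to the other `corenet_*` calls the earlier hunk removed the rule from, rather than appended after the snmp block, so the `tunable_policy` block should be moved there and the enclosing `optional_policy` dropped.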