Gentoo's Bugzilla – Attachment 323690 Details for
Bug 434888
selinux-phpfpm-2.20120725-r5: use stream sockets
phpfpm patch for hardened-refpolicy
phpfpm.patch (text/plain), 3.83 KB, created by
Matthew Thode ( prometheanfire )
on 2012-09-13 16:41:20 UTC
Description:
phpfpm patch for hardened-refpolicy
Filename:
MIME Type:
Creator:
Matthew Thode ( prometheanfire )
Created:
2012-09-13 16:41:20 UTC
Size:
3.83 KB
patch
obsolete
>diff -Naur hardened-refpolicy.orig/policy/modules/contrib/phpfpm.fc hardened-refpolicy/policy/modules/contrib/phpfpm.fc
>--- hardened-refpolicy.orig/policy/modules/contrib/phpfpm.fc 2012-09-13 09:45:24.401810474 -0500
>+++ hardened-refpolicy/policy/modules/contrib/phpfpm.fc 2012-09-13 10:44:18.496682579 -0500
>@@ -1,5 +1,5 @@
> /usr/lib(64)?/php.*/bin/php-fpm gen_context(system_u:object_r:phpfpm_exec_t,s0)
>+/var/run/php*-fpm/*.sock gen_context(system_u:object_r:phpfpm_var_run_t,s0)
>
> /var/log/php-fpm.log gen_context(system_u:object_r:phpfpm_log_t,s0)
> /var/run/php-fpm.pid gen_context(system_u:object_r:phpfpm_var_run_t,s0)
>-
>diff -Naur hardened-refpolicy.orig/policy/modules/contrib/phpfpm.if hardened-refpolicy/policy/modules/contrib/phpfpm.if
>--- hardened-refpolicy.orig/policy/modules/contrib/phpfpm.if 2012-09-13 09:45:24.402810473 -0500
>+++ hardened-refpolicy/policy/modules/contrib/phpfpm.if 2012-09-13 10:44:14.825682715 -0500
>@@ -28,3 +28,21 @@
> files_list_pids($1)
> admin_pattern($1, phpfpm_var_run_t)
> ')
>+
>+########################################
>+## <summary>
>+## Connect to phpfpm using a unix domain stream socket.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <rolecap/>
>+#
>+interface(`phpfpm_stream_connect',`
>+ gen_require(`
>+ type phpfpm_t, phpfpm_var_run_t;
>+ ')
>+ stream_connect_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t, phpfpm_t)
>+')
>diff -Naur hardened-refpolicy.orig/policy/modules/contrib/phpfpm.te hardened-refpolicy/policy/modules/contrib/phpfpm.te
>--- hardened-refpolicy.orig/policy/modules/contrib/phpfpm.te 2012-09-13 09:45:24.402810473 -0500
>+++ hardened-refpolicy/policy/modules/contrib/phpfpm.te 2012-09-13 11:37:15.527567615 -0500
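Review bot: The added file-context path `/var/run/php*-fpm/*.sock` is a regular expression, not a shell glob, so `php*` matches `ph` followed by any number of `p` characters and `*.sock` matches zero or more `/` followed by any single character and `sock`, which is not the set of socket files the entry appears to target. The usual spelling would be `/var/run/php[^/]*-fpm/[^/]*\.sock`, and since the entry is meant for sockets it would normally carry the `-s` file-type qualifier so regular files dropped into that directory do not pick up `phpfpm_var_run_t`: `/var/run/php[^/]*-fpm/[^/]*\.sock -s gen_context(system_u:object_r:phpfpm_var_run_t,s0)`. The hunk adds no entry for the `php*-fpm` directory itself; whether it should be labelled with a `-d` entry depends on which domain creates it, which this patch does not show.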
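Review bot: The new `phpfpm_stream_connect` interface grants the caller no search permission on the `/var/run` directory, so a domain that does not already have it would be denied on the path lookup before it ever reaches the socket; if I recall the refpolicy siblings correctly, `mysql_stream_connect` and `postgresql_stream_connect` (both called from the .te hunk below) add `files_search_pids($1)` for exactly this reason. Inserting `files_search_pids($1)` before `stream_connect_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t, phpfpm_t)` would make the interface self-contained. The `<rolecap/>` tag in the doc block is normally reserved for interfaces that are exposed as role capabilities; a plain connect interface usually omits it, so drop it unless that exposure is intended.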
>@@ -1,10 +1,12 @@
>-policy_module(phpfpm, 1.0)
>+policy_module(phpfpm, 1.1)
>
> #######################################
> #
> # Declarations
> #
>
>+gen_tunable(phpfpm_allow_ldap_connect, false)
>+
> type phpfpm_t;
> type phpfpm_exec_t;
> init_daemon_domain(phpfpm_t, phpfpm_exec_t)
>@@ -28,7 +30,7 @@
> allow phpfpm_t self:capability { setuid setgid kill };
> allow phpfpm_t self:tcp_socket rw_stream_socket_perms;
> allow phpfpm_t self:udp_socket connected_socket_perms;
>-allow phpfpm_t self:unix_stream_socket accept;
>+allow phpfpm_t self:unix_stream_socket { accept create_stream_socket_perms };
>
> manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
> logging_log_filetrans(phpfpm_t, phpfpm_log_t, file)
>@@ -38,7 +40,9 @@
> files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, {file dir})
>
> manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
>-files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, file)
>+files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
>+
>+manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
>
> kernel_read_kernel_sysctls(phpfpm_t)
>
>@@ -48,10 +52,6 @@
> corenet_tcp_bind_all_unreserved_ports(phpfpm_t)
> corenet_tcp_bind_generic_node(phpfpm_t)
> corenet_tcp_bind_generic_port(phpfpm_t)
>-# Comment was 'allow ldap connections' -> sysnet_use_ldap ?
>-# Also, if it was optional because the application optionally does it, perhaps
>-# introduce a tunable for this? phpfpm_allow_ldap?
>-corenet_tcp_connect_ldap_port(phpfpm_t)
>
> dev_read_rand(phpfpm_t)
> dev_read_urand(phpfpm_t)
>@@ -60,6 +60,8 @@
> files_read_usr_files(phpfpm_t)
> files_search_var_lib(phpfpm_t)
>
>+fs_getattr_xattr_fs(phpfpm_t)
>+
> miscfiles_read_localization(phpfpm_t)
>
> sysnet_dns_name_resolve(phpfpm_t)
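Review bot: The new `gen_tunable(phpfpm_allow_ldap_connect, false)` in the first hunk carries no documentation block, while refpolicy's tooling expects every tunable to be preceded by a `## <desc>` / `## <p>` … `## </p>` / `## </desc>` comment describing what enabling it allows; without it the boolean will not show up in the generated policy documentation and an administrator has only the name to go on. A short block stating that the tunable lets php-fpm connect to LDAP ports, placed directly above the `gen_tunable` line, would resolve this. Since the unconditional `corenet_tcp_connect_ldap_port(phpfpm_t)` is removed in the `@@ -48,10 +52,6 @@` hunk and the tunable defaults to `false`, that description is also the natural place to tell upgrading deployments that LDAP access now has to be switched on.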
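Review bot: In the `@@ -28,7 +30,7 @@` hunk the new rule `allow phpfpm_t self:unix_stream_socket { accept create_stream_socket_perms };` lists `accept` separately, but if I recall `obj_perm_sets.spt` correctly `create_stream_socket_perms` already expands to `create_socket_perms` plus `listen` and `accept`, so the explicit `accept` is redundant. Writing the line as `allow phpfpm_t self:unix_stream_socket create_stream_socket_perms;` states the same grant and matches how the neighbouring `tcp_socket` and `udp_socket` rules use a single permission set. Worth confirming against the refpolicy version this targets before simplifying.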
>@@ -73,10 +75,12 @@
> apache_dontaudit_search_modules(phpfpm_t)
>
> optional_policy(`
>+ mysql_stream_connect(phpfpm_t)
> mysql_tcp_connect(phpfpm_t)
> ')
>
> optional_policy(`
>+ postgresql_stream_connect(phpfpm_t)
> postgresql_tcp_connect(phpfpm_t)
> ')
>
>@@ -84,3 +88,8 @@
> snmp_read_snmp_var_lib_files(phpfpm_t)
> ')
>
>+optional_policy(`
>+ tunable_policy(`phpfpm_allow_ldap_connect',`
>+ corenet_tcp_connect_ldap_port(phpfpm_t)
>+ ')
>+')
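Review bot: In the `@@ -84,3 +88,8 @@` hunk the `optional_policy(` wrapper encloses only a `tunable_policy` whose single call is `corenet_tcp_connect_ldap_port(phpfpm_t)`, a kernel-layer interface that is always present, so the wrapper adds nothing and departs from the rest of this file, where `optional_policy` marks dependencies on other contrib modules such as mysql, postgresql and snmp. The `tunable_policy(`phpfpm_allow_ldap_connect',` … `')` block can stand at top level on its own. If the intent was to tie the rule to an optional module (the removed comment in the earlier hunk mentioned `sysnet_use_ldap`), that module's interface should be what sits inside the `optional_policy`, not the corenet call.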