Bug 434888 - selinux-phpfpm-2.20120725-r5: use stream sockets
Summary: selinux-phpfpm-2.20120725-r5: use stream sockets
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
: Normal enhancement
Assignee: Matthew Thode ( prometheanfire )
URL:
Whiteboard: sec-policy r6
Keywords:
Depends on:
Blocks:
 
Reported: 2012-09-13 11:55 UTC by Vincent Brillault
Modified: 2012-12-13 10:15 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
Proposed patch to implement the enhancement (phpfpm.patch,1.68 KB, text/plain)
2012-09-13 11:55 UTC, Vincent Brillault
phpfpm patch for hardened-refpolicy (phpfpm.patch,3.83 KB, text/plain)
2012-09-13 16:41 UTC, Matthew Thode ( prometheanfire )

Description Vincent Brillault 2012-09-13 11:55:05 UTC
Created attachment 323652
Proposed patch to implement the enhancement

The current phpfpm policy doesn't allow the use of stream sockets.
Here is a patch that at least partially allows it.

Optional policies should also be added to the different servers, e.g. for nginx:
'''
optional_policy(`
	phpfpm_stream_connect(nginx_t)
')
'''
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2012-09-13 16:41:20 UTC
Created attachment 323690
phpfpm patch for hardened-refpolicy
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-10-04 17:52:41 UTC
Matthew, if you don't mind me changing the state of your bug(s) ;-) The patch is pulled in from refpolicy so will be part of -r6 (and is already in the live ebuilds).
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2012-10-04 19:23:00 UTC
I don't know if this should go in r6 given its state upstream (dunno what's happening with it with grift doing what he wants with it...)
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-03 17:39:45 UTC
In hardened-dev, r6 release
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-18 15:28:35 UTC
In main tree, ~arch'ed
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-13 10:15:15 UTC
r8 is now stable