From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1340522794.c65a86598307c356d4b8b005f7ab2634a070bd5d.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/phpfpm.fc policy/modules/contrib/phpfpm.if policy/modules/contrib/phpfpm.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: c65a86598307c356d4b8b005f7ab2634a070bd5d X-VCS-Branch: master Date: Sun, 24 Jun 2012 07:27:25 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: 548f4727-a51a-4555-af81-362ac8322451 X-Archives-Hash: 2a5ff775aceccb76979654c4f14ce774 commit: c65a86598307c356d4b8b005f7ab2634a070bd5d Author: Sven Vermeulen siphos be> AuthorDate: Sun Jun 24 07:26:34 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Sun Jun 24 07:26:34 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-refp= olicy.git;a=3Dcommit;h=3Dc65a8659 Adding phpfpm module --- policy/modules/contrib/phpfpm.fc | 5 ++ policy/modules/contrib/phpfpm.if | 30 +++++++++++++ policy/modules/contrib/phpfpm.te | 86 ++++++++++++++++++++++++++++++++= ++++++ 3 files changed, 121 insertions(+), 0 deletions(-) diff --git a/policy/modules/contrib/phpfpm.fc b/policy/modules/contrib/ph= pfpm.fc new file mode 100644 index 0000000..536a5c7 --- /dev/null +++ b/policy/modules/contrib/phpfpm.fc @@ -0,0 +1,5 @@ +/usr/lib(64)?/php.*/bin/php-fpm gen_context(system_u:object_r:phpfpm_ex= ec_t,s0) + +/var/log/php-fpm.log gen_context(system_u:object_r:phpfpm_log_t,s0) +/var/run/php-fpm.pid gen_context(system_u:object_r:phpfpm_var_run_t,s0= ) + 
diff --git a/policy/modules/contrib/phpfpm.if b/policy/modules/contrib/ph= pfpm.if new file mode 100644 index 0000000..2038ed5 --- /dev/null +++ b/policy/modules/contrib/phpfpm.if @@ -0,0 +1,30 @@ +# PHP FastCGI Process Manager + +################################################# +## +## Administrate a phpfpm environment +## +## +## +## Domain allowed access +## +## +#=20 +interface(`phpfpm_admin',` + gen_require(` + type phpfpm_t; + type phpfpm_log_t, phpfpm_tmp_t, phpfpm_var_run_t; + ') + + allow $1 phpfpm_t:process { ptrace signal_perms }; + ps_process_pattern($1, phpfpm_t) + + logging_list_logs($1) + admin_pattern($1, phpfpm_log_t) + + files_list_tmp($1) + admin_pattern($1, phpfpm_tmp_t) + + files_list_pids($1) + admin_pattern($1, phpfpm_var_run_t) +') diff --git a/policy/modules/contrib/phpfpm.te b/policy/modules/contrib/ph= pfpm.te new file mode 100644 index 0000000..2bd30d7 --- /dev/null +++ b/policy/modules/contrib/phpfpm.te 
@@ -0,0 +1,86 @@ +policy_module(phpfpm, 1.0) + +####################################### +# +# Declarations +# + +type phpfpm_t; +type phpfpm_exec_t; +init_daemon_domain(phpfpm_t, phpfpm_exec_t) + +type phpfpm_tmp_t; +files_tmp_file(phpfpm_tmp_t) + +type phpfpm_var_run_t; +files_pid_file(phpfpm_var_run_t) + +type phpfpm_log_t; +logging_log_file(phpfpm_log_t) + +####################################### +# +# Local policy +# + + +allow phpfpm_t self:process signal; +allow phpfpm_t self:capability { setuid setgid kill }; +allow phpfpm_t self:tcp_socket rw_stream_socket_perms; +allow phpfpm_t self:udp_socket connected_socket_perms; +allow phpfpm_t self:unix_stream_socket accept; + +manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t) +logging_log_filetrans(phpfpm_t, phpfpm_log_t, file) + +manage_files_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t) +manage_dirs_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t) +files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, {file dir}) + +manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t) +files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, file) + +kernel_read_kernel_sysctls(phpfpm_t) + +corecmd_read_bin_symlinks(phpfpm_t) +corecmd_search_bin(phpfpm_t) + +corenet_tcp_bind_all_unreserved_ports(phpfpm_t) +corenet_tcp_bind_generic_node(phpfpm_t) +corenet_tcp_bind_generic_port(phpfpm_t) +# Comment was 'allow ldap connections' -> sysnet_use_ldap ? +# Also, if it was optional because the application optionally does it, p= erhaps +# introduce a tunable for this? phpfpm_allow_ldap? 
+corenet_tcp_connect_ldap_port(phpfpm_t) + +dev_read_rand(phpfpm_t) +dev_read_urand(phpfpm_t) + +files_read_etc_files(phpfpm_t) +files_read_usr_files(phpfpm_t) +files_search_var_lib(phpfpm_t) + +miscfiles_read_localization(phpfpm_t) + +sysnet_dns_name_resolve(phpfpm_t) +sysnet_read_config(phpfpm_t) + +userdom_search_user_home_dirs(phpfpm_t) + +apache_append_all_ra_content(phpfpm_t) +apache_manage_all_rw_content(phpfpm_t) +apache_read_sys_content(phpfpm_t) +apache_dontaudit_search_modules(phpfpm_t) + +optional_policy(` + mysql_tcp_connect(phpfpm_t) +') + +optional_policy(` + postgresql_tcp_connect(phpfpm_t) +') + +optional_policy(` + snmp_read_snmp_var_lib_files(phpfpm_t) +') +
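Review bot: the three file-context entries in phpfpm.fc omit the object-class field and leave the regex dots unescaped. Refpolicy .fc entries for executables and regular files carry `--` before gen_context so the label applies only to regular files, and a literal `.` is written `\.`; suggested form: `/usr/lib(64)?/php[^/]*/bin/php-fpm -- gen_context(system_u:object_r:phpfpm_exec_t,s0)`, `/var/log/php-fpm\.log -- gen_context(system_u:object_r:phpfpm_log_t,s0)`, `/var/run/php-fpm\.pid -- gen_context(system_u:object_r:phpfpm_var_run_t,s0)`. The `php[^/]*` change matters because `php.*` also matches `/`, so the current pattern labels any php-fpm found under an arbitrarily deep subdirectory of /usr/lib/php*, not just the intended install directory.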
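Review bot: phpfpm_admin is the only interface in phpfpm.if, so nothing can grant another domain access to the daemon's listener. phpfpm.te contains `allow phpfpm_t self:unix_stream_socket accept;`, meaning php-fpm is expected to serve FastCGI over a unix stream socket, yet phpfpm.fc labels no socket path and no `phpfpm_stream_connect`-style interface exists for the web server domain that must connect to it. Suggest adding an .fc entry for the socket (phpfpm_var_run_t would fit, given the pid file already uses it) and an interface built on `stream_connect_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t, phpfpm_t)`, so the connecting domain gets only connectto on phpfpm_t rather than broader access.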
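Review bot: the four apache_* calls (apache_append_all_ra_content, apache_manage_all_rw_content, apache_read_sys_content, apache_dontaudit_search_modules) depend on another contrib module but are not inside `optional_policy(\`...')`, unlike the mysql, postgresql and snmp calls that follow them; the module cannot be built when apache is not enabled, so move them into an optional_policy block. Two related points in the same hunk: `corenet_tcp_bind_all_unreserved_ports(phpfpm_t)` alongside corenet_tcp_bind_generic_port lets the daemon bind any unreserved port although php-fpm only needs its one configured listener, so a dedicated port type would be tighter; and `corenet_tcp_connect_ldap_port(phpfpm_t)` is granted unconditionally while the comment directly above it already proposes a tunable, so wrap it in `tunable_policy` with a boolean declared via gen_tunable (the comment's phpfpm_allow_ldap name would do).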