Re: [PATCH] misc services patches with changes Dominick wanted

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 1/21/21 8:46 AM, Russell Coker wrote:
This patch has some changes Dominick wanted and some parts that he disliked
removed.  The one place where I didn't make his change I gave less access than
he recommended.

I think this is ready for merging.

Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>

I think I'm ok with the changes, though I have a couple questions/comments:


Index: refpolicy-2.20210120/policy/modules/services/apache.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/apache.fc
+++ refpolicy-2.20210120/policy/modules/services/apache.fc
@@ -83,6 +83,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
  /usr/sbin/rotatelogs					--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
  /usr/sbin/suexec					--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
  /usr/sbin/wigwam					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php.*-fpm					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php-fpm[^/]+					--	gen_context(system_u:object_r:httpd_exec_t,s0)

I can fix this when merging, but please keep the fc entries in order.


@@ -71,6 +71,7 @@ template(`apache_content_template',`
manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
  	manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+	allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
  	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
  	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
  	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)

There's a lot of mmapping being added. Can you provide any additional context on this? Is this induced by some config option? Is this apache only?


@@ -63,3 +63,23 @@ interface(`aptcacher_stream_connect',`
  	files_search_runtime($1)
  	stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
  ')
+
+######################################
+## <summary>
+##     read aptcacher config
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to read it.
+##     </summary>
+## </param>
+#
+interface(`aptcacher_read_config',`
+	gen_require(`
+		type aptcacher_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 aptcacher_etc_t:dir list_dir_perms;
+	allow $1 aptcacher_etc_t:file mmap_read_file_perms;
+')

Is this the only useful way to read these files? There's no valid non-mmap access? If regular read can be useful, then this should be aptcatch_mmap_read_config().



@@ -254,6 +255,7 @@ auth_use_nsswitch(cupsd_t)
libs_read_lib_files(cupsd_t)
  libs_exec_lib_files(cupsd_t)
+libs_legacy_use_ld_so(cupsd_t)

This seems broken and should probably be in a debian distro block.



--
Chris PeBenito



[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux