On 1/21/21 8:46 AM, Russell Coker wrote:
This patch has some changes Dominick wanted and some parts that he disliked
removed. The one place where I didn't make his change I gave less access than
he recommended.
I think this is ready for merging.
Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>
I think I'm ok with the changes, though I have a couple questions/comments:
Index: refpolicy-2.20210120/policy/modules/services/apache.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/apache.fc
+++ refpolicy-2.20210120/policy/modules/services/apache.fc
@@ -83,6 +83,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
/usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php.*-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php-fpm[^/]+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
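Review bot: the first new pattern, `/usr/sbin/php.*-fpm`, uses `.*`, which in a file_contexts regex also matches `/`, so it would label anything ending in `-fpm` below a `/usr/sbin/php*` directory rather than only the binary itself; `/usr/sbin/php[^/]*-fpm` keeps the match to one path component and is consistent with the `[^/]+` already used on the second new line. Both entries also need to move above `/usr/sbin/rotatelogs` so the file stays sorted.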
I can fix this when merging, but please keep the fc entries in order.
@@ -71,6 +71,7 @@ template(`apache_content_template',`
manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
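Review bot: the new `allow httpd_$1_script_t httpd_$1_rw_content_t:file map;` sits inside `apache_content_template`, so every script domain instantiated from the template gains map access to its rw content, not only the one that needs it for php-fpm. If a single instantiation needs it, grant it in that caller instead; if it is genuinely needed everywhere, express it through the mmap variant of the pattern macro on the preceding line rather than a bare allow, so the rule matches the surrounding style, and add a one-line comment naming the code path that performs the mmap.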
There's a lot of mmapping being added. Can you provide any additional context
on this? Is this induced by some config option? Is this apache only?
@@ -63,3 +63,23 @@ interface(`aptcacher_stream_connect',`
files_search_runtime($1)
stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
')
+
+######################################
+## <summary>
+## read aptcacher config
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to read it.
+## </summary>
+## </param>
+#
+interface(`aptcacher_read_config',`
+ gen_require(`
+ type aptcacher_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 aptcacher_etc_t:dir list_dir_perms;
+ allow $1 aptcacher_etc_t:file mmap_read_file_perms;
+')
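Review bot: the interface body uses bare `allow` rules on the dir and file classes where the rest of this file expresses access through pattern macros (compare `stream_connect_pattern` in the preceding interface); `list_dirs_pattern($1, aptcacher_etc_t, aptcacher_etc_t)` plus the corresponding read pattern for the files conveys the same access in the file's own style. The `<summary>` text `read aptcacher config` should also be a full sentence with a capital letter, e.g. `Read the apt-cacher configuration.`, and if the mmap permission is kept the interface name should say so.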
Is this the only useful way to read these files? There's no valid non-mmap
access? If regular read can be useful, then this should be
aptcacher_mmap_read_config().
@@ -254,6 +255,7 @@ auth_use_nsswitch(cupsd_t)
libs_read_lib_files(cupsd_t)
libs_exec_lib_files(cupsd_t)
+libs_legacy_use_ld_so(cupsd_t)
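Review bot: the added `libs_legacy_use_ld_so(cupsd_t)` carries no comment saying which distribution or ld.so location requires the legacy loader path, and the surrounding calls are unconditional. If this is Debian-specific, wrap it in an `ifdef(`distro_debian',` block with a one-line comment explaining the need, so the rule does not reach every build.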
This seems broken and should probably be in a Debian distro block.
--
Chris PeBenito