Re: [PATCH] misc services patches with changes Dominick wanted

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tuesday, 26 January 2021 1:22:22 AM AEDT Chris PeBenito wrote:
> >   gs_exec_t,s0)
> >   /usr/sbin/suexec					--	
gen_context(system_u:object_r:httpd_suexec_exec
> >   _t,s0)
> >   /usr/sbin/wigwam					--	
gen_context(system_u:object_r:httpd_exec_t,s0)> 
> > +/usr/sbin/php.*-fpm					--	
gen_context(system_u:object_r:httpd_exec_t,s0)
> > +/usr/sbin/php-fpm[^/]+					--	
gen_context(system_u:object_r:httpd_exec_t,
> > s0)
> I can fix this when merging, but please keep the fc entries in order.

OK, I'll do that in the next version.

> > @@ -71,6 +71,7 @@ template(`apache_content_template',`
> > 
> >   	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
> >   	httpd_$1_rw_content_t) manage_files_pattern(httpd_$1_script_t,
> >   	httpd_$1_rw_content_t, httpd_$1_rw_content_t)> 
> > +	allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
> > 
> >   	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
> >   	httpd_$1_rw_content_t) manage_fifo_files_pattern(httpd_$1_script_t,
> >   	httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> >   	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
> >   	httpd_$1_rw_content_t)
> There's a lot of mmapping being added.  Can you provide any additional
> context on this?  Is this induced by some config option? Is this apache
> only?

It's for Apache, it maps all files it sends with no special configuration.

> > @@ -63,3 +63,23 @@ interface(`aptcacher_stream_connect',`
> > 
> >   	files_search_runtime($1)
> >   	stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t,
> >   	aptcacher_t)>   
> >   ')
> > 
> > +
> > +######################################
> > +## <summary>
> > +##     read aptcacher config
> > +## </summary>
> > +## <param name="domain">
> > +##     <summary>
> > +##     Domain allowed to read it.
> > +##     </summary>
> > +## </param>
> > +#
> > +interface(`aptcacher_read_config',`
> > +	gen_require(`
> > +		type aptcacher_etc_t;
> > +	')
> > +
> > +	files_search_etc($1)
> > +	allow $1 aptcacher_etc_t:dir list_dir_perms;
> > +	allow $1 aptcacher_etc_t:file mmap_read_file_perms;
> > +')
> 
> Is this the only useful way to read these files?  There's no valid non-mmap
> access?  If regular read can be useful, then this should be
> aptcatch_mmap_read_config().

OK.

> > @@ -254,6 +255,7 @@ auth_use_nsswitch(cupsd_t)
> > 
> >   libs_read_lib_files(cupsd_t)
> >   libs_exec_lib_files(cupsd_t)
> > 
> > +libs_legacy_use_ld_so(cupsd_t)
> 
> This seems broken and should probably be in a debian distro block.

OK, I'll remove that and do more testing.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/






[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux