
From: Kenton Groombridge <concord@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:various-20211111 commit in: policy/modules/contrib/
Date: Mon, 06 Jun 2022 15:13:37
Message-Id: 1654528388.822b048c53c7b0362a74333fba24a151569be6bc.concord@gentoo
1 commit: 822b048c53c7b0362a74333fba24a151569be6bc
2 Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
3 AuthorDate: Fri Nov 12 01:27:06 2021 +0000
4 Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
5 CommitDate: Mon Jun 6 15:13:08 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=822b048c
7
8 phpfpm: various fixes and new tunables
9
10 Minor fixes for phpfpm and add several new tunables, primarily designed
11 to get various webapps working under SELinux.
12
13 Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
14
15 policy/modules/contrib/phpfpm.te | 73 ++++++++++++++++++++++++++++++++++++++++
16 1 file changed, 73 insertions(+)
17
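diff --git a/policy/modules/contrib/phpfpm.te b/policy/modules/contrib/phpfpm.te
index cffae6d7..a1044f31 100644
--- a/policy/modules/contrib/phpfpm.te
+++ b/policy/modules/contrib/phpfpm.te
@@ -19,6 +19,49 @@ gen_tunable(phpfpm_use_ldap, false)
 ## </desc>
 gen_tunable(phpfpm_send_syslog_msg, false)
 
+## <desc>
+## <p>
+## Allow phpfpm to execute shells. This
+## is needed by some webapps.
+## </p>
+## </desc>
+gen_tunable(phpfpm_exec_shell, false)
+
+## <desc>
+## <p>
+## Allow phpfpm to connect to http ports.
+## </p>
+## </desc>
+gen_tunable(phpfpm_connect_http, false)
+
+## <desc>
+## <p>
+## Allow phpfpm to connect to pop ports.
+## </p>
+## </desc>
+gen_tunable(phpfpm_connect_pop, false)
+
+## <desc>
+## <p>
+## Allow phpfpm to connect to redis ports.
+## </p>
+## </desc>
+gen_tunable(phpfpm_connect_redis, false)
+
+## <desc>
+## <p>
+## Allow phpfpm to connect to sieve ports.
+## </p>
+## </desc>
+gen_tunable(phpfpm_connect_sieve, false)
+
+## <desc>
+## <p>
+## Allow phpfpm to connect to smtp ports.
+## </p>
+## </desc>
+gen_tunable(phpfpm_connect_smtp, false)
+
 type phpfpm_t;
 type phpfpm_exec_t;
 init_daemon_domain(phpfpm_t, phpfpm_exec_t)
@@ -44,6 +87,8 @@ allow phpfpm_t self:fifo_file rw_fifo_file_perms;
 allow phpfpm_t self:tcp_socket rw_stream_socket_perms;
 allow phpfpm_t self:udp_socket connected_socket_perms;
 allow phpfpm_t self:unix_stream_socket { accept create_stream_socket_perms };
+allow phpfpm_t self:unix_dgram_socket { create_socket_perms };
+dontaudit phpfpm_t self:capability net_admin;
 
 manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
 logging_log_filetrans(phpfpm_t, phpfpm_log_t, file)
@@ -86,6 +131,10 @@ apache_manage_all_rw_content(phpfpm_t)
 apache_read_sys_content(phpfpm_t)
 apache_dontaudit_search_modules(phpfpm_t)
 
+optional_policy(`
+	apache_map_sys_content(phpfpm_t)
+')
+
 optional_policy(`
 	mysql_stream_connect(phpfpm_t)
 	mysql_tcp_connect(phpfpm_t)
@@ -106,6 +155,30 @@ optional_policy(`
 	')
 ')
 
+tunable_policy(`phpfpm_exec_shell',`
+	corecmd_exec_shell(phpfpm_t)
+')
+
+tunable_policy(`phpfpm_connect_http',`
+	corenet_tcp_connect_http_port(phpfpm_t)
+')
+
+tunable_policy(`phpfpm_connect_pop',`
+	corenet_tcp_connect_pop_port(phpfpm_t)
+')
+
+tunable_policy(`phpfpm_connect_redis',`
+	corenet_tcp_connect_redis_port(phpfpm_t)
+')
+
+tunable_policy(`phpfpm_connect_sieve',`
+	corenet_tcp_connect_sieve_port(phpfpm_t)
+')
+
+tunable_policy(`phpfpm_connect_smtp',`
+	corenet_tcp_connect_smtp_port(phpfpm_t)
+')
+
 tunable_policy(`phpfpm_send_syslog_msg',`
 	logging_send_syslog_msg(phpfpm_t)
 ')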
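Review bot: The `phpfpm_exec_shell` description in the first hunk tells an administrator only that some webapps need it, but `corecmd_exec_shell(phpfpm_t)` in the last hunk executes the shell inside phpfpm_t with no domain transition, so enabling it lets anything that can drive the web worker also drive a shell with the worker's full permission set; the description should say so, e.g. `## Allow phpfpm to execute shells in its own domain. This is needed by some webapps but widens what a compromised webapp can do.`. In the second hunk, `allow phpfpm_t self:unix_dgram_socket { create_socket_perms };` wraps a single permission set in braces while the neighbouring rules write bare sets (`rw_stream_socket_perms`, `connected_socket_perms`), so `allow phpfpm_t self:unix_dgram_socket create_socket_perms;` matches the file. The new `dontaudit phpfpm_t self:capability net_admin;` has no comment naming what triggers it (presumably a socket option the daemon sets at startup — confirm from the denial), and a one-line `# ` note above it would stop a later reader from turning it into an allow. In the third hunk the new `apache_map_sys_content(phpfpm_t)` sits in its own `optional_policy` block directly under `apache_read_sys_content`/`apache_dontaudit_search_modules`; if those calls are already inside an apache `optional_policy` block (indentation is lost in this rendering), the new call belongs in that block rather than a separate one.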