From: Russell Coker
To: Chris PeBenito
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc services patches with changes Dominick wanted
Date: Wed, 27 Jan 2021 14:04:45 +1100
Message-ID: <53731370.JSHSjNzumS@liv>
List-ID: selinux-refpolicy@vger.kernel.org

On Tuesday, 26 January 2021 1:22:22 AM AEDT Chris PeBenito wrote:
> > gs_exec_t,s0)
> > /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec
> > _t,s0)
> > /usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
> >
> > +/usr/sbin/php.*-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
> > +/usr/sbin/php-fpm[^/]+ -- gen_context(system_u:object_r:httpd_exec_t,
> > s0)
>
> I can fix this when merging, but please keep the fc entries in order.

OK, I'll do that in the next version.

> > @@ -71,6 +71,7 @@ template(`apache_content_template',`
> >
> > manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
> > httpd_$1_rw_content_t) manage_files_pattern(httpd_$1_script_t,
> > httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> >
> > + allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
> >
> > manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
> > httpd_$1_rw_content_t) manage_fifo_files_pattern(httpd_$1_script_t,
> > httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> > manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
> > httpd_$1_rw_content_t)
>
> There's a lot of mmapping being added. Can you provide any additional
> context on this? Is this induced by some config option? Is this apache
> only?

It's for Apache, it maps all files it sends with no special configuration.
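Review bot: the two new php-fpm file contexts use different wildcard styles, and the first is looser than it needs to be: `/usr/sbin/php.*-fpm` uses `.*`, which also matches `/` and therefore anything ending in `-fpm` in a subdirectory of `/usr/sbin/`, while the line after it uses `[^/]+`. Suggest `/usr/sbin/php[^/]*-fpm` so both entries stay within the directory. Note also that the bare `/usr/sbin/php-fpm` is matched only by the first entry, since the second requires at least one character after `php-fpm`; a short comment saying which binary naming scheme each line is for would save the next reader the regex check.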
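Review bot: the justification given in the reply (Apache maps every file it sends) describes httpd_t, but the `+ allow httpd_$1_script_t httpd_$1_rw_content_t:file map;` line grants `map` to the script domain, and because it sits inside `apache_content_template` it applies to every content type the template is instantiated for, not only the one that produced a denial. Combined with the write access that `manage_files_pattern` on the preceding line already gives, `map` lets every script domain create writable shared mappings of its rw content. If a single script domain actually needs this, the rule belongs in that domain's policy rather than in the template; otherwise the commit message should say which script domain and workload required it.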
> > @@ -63,3 +63,23 @@ interface(`aptcacher_stream_connect',`
> >
> > files_search_runtime($1)
> > stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t,
> > aptcacher_t)
> > ')
> >
> > +
> > +######################################
> > +##
> > +## read aptcacher config
> > +##
> > +##
> > +##
> > +## Domain allowed to read it.
> > +##
> > +##
> > +#
> > +interface(`aptcacher_read_config',`
> > + gen_require(`
> > + type aptcacher_etc_t;
> > + ')
> > +
> > + files_search_etc($1)
> > + allow $1 aptcacher_etc_t:dir list_dir_perms;
> > + allow $1 aptcacher_etc_t:file mmap_read_file_perms;
> > +')
>
> Is this the only useful way to read these files? There's no valid non-mmap
> access? If regular read can be useful, then this should be
> aptcacher_mmap_read_config().

OK.

> > @@ -254,6 +255,7 @@ auth_use_nsswitch(cupsd_t)
> >
> > libs_read_lib_files(cupsd_t)
> > libs_exec_lib_files(cupsd_t)
> >
> > +libs_legacy_use_ld_so(cupsd_t)
>
> This seems broken and should probably be in a debian distro block.

OK, I'll remove that and do more testing.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
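Review bot: the doc block for `aptcacher_read_config` describes plain reading, but the rule it grants is `mmap_read_file_perms`; beyond the naming question already raised, the summary line should state that the files may be mapped, since a caller reading the interface documentation would not expect `map` from "read aptcacher config". As a style point, the dir and file rules could use the `list_dirs_pattern` and `read_files_pattern` macros (or the mmap variant of the latter, if map access is kept), consistent with `stream_connect_pattern` in the `aptcacher_stream_connect` interface directly above, rather than raw `allow` rules.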
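Review bot: `libs_legacy_use_ld_so(cupsd_t)` is added unconditionally, and nothing in the hunk or the surrounding discussion says which denial it fixes; cupsd_t already gets `libs_read_lib_files` and `libs_exec_lib_files` on the lines above for normal library access. If the call is ever reinstated, it should sit inside an `ifdef(`distro_debian',` block with a comment naming the binary that still resolves the legacy ld.so path, so the next reader can tell whether the rule is still needed.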