From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] php-fpm policy
Date: Tue, 22 Nov 2011 20:22:24 +0100 [thread overview]
Message-ID: <20111122192223.GA4416@siphos.be> (raw)
In-Reply-To: <86F5FCC8-C379-450B-9CB9-A73E42018349@mthode.org>
On Fri, Nov 11, 2011 at 11:57:44AM -0600, Matt Thode wrote:
> It may need a little bit of work as far as what permissions it needs on apache (I think it needs rw access to apache).
> Some of the optional stuff may need to be fleshed out (different connect options and the like).
Apart from the coding style itself, a few remarks that I had at the first
skim through the policy...
The use of apache_manage_sys_content() seems wrong in my opinion. PHP-FPM is
a parser which should have read access. The moment it needs to write stuff
as well, that "stuff" should be labeled appropriately (either
httpd_sys_rw_content_t, or create a type like httpd_squirrelmail_t did).
I also am not clear on why you have the following:
#allow search on /usr/include/netipx (I don't know if this is really necessary)
userdom_search_user_home_dirs(phpfpm_t)
Seems that the comment doesn't match the policy, and I think the policy is a
result of trying stuff out while you were located in someone's $HOME (in
which case, just by getting the current working directory, most applications
have "search" done although not needed).
Wkr,
Sven Vermeulen
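The labeling split Sven describes above (read-only access to the parser, a separate writable type for the few things PHP-FPM must modify, and silencing rather than granting the $HOME search), written out as an added illustration. This is not the policy from Matt's patch nor refpolicy's own phpfpm module; the module name, the phpfpm_t/phpfpm_exec_t types and the /srv/www/uploads path are assumptions for the example, while the interfaces, permission sets and httpd_* types are the ones refpolicy already provides.

```selinux
## phpfpm.te (illustrative fragment; module name and domain types are assumed)
policy_module(phpfpm, 0.1)

type phpfpm_t;
type phpfpm_exec_t;
init_daemon_domain(phpfpm_t, phpfpm_exec_t)

require {
	type httpd_sys_content_t;      # default, read-only web content
	type httpd_sys_rw_content_t;   # content the web stack may modify
}

# PHP-FPM parses scripts: read access to httpd_sys_content_t only,
# via the existing refpolicy interface, not apache_manage_sys_content().
apache_read_sys_content(phpfpm_t)

# Whatever the daemon really has to write (uploads, caches) is relabeled
# to httpd_sys_rw_content_t and gets manage rights on that type alone.
allow phpfpm_t httpd_sys_rw_content_t:dir manage_dir_perms;
allow phpfpm_t httpd_sys_rw_content_t:file manage_file_perms;
allow phpfpm_t httpd_sys_rw_content_t:lnk_file manage_lnk_file_perms;

# A getcwd() from inside someone's $HOME during testing produces a
# search denial on user home directories; dontaudit it instead of
# granting userdom_search_user_home_dirs(phpfpm_t).
userdom_dontaudit_search_user_home_dirs(phpfpm_t)

## phpfpm.fc (illustrative fragment; the upload path is assumed)
# Only the writable tree carries the rw type; everything else under the
# document root keeps httpd_sys_content_t from the apache module.
/srv/www/uploads(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
```

After loading the module, restorecon -Rv on the upload directory applies the new label; any remaining write denials in audit.log then point at files that still need relabeling rather than at a missing blanket manage rule.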
Thread overview: 3+ messages
2011-11-11 17:57 [refpolicy] php-fpm policy Matt Thode
2011-11-22 19:22 ` Sven Vermeulen [this message]
2011-12-26 14:41 ` Sven Vermeulen