From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] php-fpm policy
Date: Mon, 26 Dec 2011 15:41:10 +0100
Message-ID: <20111226144109.GA11737@siphos.be>
In-Reply-To: <20111122192223.GA4416@siphos.be>

On Tue, Nov 22, 2011 at 08:22:24PM +0100, Sven Vermeulen wrote:
> The use of apache_manage_sys_content() seems wrong in my opinion. PHP-FPM is
> a parser which should have read access. The moment it needs to write stuff
> as well, that "stuff" should be labeled appropriately (either
> http_sys_rw_content_t, or create a type like httpd_squirrelmail_t did).

Been looking at this thing a bit more closely; shouldn't we include an
interface apache_rw_sys_rw_content, which offers read/write access to the
httpd_sys_rw_content_t type? 

Using apache_manage_sys_content also provides read/write access to the
regular httpd_sys_content_t whereas we would need to use this on
httpd_sys_rw_content_t only.

Another approach would be to use attributes to differentiate between the
regular ("httpdcontent"), ra ("httpd_ra_content") and rw
("httpd_rw_content") file types in use by the various apache-related
domains, and then use those attributes to provide the necessary accesses,
like:
  apache_manage_all_content --> httpdcontent (which is already in place)
  apache_manage_ra_content  --> httpd_ra_content
  apache_manage_rw_content  --> httpd_rw_content

Any thoughts on this?

Wkr,
	Sven Vermeulen

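A sketch of what the attribute-based proposal above would look like in refpolicy syntax, as an added illustration rather than code from this thread or from the refpolicy tree; the attribute names come from the message, while `httpd_sys_ra_content_t`, the interface bodies and the `phpfpm_t` caller are assumptions:

```m4
# --- apache.te (module body): declare the attributes and attach them ---
attribute httpd_ra_content;
attribute httpd_rw_content;

# existing types keep httpdcontent so apache_manage_all_content still covers them
type httpd_sys_ra_content_t, httpdcontent, httpd_ra_content;
files_type(httpd_sys_ra_content_t)
type httpd_sys_rw_content_t, httpdcontent, httpd_rw_content;
files_type(httpd_sys_rw_content_t)

# --- apache.if (interface file): one interface per attribute ---
## <summary>
##	Create, read, write and delete every type carrying httpd_rw_content.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
interface(`apache_manage_rw_content',`
	gen_require(`
		attribute httpd_rw_content;
	')

	manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
	manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
	manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
')

## <summary>
##	Read and append to every type carrying httpd_ra_content; no rewrite or delete.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
interface(`apache_manage_ra_content',`
	gen_require(`
		attribute httpd_ra_content;
	')

	rw_dirs_pattern($1, httpd_ra_content, httpd_ra_content)
	create_files_pattern($1, httpd_ra_content, httpd_ra_content)
	read_files_pattern($1, httpd_ra_content, httpd_ra_content)
	append_files_pattern($1, httpd_ra_content, httpd_ra_content)
')

# --- phpfpm.te (hypothetical PHP-FPM module): ask for exactly the rw set ---
apache_manage_rw_content(phpfpm_t)
```

Because the interfaces key on the attribute rather than on httpd_sys_rw_content_t itself, a caller such as PHP-FPM never gains write access to plain httpd_sys_content_t, which is the over-grant the message objects to in apache_manage_sys_content.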