debian-selinux-policies/policy/modules/php-fpm.te

policy_module(php-fpm, 0.2.13)

########################################
#
# Declarations
#

attribute_role phpfpm_roles;

type phpfpm_t;
type phpfpm_exec_t;
init_daemon_domain(phpfpm_t, phpfpm_exec_t)
role phpfpm_roles types phpfpm_t;

type phpfpm_etc_t;
files_config_file(phpfpm_etc_t)

type php_etc_t;
files_config_file(php_etc_t)

type phpfpm_initrc_exec_t;
init_script_file(phpfpm_initrc_exec_t)

type phpfpm_var_run_t;
files_pid_file(phpfpm_var_run_t)

type php_usr_lib_t;
files_type(php_usr_lib_t)

type phpfpm_tmp_t;
files_tmp_file(phpfpm_tmp_t)

type phpfpm_var_log_t;
logging_log_file(phpfpm_var_log_t)

type phpfpm_var_lib_t;
files_type(phpfpm_var_lib_t)


########################################
#
# Local policy
#

allow phpfpm_t self:capability { setuid setgid };
allow phpfpm_t self:fifo_file { write read };
allow phpfpm_t self:tcp_socket { setopt getopt bind create accept listen };
allow phpfpm_t self:capability kill;
allow phpfpm_t self:process { signal execmem };
allow phpfpm_t self:fifo_file getattr;

read_files_pattern(phpfpm_t, phpfpm_etc_t, phpfpm_etc_t)
read_files_pattern(phpfpm_t, php_etc_t, php_etc_t)
read_files_pattern(phpfpm_t,php_usr_lib_t, php_usr_lib_t)

manage_files_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t)
manage_dirs_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t)
files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, { file dir })

manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
manage_dirs_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file dir })

manage_files_pattern(phpfpm_t, phpfpm_var_log_t, phpfpm_var_log_t)
append_files_pattern(phpfpm_t, phpfpm_var_log_t, phpfpm_var_log_t)
create_files_pattern(phpfpm_t, phpfpm_var_log_t, phpfpm_var_log_t)
setattr_files_pattern(phpfpm_t, phpfpm_var_log_t, phpfpm_var_log_t)
logging_log_filetrans(phpfpm_t, phpfpm_var_log_t, file)

manage_files_pattern(phpfpm_t, phpfpm_var_lib_t, phpfpm_var_lib_t)
create_files_pattern(phpfpm_t, phpfpm_var_lib_t, phpfpm_var_lib_t)
manage_dirs_pattern(phpfpm_t, phpfpm_var_lib_t, phpfpm_var_lib_t)
files_var_lib_filetrans(phpfpm_t, phpfpm_var_lib_t, { file dir })

mysql_stream_connect(phpfpm_t)
mta_sendmail_exec(phpfpm_t)
dev_read_urand(phpfpm_t)
miscfiles_read_all_certs(phpfpm_t)

corecmd_exec_shell(phpfpm_t)
corenet_tcp_bind_cslistener_port(phpfpm_t)
corenet_tcp_bind_generic_node(phpfpm_t)
corenet_tcp_connect_tor_port(phpfpm_t)
corenet_tcp_bind_all_unreserved_ports(phpfpm_t)

kernel_read_kernel_sysctls(phpfpm_t)
kernel_read_crypto_sysctls(phpfpm_t)

fs_getattr_xattr_fs(phpfpm_t)
fs_rw_hugetlbfs_files(phpfpm_t)

corenet_tcp_connect_http_port(phpfpm_t)
corenet_sendrecv_smtp_client_packets(phpfpm_t)
corenet_tcp_connect_smtp_port(phpfpm_t)
corenet_tcp_sendrecv_smtp_port(phpfpm_t)
corenet_sendrecv_pop_client_packets(phpfpm_t)
corenet_tcp_connect_pop_port(phpfpm_t)
corenet_tcp_sendrecv_pop_port(phpfpm_t)
corenet_tcp_connect_all_unreserved_ports(phpfpm_t)

miscfiles_read_localization(phpfpm_t)
auth_use_nsswitch(phpfpm_t)

read_files_pattern(phpfpm_t, php_usr_lib_t, php_usr_lib_t)
allow phpfpm_t php_usr_lib_t:file execute;

apache_manage_sys_content(phpfpm_t)
kernel_read_system_state(phpfpm_t)
mta_send_mail(phpfpm_t)
mta_signal_system_mail(phpfpm_t)

gen_require(`
  type bin_t;
')
allow phpfpm_t bin_t:dir getattr;

gen_require(`
  type initrc_t;
')
allow initrc_t phpfpm_etc_t:file { read getattr open };

gen_require(`
  type usr_t;
')
read_files_pattern(phpfpm_t, usr_t, usr_t)

optional_policy(`
	gen_require(`
		type httpd_sys_ra_content_t;
	')
	manage_files_pattern(phpfpm_t, httpd_sys_ra_content_t, httpd_sys_ra_content_t)
	create_files_pattern(phpfpm_t, httpd_sys_ra_content_t, httpd_sys_ra_content_t)
')