From: Alexander Miroshnichenko To: selinux-refpolicy@vger.kernel.org Cc: jason@perfinion.com, Alexander Miroshnichenko Subject: [PATCH] Add nginx policy taken from Gentoo hardened-refpolicy Date: Tue, 7 May 2019 17:42:01 +0300 Message-Id: <20190507144201.1517-1-alex@millerson.name> X-Mailer: git-send-email 2.21.0 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit X-GIT-Signature: 4e6bb70b69d1284b79588664265edc4b X-Spam-Score: 0.9 (/) X-Spam-Status: No Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Signed-off-by: Alexander Miroshnichenko --- policy/modules/services/nginx.fc | 64 ++++++++++++ policy/modules/services/nginx.if | 104 +++++++++++++++++++ policy/modules/services/nginx.te | 169 +++++++++++++++++++++++++++++++ 3 files changed, 337 insertions(+) create mode 100644 policy/modules/services/nginx.fc create mode 100644 policy/modules/services/nginx.if create mode 100644 policy/modules/services/nginx.te diff --git a/policy/modules/services/nginx.fc b/policy/modules/services/nginx.fc new file mode 100644 index 000000000000..62f12620ea88 --- /dev/null +++ b/policy/modules/services/nginx.fc 
@@ -0,0 +1,64 @@ +############################################################################### +# SELinux module for the NGINX Web Server +# +# Project Contact Information: +# Stuart Cianos +# Email: scianos@alphavida.com +# +############################################################################### +# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved. +# +# +# Stuart Cianos licenses this file to You under the GNU General Public License, +# Version 3.0 (the "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.gnu.org/licenses/gpl.txt +# +# or in the COPYING file included in the original archive. +# +# Disclaimer of Warranty. +# +# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +# ALL NECESSARY SERVICING, REPAIR OR CORRECTION. +# +# Limitation of Liability. +# +# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGES. 
+############################################################################### +# nginx executable will have: +# label: system_u:object_r:nginx_exec_t +# MLS sensitivity: s0 +# MCS categories: + +# +# /etc +# +/etc/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0) +/etc/ssl/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0) + +# +# /usr +# +/usr/sbin/nginx -- gen_context(system_u:object_r:nginx_exec_t,s0) + +# +# /var +# +/var/lib/nginx/tmp(/.*)? gen_context(system_u:object_r:nginx_tmp_t,s0) +/var/log/nginx(/.*)? gen_context(system_u:object_r:nginx_log_t,s0) +/var/tmp/nginx(/.*)? gen_context(system_u:object_r:nginx_tmp_t,s0) diff --git a/policy/modules/services/nginx.if b/policy/modules/services/nginx.if new file mode 100644 index 000000000000..ebef6e759e3f --- /dev/null +++ b/policy/modules/services/nginx.if 
@@ -0,0 +1,104 @@ +############################################################################### +# SELinux module for the NGINX Web Server +# +# Project Contact Information: +# Stuart Cianos +# Email: scianos@alphavida.com +# +############################################################################### +# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved. +# +# +# Stuart Cianos licenses this file to You under the GNU General Public License, +# Version 3.0 (the "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.gnu.org/licenses/gpl.txt +# +# or in the COPYING file included in the original archive. +# +# Disclaimer of Warranty. +# +# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +# ALL NECESSARY SERVICING, REPAIR OR CORRECTION. +# +# Limitation of Liability. +# +# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGES. 
+############################################################################### +## policy for nginx + +######################################## +## +## Execute a domain transition to run nginx. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`nginx_domtrans',` + gen_require(` + type nginx_t, nginx_exec_t; + ') + allow nginx_t $1:fd use; + allow nginx_t $1:fifo_file rw_file_perms; + allow nginx_t $1:process sigchld; + + domain_auto_transition_pattern($1, nginx_exec_t, nginx_t) +') + +######################################## +## +## Administer the nginx domain +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the nginx domain. +## +## +## +# +interface(`nginx_admin',` + gen_require(` + type nginx_t, nginx_conf_t, nginx_log_t, nginx_var_lib_t, nginx_var_run_t; + type nginx_exec_t; + ') + + allow $1 nginx_t:process { ptrace signal_perms }; + ps_process_pattern($1, nginx_t) + + files_list_etc($1) + admin_pattern($1, nginx_conf_t) + + can_exec($1, nginx_exec_t) + + files_list_var_lib($1) + admin_pattern($1, nginx_var_lib_t) + + logging_list_logs($1) + admin_pattern($1, nginx_log_t) + + files_list_pids($1) + admin_pattern($1, nginx_var_run_t) +') diff --git a/policy/modules/services/nginx.te b/policy/modules/services/nginx.te new file mode 100644 index 000000000000..be59babb8596 --- /dev/null +++ b/policy/modules/services/nginx.te @@ -0,0 +1,169 @@ +# SELinux module for the NGINX Web Server +policy_module(nginx,1.0.10) + +######################################## +# +# Declarations +# + +## +##

+## Allow nginx to serve HTTP content (act as an http server) +##

+##
+gen_tunable(nginx_enable_http_server, false) + +## +##

+## Allow nginx to act as an imap proxy server) +##

+##
+gen_tunable(nginx_enable_imap_server, false) + +## +##

+## Allow nginx to act as a pop3 server) +##

+##
+gen_tunable(nginx_enable_pop3_server, false) + +## +##

+## Allow nginx to act as an smtp server) +##

+##
+gen_tunable(nginx_enable_smtp_server, false) + +## +##

+## Allow nginx to connect to remote HTTP servers +##

+##
+gen_tunable(nginx_can_network_connect_http, false) + +## +##

+## Allow nginx to connect to remote servers (regardless of protocol) +##

+##
+gen_tunable(nginx_can_network_connect, false) + +type nginx_t; +type nginx_exec_t; +init_daemon_domain(nginx_t, nginx_exec_t) + +# conf files +type nginx_conf_t; +files_type(nginx_conf_t) + +# log files +type nginx_log_t; +logging_log_file(nginx_log_t) + +# tmp files +type nginx_tmp_t; +files_tmp_file(nginx_tmp_t) + +# var/lib files +type nginx_var_lib_t; +files_type(nginx_var_lib_t) + +# pid files +type nginx_var_run_t; +files_pid_file(nginx_var_run_t) + +######################################## +# +# nginx local policy +# + +allow nginx_t self:fifo_file { read write }; +allow nginx_t self:unix_stream_socket create_stream_socket_perms; +allow nginx_t self:tcp_socket { listen accept }; +allow nginx_t self:capability { setuid net_bind_service setgid chown }; + +# conf files +list_dirs_pattern(nginx_t, nginx_conf_t, nginx_conf_t) +read_files_pattern(nginx_t, nginx_conf_t, nginx_conf_t) + +# log files +manage_files_pattern(nginx_t, nginx_log_t, nginx_log_t) +logging_log_filetrans(nginx_t, nginx_log_t, { file dir }) + + +# pid file +manage_dirs_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t) +manage_files_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t) +files_pid_filetrans(nginx_t, nginx_var_run_t, file) + +# tmp files +manage_files_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t) +manage_dirs_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t) +files_tmp_filetrans(nginx_t, nginx_tmp_t, dir) + +# var/lib files +create_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t) +create_sock_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t) +files_var_lib_filetrans(nginx_t,nginx_var_lib_t, { file dir sock_file }) + + +kernel_read_kernel_sysctls(nginx_t) +corenet_tcp_bind_generic_node(nginx_t) +corenet_tcp_sendrecv_generic_if(nginx_t) +corenet_tcp_sendrecv_generic_node(nginx_t) + +dev_read_rand(nginx_t) +dev_read_urand(nginx_t) + +domain_use_interactive_fds(nginx_t) + +files_read_etc_files(nginx_t) + + +miscfiles_read_localization(nginx_t) +sysnet_dns_name_resolve(nginx_t) + 
+ +tunable_policy(`nginx_enable_http_server',` + corenet_tcp_bind_http_port(nginx_t) + apache_read_all_content(nginx_t) + apache_manage_all_rw_content(nginx_t) +') + +# We enable both binding and connecting, since nginx acts here as a reverse proxy +tunable_policy(`nginx_enable_imap_server',` + corenet_tcp_bind_pop_port(nginx_t) + corenet_tcp_connect_pop_port(nginx_t) +') + +tunable_policy(`nginx_enable_pop3_server',` + corenet_tcp_bind_pop_port(nginx_t) + corenet_tcp_connect_pop_port(nginx_t) +') + +tunable_policy(`nginx_enable_smtp_server',` + corenet_tcp_bind_smtp_port(nginx_t) + corenet_tcp_connect_smtp_port(nginx_t) +') + +tunable_policy(`nginx_can_network_connect_http',` + corenet_tcp_connect_http_port(nginx_t) +') + +tunable_policy(`nginx_can_network_connect',` + corenet_tcp_connect_all_ports(nginx_t) +') + +optional_policy(` + phpfpm_stream_connect(nginx_t) +') + +ifdef(`distro_gentoo',` + + # needs to be able to signal its children + allow nginx_t self:process { signal sigchld }; + + optional_policy(` + uwsgi_stream_connect(nginx_t) + ') +') -- 2.21.0
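Review bot: nginx.fc has no context for /var/lib/nginx(/.*)? and none for the pid file, although nginx.te declares nginx_var_lib_t and nginx_var_run_t and transitions into them with files_var_lib_filetrans and files_pid_filetrans. Files nginx creates at runtime get the right label, but anything installed by the package or relabelled by restorecon falls back to var_lib_t / var_run_t, and the nginx_admin interface then cannot manage it. Suggest adding a line of the form "/var/lib/nginx(/.*)? gen_context(system_u:object_r:nginx_var_lib_t,s0)" ahead of the existing /var/lib/nginx/tmp(/.*)? entry so the more specific tmp match still wins, plus a pid-file entry for nginx_var_run_t matching whatever /run convention the other daemon modules in the tree use. Two smaller points: /etc/ssl/nginx(/.*)? labels the private TLS keys with the same nginx_conf_t as the ordinary configuration, so every domain granted read on the config also reads the keys; and the 40-line GPL version 3 header, repeated in all three files, needs reconciling with the license of the tree this is merged into, since refpolicy modules do not carry per-file license blocks.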
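Review bot: nginx_admin documents a second parameter (the role allowed to manage nginx) but never uses $2, so the caller gets no way to start or stop the service; the usual refpolicy pattern is init_startstop_service($1, $2, nginx_t) after the gen_require, extended with the initrc/unit file types once the module declares them. The same interface also lists nginx_var_lib_t and nginx_var_run_t but leaves out nginx_tmp_t, which nginx.te declares and nginx.fc applies to /var/tmp/nginx and /var/lib/nginx/tmp; add files_list_tmp($1) and admin_pattern($1, nginx_tmp_t) so an administrator can clean those up. Style: the three "allow nginx_t $1:..." lines plus domain_auto_transition_pattern in nginx_domtrans are what domtrans_pattern($1, nginx_exec_t, nginx_t) expands to, so the body can be that single call.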
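Review bot: the "allow nginx_t self:process { signal sigchld };" rule at the end sits under ifdef(`distro_gentoo'), but the comment above it ("needs to be able to signal its children") describes how the nginx master process manages its workers on every distribution, so it belongs in the main local policy, not the Gentoo block. Least privilege on logs: manage_files_pattern(nginx_t, nginx_log_t, nginx_log_t) grants unlink, rename and write, which lets a compromised worker truncate or remove its own access log; nginx opens its logs for append, so create plus append (and setattr) is enough. Consistency: files_var_lib_filetrans lists dir, yet the only rules on nginx_var_lib_t are create_files_pattern and create_sock_files_pattern, so the transition can never fire for a directory nginx_t is not allowed to create; either add manage_dirs_pattern for nginx_var_lib_t or drop dir from the class list. Documentation: the imap, pop3 and smtp tunable descriptions each carry a stray closing parenthesis, the "reverse proxy" comment above the imap block applies equally to the pop3 and smtp blocks, and since nginx_enable_imap_server binds and connects the pop port, a comment saying that refpolicy's pop port type also covers the IMAP ports would stop the next reader from filing it as a copy-paste error.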