Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp4635766yba;
        Tue, 7 May 2019 23:34:09 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzborWrIqQUCRqk8iFDiRL+tx1QwvIAs4jWinWUKe2Lo7YcccMB1/esD4sM+KCLTRz8+l2y
X-Received: by 2002:a62:4351:: with SMTP id q78mr45614182pfa.86.1557297248973;
        Tue, 07 May 2019 23:34:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1557297248; cv=none;
        d=google.com; s=arc-20160816;
        b=Ar9N9RH21ZHsT3JoiFVCV6Jv6cfssRadEMutTXHEXNAzi9JC21R7OdCSudZRsDaLx7
         LdFWbHMdewKpAlEFSnaXUjSGrtwuWDEywUxm7bCZR8UXf+WDYO9GviEsvZb0/XenkgYO
         8vJe2EX0vHNBWLmycjTCTS6Lon5O2g/R8kT4WYFQPkGYgVQqqY/xlQlAMmeFdQwLokyy
         o889zQw4Zf9EYvT72fePFzCuec1xm6Gn1bvL6CkTenYwkGpOBkeXgORBP9pVd6tFCgru
         MyN9t02dagx+LnN52Wv2cZlF7LbuiVwEuvPWxV0E5ThTAOG8Hq2P4EpCrXJe/cObrqjY
         1PKQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:mail-followup-to
         :message-id:subject:cc:to:from:date:dkim-signature;
        bh=gyZUktbwJLax+Ay5wKZ7gV1fiJW1X6fk8SGyrGrYtzk=;
        b=R1Tt8O/BjS1KpID6K+G7//ik3dhqFFp/onaJ1AoQcuRb7QZ1pu70a+PeO0dQpvoiEk
         SofeTuzzSt6xq2f5U16+Y0kpW91jHyseOZ16SNMH1ey8DV+0cNSv1mDmmLs0YsjGhjFf
         Hv3po+bCNkEuExiBDA7xquLJk9khzKKroE2zPh+DSlMz6lwnhsdxOUnJK8wt53f2sKFn
         qOTElwW1kYAwNkDlwT/Cc+biz3z8GefNVJwk9kzzvYTwYVCXCxFFylF6Gt/gluZES+3u
         q3X6G/SOBQXid1jSXp2pf+ck+vdZVbnUr7zdpYov/zvtX9CHmKLsGHIiHwr34neC5qbv
         i1QA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=PvzBqB9R;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l7si11143259pgh.79.2019.05.07.23.34.06;
        Tue, 07 May 2019 23:34:08 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=PvzBqB9R;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726476AbfEHGdd (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 11 others); Wed, 8 May 2019 02:33:33 -0400
Received: from mail-ed1-f67.google.com ([209.85.208.67]:46948 "EHLO
        mail-ed1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726428AbfEHGdd (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Wed, 8 May 2019 02:33:33 -0400
Received: by mail-ed1-f67.google.com with SMTP id f37so20941607edb.13
        for <selinux-refpolicy@vger.kernel.org>; Tue, 07 May 2019 23:33:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:cc:subject:message-id:mail-followup-to:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=gyZUktbwJLax+Ay5wKZ7gV1fiJW1X6fk8SGyrGrYtzk=;
        b=PvzBqB9Rp1mLh+cuWY5OYbjBCUxYvrA3OVtcv15NMwg6Utqnsm3gIoW7rHE/CLRrGv
         Z8aTIMdS8sfN9rLiA1Q1+I9eUIUi9ETNC3QCWfeqqampdkW5MV8758rrVqPqfUXc1vsR
         tub4WN4JINT6HOJOK9Qt1zvMBe/b4/5Xo1qMlyMi6Cgcn0Gqqf7URAE4MCxoHSlnYyZz
         BwJivnQJ99A4xhdh7oI0+saQSHEMRugvrTWRQ24jnsKb9u3X6TNVt53GxqLYDoIC+VmF
         mtuSqcwWsOPqgG/wUKHaTvCgYkIohWET0l24dVNJ/1l9F+gjz4pgrKh998wcq20zOuSi
         p3UA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id
         :mail-followup-to:references:mime-version:content-disposition
         :in-reply-to:user-agent;
        bh=gyZUktbwJLax+Ay5wKZ7gV1fiJW1X6fk8SGyrGrYtzk=;
        b=idM6xfY3Z1Bn+S+mR+PFjKAqmOn6ZkYgeEIGFCZZjh+/YVKzBj6oTgxVmiGWNsQbZp
         wh0xXDdeW6/fUsGt/gGiRY08m2z3lU3esiJyKdwXa6s+sZdPblJeyRXriHDFlmeygs0h
         w83pSPTtsF6/qTX2ffa5Vy5T1W6EAw8Sib3/BpOv3h6LiO4tONT+VIZdmUFiPgzYYAaZ
         dMUiuYFGbXZluUPpFYg5RFXNLZAeyX4EKVWsWQPMJYWFUK2eiViNyknt0Bm3a0JfPitl
         W7DaoM44jfbxZ4Tgwhay1js8yAOsysNWC7K81N1F+mvZFj0yVM61xrC4X8+NK5PCzrGM
         +E0A==
X-Gm-Message-State: APjAAAXZBokbU7LeO4CGRUCP8gT1N32nSQ5pHe4Xi8OxFRSFKew44v7o
        2+vaGYexoEQwEMMBFqOoNgxkssrK
X-Received: by 2002:a17:906:f84:: with SMTP id q4mr28062433ejj.117.1557297210180;
        Tue, 07 May 2019 23:33:30 -0700 (PDT)
Received: from brutus.lan (brutus.defensec.nl. [2001:985:d55d::438])
        by smtp.gmail.com with ESMTPSA id k18sm4862709eda.92.2019.05.07.23.33.28
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Tue, 07 May 2019 23:33:28 -0700 (PDT)
Date:   Wed, 8 May 2019 08:33:27 +0200
From:   Dominick Grift <dac.override@gmail.com>
To:     Alexander Miroshnichenko <alex@millerson.name>
Cc:     selinux-refpolicy@vger.kernel.org, jason@perfinion.com
Subject: Re: [PATCH] Add nginx policy taken from Gentoo hardened-refpolicy
Message-ID: <20190508063327.GA30701@brutus.lan>
Mail-Followup-To: Alexander Miroshnichenko <alex@millerson.name>,
        selinux-refpolicy@vger.kernel.org, jason@perfinion.com
References: <20190507144201.1517-1-alex@millerson.name>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
        protocol="application/pgp-signature"; boundary="G4iJoqBmSsgzjUCe"
Content-Disposition: inline
In-Reply-To: <20190507144201.1517-1-alex@millerson.name>
User-Agent: Every email client sucks, this one just sucks less.
X-PGP-Key: https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org


--G4iJoqBmSsgzjUCe
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, May 07, 2019 at 05:42:01PM +0300, Alexander Miroshnichenko wrote:
> Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>

Some observations below.

> ---
>  policy/modules/services/nginx.fc |  64 ++++++++++++
>  policy/modules/services/nginx.if | 104 +++++++++++++++++++
>  policy/modules/services/nginx.te | 169 +++++++++++++++++++++++++++++++
>  3 files changed, 337 insertions(+)
>  create mode 100644 policy/modules/services/nginx.fc
>  create mode 100644 policy/modules/services/nginx.if
>  create mode 100644 policy/modules/services/nginx.te
>=20
> diff --git a/policy/modules/services/nginx.fc b/policy/modules/services/n=
ginx.fc
> new file mode 100644
> index 000000000000..62f12620ea88
> --- /dev/null
> +++ b/policy/modules/services/nginx.fc
> @@ -0,0 +1,64 @@
> +########################################################################=
#######
> +# SELinux module for the NGINX Web Server
> +#
> +# Project Contact Information:
> +#   Stuart Cianos
> +#   Email: scianos@alphavida.com
> +#
> +########################################################################=
#######
> +# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reser=
ved.
> +#
> +#
> +# Stuart Cianos licenses this file to You under the GNU General Public L=
icense,
> +# Version 3.0 (the "License"); you may not use this file except in compl=
iance
> +# with the License.  You may obtain a copy of the License at
> +#
> +#     http://www.gnu.org/licenses/gpl.txt
> +#
> +# or in the COPYING file included in the original archive.
> +#
> +# Disclaimer of Warranty.
> +#
> +# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
> +# APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
> +# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRA=
NTY
> +# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED T=
O,
> +# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
> +# PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PRO=
GRAM
> +# IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST =
OF
> +# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
> +#
> +# Limitation of Liability.
> +#
> +# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
> +# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONV=
EYS
> +# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDIN=
G ANY
> +# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF T=
HE
> +# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS=
 OF
> +# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR T=
HIRD
> +# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS=
),
> +# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY=
 OF
> +# SUCH DAMAGES.
> +########################################################################=
#######
> +# nginx executable will have:
> +# label: system_u:object_r:nginx_exec_t
> +# MLS sensitivity: s0
> +# MCS categories: <none>
> +
> +#
> +# /etc
> +#
> +/etc/nginx(/.*)?				gen_context(system_u:object_r:nginx_conf_t,s0)
> +/etc/ssl/nginx(/.*)?				gen_context(system_u:object_r:nginx_conf_t,s0)

/etc/ssl is for certificates, should probably use a "cert_type" here

> +
> +#
> +# /usr
> +#
> +/usr/sbin/nginx				--	gen_context(system_u:object_r:nginx_exec_t,s0)
> +
> +#
> +# /var
> +#
> +/var/lib/nginx/tmp(/.*)?			gen_context(system_u:object_r:nginx_tmp_t,s0)

I would just label /var/lib/nginx(/.*)?" type nginx_var_lib_t

> +/var/log/nginx(/.*)?				gen_context(system_u:object_r:nginx_log_t,s0)
> +/var/tmp/nginx(/.*)?				gen_context(system_u:object_r:nginx_tmp_t,s0)
> diff --git a/policy/modules/services/nginx.if b/policy/modules/services/n=
ginx.if
> new file mode 100644
> index 000000000000..ebef6e759e3f
> --- /dev/null
> +++ b/policy/modules/services/nginx.if
> @@ -0,0 +1,104 @@
> +########################################################################=
#######
> +# SELinux module for the NGINX Web Server
> +#
> +# Project Contact Information:
> +#   Stuart Cianos
> +#   Email: scianos@alphavida.com
> +#
> +########################################################################=
#######
> +# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reser=
ved.
> +#
> +#
> +# Stuart Cianos licenses this file to You under the GNU General Public L=
icense,
> +# Version 3.0 (the "License"); you may not use this file except in compl=
iance
> +# with the License.  You may obtain a copy of the License at
> +#
> +#     http://www.gnu.org/licenses/gpl.txt
> +#
> +# or in the COPYING file included in the original archive.
> +#
> +# Disclaimer of Warranty.
> +#
> +# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
> +# APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
> +# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRA=
NTY
> +# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED T=
O,
> +# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
> +# PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PRO=
GRAM
> +# IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST =
OF
> +# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
> +#
> +# Limitation of Liability.
> +#
> +# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
> +# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONV=
EYS
> +# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDIN=
G ANY
> +# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF T=
HE
> +# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS=
 OF
> +# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR T=
HIRD
> +# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS=
),
> +# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY=
 OF
> +# SUCH DAMAGES.
> +########################################################################=
#######
> +## <summary>policy for nginx</summary>

Documentation (summary) is lacking.

> +
> +########################################
> +## <summary>
> +##	Execute a domain transition to run nginx.
> +## </summary>
> +## <param name=3D"domain">
> +## <summary>
> +##	Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`nginx_domtrans',`
> +	gen_require(`
> +		type nginx_t, nginx_exec_t;
> +	')
> +	allow nginx_t $1:fd use;
> +	allow nginx_t $1:fifo_file rw_file_perms;
> +	allow nginx_t $1:process sigchld;
> +
> +	domain_auto_transition_pattern($1, nginx_exec_t, nginx_t)
> +')

Use domtrans() here

> +
> +########################################
> +## <summary>
> +##   Administer the nginx domain
> +## </summary>
> +## <param name=3D"domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name=3D"role">
> +##	<summary>
> +##	The role to be allowed to manage the nginx domain.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`nginx_admin',`
> +	gen_require(`
> +		type nginx_t, nginx_conf_t, nginx_log_t, nginx_var_lib_t, nginx_var_ru=
n_t;
> +		type nginx_exec_t;
> +	')

you reference nginx_var_lib_t and nginx_var_run_t here but there are no ref=
erences to those types in the .fc file

> +
> +	allow $1 nginx_t:process { ptrace signal_perms };
> +	ps_process_pattern($1, nginx_t)
> +
> +	files_list_etc($1)
> +	admin_pattern($1, nginx_conf_t)
> +
> +	can_exec($1, nginx_exec_t)
> +
> +	files_list_var_lib($1)
> +	admin_pattern($1, nginx_var_lib_t)
> +
> +	logging_list_logs($1)
> +	admin_pattern($1, nginx_log_t)
> +
> +	files_list_pids($1)
> +	admin_pattern($1, nginx_var_run_t)
> +')
> diff --git a/policy/modules/services/nginx.te b/policy/modules/services/n=
ginx.te
> new file mode 100644
> index 000000000000..be59babb8596
> --- /dev/null
> +++ b/policy/modules/services/nginx.te
> @@ -0,0 +1,169 @@
> +# SELinux module for the NGINX Web Server
> +policy_module(nginx,1.0.10)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Allow nginx to serve HTTP content (act as an http server)
> +## </p>
> +## </desc>
> +gen_tunable(nginx_enable_http_server, false)

Not sure if it worth it to make this conditional

> +
> +## <desc>
> +## <p>
> +## Allow nginx to act as an imap proxy server)
> +## </p>
> +## </desc>
> +gen_tunable(nginx_enable_imap_server, false)
> +
> +## <desc>
> +## <p>
> +## Allow nginx to act as a pop3 server)
> +## </p>
> +## </desc>
> +gen_tunable(nginx_enable_pop3_server, false)
> +
> +## <desc>
> +## <p>
> +## Allow nginx to act as an smtp server)
> +## </p>
> +## </desc>
> +gen_tunable(nginx_enable_smtp_server, false)
> +
> +## <desc>
> +## <p>
> +## Allow nginx to connect to remote HTTP servers
> +## </p>
> +## </desc>
> +gen_tunable(nginx_can_network_connect_http, false)
> +
> +## <desc>
> +## <p>
> +## Allow nginx to connect to remote servers (regardless of protocol)
> +## </p>
> +## </desc>
> +gen_tunable(nginx_can_network_connect, false)
> +
> +type nginx_t;
> +type nginx_exec_t;
> +init_daemon_domain(nginx_t, nginx_exec_t)
> +
> +# conf files
> +type nginx_conf_t;
> +files_type(nginx_conf_t)

use files_config_file()

> +
> +# log files
> +type nginx_log_t;
> +logging_log_file(nginx_log_t)
> +
> +# tmp files
> +type nginx_tmp_t;
> +files_tmp_file(nginx_tmp_t)
> +
> +# var/lib files
> +type nginx_var_lib_t;
> +files_type(nginx_var_lib_t)
> +
> +# pid files
> +type nginx_var_run_t;
> +files_pid_file(nginx_var_run_t)
> +
> +########################################
> +#
> +# nginx local policy
> +#
> +
> +allow nginx_t self:fifo_file { read write };

use rw_fifo_file_perms

> +allow nginx_t self:unix_stream_socket create_stream_socket_perms;

I see below that it maintains a socket in /var/lib/.* what is that for.
Can entities connect to nginx with a unix domain socket?

> +allow nginx_t self:tcp_socket { listen accept };
> +allow nginx_t self:capability { setuid net_bind_service setgid chown };
> +
> +# conf files
> +list_dirs_pattern(nginx_t, nginx_conf_t, nginx_conf_t)
> +read_files_pattern(nginx_t, nginx_conf_t, nginx_conf_t)
> +
> +# log files
> +manage_files_pattern(nginx_t, nginx_log_t, nginx_log_t)

you may be able to ommit the "write" permission here.

> +logging_log_filetrans(nginx_t, nginx_log_t, { file dir })

the dir here does not make sense, as nginx_t is not allowed to create it an=
yway. Either allow nginx to manage nginx_log_t dirs or remove it

> +
> +
> +# pid file
> +manage_dirs_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
> +manage_files_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
> +files_pid_filetrans(nginx_t, nginx_var_run_t, file)

Here its the opposite. you allos it to create dirs but theres no file trans=
ition rule. In addition .fc spec is missing.

> +
> +# tmp files
> +manage_files_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
> +manage_dirs_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
> +files_tmp_filetrans(nginx_t, nginx_tmp_t, dir)
> +
> +# var/lib files
> +create_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t)
> +create_sock_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t)
> +files_var_lib_filetrans(nginx_t,nginx_var_lib_t, { file dir sock_file })

fc spec is missing. Its not allowed to create nginx_var_lib_t dirs.

> +
> +
> +kernel_read_kernel_sysctls(nginx_t)
> +corenet_tcp_bind_generic_node(nginx_t)
> +corenet_tcp_sendrecv_generic_if(nginx_t)
> +corenet_tcp_sendrecv_generic_node(nginx_t)
> +
> +dev_read_rand(nginx_t)
> +dev_read_urand(nginx_t)
> +
> +domain_use_interactive_fds(nginx_t)

Probaby not needed

> +
> +files_read_etc_files(nginx_t)
> +
> +
> +miscfiles_read_localization(nginx_t)
> +sysnet_dns_name_resolve(nginx_t)
> +
> +
> +tunable_policy(`nginx_enable_http_server',`
> +	corenet_tcp_bind_http_port(nginx_t)
> +	apache_read_all_content(nginx_t)
> +	apache_manage_all_rw_content(nginx_t)
> +')
> +
> +# We enable both binding and connecting, since nginx acts here as a reve=
rse proxy
> +tunable_policy(`nginx_enable_imap_server',`
> +	corenet_tcp_bind_pop_port(nginx_t)
> +	corenet_tcp_connect_pop_port(nginx_t)
> +')
> +
> +tunable_policy(`nginx_enable_pop3_server',`
> +	corenet_tcp_bind_pop_port(nginx_t)
> +	corenet_tcp_connect_pop_port(nginx_t)
> +')
> +
> +tunable_policy(`nginx_enable_smtp_server',`
> +	corenet_tcp_bind_smtp_port(nginx_t)
> +	corenet_tcp_connect_smtp_port(nginx_t)
> +')
> +
> +tunable_policy(`nginx_can_network_connect_http',`
> +	corenet_tcp_connect_http_port(nginx_t)
> +')
> +
> +tunable_policy(`nginx_can_network_connect',`
> +	corenet_tcp_connect_all_ports(nginx_t)
> +')
> +
> +optional_policy(`
> +	phpfpm_stream_connect(nginx_t)
> +')
> +
> +ifdef(`distro_gentoo',`
> +
> +	# needs to be able to signal its children
> +	allow nginx_t self:process { signal sigchld };
> +
> +	optional_policy(`
> +		uwsgi_stream_connect(nginx_t)
> +	')
> +')
> --=20
> 2.21.0
>=20

--=20
Key fingerprint =3D 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=3Dget&search=3D0x3B6C5F1D2C7B6B02
Dominick Grift

--G4iJoqBmSsgzjUCe
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCAAdFiEEujmXliIBLFTc2Y4AJXSOVTf5R2kFAlzSeDIACgkQJXSOVTf5
R2mnhQv+KHOTLSSLXrMQmBqgKdZGkX5jW0ewEC+JpvsHlF6cwO403+LgHTZ8g6A0
VIsH2Yx1yOR+VsCdrE9Q4GWs/hgRcG8qA/AfsUoEgiAPEvanst4tRUHr6iVAhq+u
rEasbrSeXGM/aLAE7eqM63JSFkkiqZAnpz4pwBT/ICbCnOJloUT6L3cG3lLfsuvN
7em4MBf/QJaC+oZmC8nFeu527P1N8XOSnp/LLCOYvPP/pM2E2YQL+TgtB8PjK6AP
Vgq8tgkCBwoVjPjy8MPV2e4FcFww/r986osFSiHuzE3QiuLcZm4w1R6DEshjo05F
pdtnnIIdNFWP0p3t6B0TMY1QCm+x9ucTQbU69u17szB8lssnAE4CZjc7XJd4WuJ9
3484g7KIzjvLX5Njht+OCvlfXer4r5+AEHiug/gRqiQldLET+qNlI4XWJJceVsSZ
03SbDGuajUYzjiOkP9lKpd7fAN3qTW97XsuLijcFmF1RhO2ggp6BbYbnAQbhsax9
pj9dOPgT
=raNW
-----END PGP SIGNATURE-----

--G4iJoqBmSsgzjUCe--