2011-03-18 11:03:03

by domg472

Subject: [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain.

http://lists.fedoraproject.org/pipermail/selinux/2011-March/013583.html

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 9e39aa5... 6d60ffb... M policy/modules/services/apache.fc
policy/modules/services/apache.fc | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 9e39aa5..6d60ffb 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -10,8 +10,10 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nginx -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)

/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
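Review bot: the rationale for sharing httpd_t is missing from the commit message, which carries only a URL; since both new lines here (`/etc/nginx(/.*)?` as httpd_config_t and the init script as httpd_initrc_exec_t) follow the existing lighttpd entries exactly, the message is the right place to state why nginx is treated the same way, so a later reader can judge whether the choice still holds once nginx's non-web roles need extra rules.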
@@ -36,6 +38,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)

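Review bot: `/usr/sbin/nginx -- httpd_exec_t` is the line that actually places nginx in httpd_t, because it shares the entrypoint type with httpd and lighttpd, so this is where the design question matters: any permission nginx's proxy modes require would have to be granted to httpd_t and thereby to the other servers too. If a separate domain is chosen instead, this is the one line that needs its own entrypoint type; the other labels in the patch could keep the shared types or be renamed alongside it.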
@@ -77,6 +80,7 @@ ifdef(`distro_suse', `
/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)

@@ -86,6 +90,7 @@ ifdef(`distro_suse', `
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)

ifdef(`distro_debian', `
@@ -97,6 +102,7 @@ ifdef(`distro_debian', `
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)

/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
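Review bot: `/var/run/nginx.*` has an unescaped `.`, so it is a regex wildcard that also matches `/var/run/nginx-anything` and a `/var/run/nginx` directory; it copies the style of `/var/run/httpd.*` above, but if the only intended target is the pid file then `/var/run/nginx\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)` is more precise, and a directory entry of the form `/var/run/nginx(/.*)?` can be added separately if nginx keeps a runtime directory there.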
--
1.7.4
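An added example, not part of the patch or of refpolicy: a small reader for the .fc line format, fed the six nginx lines this patch adds, that reports which type a given path would receive. The most-specific-match ordering in lookup() is an assumption modelled on libselinux behaviour, not its code, and NGINX_FC is constructed from the diff.

```python
import re
from typing import NamedTuple

# NGINX_FC is constructed from the six lines the patch adds to apache.fc.
NGINX_FC = r"""
/etc/nginx(/.*)?              gen_context(system_u:object_r:httpd_config_t,s0)
/etc/rc\.d/init\.d/nginx  --  gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/usr/sbin/nginx           --  gen_context(system_u:object_r:httpd_exec_t,s0)
/var/lib/nginx(/.*)?          gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/log/nginx(/.*)?          gen_context(system_u:object_r:httpd_log_t,s0)
/var/run/nginx.*              gen_context(system_u:object_r:httpd_var_run_t,s0)
"""
# Optional file-type flag that may sit between the pattern and gen_context().
FTYPES = {"--": "file", "-d": "dir", "-l": "symlink", "-s": "sock",
          "-p": "pipe", "-c": "char", "-b": "block"}
LINE_RE = re.compile(r"^(\S+)\s+(?:(-[-dlspcb])\s+)?gen_context\(([^)]+)\)$")

class Spec(NamedTuple):
    regex: str    # setfiles anchors this as ^regex$
    ftype: str    # "" means the entry applies to any file type
    context: str  # user:role:type,level as written inside gen_context()
    index: int    # position in the file, used to break ties

def stem_len(regex):
    """Length of the literal prefix before the first regex metacharacter."""
    n = i = 0
    while i < len(regex) and regex[i] not in ".^$?*+|[](){}":
        i += 2 if regex[i] == "\\" else 1  # a backslash escapes one char
        n += 1
    return n

def parse_fc(text):
    specs = []
    for ln in (raw.strip() for raw in text.splitlines()):
        if not ln or ln.startswith("#"):
            continue
        m = LINE_RE.match(ln)
        if not m:
            raise ValueError("unparsable .fc line: " + ln)
        ftype = FTYPES[m.group(2)] if m.group(2) else ""
        specs.append(Spec(m.group(1), ftype, m.group(3), len(specs)))
    return specs

def lookup(specs, path, ftype="file"):
    """Type a path would get: longest literal stem wins, later entry breaks
    ties (assumed approximation of libselinux ordering, not its code)."""
    hits = [s for s in specs
            if re.fullmatch(s.regex, path) and s.ftype in ("", ftype)]
    best = max(hits, key=lambda s: (stem_len(s.regex), s.index), default=None)
    return best and best.context.split(",")[0].split(":")[2]
```

Note that `/usr/sbin/nginx` carries the `--` flag, so a directory of that name would get no label from these entries, while the unescaped `.` in `/var/run/nginx.*` matches any name that starts with `nginx`.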



2011-03-23 13:05:03

by cpebenito

Subject: [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain.

On 03/18/11 07:03, Dominick Grift wrote:
> http://lists.fedoraproject.org/pipermail/selinux/2011-March/013583.html

I don't agree with nginx running in httpd_t. It's more than a web server
(reverse proxy server and mail proxy server too). If someone uses these
other features and they require more rules, we don't want them added to
httpd_t.

> Signed-off-by: Dominick Grift <[email protected]>
> ---
> :100644 100644 9e39aa5... 6d60ffb... M policy/modules/services/apache.fc
> policy/modules/services/apache.fc | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
> index 9e39aa5..6d60ffb 100644
> --- a/policy/modules/services/apache.fc
> +++ b/policy/modules/services/apache.fc
> @@ -10,8 +10,10 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
> /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
> /etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> /etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/etc/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> /etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/nginx -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
>
> /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
> /etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> @@ -36,6 +38,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
> /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
> /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
> /usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)
> /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
> /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
>
> @@ -77,6 +80,7 @@ ifdef(`distro_suse', `
> /var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
> /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
>
> @@ -86,6 +90,7 @@ ifdef(`distro_suse', `
> /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
>
> ifdef(`distro_debian', `
> @@ -97,6 +102,7 @@ ifdef(`distro_debian', `
> /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
> /var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
> /var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0)
> /var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
>
> /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-03-23 13:53:04

by Russell Coker

Subject: [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain.

On Thu, 24 Mar 2011, "Christopher J. PeBenito" <[email protected]> wrote:
> On 03/18/11 07:03, Dominick Grift wrote:
> > http://lists.fedoraproject.org/pipermail/selinux/2011-March/013583.html
>
> I don't agree with nginx running in httpd_t. It's more than a web server
> (reverse proxy server and mail proxy server too). If someone uses these
> other features and they require more rules, we don't want them added to
> httpd_t.

http://httpd.apache.org/docs/2.0/mod/mod_proxy.html

Apache also supports running as a forward or reverse HTTP proxy server and as
an FTP proxy server.

It seems to me that the only case where a different policy for Nginx and
Apache is a benefit is if Nginx and Apache are running on the same system but
doing different tasks, e.g. Nginx as a mail proxy and Apache as an HTTP server.
This is probably a sufficient reason for having a different domain.

Now if we have different domains for multiple web servers will we have
different types for the content files that they serve?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2011-03-23 14:21:01

by domg472

Subject: [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain.

On 03/23/2011 02:53 PM, Russell Coker wrote:
> On Thu, 24 Mar 2011, "Christopher J. PeBenito" <[email protected]> wrote:
>> On 03/18/11 07:03, Dominick Grift wrote:
>>> http://lists.fedoraproject.org/pipermail/selinux/2011-March/013583.html
>>
>> I don't agree with nginx running in httpd_t. It's more than a web server
>> (reverse proxy server and mail proxy server too). If someone uses these
>> other features and they require more rules, we don't want them added to
>> httpd_t.
>
> http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
>
> Apache also supports running as a forward or reverse HTTP proxy server and as
> an FTP proxy server.
>
> It seems to me that the only case where a different policy for Nginx and
> Apache is a benefit is if Nginx and Apache are running on the same system but
> doing different tasks, e.g. Nginx as a mail proxy and Apache as an HTTP server.
> This is probably a sufficient reason for having a different domain.

The same would apply for lighttpd vs apache. Yes, they also both run in
the httpd_t domain.

>
> Now if we have different domains for multiple web servers will we have
> different types for the content files that they serve?
>


2011-03-23 15:21:27

by cpebenito

Subject: [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain.

On 03/23/11 09:53, Russell Coker wrote:
> On Thu, 24 Mar 2011, "Christopher J. PeBenito" <[email protected]> wrote:
>> On 03/18/11 07:03, Dominick Grift wrote:
>>> http://lists.fedoraproject.org/pipermail/selinux/2011-March/013583.html
>>
>> I don't agree with nginx running in httpd_t. It's more than a web server
>> (reverse proxy server and mail proxy server too). If someone uses these
>> other features and they require more rules, we don't want them added to
>> httpd_t.
>
> http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
>
> Apache also supports running as a forward or reverse HTTP proxy server and as
> an FTP proxy server.

I forgot about that.

> It seems to me that the only case where a different policy for Nginx and
> Apache is a benefit is if Nginx and Apache are running on the same system but
> doing different tasks, e.g. Nginx as a mail proxy and Apache as an HTTP server.
> This is probably a sufficient reason for having a different domain.

I think that it's an uncommon case. If it's necessary, a simple copy with
some find/replace can fix most of it (save some .fc mangling). The
future CIL-based policy copying will make it even easier.

> Now if we have different domains for multiple web servers will we have
> different types for the content files that they serve?
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com