From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 23 Mar 2011 09:05:03 -0400
Subject: [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain.
In-Reply-To: <20110318110259.GA25236@localhost.localdomain>
References: <20110318110259.GA25236@localhost.localdomain>
Message-ID: <4D89EFFF.4040807@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/18/11 07:03, Dominick Grift wrote:
> http://lists.fedoraproject.org/pipermail/selinux/2011-March/013583.html

I don't agree with nginx running in httpd_t. It's more than a web server (reverse proxy server and mail proxy server too). If someone uses these other features and they require more rules, we don't want them added to httpd_t.

> Signed-off-by: Dominick Grift > --- > :100644 100644 9e39aa5... 6d60ffb... M policy/modules/services/apache.fc > policy/modules/services/apache.fc | 6 ++++++ > 1 files changed, 6 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc > index 9e39aa5..6d60ffb 100644 > --- a/policy/modules/services/apache.fc > +++ b/policy/modules/services/apache.fc > @@ -10,8 +10,10 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u > /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) > /etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) > /etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) > +/etc/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) > /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) > /etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) > +/etc/rc\.d/init\.d/nginx -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) > > /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) > /etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> @@ -36,6 +38,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u > /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) > /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) > /usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) > +/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0) > /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) > /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) > > @@ -77,6 +80,7 @@ ifdef(`distro_suse', ` > /var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) > /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) > /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) > +/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) > /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) > /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) > > @@ -86,6 +90,7 @@ ifdef(`distro_suse', ` > /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) > /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) > /var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) > +/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) > /var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) > > ifdef(`distro_debian', ` 
> @@ -97,6 +102,7 @@ ifdef(`distro_debian', ` > /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) > /var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) > /var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) > +/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0) > /var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) > > /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) > > > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
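Review bot: in the first hunk (@@ -10,8 +10,10), labeling /etc/nginx(/.*)? as httpd_config_t and /etc/rc\.d/init\.d/nginx as httpd_initrc_exec_t ties nginx's configuration and startup to the Apache types, which is exactly the design point the reply objects to: because nginx also acts as a reverse proxy and a mail proxy, any rules those features need would have to be added to httpd_t once these labels are in place. If the outcome is a dedicated nginx domain, both lines in this hunk would change to nginx-specific types, so this hunk should wait on that decision rather than be merged as-is.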
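Review bot: in the second hunk (@@ -36,6 +38,7), the line "/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)" is what actually runs nginx in httpd_t: the diffstat shows apache.fc as the only file touched, so the patch relies on the existing httpd_exec_t entry to carry the domain transition. It copies the lighttpd entry directly above and is consistent with that precedent, but it is also the single line a separate nginx domain would replace, and the other four hunks only follow from it. A sentence in the commit message explaining why the lighttpd-style reuse of httpd_t was chosen over a dedicated module would let reviewers weigh the objection in the reply against the patch.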
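Review bot: in the third hunk (@@ -77,6 +80,7), the hunk header reports ifdef(`distro_suse', ` as the enclosing context for the new /var/lib/nginx(/.*)? line. The neighbouring /var/lib/httpd(/.*)? and /var/lib/php/session(/.*)? entries are distribution-neutral, so the new line presumably sits after that block's closing ') and diff simply picked the nearest alphabetic line for the header, but please confirm, since otherwise the httpd_var_lib_t label would apply only on SUSE builds.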
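Review bot: in the last hunk (@@ -97,6 +102,7), the pattern /var/run/nginx.* carries no file-type qualifier, unlike /var/run/wsgi.* -s two lines below, so it labels any object under /var/run whose name begins with "nginx". That mirrors the /var/run/httpd.* entry above and is appropriate if nginx creates a directory there as well, but if the only object is its pid file, "/var/run/nginx\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)" would be the tighter pattern.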