From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 23 Mar 2011 09:05:03 -0400
Subject: [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain.
In-Reply-To: <20110318110259.GA25236@localhost.localdomain>
References: <20110318110259.GA25236@localhost.localdomain>
Message-ID: <4D89EFFF.4040807@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/18/11 07:03, Dominick Grift wrote:
> http://lists.fedoraproject.org/pipermail/selinux/2011-March/013583.html

I don't agree with nginx running in httpd_t.  Its more than a web server
(reverse proxy server and mail proxy server too).  If someone uses these
other features and they require more rules, we don't want them added to
httpd_t.

> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---
> :100644 100644 9e39aa5... 6d60ffb... M	policy/modules/services/apache.fc
>  policy/modules/services/apache.fc |    6 ++++++
>  1 files changed, 6 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
> index 9e39aa5..6d60ffb 100644
> --- a/policy/modules/services/apache.fc
> +++ b/policy/modules/services/apache.fc
> @@ -10,8 +10,10 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
>  /etc/httpd/modules			gen_context(system_u:object_r:httpd_modules_t,s0)
>  /etc/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
>  /etc/mock/koji(/.*)? 			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/etc/nginx(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
>  /etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
>  /etc/rc\.d/init\.d/lighttpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/nginx	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
>  
>  /etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
>  /etc/zabbix/web(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> @@ -36,6 +38,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
>  /usr/sbin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
>  /usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
>  /usr/sbin/lighttpd		--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/nginx		--	gen_context(system_u:object_r:httpd_exec_t,s0)
>  /usr/sbin/rotatelogs		--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
>  /usr/sbin/suexec		--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
>  
> @@ -77,6 +80,7 @@ ifdef(`distro_suse', `
>  /var/lib/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>  /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
>  /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/nginx(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
>  /var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
>  /var/lib/squirrelmail/prefs(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
>  
> @@ -86,6 +90,7 @@ ifdef(`distro_suse', `
>  /var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/httpd(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/nginx(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/piranha(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
>  
>  ifdef(`distro_debian', `
> @@ -97,6 +102,7 @@ ifdef(`distro_debian', `
>  /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
>  /var/run/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_var_run_t,s0)
>  /var/run/mod_.*				gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/var/run/nginx.*				gen_context(system_u:object_r:httpd_var_run_t,s0)
>  /var/run/wsgi.*			-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
>  
>  /var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> 
> 
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com