From: russell@coker.com.au (Russell Coker)
Date: Thu, 24 Mar 2011 00:53:04 +1100
Subject: [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain.
In-Reply-To: <4D89EFFF.4040807@tresys.com>
References: <20110318110259.GA25236@localhost.localdomain> <4D89EFFF.4040807@tresys.com>
Message-ID: <201103240053.04434.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 24 Mar 2011, "Christopher J. PeBenito" wrote:
> On 03/18/11 07:03, Dominick Grift wrote:
> > http://lists.fedoraproject.org/pipermail/selinux/2011-March/013583.html
>
> I don't agree with nginx running in httpd_t. It's more than a web server
> (reverse proxy server and mail proxy server too). If someone uses these
> other features and they require more rules, we don't want them added to
> httpd_t.

http://httpd.apache.org/docs/2.0/mod/mod_proxy.html

Apache also supports running as a forward or reverse HTTP proxy server and as
an FTP proxy server.

It seems to me that the only case where a different policy for Nginx and Apache
is a benefit is if Nginx and Apache are running on the same system but doing
different tasks - e.g. Nginx as a mail proxy and Apache as an HTTP server. This
is probably a sufficient reason for having a different domain.

Now if we have different domains for multiple web servers, will we have
different types for the content files that they serve?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/