From: domg472@gmail.com (Dominick Grift) Date: Wed, 23 Mar 2011 15:21:01 +0100 Subject: [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain. In-Reply-To: <201103240053.04434.russell@coker.com.au> References: <20110318110259.GA25236@localhost.localdomain> <4D89EFFF.4040807@tresys.com> <201103240053.04434.russell@coker.com.au> Message-ID: <4D8A01CD.6090706@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/23/2011 02:53 PM, Russell Coker wrote: > On Thu, 24 Mar 2011, "Christopher J. PeBenito" wrote: >> On 03/18/11 07:03, Dominick Grift wrote: >>> http://lists.fedoraproject.org/pipermail/selinux/2011-March/013583.html >> >> I don't agree with nginx running in httpd_t. Its more than a web server >> (reverse proxy server and mail proxy server too). If someone uses these >> other features and they require more rules, we don't want them added to >> httpd_t. > > http://httpd.apache.org/docs/2.0/mod/mod_proxy.html > > Apache also supports running as a forward or reverse HTTP proxy server and as > a FTP proxy server. > > It seems to me that the only case where a different policy for Nginx and > Apache is a benefit is if Nginx and Apache are running on the same system but > doing different tasks - EG Nginx as a mail proxy and Apache as a HTTP server. > This is probably a sufficient reason for having a different domain. The same would apply for lighttpd vs apache. Yes they also both run in the httpd_t domain. > > Now if we have different domains for multiple web servers will we have > different type for content files that they server? > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk2KAc0ACgkQMlxVo39jgT+ZUwCcCoypllwmxQOLv+GYxjFR5nJD GbkAn1AtxblzqtNNTp9q5jDnOlWZthcJ =/1Cq -----END PGP SIGNATURE-----