From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 23 Mar 2011 11:21:27 -0400
Subject: [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain.
In-Reply-To: <201103240053.04434.russell@coker.com.au>
References: <20110318110259.GA25236@localhost.localdomain> <4D89EFFF.4040807@tresys.com> <201103240053.04434.russell@coker.com.au>
Message-ID: <4D8A0FF7.30008@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/23/11 09:53, Russell Coker wrote:
> On Thu, 24 Mar 2011, "Christopher J. PeBenito" wrote:
>> On 03/18/11 07:03, Dominick Grift wrote:
>>> http://lists.fedoraproject.org/pipermail/selinux/2011-March/013583.html
>>
>> I don't agree with nginx running in httpd_t. It's more than a web server
>> (reverse proxy server and mail proxy server too). If someone uses these
>> other features and they require more rules, we don't want them added to
>> httpd_t.
>
> http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
>
> Apache also supports running as a forward or reverse HTTP proxy server and as
> a FTP proxy server.

I forgot about that.

> It seems to me that the only case where a different policy for Nginx and
> Apache is a benefit is if Nginx and Apache are running on the same system but
> doing different tasks - EG Nginx as a mail proxy and Apache as a HTTP server.
> This is probably a sufficient reason for having a different domain.

I think that it's an uncommon case. If it's necessary, a simple copy with
some find/replace can fix most of it (save some .fc mangling). The future
CIL-based policy copying will make it even easier.

> Now if we have different domains for multiple web servers will we have
> different types for content files that they serve?
>

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com