nginx policy
Dominick Grift
domg472 at gmail.com
Mon Mar 14 10:28:10 UTC 2011
On 03/14/2011 11:14 AM, Mossburg wrote:
> On Mon, Mar 14, 2011 at 10:26 AM, Dominick Grift <domg472 at gmail.com> wrote:
>>
>> On 03/14/2011 10:07 AM, Mossburg wrote:
>>> I'm currently trying to write a policy for the nginx webserver.
>>
>> It is probably better to make this webserver run in the httpd_t domain.
>
> It was my first idea, but I didn't know if it was a good idea to use an
> existing policy, written for a specific process.
>
>> That means that you would have to add file context specifications for
>> some files included with the nginx package:
>>
>> its executable file, configuration file, pid file, log, lib and init
>> script file.
>
> To make it permanent, I would have to write a policy with only a .fc file?
>
>> You did not include your nginx.fc file and so i cannot suggest these
>> changes.
>
> # nginx executable will have:
> # label: system_u:object_r:nginx_exec_t
> # MLS sensitivity: s0
> # MCS categories: <none>
>
> /usr/sbin/nginx -- gen_context(system_u:object_r:nginx_exec_t,s0)
to test (temporary label)
chcon -t httpd_exec_t /usr/sbin/nginx
to make it permanent locally
semanage fcontext -a -t httpd_exec_t /usr/sbin/nginx
> /var/run/nginx.pid gen_context(system_u:object_r:nginx_var_run_t,s0)
semanage fcontext -a -t httpd_var_run_t /var/run/nginx.pid
> /var/log/nginx(/.*)? gen_context(system_u:object_r:nginx_var_log_t,s0)
to test (temporary label)
chcon -R -t httpd_log_t /var/log/nginx
to make permanent locally
semanage fcontext -a -t httpd_log_t "/var/log/nginx(/.*)?"
> /var/lib/nginx(/.*)? gen_context(system_u:object_r:nginx_var_lib_t,s0)
chcon -R -t httpd_var_lib_t /var/lib/nginx
semanage fcontext -a -t httpd_var_lib_t "/var/lib/nginx(/.*)?"
> /etc/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0)
chcon -R -t httpd_config_t /etc/nginx
semanage fcontext -a -t httpd_config_t "/etc/nginx(/.*)?"
use existing apache locations/types:
default system webroot:
/var/www
you can also just add the above fc specs to a .fc file (you may need to
require the types used in the fc file in your te file)
Instead I would just use chcon or semanage fcontext plus restorecon.
Once you have confirmed that it works, you can suggest your changes upstream
so that Fedora/refpolicy can make the changes to the apache module.
Then it should work by default for you on a future update of selinux-policy.
>
>
>> Of course you can also do it your way and write policy from scratch, but
>> doing this for a web server is probably not the best idea. Web servers
>> can be pretty complex and can be configured in many ways.
>>
>> So again, I would suggest trying to run nginx in the existing httpd_t
>> domain instead, so that httpd's proven policy applies to nginx. Saves
>> work/time.
>
> I totally agree.
>
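The labeling procedure discussed in the thread (a local semanage fcontext rule per path, restorecon to apply it to existing files, then a check that the policy really maps the path to the httpd_* type) as one repeatable script. This is an added example, not code from the thread or from the selinux-policy/refpolicy projects. The paths and httpd_* types are the ones named above; the pipe-separated spec format, the function names, and the decision to emit both the .fc line (for an upstream patch) and the equivalent semanage command (for a local fix) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): label nginx's files with the
# existing httpd_* types so nginx runs in httpd_t, and verify the result.

# One spec per line: <path>|<regex suffix>|<file-type qualifier>|<type>
# The qualifier uses refpolicy's .fc notation: "--" = regular file only,
# empty = any file type.
nginx_specs() {
    cat <<'EOF'
/usr/sbin/nginx||--|httpd_exec_t
/var/run/nginx.pid|||httpd_var_run_t
/var/log/nginx|(/.*)?||httpd_log_t
/var/lib/nginx|(/.*)?||httpd_var_lib_t
/etc/nginx|(/.*)?||httpd_config_t
EOF
}

# The .fc line for one spec, as it would go into a module's .fc file or into
# a patch against the apache module upstream.
fc_line() {  # $1 path  $2 regex suffix  $3 qualifier  $4 type
    if [ -n "$3" ]; then
        printf '%s%s\t%s\tgen_context(system_u:object_r:%s,s0)\n' "$1" "$2" "$3" "$4"
    else
        printf '%s%s\tgen_context(system_u:object_r:%s,s0)\n' "$1" "$2" "$4"
    fi
}

# The equivalent local rule. The "--" qualifier becomes "-f f" (regular files
# only); the path is single-quoted because the regex suffix contains shell
# metacharacters.
semanage_cmd() {  # $1 path  $2 regex suffix  $3 qualifier  $4 type
    ftype=""
    case "$3" in --) ftype="-f f " ;; esac
    printf "semanage fcontext -a %s-t %s '%s%s'\n" "$ftype" "$4" "$1$2"
}

for_each_spec() {  # run "$1" with the four fields of every spec
    nginx_specs | while IFS='|' read -r path suffix qual type; do
        "$1" "$path" "$suffix" "$qual" "$type"
    done
}

render_fc()       { for_each_spec fc_line; }
render_semanage() { for_each_spec semanage_cmd; }

# Apply one spec on a real host: record the rule, relabel what exists, and
# check that the policy now maps the path to the requested type. Use
# "semanage fcontext -m" instead of -a if a local rule for the path exists.
label_one() {  # $1 path  $2 regex suffix  $3 qualifier  $4 type
    case "$3" in
        --) semanage fcontext -a -f f -t "$4" "$1$2" ;;
        *)  semanage fcontext -a -t "$4" "$1$2" ;;
    esac
    # semanage only records the rule; restorecon applies it to existing files.
    [ -e "$1" ] && restorecon -Rv "$1"
    actual=$(matchpathcon -n "$1")
    case "$actual" in
        *:"$4":*) echo "ok   $1 -> $actual" ;;
        *)        echo "FAIL $1 -> $actual (wanted $4)" >&2; return 1 ;;
    esac
}

# Entry point: on a host without SELinux tooling, only show the rules that
# would be added so the script can be reviewed before it touches anything.
apply_labels() {
    if command -v semanage >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        for_each_spec label_one
    else
        echo "# SELinux tooling not available; rules that would be added:" >&2
        render_semanage
    fi
}
```

Run `render_fc` to get the .fc lines for an upstream patch and `apply_labels` (as root) for the local fix. One caveat on newer distributions: `/var/run` is a symlink to `/run` and the shipped file contexts are written for `/run` (see `file_contexts.subs_dist`), so check `matchpathcon /var/run/nginx.pid` rather than assuming the `/var/run` rule is the one that applies.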