nginx policy

Dominick Grift domg472 at gmail.com
Mon Mar 14 10:28:10 UTC 2011



On 03/14/2011 11:14 AM, Mossburg wrote:
> On Mon, Mar 14, 2011 at 10:26 AM, Dominick Grift <domg472 at gmail.com> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 03/14/2011 10:07 AM, Mossburg wrote:
>>> I'm currently trying to write a policy for the nginx webserver.
>>
>> It is probably better to make this webserver run in the httpd_t domain.
> 
> It was my first idea but I didn't know if it was a good idea to use an
> existing policy, written for a specific process.
> 
>> That means that you would have to add file context specifications for
>> some files included with the nginx package:
>>
>> its executable file, configuration file, pid file, log, lib and init
>> script file.
> 
> To make it permanent I would have to write a policy only with a .fc file?
> 
>> You did not include your nginx.fc file and so I cannot suggest these
>> changes.
> 
> # nginx executable will have:
> # label: system_u:object_r:nginx_exec_t
> # MLS sensitivity: s0
> # MCS categories: <none>
> 
> /usr/sbin/nginx		--	gen_context(system_u:object_r:nginx_exec_t,s0)

to test (temporary label)
chcon -t httpd_exec_t /usr/sbin/nginx

to make it permanent locally
semanage fcontext -a -t httpd_exec_t /usr/sbin/nginx

> /var/run/nginx.pid		gen_context(system_u:object_r:nginx_var_run_t,s0)

semanage fcontext -a -t httpd_var_run_t /var/run/nginx.pid

> /var/log/nginx(/.*)?		gen_context(system_u:object_r:nginx_var_log_t,s0)

to test (temporary label)

chcon -R -t httpd_log_t /var/log/nginx

to make permanent locally

semanage fcontext -a -t httpd_log_t "/var/log/nginx(/.*)?"

> /var/lib/nginx(/.*)?		gen_context(system_u:object_r:nginx_var_lib_t,s0)

chcon -R -t httpd_var_lib_t /var/lib/nginx

semanage fcontext -a -t httpd_var_lib_t "/var/lib/nginx(/.*)?"

> /etc/nginx(/.*)?		        gen_context(system_u:object_r:nginx_conf_t,s0)

chcon -R -t httpd_config_t /etc/nginx

semanage fcontext -a -t httpd_config_t "/etc/nginx(/.*)?"

use existing apache locations/types:

default system webroot:

/var/www


you can also just add the above fc specs to a .fc file (you may need to
require the types used in the fc file in your te file)

Instead I would just use chcon or semanage fcontext plus restorecon.
Once you have confirmed that it works, you can suggest your changes upstream
so that Fedora/refpolicy can make the changes to the apache module.

Then it should work by default for you on a future update of selinux-policy.

> 
> 
>> Of course you can also do it your way and write policy from scratch but
>> doing this for a web server is probably not the best idea. webservers
>> can be pretty complex and can be configured in many ways.
>>
>> So again, I would suggest trying to run nginx in the existing httpd_t
>> domain instead so that httpd's proven policy applies to nginx. Saves
>> work/time.
> 
> I totally agree.
> 
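The labelling procedure from the reply above, written out as an added example (not from the thread, and not refpolicy or Fedora code): it maps the nginx.fc specs onto the httpd types, prints the semanage/restorecon commands rather than running them, and audits `ls -Z` style lines (a constructed sample here) for files that still carry the wrong type.

```shell
# Added example: nginx.fc paths -> httpd types, plus a label audit.
# "spec expected_type" pairs; the paths are those from the nginx.fc in the thread
nginx_fcontext_table() {
	printf '%s %s\n' \
		'/usr/sbin/nginx' httpd_exec_t  '/var/run/nginx.pid' httpd_var_run_t \
		'/var/log/nginx(/.*)?' httpd_log_t  '/var/lib/nginx(/.*)?' httpd_var_lib_t \
		'/etc/nginx(/.*)?' httpd_config_t
}
# Print (do not run) the commands that make the labels permanent locally.
nginx_semanage_commands() {
	nginx_fcontext_table | while read -r spec type; do
		printf 'semanage fcontext -a -t %s "%s"\n' "$type" "$spec"
	done
	echo 'restorecon -Rv /usr/sbin/nginx /var/run/nginx.pid /var/log/nginx /var/lib/nginx /etc/nginx'
}
# Print the type the table expects for one path (first matching spec), or nothing.
expected_type() {
	nginx_fcontext_table | while read -r spec type; do
		if printf '%s\n' "$1" | grep -Eqx "$spec"; then
			printf '%s\n' "$type"
			break
		fi
	done
}
# Read "context path" lines as `ls -Z` prints them; report each file whose type
# field differs from the expected one. Returns 1 if any mismatch was found.
check_labels() {
	bad=0
	while read -r ctx path; do
		want=$(expected_type "$path")
		[ -n "$want" ] || continue	# path not covered by the table
		actual=$(printf '%s\n' "$ctx" | cut -d: -f3)
		if [ "$actual" != "$want" ]; then
			printf 'MISMATCH %s is %s, expected %s\n' "$path" "$actual" "$want"
			bad=1
		fi
	done
	return $bad
}
# Constructed sample listing: the log file still carries the generic var_log_t.
sample_listing() {
	cat <<'EOF'
system_u:object_r:httpd_exec_t:s0 /usr/sbin/nginx
system_u:object_r:var_log_t:s0 /var/log/nginx/access.log
system_u:object_r:httpd_config_t:s0 /etc/nginx/nginx.conf
EOF
}
nginx_semanage_commands
sample_listing | check_labels || echo 'relabel needed: run the restorecon command above'
```

On a real host, replace `sample_listing` with `ls -Z` output for the nginx paths; a file that has never been relabelled (no restorecon run yet) shows up exactly as the constructed access.log line does.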
