Hi Dominick,
How can we say that confining nginx with Apache Module policy works? Both
are http server. But they both work in different ways, libraries, functions
they look up are different. So shouldn't we need to write a new policy for
nginx (eventhough its quite hectic and too too complex)? Just a thought.
Regards,
--Kurian.
On Fri, Mar 18, 2011 at 4:35 PM, Dominick Grift <domg472(a)gmail.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/18/2011 11:41 AM, Mossburg wrote:
> On Mon, Mar 14, 2011 at 11:58 AM, Mossburg <mossburg79(a)gmail.com> wrote:
>>>>> On 03/14/2011 10:07 AM, Mossburg wrote:
>>>>>> I'm currently trying to write a policy for the nginx
webserver.
>>>>>
>>>>> It is probably better to make this webserver run in the httpd_t
domain.
>>>>
>>>> It was my first idea but i didn't if it was a good idea to use an
>>>> existing policy, written for a specific process.
>>>>
>>>>> That means that you would have to add file context specifications
for
>>>>> some files included with the nginx package:
>>>>>
>>>>> its executable file, configuration file, pid file, log, lib and
init
>>>>> script file.
>>>>
>>>> To make it permanent i would have to write a policy only with a .fc
file ?
>>>>
>>>>> You did not include your nginx.fc file and so i cannot suggest
these
>>>>> changes.
>>>>
>>>> # nginx executable will have:
>>>> # label: system_u:object_r:nginx_exec_t
>>>> # MLS sensitivity: s0
>>>> # MCS categories: <none>
>>>>
>>>> /usr/sbin/nginx --
gen_context(system_u:object_r:nginx_exec_t,s0)
>>>
>>> to test (temporary label)
>>> chcon -t httpd_exec_t /usr/sbin/nginx
>>>
>>> to make it permanent locally
>>> semanage fcontext -a -t httpd_exec_t /usr/sbin/nginx
>>>
>>>> /var/run/nginx.pid
gen_context(system_u:object_r:nginx_var_run_t,s0)
>>>
>>> semanage fcontext -a -t httpd_var_run_t /var/run/nginx.pid
>>>
>>>> /var/log/nginx(/.*)?
gen_context(system_u:object_r:nginx_var_log_t,s0)
>>>
>>> to test (temporary label)
>>>
>>> chcon -R -t httpd_log_t /var/log/nginx
>>>
>>> to make permanent locally
>>>
>>> semanage fcontext -a -t httpd_log_t "/var/log/nginx(/.*)?"
>>>
>>>> /var/lib/nginx(/.*)?
gen_context(system_u:object_r:nginx_var_lib_t,s0)
>>>
>>> chcon -R -t httpd_var_lib_t /var/lib/nginx
>>>
>>> semanage fcontext -a -t httpd_var_lib_t "/var/lib/nginx(/.*)?"
>>>
>>>> /etc/nginx(/.*)?
gen_context(system_u:object_r:nginx_conf_t,s0)
>>>
>>> chcon -R -t httpd_config_t /etc/nginx
>>>
>>> semanage fcontext -a -t httpd_config_t "/etc/nginx(/.*)?"
>>>
>>> use existing apache locations/types:
>>>
>>> default system webroot:
>>>
>>> /var/www
>>>
>>>
>>> you can also just add the above fc specs to a .fc file (you may need to
>>> require the types used in the fc file in your te file)
>>>
>>> Instead i would just use chcon or semanage fcontext plus restorecon.
>>> Once you confirmed that it works, you can suggest your changes upstream
>>> so that Fedora /refpolicy can make the changes to the apache module.
>
>
> Hi Dominick,
>
> What you suggested seems to work. Thanks again for your help.
> How can i suggest this changes upstream ?
>
I have submitted a patch upstream here:
http://oss.tresys.com/pipermail/refpolicy/2011-March/004135.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora -
http://enigmail.mozdev.org/
iEYEARECAAYFAk2DPIAACgkQMlxVo39jgT+Z0wCgyE9auWDqgdHG1EUDBxVBhJ2S
zfcAn1tSLN9DP/U2n16Bje5p88u/1ZpK
=IQ3y
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux