-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/18/2011 11:41 AM, Mossburg wrote:
> On Mon, Mar 14, 2011 at 11:58 AM, Mossburg
> <mossburg79(a)gmail.com> wrote:
>>>> On 03/14/2011 10:07 AM, Mossburg wrote:
>>>>> I'm currently trying to write a policy for the nginx webserver.
>>>>
>>>> It is probably better to make this webserver run in the httpd_t domain.
>>>
>>> It was my first idea but I didn't know if it was a good idea to use an
>>> existing policy, written for a specific process.
>>>
>>>> That means that you would have to add file context specifications for
>>>> some files included with the nginx package:
>>>>
>>>> its executable file, configuration file, pid file, log, lib and init
>>>> script file.
>>>
>>> To make it permanent I would have to write a policy only with a .fc file?
>>>
>>>> You did not include your nginx.fc file and so i cannot suggest these
>>>> changes.
>>>
>>> # nginx executable will have:
>>> # label: system_u:object_r:nginx_exec_t
>>> # MLS sensitivity: s0
>>> # MCS categories: <none>
>>>
>>> /usr/sbin/nginx -- gen_context(system_u:object_r:nginx_exec_t,s0)
>>
>> to test (temporary label)
>> chcon -t httpd_exec_t /usr/sbin/nginx
>>
>> to make it permanent locally
>> semanage fcontext -a -t httpd_exec_t /usr/sbin/nginx
>>
>>> /var/run/nginx.pid gen_context(system_u:object_r:nginx_var_run_t,s0)
>>
>> semanage fcontext -a -t httpd_var_run_t /var/run/nginx.pid
>>
>>> /var/log/nginx(/.*)? gen_context(system_u:object_r:nginx_var_log_t,s0)
>>
>> to test (temporary label)
>>
>> chcon -R -t httpd_log_t /var/log/nginx
>>
>> to make permanent locally
>>
>> semanage fcontext -a -t httpd_log_t "/var/log/nginx(/.*)?"
>>
>>> /var/lib/nginx(/.*)? gen_context(system_u:object_r:nginx_var_lib_t,s0)
>>
>> chcon -R -t httpd_var_lib_t /var/lib/nginx
>>
>> semanage fcontext -a -t httpd_var_lib_t "/var/lib/nginx(/.*)?"
>>
>>> /etc/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0)
>>
>> chcon -R -t httpd_config_t /etc/nginx
>>
>> semanage fcontext -a -t httpd_config_t "/etc/nginx(/.*)?"
>>
>> use existing apache locations/types:
>>
>> default system webroot:
>>
>> /var/www
>>
>>
>> you can also just add the above fc specs to a .fc file (you may need to
>> require the types used in the fc file in your te file)
>>
>> Instead i would just use chcon or semanage fcontext plus restorecon.
>> Once you confirmed that it works, you can suggest your changes upstream
>> so that Fedora /refpolicy can make the changes to the apache module.
> Hi Dominick,
> What you suggested seems to work. Thanks again for your help.
> How can I suggest these changes upstream?
I have submitted a patch upstream here:
http://oss.tresys.com/pipermail/refpolicy/2011-March/004135.html
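The labelling procedure the thread settles on (map nginx's files onto the existing httpd types with semanage fcontext, then restorecon) as a repeatable script. This is an added example, not code from the thread or from refpolicy; the paths and types are the ones quoted above, and the NGINX_LABEL_APPLY variable and function names are this example's own. By default it only prints the plan; applying it needs root and the semanage tool.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): relabel nginx's files into the
# existing httpd_t domain's types. Default is a dry run that prints the
# plan; NGINX_LABEL_APPLY=1 actually runs semanage and restorecon.
set -eu

# Path pattern -> SELinux type, as mapped onto the apache (httpd) types in
# the thread. The regex suffix "(/.*)?" matches everything under a directory.
nginx_fcontext_rules() {
    cat <<'EOF'
/usr/sbin/nginx httpd_exec_t
/var/run/nginx.pid httpd_var_run_t
/var/log/nginx(/.*)? httpd_log_t
/var/lib/nginx(/.*)? httpd_var_lib_t
/etc/nginx(/.*)? httpd_config_t
EOF
}

# The persistent form, one semanage fcontext rule per line. The pattern is
# single-quoted so the shell does not expand "(/.*)?" as a glob.
semanage_commands() {
    nginx_fcontext_rules | while read -r pattern type; do
        printf "semanage fcontext -a -t %s '%s'\n" "$type" "$pattern"
    done
}

# restorecon takes real paths, not regexes: strip the "(/.*)?" suffix.
restorecon_paths() {
    nginx_fcontext_rules | while read -r pattern _; do
        printf '%s\n' "${pattern%%(*}"
    done
}

# chcon alone is undone by the next relabel, so record each rule with
# semanage first (use -m instead of -a if the pattern already has a rule),
# then let restorecon write the recorded labels to disk.
apply_labels() {
    nginx_fcontext_rules | while read -r pattern type; do
        semanage fcontext -a -t "$type" "$pattern"
    done
    # -v lists every file whose label changes; review that list.
    restorecon_paths | xargs -r restorecon -Rv
}

if [ "${NGINX_LABEL_APPLY:-0}" = 1 ]; then
    apply_labels
else
    echo "# dry run; set NGINX_LABEL_APPLY=1 to apply:"
    semanage_commands
    restorecon_paths | sed 's/^/restorecon -Rv /'
fi
```

Before applying, `restorecon -Rnv <path>` (the `-n` flag) shows which files would be relabelled without touching them, which is the check worth running once the semanage rules are in place but before the web server is restarted.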
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora -
http://enigmail.mozdev.org/
iEYEARECAAYFAk2DPIAACgkQMlxVo39jgT+Z0wCgyE9auWDqgdHG1EUDBxVBhJ2S
zfcAn1tSLN9DP/U2n16Bje5p88u/1ZpK
=IQ3y
-----END PGP SIGNATURE-----