-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/18/2011 08:07 PM, Kurian Thayil wrote:
Hi Dominick,
How can we say that confining nginx with Apache Module policy works? Both
are http server. But they both work in different ways, libraries,
functions
they look up are different.
libraries are labelled with generic types (lib_t, shlib_t), and so these
can be used by any domain. These libraries do not have module specific
types. This is a design property of refpolicy.
So shouldn't we need to write a new policy for
nginx (eventhough its quite hectic and too too complex)? Just a
thought.
No, not if httpd_t domain works fine for it. Currently lighttpd also
runs in the httpd_t domain.
Regards,
--Kurian.
On Fri, Mar 18, 2011 at 4:35 PM, Dominick Grift <domg472(a)gmail.com> wrote:
On 03/18/2011 11:41 AM, Mossburg wrote:
>>> On Mon, Mar 14, 2011 at 11:58 AM, Mossburg <mossburg79(a)gmail.com>
wrote:
>>>>>>> On 03/14/2011 10:07 AM, Mossburg wrote:
>>>>>>>> I'm currently trying to write a policy for the nginx
webserver.
>>>>>
>
>>>>>>> It
is probably better to make this webserver run in the httpd_t
domain.
>>>>
>
>>>>>> It was
my first idea but i didn't if it was a good idea to use an
>>>>>> existing policy, written for a specific process.
>>>>
>
>>>>>>>
That means that you would have to add file context specifications for
>>>>>>> some files included with the nginx package:
>>>>>
>
>>>>>>> its
executable file, configuration file, pid file, log, lib and init
>>>>>>> script file.
>>>>
>
>>>>>> To make
it permanent i would have to write a policy only with a .fc
file ?
>>>>
>
>>>>>>> You
did not include your nginx.fc file and so i cannot suggest these
>>>>>>> changes.
>>>>
>
>>>>>> # nginx
executable will have:
>>>>>> # label: system_u:object_r:nginx_exec_t
>>>>>> # MLS sensitivity: s0
>>>>>> # MCS categories: <none>
>>>>
>
>>>>>>
/usr/sbin/nginx --
gen_context(system_u:object_r:nginx_exec_t,s0)
>>>
>
>>>>> to test
(temporary label)
>>>>> chcon -t httpd_exec_t /usr/sbin/nginx
>>>
>
>>>>> to make it
permanent locally
>>>>> semanage fcontext -a -t httpd_exec_t /usr/sbin/nginx
>>>
>
>>>>>>
/var/run/nginx.pid
gen_context(system_u:object_r:nginx_var_run_t,s0)
>>>
>
>>>>> semanage
fcontext -a -t httpd_var_run_t /var/run/nginx.pid
>>>
>
>>>>>>
/var/log/nginx(/.*)?
gen_context(system_u:object_r:nginx_var_log_t,s0)
>>>
>
>>>>> to test
(temporary label)
>>>
>
>>>>> chcon -R -t
httpd_log_t /var/log/nginx
>>>
>
>>>>> to make
permanent locally
>>>
>
>>>>> semanage
fcontext -a -t httpd_log_t "/var/log/nginx(/.*)?"
>>>
>
>>>>>>
/var/lib/nginx(/.*)?
gen_context(system_u:object_r:nginx_var_lib_t,s0)
>>>
>
>>>>> chcon -R -t
httpd_var_lib_t /var/lib/nginx
>>>
>
>>>>> semanage
fcontext -a -t httpd_var_lib_t "/var/lib/nginx(/.*)?"
>>>
>
>>>>>>
/etc/nginx(/.*)?
gen_context(system_u:object_r:nginx_conf_t,s0)
>>>
>
>>>>> chcon -R -t
httpd_config_t /etc/nginx
>>>
>
>>>>> semanage
fcontext -a -t httpd_config_t "/etc/nginx(/.*)?"
>>>
>
>>>>> use
existing apache locations/types:
>>>
>
>>>>> default
system webroot:
>>>
>
>>>>> /var/www
>>>
>
>>>
>
>>>>> you can also just add the above fc
specs to a .fc file (you may need to
>>>>> require the types used in the fc file in your te file)
>>>
>
>>>>> Instead i
would just use chcon or semanage fcontext plus restorecon.
>>>>> Once you confirmed that it works, you can suggest your changes
upstream
>>>>> so that Fedora /refpolicy can make the changes to the apache module.
>
>
>
>
>>> Hi Dominick,
>
>
>>> What you suggested seems to work. Thanks again
for your help.
>>> How can i suggest this changes upstream ?
>
>
I have submitted a patch upstream here:
http://oss.tresys.com/pipermail/refpolicy/2011-March/004135.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora -
http://enigmail.mozdev.org/
iEYEARECAAYFAk2DryEACgkQMlxVo39jgT82YwCgloM7hFIi2kARAbx+2DW1bvr7
onEAn03vBz2r9GU4n3DzNU1dT/lD5hQX
=LOqr
-----END PGP SIGNATURE-----