nginx policy

Kurian Thayil kurianmthayil at gmail.com
Fri Mar 18 19:07:08 UTC 2011


Hi Dominick,

How can we say that confining nginx with the Apache module policy works? Both
are HTTP servers, but they work in different ways; the libraries and functions
they look up are different. So shouldn't we need to write a new policy for
nginx (even though it's quite hectic and far too complex)? Just a thought.

Regards,
--Kurian.

On Fri, Mar 18, 2011 at 4:35 PM, Dominick Grift <domg472 at gmail.com> wrote:

>
> On 03/18/2011 11:41 AM, Mossburg wrote:
> > On Mon, Mar 14, 2011 at 11:58 AM, Mossburg <mossburg79 at gmail.com> wrote:
> >>>>> On 03/14/2011 10:07 AM, Mossburg wrote:
> >>>>>> I'm currently trying to write a policy for the nginx webserver.
> >>>>>
> >>>>> It is probably better to make this webserver run in the httpd_t
> domain.
> >>>>
> >>>> It was my first idea but i didn't if it was a good idea to use an
> >>>> existing policy, written for a specific process.
> >>>>
> >>>>> That means that you would have to add file context specifications for
> >>>>> some files included with the nginx package:
> >>>>>
> >>>>> its executable file, configuration file, pid file, log, lib and init
> >>>>> script file.
> >>>>
> >>>> To make it permanent i would have to write a policy only with a .fc
> file ?
> >>>>
> >>>>> You did not include your nginx.fc file and so i cannot suggest these
> >>>>> changes.
> >>>>
> >>>> # nginx executable will have:
> >>>> # label: system_u:object_r:nginx_exec_t
> >>>> # MLS sensitivity: s0
> >>>> # MCS categories: <none>
> >>>>
> >>>> /usr/sbin/nginx               --  gen_context(system_u:object_r:nginx_exec_t,s0)
> >>>
> >>> to test (temporary label)
> >>> chcon -t httpd_exec_t /usr/sbin/nginx
> >>>
> >>> to make it permanent locally
> >>> semanage fcontext -a -t httpd_exec_t /usr/sbin/nginx
> >>>
> >>>> /var/run/nginx.pid                gen_context(system_u:object_r:nginx_var_run_t,s0)
> >>>
> >>> semanage fcontext -a -t httpd_var_run_t /var/run/nginx.pid
> >>>
> >>>> /var/log/nginx(/.*)?              gen_context(system_u:object_r:nginx_var_log_t,s0)
> >>>
> >>> to test (temporary label)
> >>>
> >>> chcon -R -t httpd_log_t /var/log/nginx
> >>>
> >>> to make permanent locally
> >>>
> >>> semanage fcontext -a -t httpd_log_t "/var/log/nginx(/.*)?"
> >>>
> >>>> /var/lib/nginx(/.*)?              gen_context(system_u:object_r:nginx_var_lib_t,s0)
> >>>
> >>> chcon -R -t httpd_var_lib_t /var/lib/nginx
> >>>
> >>> semanage fcontext -a -t httpd_var_lib_t "/var/lib/nginx(/.*)?"
> >>>
> >>>> /etc/nginx(/.*)?                  gen_context(system_u:object_r:nginx_conf_t,s0)
> >>>
> >>> chcon -R -t httpd_config_t /etc/nginx
> >>>
> >>> semanage fcontext -a -t httpd_config_t "/etc/nginx(/.*)?"
> >>>
> >>> use existing apache locations/types:
> >>>
> >>> default system webroot:
> >>>
> >>> /var/www
> >>>
> >>>
> >>> you can also just add the above fc specs to a .fc file (you may need to
> >>> require the types used in the fc file in your te file)
> >>>
> >>> Instead i would just use chcon or semanage fcontext plus restorecon.
> >>> Once you confirmed that it works, you can suggest your changes upstream
> >>> so that Fedora /refpolicy can make the changes to the apache module.
> >
> >
> > Hi Dominick,
> >
> > What you suggested seems to work. Thanks again for your help.
> > How can i suggest this changes upstream ?
> >
>
> I have submitted a patch upstream here:
>
> http://oss.tresys.com/pipermail/refpolicy/2011-March/004135.html
>
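The relabelling Dominick walks through above (apache types applied to the nginx paths via semanage fcontext plus restorecon), as an added example that is not part of the thread: a small script that rewrites the quoted nginx.fc specs into the equivalent httpd_* commands. It assumes the semanage and restorecon command syntax shown in the reply, and the sample .fc it parses is constructed from the quoted lines.

```shell
# Added example (not from the thread): rewrite the nginx.fc specs quoted above into
# Dominick's httpd_* labelling. Dry run by default; "--apply" runs the commands (root).
set -eu
# nginx-specific types from the posted nginx.fc -> existing apache module types.
map_type() {
  case "$1" in
    nginx_exec_t)    echo httpd_exec_t ;;
    nginx_var_run_t) echo httpd_var_run_t ;;
    nginx_var_log_t) echo httpd_log_t ;;
    nginx_var_lib_t) echo httpd_var_lib_t ;;
    nginx_conf_t)    echo httpd_config_t ;;
    *) echo "no httpd equivalent for type $1" >&2; return 1 ;;
  esac
}
# stdin: .fc lines "path [--] gen_context(user:role:type,mls)"; stdout: one semanage
# line per spec. The "--" regular-file qualifier is dropped, as in the quoted commands.
fc_to_semanage() {
  while read -r path rest; do
    case "$path" in ''|'#'*) continue ;; esac          # skip blanks and comments
    type=$(printf '%s\n' "$rest" | sed -n 's/.*gen_context([^:]*:[^:]*:\([^,)]*\).*/\1/p')
    [ -n "$type" ] || { echo "unparsable spec: $path $rest" >&2; return 1; }
    httpd_type=$(map_type "$type") || return 1
    printf 'semanage fcontext -a -t %s "%s"\n' "$httpd_type" "$path"
  done
}
# restorecon wants paths, not regexes: drop the "(/.*)?" suffix and recurse.
fc_to_restorecon() {
  while read -r path rest; do
    case "$path" in ''|'#'*) continue ;; esac
    printf 'restorecon -Rv "%s"\n' "${path%"(/.*)?"}"
  done
}
# Constructed from the nginx.fc lines quoted in the thread.
sample_fc() {
  cat <<'EOF'
# nginx executable, pid file, logs, state and configuration
/usr/sbin/nginx        --  gen_context(system_u:object_r:nginx_exec_t,s0)
/var/run/nginx.pid         gen_context(system_u:object_r:nginx_var_run_t,s0)
/var/log/nginx(/.*)?       gen_context(system_u:object_r:nginx_var_log_t,s0)
/var/lib/nginx(/.*)?       gen_context(system_u:object_r:nginx_var_lib_t,s0)
/etc/nginx(/.*)?           gen_context(system_u:object_r:nginx_conf_t,s0)
EOF
}
cmds=$( { sample_fc | fc_to_semanage; sample_fc | fc_to_restorecon; } )
if [ "${1:-}" = "--apply" ]; then
  printf '%s\n' "$cmds" | sh -e      # afterwards, verify with: matchpathcon /usr/sbin/nginx
else
  printf '%s\n' "$cmds"              # dry run: review the commands before applying
fi
```

Run without arguments to see the semanage and restorecon commands; with `--apply` they are executed, after which `ls -Z /usr/sbin/nginx` should show httpd_exec_t.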