From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] nginx policy
Date: Fri, 18 Mar 2011 20:14:41 +0100
Message-ID: <4D83AF21.4000203@gmail.com>
In-Reply-To: <AANLkTi=tOY088hVcyvSLb2b-vKvrzBnE0_ZnMvAcoHgK@mail.gmail.com>
On 03/18/2011 08:07 PM, Kurian Thayil wrote:
> Hi Dominick,
>
> How can we say that confining nginx with Apache Module policy works? Both
It was tested by Mossburg and he confirmed that httpd policy works for
nginx.
> are http server. But they both work in different ways, libraries, functions
> they look up are different.
Libraries are labelled with generic types (lib_t, shlib_t), and so these
can be used by any domain. These libraries do not have module specific
types. This is a design property of refpolicy.
> So shouldn't we need to write a new policy for
> nginx (even though it's quite hectic and too too complex)? Just a thought.
No, not if httpd_t domain works fine for it. Currently lighttpd also
runs in the httpd_t domain.
>
> Regards,
> --Kurian.
>
> On Fri, Mar 18, 2011 at 4:35 PM, Dominick Grift <domg472@gmail.com> wrote:
>
> On 03/18/2011 11:41 AM, Mossburg wrote:
>>>> On Mon, Mar 14, 2011 at 11:58 AM, Mossburg <mossburg79@gmail.com> wrote:
>>>>>>>> On 03/14/2011 10:07 AM, Mossburg wrote:
>>>>>>>>> I'm currently trying to write a policy for the nginx webserver.
>>>>>>>>
>>>>>>>> It is probably better to make this webserver run in the httpd_t
>>>>>>>> domain.
>>>>>>>
>>>>>>> It was my first idea but I didn't know if it was a good idea to use an
>>>>>>> existing policy, written for a specific process.
>>>>>>>
>>>>>>>> That means that you would have to add file context specifications for
>>>>>>>> some files included with the nginx package:
>>>>>>>>
>>>>>>>> its executable file, configuration file, pid file, log, lib and init
>>>>>>>> script file.
>>>>>>>
>>>>>>> To make it permanent I would have to write a policy only with a .fc
>>>>>>> file?
>>>>>>>
>>>>>>>> You did not include your nginx.fc file and so i cannot suggest these
>>>>>>>> changes.
>>>>>>>
>>>>>>> # nginx executable will have:
>>>>>>> # label: system_u:object_r:nginx_exec_t
>>>>>>> # MLS sensitivity: s0
>>>>>>> # MCS categories: <none>
>>>>>>>
>>>>>>> /usr/sbin/nginx -- gen_context(system_u:object_r:nginx_exec_t,s0)
>>>>>>
>>>>>> to test (temporary label)
>>>>>> chcon -t httpd_exec_t /usr/sbin/nginx
>>>>>>
>>>>>> to make it permanent locally
>>>>>> semanage fcontext -a -t httpd_exec_t /usr/sbin/nginx
>>>>>>
>>>>>>> /var/run/nginx.pid gen_context(system_u:object_r:nginx_var_run_t,s0)
>>>>>>
>>>>>> semanage fcontext -a -t httpd_var_run_t /var/run/nginx.pid
>>>>>>
>>>>>>> /var/log/nginx(/.*)? gen_context(system_u:object_r:nginx_var_log_t,s0)
>>>>>>
>>>>>> to test (temporary label)
>>>>>>
>>>>>> chcon -R -t httpd_log_t /var/log/nginx
>>>>>>
>>>>>> to make permanent locally
>>>>>>
>>>>>> semanage fcontext -a -t httpd_log_t "/var/log/nginx(/.*)?"
>>>>>>
>>>>>>> /var/lib/nginx(/.*)? gen_context(system_u:object_r:nginx_var_lib_t,s0)
>>>>>>
>>>>>> chcon -R -t httpd_var_lib_t /var/lib/nginx
>>>>>>
>>>>>> semanage fcontext -a -t httpd_var_lib_t "/var/lib/nginx(/.*)?"
>>>>>>
>>>>>>> /etc/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0)
>>>>>>
>>>>>> chcon -R -t httpd_config_t /etc/nginx
>>>>>>
>>>>>> semanage fcontext -a -t httpd_config_t "/etc/nginx(/.*)?"
>>>>>>
>>>>>> use existing apache locations/types:
>>>>>>
>>>>>> default system webroot:
>>>>>>
>>>>>> /var/www
>>>>>>
>>>>>>
>>>>>> you can also just add the above fc specs to a .fc file (you may need to
>>>>>> require the types used in the fc file in your te file)
>>>>>>
>>>>>> Instead i would just use chcon or semanage fcontext plus restorecon.
>>>>>> Once you confirmed that it works, you can suggest your changes upstream
>>>>>> so that Fedora /refpolicy can make the changes to the apache module.
>>>>
>>>>
>>>> Hi Dominick,
>>>>
>>>> What you suggested seems to work. Thanks again for your help.
>>>> How can I suggest these changes upstream?
>>>>
>
> I have submitted a patch upstream here:
>
> http://oss.tresys.com/pipermail/refpolicy/2011-March/004135.html
>
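The relabelling procedure Dominick walks Mossburg through above (map nginx's own files onto the existing httpd_* types, try it first with a temporary chcon, then make it persistent with semanage fcontext plus restorecon) collected into one script. This is an added example, not code from the thread, from Fedora or from refpolicy: the path-to-type mapping is reconstructed from the specs quoted above (written as .fc regexes, so the dot in nginx.pid is escaped), the function names are mine, and nginx_apply_local assumes the standard semanage, restorecon and ls -Z tools are installed.

```shell
#!/bin/sh
# Added example: nginx -> httpd_* relabelling from the thread, as one script.
# Constructed mapping (path regex|type), derived from the fc specs quoted above.
NGINX_FC_MAP='/usr/sbin/nginx|httpd_exec_t
/etc/nginx(/.*)?|httpd_config_t
/var/log/nginx(/.*)?|httpd_log_t
/var/lib/nginx(/.*)?|httpd_var_lib_t
/var/run/nginx\.pid|httpd_var_run_t'

# Call "$1 <path> <type>" for every entry of the mapping.
_nginx_fc_each() {
    printf '%s\n' "$NGINX_FC_MAP" | while IFS='|' read -r path type; do
        [ -n "$path" ] || continue
        "$1" "$path" "$type"
    done
}

# refpolicy-style lines: what the upstream apache.fc addition looks like.
_fc_line() { printf '%s\t\tgen_context(system_u:object_r:%s,s0)\n' "$1" "$2"; }
nginx_fc_lines() { _nginx_fc_each _fc_line; }

# Temporary test labels (chcon): lost on the next relabel, good for a first try.
_chcon_cmd() {
    # chcon takes real paths, not regexes: drop the (/.*)? suffix and the
    # backslash escape, and recurse where the spec covered a directory tree.
    p=$(printf '%s' "$1" | sed -e 's|(/\.\*)?$||' -e 's|\\||g')
    case "$1" in
        *'(/.*)?') printf 'chcon -R -t %s %s\n' "$2" "$p" ;;
        *)         printf 'chcon -t %s %s\n' "$2" "$p" ;;
    esac
}
nginx_chcon_cmds() { _nginx_fc_each _chcon_cmd; }

# Persistent local customisation (semanage fcontext): survives restorecon.
_semanage_cmd() { printf "semanage fcontext -a -t %s '%s'\n" "$2" "$1"; }
nginx_semanage_cmds() { _nginx_fc_each _semanage_cmd; }

# Apply the persistent rules and relabel; only when the SELinux userland exists.
nginx_apply_local() {
    command -v semanage >/dev/null 2>&1 || { echo 'semanage not found' >&2; return 1; }
    nginx_semanage_cmds | sh -e || return 1
    for p in /usr/sbin/nginx /etc/nginx /var/log/nginx /var/lib/nginx /var/run/nginx.pid; do
        [ -e "$p" ] && restorecon -R -v "$p"
    done
    # The check the thread relies on: labels should now read httpd_*.
    ls -Zd /usr/sbin/nginx /etc/nginx
}

case "${1:-}" in
    --show)  nginx_fc_lines; nginx_chcon_cmds; nginx_semanage_cmds ;;
    --apply) nginx_apply_local ;;
esac
```

Run it with `--show` to review the three forms side by side before touching anything, and with `--apply` (as root) to make the change permanent. Re-running the apply step fails on rules that already exist; `semanage fcontext -m` modifies an existing rule instead of adding one.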