* [refpolicy] nginx policy
@ 2011-03-18 11:05           ` Dominick Grift
From: Dominick Grift @ 2011-03-18 11:05 UTC (permalink / raw)
  To: refpolicy

On 03/18/2011 11:41 AM, Mossburg wrote:
> On Mon, Mar 14, 2011 at 11:58 AM, Mossburg <mossburg79@gmail.com> wrote:
>>>>> On 03/14/2011 10:07 AM, Mossburg wrote:
>>>>>> I'm currently trying to write a policy for the nginx webserver.
>>>>>
>>>>> It is probably better to make this webserver run in the httpd_t domain.
>>>>
>>>> It was my first idea but I didn't know if it was a good idea to use an
>>>> existing policy, written for a specific process.
>>>>
>>>>> That means that you would have to add file context specifications for
>>>>> some files included with the nginx package:
>>>>>
>>>>> its executable file, configuration file, pid file, log, lib and init
>>>>> script file.
>>>>
>>>> To make it permanent I would have to write a policy only with a .fc file?
>>>>
>>>>> You did not include your nginx.fc file and so i cannot suggest these
>>>>> changes.
>>>>
>>>> # nginx executable will have:
>>>> # label: system_u:object_r:nginx_exec_t
>>>> # MLS sensitivity: s0
>>>> # MCS categories: <none>
>>>>
>>>> /usr/sbin/nginx               --      gen_context(system_u:object_r:nginx_exec_t,s0)
>>>
>>> to test (temporary label)
>>> chcon -t httpd_exec_t /usr/sbin/nginx
>>>
>>> to make it permanent locally
>>> semanage fcontext -a -t httpd_exec_t /usr/sbin/nginx
>>>
>>>> /var/run/nginx.pid            gen_context(system_u:object_r:nginx_var_run_t,s0)
>>>
>>> semanage fcontext -a -t httpd_var_run_t /var/run/nginx.pid
>>>
>>>> /var/log/nginx(/.*)?          gen_context(system_u:object_r:nginx_var_log_t,s0)
>>>
>>> to test (temporary label)
>>>
>>> chcon -R -t httpd_log_t /var/log/nginx
>>>
>>> to make permanent locally
>>>
>>> semanage fcontext -a -t httpd_log_t "/var/log/nginx(/.*)?"
>>>
>>>> /var/lib/nginx(/.*)?          gen_context(system_u:object_r:nginx_var_lib_t,s0)
>>>
>>> chcon -R -t httpd_var_lib_t /var/lib/nginx
>>>
>>> semanage fcontext -a -t httpd_var_lib_t "/var/lib/nginx(/.*)?"
>>>
>>>> /etc/nginx(/.*)?                      gen_context(system_u:object_r:nginx_conf_t,s0)
>>>
>>> chcon -R -t httpd_config_t /etc/nginx
>>>
>>> semanage fcontext -a -t httpd_config_t "/etc/nginx(/.*)?"
>>>
>>> use existing apache locations/types:
>>>
>>> default system webroot:
>>>
>>> /var/www
>>>
>>>
>>> you can also just add the above fc specs to a .fc file (you may need to
>>> require the types used in the fc file in your te file)
>>>
>>> Instead I would just use chcon or semanage fcontext plus restorecon.
>>> Once you have confirmed that it works, you can suggest your changes upstream
>>> so that Fedora/refpolicy can make the changes to the apache module.
> 
> 
> Hi Dominick,
> 
> What you suggested seems to work. Thanks again for your help.
> How can I suggest these changes upstream?
> 

I have submitted a patch upstream here:

http://oss.tresys.com/pipermail/refpolicy/2011-March/004135.html

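The labelling procedure Dominick describes above (one semanage fcontext spec per nginx path, then restorecon), collected into one script as an added example; this is not code from the thread or from refpolicy. The paths and httpd types are the ones quoted in the thread; the function names, the DRY_RUN switch and the use of matchpathcon to verify the result are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the thread): register the httpd_t file-context
# specs Dominick lists for nginx, relabel, and verify the result. Paths and
# types are those quoted in the thread; function names and DRY_RUN are assumed.

# One spec per line: "<path regex> <existing apache type>".
NGINX_SPECS='/usr/sbin/nginx httpd_exec_t
/var/run/nginx.pid httpd_var_run_t
/var/log/nginx(/.*)? httpd_log_t
/var/lib/nginx(/.*)? httpd_var_lib_t
/etc/nginx(/.*)? httpd_config_t'

# The semanage command for one spec, as a string (used by the dry run).
fcontext_cmd() {
    printf 'semanage fcontext -a -t %s "%s"\n' "$2" "$1"
}

# The concrete file or directory a spec covers: /var/log/nginx(/.*)? -> /var/log/nginx
spec_root() {
    printf '%s\n' "$1" | sed 's/(\/\.\*)?$//'
}

# Register every spec, then restorecon so on-disk labels match the database
# (this also replaces any temporary chcon label with the permanent one).
# DRY_RUN=1 only prints the commands; an already-defined spec is modified (-m).
apply_nginx_fcontexts() {
    printf '%s\n' "$NGINX_SPECS" | while read -r path type; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            fcontext_cmd "$path" "$type"
        else
            semanage fcontext -a -t "$type" "$path" 2>/dev/null \
                || semanage fcontext -m -t "$type" "$path"
            root=$(spec_root "$path")
            [ -e "$root" ] && restorecon -R "$root"
        fi
    done
}

# Ask the policy which label each path now gets and compare the type field;
# returns the number of mismatches (0 = every path labelled as intended).
verify_nginx_labels() {
    bad=0
    while read -r path type; do
        got=$(matchpathcon -n "$(spec_root "$path")" | cut -d: -f3)
        [ "$got" = "$type" ] || { echo "MISMATCH $path: want $type, got $got"; bad=$((bad + 1)); }
    done <<EOF
$NGINX_SPECS
EOF
    return "$bad"
}
```

Source the file and call `DRY_RUN=1 apply_nginx_fcontexts` first to see the commands; the real run needs root and policycoreutils, after which `verify_nginx_labels` returns non-zero if any path does not get the intended type.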

* [refpolicy] nginx policy
@ 2011-03-18 19:14               ` Dominick Grift
From: Dominick Grift @ 2011-03-18 19:14 UTC (permalink / raw)
  To: refpolicy

On 03/18/2011 08:07 PM, Kurian Thayil wrote:
> Hi Dominick,
> 
> How can we say that confining nginx with the Apache module policy works? Both

It was tested by Mossburg and he confirmed that httpd policy works for
nginx.

> are HTTP servers. But they both work in different ways; the libraries and functions
> they look up are different.

Libraries are labelled with generic types (lib_t, shlib_t), and so these
can be used by any domain. These libraries do not have module-specific
types. This is a design property of refpolicy.

> So shouldn't we need to write a new policy for
> nginx (even though it's quite hectic and much too complex)? Just a thought.

No, not if httpd_t domain works fine for it. Currently lighttpd also
runs in the httpd_t domain.

> 
> Regards,
> --Kurian.
> 