* [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain.
@ 2011-03-18 11:03 Dominick Grift
  2011-03-23 13:05 ` Christopher J. PeBenito
  0 siblings, 1 reply; 5+ messages in thread
From: Dominick Grift @ 2011-03-18 11:03 UTC (permalink / raw)
  To: refpolicy

http://lists.fedoraproject.org/pipermail/selinux/2011-March/013583.html

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 9e39aa5... 6d60ffb... M	policy/modules/services/apache.fc
 policy/modules/services/apache.fc |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 9e39aa5..6d60ffb 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -10,8 +10,10 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
 /etc/httpd/modules			gen_context(system_u:object_r:httpd_modules_t,s0)
 /etc/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/mock/koji(/.*)? 			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/nginx(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/lighttpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nginx	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
 
 /etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/zabbix/web(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
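Review bot: `/etc/nginx(/.*)?` gets httpd_config_t and the init script gets httpd_initrc_exec_t, exactly mirroring the lighttpd lines beside them, so any domain that may read or modify Apache's configuration may do the same to nginx's. The commit message gives only a URL as rationale; it should say why nginx's configuration is meant to share Apache's type rather than receive its own, especially since this thread raises nginx's reverse proxy and mail proxy roles as reasons for a separate domain.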
@@ -36,6 +38,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
 /usr/sbin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/lighttpd		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/nginx		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/rotatelogs		--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
 /usr/sbin/suexec		--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
 
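Review bot: The `/usr/sbin/nginx` entry is the one that actually puts nginx in httpd_t, because httpd_exec_t is that domain's entrypoint type; the rest of the patch only labels supporting files. Suggest the commit message state the trade-off: once nginx runs as httpd_t, any extra permissions its proxy modes need can only be granted by widening httpd_t for every program that runs there, which is the objection raised later in this thread.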
@@ -77,6 +80,7 @@ ifdef(`distro_suse', `
 /var/lib/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/nginx(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
 /var/lib/squirrelmail/prefs(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
 
@@ -86,6 +90,7 @@ ifdef(`distro_suse', `
 /var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/httpd(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/nginx(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/piranha(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 
 ifdef(`distro_debian', `
@@ -97,6 +102,7 @@ ifdef(`distro_debian', `
 /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
 /var/run/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_var_run_t,s0)
 /var/run/mod_.*				gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/nginx.*				gen_context(system_u:object_r:httpd_var_run_t,s0)
 /var/run/wsgi.*			-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
 
 /var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
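Review bot: `/var/run/nginx.*` has no file-type specifier and no terminating anchor, so it labels a pid file, a `/var/run/nginx/` directory and everything beneath it alike as httpd_var_run_t, the same breadth as the `/var/run/httpd.*` entry it copies. That is consistent, but if nginx only creates a pid file here, a narrower pattern with `--` would avoid claiming a whole directory tree; compare the `-s` specifier on `/var/run/wsgi.*` just below.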
-- 
1.7.4


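A reviewer's consistency check for the entries in the patch above, added here as an example and not refpolicy's own tooling: it parses apache.fc-style lines and confirms that every nginx entry carries the same type and file-type specifier as the lighttpd or httpd entry it mirrors, using the lines from the hunks as constructed sample input. The ifdef handling and the lighttpd-then-httpd lookup order are assumptions.

```python
import re
# One apache.fc entry: path regex, optional file-type specifier (--, -d, -s, ...),
# then gen_context(user:role:type[,mls]). m4 ifdef wrappers and blank lines are skipped.
FC_LINE = re.compile(r"^(?P<path>\S+)\s+(?:(?P<ftype>-[-a-z])\s+)?"
                     r"gen_context\([^:]+:[^:]+:(?P<type>[^,)]+)(?:,[^)]+)?\)$")

def parse_fc(text):
    """Return {path_regex: (ftype_or_None, selinux_type)} for every entry in text."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("ifdef(") or line.startswith("')"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable .fc line: {line!r}")
        entries[m["path"]] = (m["ftype"], m["type"])
    return entries

def check_new_daemon(text, daemon="nginx", references=("lighttpd", "httpd")):
    """List each <daemon> entry whose type or specifier differs from the counterpart found
    by swapping the daemon name in its path (lighttpd first, then httpd), or that has none."""
    entries = parse_fc(text)
    problems = []
    for path, (ftype, setype) in entries.items():
        if daemon not in path:
            continue
        ref = next((p for p in (path.replace(daemon, r) for r in references) if p in entries), None)
        if ref is None:
            problems.append(f"{path}: no lighttpd/httpd counterpart")
        elif entries[ref] != (ftype, setype):
            problems.append(f"{path}: {ftype} {setype} differs from {ref}: {entries[ref]}")
    return problems  # empty list means the new lines mirror existing ones exactly

# Constructed sample: existing lighttpd/httpd lines beside the six nginx lines from the patch.
PATCHED_FC = """\
/etc/lighttpd(/.*)?\t\t\tgen_context(system_u:object_r:httpd_config_t,s0)
/etc/nginx(/.*)?\t\t\tgen_context(system_u:object_r:httpd_config_t,s0)
/etc/rc\\.d/init\\.d/lighttpd\t--\tgen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/etc/rc\\.d/init\\.d/nginx\t--\tgen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/usr/sbin/lighttpd\t\t--\tgen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/nginx\t\t--\tgen_context(system_u:object_r:httpd_exec_t,s0)
/var/lib/httpd(/.*)?\t\t\tgen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/nginx(/.*)?\t\t\tgen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/log/lighttpd(/.*)?\t\t\tgen_context(system_u:object_r:httpd_log_t,s0)
/var/log/nginx(/.*)?\t\t\tgen_context(system_u:object_r:httpd_log_t,s0)
/var/run/httpd.*\t\t\tgen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/nginx.*\t\t\t\tgen_context(system_u:object_r:httpd_var_run_t,s0)
"""
```

Running `check_new_daemon(PATCHED_FC)` on the patch's lines returns an empty list; relabelling one nginx line to a different type makes that line show up as a mismatch.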

* [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain.
  2011-03-18 11:03 [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain Dominick Grift
@ 2011-03-23 13:05 ` Christopher J. PeBenito
  2011-03-23 13:53   ` Russell Coker
  0 siblings, 1 reply; 5+ messages in thread
From: Christopher J. PeBenito @ 2011-03-23 13:05 UTC (permalink / raw)
  To: refpolicy

On 03/18/11 07:03, Dominick Grift wrote:
> http://lists.fedoraproject.org/pipermail/selinux/2011-March/013583.html

I don't agree with nginx running in httpd_t.  It's more than a web server
(reverse proxy server and mail proxy server too).  If someone uses these
other features and they require more rules, we don't want them added to
httpd_t.



-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain.
  2011-03-23 13:05 ` Christopher J. PeBenito
@ 2011-03-23 13:53   ` Russell Coker
  2011-03-23 14:21     ` Dominick Grift
  2011-03-23 15:21     ` Christopher J. PeBenito
  0 siblings, 2 replies; 5+ messages in thread
From: Russell Coker @ 2011-03-23 13:53 UTC (permalink / raw)
  To: refpolicy

On Thu, 24 Mar 2011, "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
> On 03/18/11 07:03, Dominick Grift wrote:
> > http://lists.fedoraproject.org/pipermail/selinux/2011-March/013583.html
> 
> I don't agree with nginx running in httpd_t.  It's more than a web server
> (reverse proxy server and mail proxy server too).  If someone uses these
> other features and they require more rules, we don't want them added to
> httpd_t.

http://httpd.apache.org/docs/2.0/mod/mod_proxy.html

Apache also supports running as a forward or reverse HTTP proxy server and as 
an FTP proxy server.

It seems to me that the only case where a different policy for Nginx and 
Apache is a benefit is if Nginx and Apache are running on the same system but 
doing different tasks, e.g. Nginx as a mail proxy and Apache as an HTTP server.  
This is probably a sufficient reason for having a different domain.

Now if we have different domains for multiple web servers, will we have 
different types for content files that they serve?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain.
  2011-03-23 13:53   ` Russell Coker
@ 2011-03-23 14:21     ` Dominick Grift
  2011-03-23 15:21     ` Christopher J. PeBenito
  1 sibling, 0 replies; 5+ messages in thread
From: Dominick Grift @ 2011-03-23 14:21 UTC (permalink / raw)
  To: refpolicy


On 03/23/2011 02:53 PM, Russell Coker wrote:
> On Thu, 24 Mar 2011, "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
>> On 03/18/11 07:03, Dominick Grift wrote:
>>> http://lists.fedoraproject.org/pipermail/selinux/2011-March/013583.html
>>
>> I don't agree with nginx running in httpd_t.  It's more than a web server
>> (reverse proxy server and mail proxy server too).  If someone uses these
>> other features and they require more rules, we don't want them added to
>> httpd_t.
> 
> http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
> 
> Apache also supports running as a forward or reverse HTTP proxy server and as 
> an FTP proxy server.
> 
> It seems to me that the only case where a different policy for Nginx and 
> Apache is a benefit is if Nginx and Apache are running on the same system but 
> doing different tasks, e.g. Nginx as a mail proxy and Apache as an HTTP server.  
> This is probably a sufficient reason for having a different domain.

The same would apply for lighttpd vs apache. Yes, they also both run in
the httpd_t domain.

> 
> Now if we have different domains for multiple web servers will we have 
> different types for content files that they serve?
> 


* [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain.
  2011-03-23 13:53   ` Russell Coker
  2011-03-23 14:21     ` Dominick Grift
@ 2011-03-23 15:21     ` Christopher J. PeBenito
  1 sibling, 0 replies; 5+ messages in thread
From: Christopher J. PeBenito @ 2011-03-23 15:21 UTC (permalink / raw)
  To: refpolicy

On 03/23/11 09:53, Russell Coker wrote:
> On Thu, 24 Mar 2011, "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
>> On 03/18/11 07:03, Dominick Grift wrote:
>>> http://lists.fedoraproject.org/pipermail/selinux/2011-March/013583.html
>>
>> I don't agree with nginx running in httpd_t.  It's more than a web server
>> (reverse proxy server and mail proxy server too).  If someone uses these
>> other features and they require more rules, we don't want them added to
>> httpd_t.
> 
> http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
> 
> Apache also supports running as a forward or reverse HTTP proxy server and as 
> an FTP proxy server.

I forgot about that.

> It seems to me that the only case where a different policy for Nginx and 
> Apache is a benefit is if Nginx and Apache are running on the same system but 
> doing different tasks, e.g. Nginx as a mail proxy and Apache as an HTTP server.  
> This is probably a sufficient reason for having a different domain.

I think that it's an uncommon case.  If it's necessary, a simple copy with
some find/replace can fix most of it (save some .fc mangling).  The
future CIL-based policy copying will make it even easier.

> Now if we have different domains for multiple web servers will we have 
> different types for content files that they serve?
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

