* [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain.
@ 2011-03-18 11:03 Dominick Grift
2011-03-23 13:05 ` Christopher J. PeBenito
0 siblings, 1 reply; 5+ messages in thread
From: Dominick Grift @ 2011-03-18 11:03 UTC (permalink / raw)
To: refpolicy
http://lists.fedoraproject.org/pipermail/selinux/2011-March/013583.html
Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 9e39aa5... 6d60ffb... M policy/modules/services/apache.fc
policy/modules/services/apache.fc | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 9e39aa5..6d60ffb 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -10,8 +10,10 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nginx -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@@ -36,6 +38,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
@@ -77,6 +80,7 @@ ifdef(`distro_suse', `
/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
@@ -86,6 +90,7 @@ ifdef(`distro_suse', `
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
ifdef(`distro_debian', `
@@ -97,6 +102,7 @@ ifdef(`distro_debian', `
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
--
1.7.4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110318/b8c876e0/attachment.bin
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain.
2011-03-18 11:03 [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain Dominick Grift
@ 2011-03-23 13:05 ` Christopher J. PeBenito
2011-03-23 13:53 ` Russell Coker
0 siblings, 1 reply; 5+ messages in thread
From: Christopher J. PeBenito @ 2011-03-23 13:05 UTC (permalink / raw)
To: refpolicy
On 03/18/11 07:03, Dominick Grift wrote:
> http://lists.fedoraproject.org/pipermail/selinux/2011-March/013583.html
I don't agree with nginx running in httpd_t. Its more than a web server
(reverse proxy server and mail proxy server too). If someone uses these
other features and they require more rules, we don't want them added to
httpd_t.
> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---
> :100644 100644 9e39aa5... 6d60ffb... M policy/modules/services/apache.fc
> policy/modules/services/apache.fc | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
> index 9e39aa5..6d60ffb 100644
> --- a/policy/modules/services/apache.fc
> +++ b/policy/modules/services/apache.fc
> @@ -10,8 +10,10 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
> /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
> /etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> /etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/etc/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> /etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/nginx -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
>
> /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
> /etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> @@ -36,6 +38,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
> /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
> /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
> /usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)
> /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
> /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
>
> @@ -77,6 +80,7 @@ ifdef(`distro_suse', `
> /var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> +/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
> /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
>
> @@ -86,6 +90,7 @@ ifdef(`distro_suse', `
> /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
>
> ifdef(`distro_debian', `
> @@ -97,6 +102,7 @@ ifdef(`distro_debian', `
> /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
> /var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
> /var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
> +/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0)
> /var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
>
> /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain.
2011-03-23 13:05 ` Christopher J. PeBenito
@ 2011-03-23 13:53 ` Russell Coker
2011-03-23 14:21 ` Dominick Grift
2011-03-23 15:21 ` Christopher J. PeBenito
0 siblings, 2 replies; 5+ messages in thread
From: Russell Coker @ 2011-03-23 13:53 UTC (permalink / raw)
To: refpolicy
On Thu, 24 Mar 2011, "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
> On 03/18/11 07:03, Dominick Grift wrote:
> > http://lists.fedoraproject.org/pipermail/selinux/2011-March/013583.html
>
> I don't agree with nginx running in httpd_t. Its more than a web server
> (reverse proxy server and mail proxy server too). If someone uses these
> other features and they require more rules, we don't want them added to
> httpd_t.
http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
Apache also supports running as a forward or reverse HTTP proxy server and as
a FTP proxy server.
It seems to me that the only case where a different policy for Nginx and
Apache is a benefit is if Nginx and Apache are running on the same system but
doing different tasks - EG Nginx as a mail proxy and Apache as a HTTP server.
This is probably a sufficient reason for having a different domain.
Now if we have different domains for multiple web servers will we have
different type for content files that they server?
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain.
2011-03-23 13:53 ` Russell Coker
@ 2011-03-23 14:21 ` Dominick Grift
2011-03-23 15:21 ` Christopher J. PeBenito
1 sibling, 0 replies; 5+ messages in thread
From: Dominick Grift @ 2011-03-23 14:21 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/23/2011 02:53 PM, Russell Coker wrote:
> On Thu, 24 Mar 2011, "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
>> On 03/18/11 07:03, Dominick Grift wrote:
>>> http://lists.fedoraproject.org/pipermail/selinux/2011-March/013583.html
>>
>> I don't agree with nginx running in httpd_t. Its more than a web server
>> (reverse proxy server and mail proxy server too). If someone uses these
>> other features and they require more rules, we don't want them added to
>> httpd_t.
>
> http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
>
> Apache also supports running as a forward or reverse HTTP proxy server and as
> a FTP proxy server.
>
> It seems to me that the only case where a different policy for Nginx and
> Apache is a benefit is if Nginx and Apache are running on the same system but
> doing different tasks - EG Nginx as a mail proxy and Apache as a HTTP server.
> This is probably a sufficient reason for having a different domain.
The same would apply for lighttpd vs apache. Yes they also both run in
the httpd_t domain.
>
> Now if we have different domains for multiple web servers will we have
> different type for content files that they server?
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk2KAc0ACgkQMlxVo39jgT+ZUwCcCoypllwmxQOLv+GYxjFR5nJD
GbkAn1AtxblzqtNNTp9q5jDnOlWZthcJ
=/1Cq
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain.
2011-03-23 13:53 ` Russell Coker
2011-03-23 14:21 ` Dominick Grift
@ 2011-03-23 15:21 ` Christopher J. PeBenito
1 sibling, 0 replies; 5+ messages in thread
From: Christopher J. PeBenito @ 2011-03-23 15:21 UTC (permalink / raw)
To: refpolicy
On 03/23/11 09:53, Russell Coker wrote:
> On Thu, 24 Mar 2011, "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
>> On 03/18/11 07:03, Dominick Grift wrote:
>>> http://lists.fedoraproject.org/pipermail/selinux/2011-March/013583.html
>>
>> I don't agree with nginx running in httpd_t. Its more than a web server
>> (reverse proxy server and mail proxy server too). If someone uses these
>> other features and they require more rules, we don't want them added to
>> httpd_t.
>
> http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
>
> Apache also supports running as a forward or reverse HTTP proxy server and as
> a FTP proxy server.
I forgot about that.
> It seems to me that the only case where a different policy for Nginx and
> Apache is a benefit is if Nginx and Apache are running on the same system but
> doing different tasks - EG Nginx as a mail proxy and Apache as a HTTP server.
> This is probably a sufficient reason for having a different domain.
I think that its an uncommon case. If its necessary, a simple copy with
some find/replace can fix most of it (save some .fc mangling). The
future CIL-based policy copying will make it even easier.
> Now if we have different domains for multiple web servers will we have
> different type for content files that they server?
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2011-03-23 15:21 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-03-18 11:03 [refpolicy] [ apache patch 1/1] Run nginx in the httpd_t domain Dominick Grift
2011-03-23 13:05 ` Christopher J. PeBenito
2011-03-23 13:53 ` Russell Coker
2011-03-23 14:21 ` Dominick Grift
2011-03-23 15:21 ` Christopher J. PeBenito
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.