apache: add nginx to policy

This is better than the current status quo of running nginx under
initrc_t. A lot of other webservers are already under the apache policy
(e.g. lighttpd), and this requires no additional permissions.

See also the discussion from March 2013 on the selinux-refpolicy mailing
list: https://lore.kernel.org/selinux-refpolicy/20110318110259.GA25236@localhost.localdomain/

Signed-off-by: bauen1 <j2468h@gmail.com>
bauen1 2020-05-05 09:48:54 +02:00
parent a7a327a921
commit 6b90780fdd
GPG Key ID: FF0AAF5E0812BA9C
1 changed files with 7 additions and 0 deletions

@ -7,6 +7,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:obje
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/hiawatha(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
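
Review bot: the new `/etc/nginx(/.*)?` line breaks the alphabetical order of this block: it sits between `/etc/drupal.*` and `/etc/glpi(/.*)?`, while the neighbouring entries run cherokee, drupal, glpi, hiawatha, horde. Move it down to where the `/etc/n*` entries belong so later additions and merges stay predictable. The httpd_config_t label itself matches the other web server configuration directories shown here.
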
@ -78,6 +79,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:obje
/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
/usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
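
Review bot: `/usr/sbin/nginx` is the only nginx path labelled httpd_exec_t here, and the commit message's statement that this "requires no additional permissions" comes with no test detail. Please say in the message which distribution and nginx package this was exercised on in enforcing mode, and whether the binary can be installed under another path there, since a copy outside `/usr/sbin` would not match this file context.
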
@ -97,6 +99,9 @@ ifdef(`distro_suse',`
/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/nginx/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/nginx/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/share/nginx/modules-available(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/postfixadmin/templates_c(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
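
Review bot: the two entries `/usr/share/nginx/modules(/.*)?` and `/usr/share/nginx/modules-available(/.*)?` carry the same httpd_modules_t label and can be a single pattern, `/usr/share/nginx/modules(-available)?(/.*)?`, in the style of `/etc/apache-ssl(2)?(/.*)?` earlier in this file. It is also worth confirming that modules-available holds loadable objects rather than configuration snippets; if it is the latter, httpd_config_t may be the closer fit.
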
@ -135,6 +140,7 @@ ifdef(`distro_suse',`
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
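
Review bot: next to `/var/lib/nginx(/.*)?`, the patch has no entry for nginx runtime files; the seven added lines cover configuration, the binary, content, modules, state and logs only. If nginx writes a PID file or a cache directory outside the paths already matched in this file, those need file contexts too, otherwise the "no additional permissions" claim may not hold in enforcing mode. Either add them or note in the commit message why they are not needed.
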
@ -159,6 +165,7 @@ ifdef(`distro_suse',`
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)