From 6b90780fdd5640ea11e7c5c6aee476b691d9f169 Mon Sep 17 00:00:00 2001
From: bauen1
Date: Tue, 5 May 2020 09:48:54 +0200
Subject: [PATCH] apache: add nginx to policy

This is better than the current status quo of running nginx under initrc_t, a lot of other webservers are already under the apache policy (e.g. lighttpd) and this requires no additional permissions. See also the discussion from March 2013 on the selinux-refpolicy mailing list: https://lore.kernel.org/selinux-refpolicy/20110318110259.GA25236@localhost.localdomain/
Signed-off-by: bauen1
---
 policy/modules/services/apache.fc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 2e359f648..edaa34cd9 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -7,6 +7,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:obje
 /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /etc/hiawatha(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
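Review bot: The new `/etc/nginx(/.*)?` entry is inserted between `/etc/drupal.*` and `/etc/glpi(/.*)?`, which breaks the alphabetical ordering this block otherwise keeps (apache-ssl, cherokee, drupal, glpi, hiawatha, horde); move it to its sorted position later in the block, the way the other hunks of this patch correctly place nginx after lighttpd. Ordering has no effect on which context wins, so this is a style point only. The label itself is consistent with the neighbouring httpd_config_t entries for apache-ssl, cherokee and hiawatha.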
@@ -78,6 +79,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:obje
 /usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
 /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
 /usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -97,6 +99,9 @@ ifdef(`distro_suse',`
 /usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/nginx/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/nginx/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/share/nginx/modules-available(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
 /usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/postfixadmin/templates_c(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
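Review bot: `/usr/share/nginx/modules-available(/.*)?` is labelled httpd_modules_t, the type meant for loadable module objects, yet on the Debian-style packaging this layout resembles that directory holds only `load_module` configuration snippets, and the shared objects themselves live under `/usr/lib/nginx/modules` with `/usr/share/nginx/modules` usually a symlink to it; file-context matching does not follow symlinks, so the real `.so` files would keep their default lib label. If that layout is the one targeted, the snippets fit httpd_config_t better and an entry `/usr/lib/nginx/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)` would cover the actual modules; please confirm against the packages before merging, since I am inferring the layout rather than reading it from the hunk. The second hunk on this line (`/usr/sbin/nginx -- httpd_exec_t`) matches the existing lighttpd entry and needs no change.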
@@ -135,6 +140,7 @@ ifdef(`distro_suse',`
 /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
 /var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -159,6 +165,7 @@ ifdef(`distro_suse',`
 /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
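Review bot: `/var/lib/nginx(/.*)?` as httpd_var_lib_t covers the distributions that keep nginx's proxy, fastcgi and client-body temp directories under /var/lib, but the patch adds nothing for `/var/cache/nginx`, which is where other packagings put those same directories; on such a system they would keep the generic /var/cache label and the daemon's writes there would be denied once it runs as httpd_t rather than initrc_t. If this policy already labels `/var/cache/httpd(/.*)?` with an httpd cache type, a parallel `/var/cache/nginx(/.*)?` entry with that same type would close the gap; that is an inference about packaging, so it should be checked rather than taken as read. The log hunk on this line (`/var/log/nginx(/.*)? httpd_log_t`) mirrors the lighttpd entry and is fine.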