blueness 11/07/25 23:06:58 |
|
Added: fix-services-nginx-r1.patch |
fix-services-nginx-r2.patch |
Log: |
Initial commit to tree |
|
(Portage version: 2.1.10.3/cvs/Linux x86_64) |
|
Revision Changes Path |
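--- a/sec-policy/selinux-nginx/files/fix-services-nginx-r1.patch
+++ b/sec-policy/selinux-nginx/files/fix-services-nginx-r1.patch
@@ -0,0 +1,282 @@
+--- services/nginx.te 1970-01-01 01:00:00.000000000 +0100
++++ services/nginx.te 2011-07-17 20:07:44.094000909 +0200
+@@ -0,0 +1,214 @@
++###############################################################################
++# SELinux module for the NGINX Web Server
++#
++# Project Contact Information:
++# Stuart Cianos
++# Email: scianos@×××××××××.com
++#
++###############################################################################
++# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
++#
++#
++# Stuart Cianos licenses this file to You under the GNU General Public License,
++# Version 3.0 (the "License"); you may not use this file except in compliance
++# with the License. You may obtain a copy of the License at
++#
++# http://www.gnu.org/licenses/gpl.txt
++#
++# or in the COPYING file included in the original archive.
++#
++# Disclaimer of Warranty.
++#
++# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
++# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
++# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
++# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
++# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
++# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
++# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
++#
++# Limitation of Liability.
++#
++# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
++# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
++# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
++# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
++# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
++# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
++# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
++# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
++# SUCH DAMAGES.
++###############################################################################
++policy_module(nginx,1.0.10)
++
++########################################
++#
++# Declarations
++#
++
++## <desc>
++## <p>
++## Allow nginx to serve HTTP content (act as an http server)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_enable_http_server, false)
++
++## <desc>
++## <p>
++## Allow nginx to act as an imap proxy server)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_enable_imap_server, false)
++
++## <desc>
++## <p>
++## Allow nginx to act as a pop3 server)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_enable_pop3_server, false)
++
++## <desc>
++## <p>
++## Allow nginx to act as an smtp server)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_enable_smtp_server, false)
++
++## <desc>
++## <p>
++## Allow nginx to connect to remote HTTP servers
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_can_network_connect_http, false)
++
++## <desc>
++## <p>
++## Allow nginx to connect to remote servers (regardless of protocol)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_can_network_connect, false)
++
++type nginx_t;
++type nginx_exec_t;
++init_daemon_domain(nginx_t, nginx_exec_t)
++
++type nginx_initrc_exec_t;
++init_script_file(nginx_initrc_exec_t)
++
++# conf files
++type nginx_conf_t;
++files_type(nginx_conf_t)
++
++# var/lib files
++type nginx_var_lib_t;
++files_type(nginx_var_lib_t)
++
++# log files
++type nginx_log_t;
++logging_log_file(nginx_log_t)
++
++# pid files
++type nginx_var_run_t;
++files_pid_file(nginx_var_run_t)
++
++# tmp files
++type nginx_tmp_t;
++files_tmp_file(nginx_tmp_t)
++
++########################################
++#
++# nginx local policy
++#
++
++## Self rules
++allow nginx_t self:fifo_file { read write };
++allow nginx_t self:unix_stream_socket create_stream_socket_perms;
++allow nginx_t self:tcp_socket { listen accept };
++allow nginx_t self:capability { setuid net_bind_service setgid chown };
++
++## Policy-owned type management rules
++# log files
++manage_files_pattern(nginx_t, nginx_log_t, nginx_log_t)
++#manage_sock_files_pattern(nginx_t, nginx_log_t, nginx_log_t)
++logging_log_filetrans(nginx_t, nginx_log_t, { file dir })
++#logging_log_filetrans(nginx_t, nginx_log_t, { sock_file })
++
++# pid file
++#allow nginx_t nginx_var_run_t:sock_file manage_file_perms;
++manage_dirs_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
++manage_files_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
++files_pid_filetrans(nginx_t, nginx_var_run_t, file)
++#files_pid_filetrans(nginx_t, nginx_var_run_t, { file sock_file })
++
++# conf files
++read_files_pattern(nginx_t, nginx_conf_t, nginx_conf_t)
++
++# tmp files
++manage_files_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
++manage_dirs_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
++files_tmp_filetrans(nginx_t, nginx_tmp_t, dir)
++
++# various
++allow nginx_t nginx_var_lib_t:file create_file_perms;
++allow nginx_t nginx_var_lib_t:sock_file create_file_perms;
++allow nginx_t nginx_var_lib_t:dir create_dir_perms;
++files_var_lib_filetrans(nginx_t,nginx_var_lib_t, { file dir sock_file })
++
++## Kernel layer modules
++kernel_read_kernel_sysctls(nginx_t)
++corenet_tcp_bind_generic_node(nginx_t)
++corenet_tcp_sendrecv_generic_if(nginx_t)
++corenet_tcp_sendrecv_generic_node(nginx_t)
++#corenet_tcp_sendrecv_all_ports(nginx_t)
++#corenet_non_ipsec_sendrecv(nginx_t)
++domain_use_interactive_fds(nginx_t)
++files_read_etc_files(nginx_t)
++
++## Perhaps as a policy tunable?
++#corenet_tcp_bind_all_ports(nginx_t)
++#corenet_tcp_bind_all_nodes(nginx_t)
++
++## System layer modules
++miscfiles_read_localization(nginx_t)
++sysnet_dns_name_resolve(nginx_t)
++
++## Other modules
++
++#init_use_fds(nginx_t)
++#init_use_script_ptys(nginx_t)
++#libs_use_ld_so(nginx_t)
++#libs_use_shared_libs(nginx_t)
++
++#allow nginx_t fs_t:filesystem associate;
++#allow nginx_t home_root_t:dir search;
++#allow nginx_t user_home_dir_t:dir search;
++
++tunable_policy(`gentoo_nginx_enable_http_server',`
++ corenet_tcp_bind_http_port(nginx_t)
++ apache_read_sys_content(nginx_t)
++')
++
++# We enable both binding and connecting, since nginx acts here as a reverse proxy
++tunable_policy(`gentoo_nginx_enable_imap_server',`
++ corenet_tcp_bind_pop_port(nginx_t)
++ corenet_tcp_connect_pop_port(nginx_t)
++')
++
++tunable_policy(`gentoo_nginx_enable_pop3_server',`
++ corenet_tcp_bind_pop_port(nginx_t)
++ corenet_tcp_connect_pop_port(nginx_t)
++')
++
++tunable_policy(`gentoo_nginx_enable_smtp_server',`
++ corenet_tcp_bind_smtp_port(nginx_t)
++ corenet_tcp_connect_smtp_port(nginx_t)
++')
++
++tunable_policy(`gentoo_nginx_can_network_connect_http',`
++ corenet_tcp_connect_http_port(nginx_t)
++')
++
++tunable_policy(`gentoo_nginx_can_network_connect',`
++ corenet_tcp_connect_all_ports(nginx_t)
++')
+--- services/nginx.fc 1970-01-01 01:00:00.000000000 +0100
++++ services/nginx.fc 2011-06-13 22:16:54.428001426 +0200
+@@ -0,0 +1,62 @@
++###############################################################################
++# SELinux module for the NGINX Web Server
++#
++# Project Contact Information:
++# Stuart Cianos
++# Email: scianos@×××××××××.com
++#
++###############################################################################
++# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
++#
++#
++# Stuart Cianos licenses this file to You under the GNU General Public License,
++# Version 3.0 (the "License"); you may not use this file except in compliance
++# with the License. You may obtain a copy of the License at
++#
++# http://www.gnu.org/licenses/gpl.txt
++#
++# or in the COPYING file included in the original archive.
++#
++# Disclaimer of Warranty.
++#
++# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
++# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
++# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
++# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
++# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
++# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
++# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
++#
++# Limitation of Liability.
++#
++# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
++# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
++# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
++# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
++# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
++# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
++# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
++# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
++# SUCH DAMAGES.
++###############################################################################
++# nginx executable will have:
++# label: system_u:object_r:nginx_exec_t
++# MLS sensitivity: s0
++# MCS categories: <none>
++
++/usr/sbin/nginx -- gen_context(system_u:object_r:nginx_exec_t,s0)
++/etc/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0)
++/etc/ssl/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0)
++/etc/rc\.d/init\.d/nginx -- gen_context(system_u:object_r:nginx_initrc_exec_t,s0)
++/var/tmp/nginx(/.*)? gen_context(system_u:object_r:nginx_tmp_t,s0)
++
++
++#/usr/local/nginx/sbin/nginx -- gen_context(system_u:object_r:nginx_exec_t,s0)
++#/usr/local/nginx/logs/nginx.pid gen_context(system_u:object_r:nginx_var_run_t,s0)
++#/usr/local/nginx/logs(/.*)? gen_context(system_u:object_r:nginx_var_log_t,s0)
++#/usr/local/nginx/proxy_temp(/.*)? gen_context(system_u:object_r:nginx_var_lib_t,s0)
++#/usr/local/nginx/fastcgi_temp(/.*)? gen_context(system_u:object_r:nginx_var_lib_t,s0)
++#/usr/local/nginx/client_body_temp(/.*)? gen_context(system_u:object_r:nginx_var_lib_t,s0)
++#/usr/local/nginx/html(/.*)? gen_context(user_u:object_r:httpd_sys_content_t,s0)
++#/usr/local/nginx/conf(/.*)? gen_context(system_u:object_r:etc_t,s0)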
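Review bot: nginx.fc in this patch (and the same file in fix-services-nginx-r2.patch below) carries no file context for nginx_var_run_t or nginx_var_lib_t, although nginx.te only lets nginx_t manage those two types: files_pid_filetrans and files_var_lib_filetrans label the pid file and temp directories correctly when nginx creates them, but a later restorecon or full relabel resets them to the parent directory's default type and nginx_t loses access to its own state. The fix is one fc line per path, e.g. `/var/run/nginx\.pid -- gen_context(system_u:object_r:nginx_var_run_t,s0)` (constructed example; confirm the pid and temp paths the Gentoo build actually uses before adding them). The imap tunable binding pop_port_t is correct but surprising, since refpolicy has no separate IMAP port type and folds 143/993 into pop_port_t; a comment such as `# refpolicy labels the IMAP ports (143, 993) as pop_port_t, so imap and pop3 share these rules` above the imap tunable_policy block would save the next reader a lookup. The tunable `<desc>` texts also end in a stray closing parenthesis (`act as an imap proxy server)`), which is what administrators see in the booleans listing.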
303 |
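--- a/sec-policy/selinux-nginx/files/fix-services-nginx-r2.patch
+++ b/sec-policy/selinux-nginx/files/fix-services-nginx-r2.patch
@@ -0,0 +1,263 @@
+--- services/nginx.te 1970-01-01 01:00:00.000000000 +0100
++++ services/nginx.te 2011-07-21 14:12:37.817000675 +0200
+@@ -0,0 +1,194 @@
++###############################################################################
++# SELinux module for the NGINX Web Server
++#
++# Project Contact Information:
++# Stuart Cianos
++# Email: scianos@×××××××××.com
++#
++###############################################################################
++# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
++#
++#
++# Stuart Cianos licenses this file to You under the GNU General Public License,
++# Version 3.0 (the "License"); you may not use this file except in compliance
++# with the License. You may obtain a copy of the License at
++#
++# http://www.gnu.org/licenses/gpl.txt
++#
++# or in the COPYING file included in the original archive.
++#
++# Disclaimer of Warranty.
++#
++# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
++# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
++# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
++# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
++# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
++# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
++# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
++#
++# Limitation of Liability.
++#
++# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
++# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
++# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
++# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
++# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
++# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
++# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
++# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
++# SUCH DAMAGES.
++###############################################################################
++policy_module(nginx,1.0.10)
++
++########################################
++#
++# Declarations
++#
++
++## <desc>
++## <p>
++## Allow nginx to serve HTTP content (act as an http server)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_enable_http_server, false)
++
++## <desc>
++## <p>
++## Allow nginx to act as an imap proxy server)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_enable_imap_server, false)
++
++## <desc>
++## <p>
++## Allow nginx to act as a pop3 server)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_enable_pop3_server, false)
++
++## <desc>
++## <p>
++## Allow nginx to act as an smtp server)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_enable_smtp_server, false)
++
++## <desc>
++## <p>
++## Allow nginx to connect to remote HTTP servers
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_can_network_connect_http, false)
++
++## <desc>
++## <p>
++## Allow nginx to connect to remote servers (regardless of protocol)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_can_network_connect, false)
++
++type nginx_t;
++type nginx_exec_t;
++init_daemon_domain(nginx_t, nginx_exec_t)
++
++# conf files
++type nginx_conf_t;
++files_type(nginx_conf_t)
++
++# log files
++type nginx_log_t;
++logging_log_file(nginx_log_t)
++
++# tmp files
++type nginx_tmp_t;
++files_tmp_file(nginx_tmp_t)
++
++# var/lib files
++type nginx_var_lib_t;
++files_type(nginx_var_lib_t)
++
++# pid files
++type nginx_var_run_t;
++files_pid_file(nginx_var_run_t)
++
++########################################
++#
++# nginx local policy
++#
++
++## Self rules
++allow nginx_t self:fifo_file { read write };
++allow nginx_t self:unix_stream_socket create_stream_socket_perms;
++allow nginx_t self:tcp_socket { listen accept };
++allow nginx_t self:capability { setuid net_bind_service setgid chown };
++
++## Policy-owned type management rules
++
++# conf files
++read_files_pattern(nginx_t, nginx_conf_t, nginx_conf_t)
++
++# log files
++manage_files_pattern(nginx_t, nginx_log_t, nginx_log_t)
++logging_log_filetrans(nginx_t, nginx_log_t, { file dir })
++
++
++# pid file
++manage_dirs_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
++manage_files_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
++files_pid_filetrans(nginx_t, nginx_var_run_t, file)
++
++# tmp files
++manage_files_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
++manage_dirs_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
++files_tmp_filetrans(nginx_t, nginx_tmp_t, dir)
++
++# var/lib files
++create_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t)
++create_sock_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t)
++files_var_lib_filetrans(nginx_t,nginx_var_lib_t, { file dir sock_file })
++
++## Kernel layer modules
++#
++kernel_read_kernel_sysctls(nginx_t)
++corenet_tcp_bind_generic_node(nginx_t)
++corenet_tcp_sendrecv_generic_if(nginx_t)
++corenet_tcp_sendrecv_generic_node(nginx_t)
++domain_use_interactive_fds(nginx_t)
++files_read_etc_files(nginx_t)
++
++## System layer modules
++miscfiles_read_localization(nginx_t)
++sysnet_dns_name_resolve(nginx_t)
++
++## Other modules
++
++tunable_policy(`gentoo_nginx_enable_http_server',`
++ corenet_tcp_bind_http_port(nginx_t)
++ apache_read_sys_content(nginx_t)
++')
++
++# We enable both binding and connecting, since nginx acts here as a reverse proxy
++tunable_policy(`gentoo_nginx_enable_imap_server',`
++ corenet_tcp_bind_pop_port(nginx_t)
++ corenet_tcp_connect_pop_port(nginx_t)
++')
++
++tunable_policy(`gentoo_nginx_enable_pop3_server',`
++ corenet_tcp_bind_pop_port(nginx_t)
++ corenet_tcp_connect_pop_port(nginx_t)
++')
++
++tunable_policy(`gentoo_nginx_enable_smtp_server',`
++ corenet_tcp_bind_smtp_port(nginx_t)
++ corenet_tcp_connect_smtp_port(nginx_t)
++')
++
++tunable_policy(`gentoo_nginx_can_network_connect_http',`
++ corenet_tcp_connect_http_port(nginx_t)
++')
++
++tunable_policy(`gentoo_nginx_can_network_connect',`
++ corenet_tcp_connect_all_ports(nginx_t)
++')
+--- services/nginx.fc 1970-01-01 01:00:00.000000000 +0100
++++ services/nginx.fc 2011-07-21 14:21:43.956000690 +0200
+@@ -0,0 +1,63 @@
++###############################################################################
++# SELinux module for the NGINX Web Server
++#
++# Project Contact Information:
++# Stuart Cianos
++# Email: scianos@×××××××××.com
++#
++###############################################################################
++# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
++#
++#
++# Stuart Cianos licenses this file to You under the GNU General Public License,
++# Version 3.0 (the "License"); you may not use this file except in compliance
++# with the License. You may obtain a copy of the License at
++#
++# http://www.gnu.org/licenses/gpl.txt
++#
++# or in the COPYING file included in the original archive.
++#
++# Disclaimer of Warranty.
++#
++# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
++# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
++# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
++# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
++# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
++# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
++# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
++#
++# Limitation of Liability.
++#
++# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
++# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
++# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
++# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
++# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
++# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
++# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
++# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
++# SUCH DAMAGES.
++###############################################################################
++# nginx executable will have:
++# label: system_u:object_r:nginx_exec_t
++# MLS sensitivity: s0
++# MCS categories: <none>
++
++#
++# /etc
++#
++/etc/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0)
++/etc/ssl/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0)
++
++#
++# /usr
++#
++/usr/sbin/nginx -- gen_context(system_u:object_r:nginx_exec_t,s0)
++
++#
++# /var
++#
++/var/log/nginx(/.*)? gen_context(system_u:object_r:nginx_log_t,s0)
++/var/tmp/nginx(/.*)? gen_context(system_u:object_r:nginx_tmp_t,s0)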
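Review bot: `allow nginx_t self:tcp_socket { listen accept };` in the nginx.te hunk is only half of what a listening socket needs; the corenet_tcp_bind_* and corenet_tcp_connect_* interfaces add node and port permissions, not socket-class permissions on self, so create/bind/connect/setopt/read/write have to come from elsewhere — in refpolicy that is, as far as I recall, the `self:tcp_socket create_socket_perms` granted inside sysnet_dns_name_resolve, which is called further down the file. That leaves the daemon's core network access hanging off a DNS helper that someone could reasonably drop later; either make it explicit, `allow nginx_t self:tcp_socket create_stream_socket_perms;`, or document the dependency with `# create/bind/connect on tcp_socket come from sysnet_dns_name_resolve below` next to the listen/accept rule. The same rule appears in fix-services-nginx-r1.patch above. On the nginx.fc side, `/var/log/nginx(/.*)?` is the only new path; the pid file and var/lib paths that nginx.te manages under dedicated types are still unlabelled here.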