
From: "Anthony G. Basile (blueness)" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in sec-policy/selinux-nginx/files: fix-services-nginx-r1.patch fix-services-nginx-r2.patch
Date: Mon, 25 Jul 2011 23:07:18
Message-Id: 20110725230658.4CA752004B@flycatcher.gentoo.org
1 blueness 11/07/25 23:06:58
2
3 Added: fix-services-nginx-r1.patch
4 fix-services-nginx-r2.patch
5 Log:
6 Initial commit to tree
7
8 (Portage version: 2.1.10.3/cvs/Linux x86_64)
9
10 Revision Changes Path
11 1.1 sec-policy/selinux-nginx/files/fix-services-nginx-r1.patch
12
13 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-nginx/files/fix-services-nginx-r1.patch?rev=1.1&view=markup
14 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-nginx/files/fix-services-nginx-r1.patch?rev=1.1&content-type=text/plain
15
16 Index: fix-services-nginx-r1.patch
17 ===================================================================
18 --- services/nginx.te 1970-01-01 01:00:00.000000000 +0100
19 +++ services/nginx.te 2011-07-17 20:07:44.094000909 +0200
20 @@ -0,0 +1,214 @@
21 +###############################################################################
22 +# SELinux module for the NGINX Web Server
23 +#
24 +# Project Contact Information:
25 +# Stuart Cianos
26 +# Email: scianos@×××××××××.com
27 +#
28 +###############################################################################
29 +# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
30 +#
31 +#
32 +# Stuart Cianos licenses this file to You under the GNU General Public License,
33 +# Version 3.0 (the "License"); you may not use this file except in compliance
34 +# with the License. You may obtain a copy of the License at
35 +#
36 +# http://www.gnu.org/licenses/gpl.txt
37 +#
38 +# or in the COPYING file included in the original archive.
39 +#
40 +# Disclaimer of Warranty.
41 +#
42 +# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
43 +# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
44 +# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
45 +# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
46 +# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47 +# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
48 +# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
49 +# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
50 +#
51 +# Limitation of Liability.
52 +#
53 +# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
54 +# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
55 +# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
56 +# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
57 +# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
58 +# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
59 +# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
60 +# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
61 +# SUCH DAMAGES.
62 +###############################################################################
63 +policy_module(nginx,1.0.10)
64 +
65 +########################################
66 +#
67 +# Declarations
68 +#
69 +
70 +## <desc>
71 +## <p>
72 +## Allow nginx to serve HTTP content (act as an http server)
73 +## </p>
74 +## </desc>
75 +gen_tunable(gentoo_nginx_enable_http_server, false)
76 +
77 +## <desc>
78 +## <p>
79 +## Allow nginx to act as an imap proxy server)
80 +## </p>
81 +## </desc>
82 +gen_tunable(gentoo_nginx_enable_imap_server, false)
83 +
84 +## <desc>
85 +## <p>
86 +## Allow nginx to act as a pop3 server)
87 +## </p>
88 +## </desc>
89 +gen_tunable(gentoo_nginx_enable_pop3_server, false)
90 +
91 +## <desc>
92 +## <p>
93 +## Allow nginx to act as an smtp server)
94 +## </p>
95 +## </desc>
96 +gen_tunable(gentoo_nginx_enable_smtp_server, false)
97 +
98 +## <desc>
99 +## <p>
100 +## Allow nginx to connect to remote HTTP servers
101 +## </p>
102 +## </desc>
103 +gen_tunable(gentoo_nginx_can_network_connect_http, false)
104 +
105 +## <desc>
106 +## <p>
107 +## Allow nginx to connect to remote servers (regardless of protocol)
108 +## </p>
109 +## </desc>
110 +gen_tunable(gentoo_nginx_can_network_connect, false)
111 +
112 +type nginx_t;
113 +type nginx_exec_t;
114 +init_daemon_domain(nginx_t, nginx_exec_t)
115 +
116 +type nginx_initrc_exec_t;
117 +init_script_file(nginx_initrc_exec_t)
118 +
119 +# conf files
120 +type nginx_conf_t;
121 +files_type(nginx_conf_t)
122 +
123 +# var/lib files
124 +type nginx_var_lib_t;
125 +files_type(nginx_var_lib_t)
126 +
127 +# log files
128 +type nginx_log_t;
129 +logging_log_file(nginx_log_t)
130 +
131 +# pid files
132 +type nginx_var_run_t;
133 +files_pid_file(nginx_var_run_t)
134 +
135 +# tmp files
136 +type nginx_tmp_t;
137 +files_tmp_file(nginx_tmp_t)
138 +
139 +########################################
140 +#
141 +# nginx local policy
142 +#
143 +
144 +## Self rules
145 +allow nginx_t self:fifo_file { read write };
146 +allow nginx_t self:unix_stream_socket create_stream_socket_perms;
147 +allow nginx_t self:tcp_socket { listen accept };
148 +allow nginx_t self:capability { setuid net_bind_service setgid chown };
149 +
150 +## Policy-owned type management rules
151 +# log files
152 +manage_files_pattern(nginx_t, nginx_log_t, nginx_log_t)
153 +#manage_sock_files_pattern(nginx_t, nginx_log_t, nginx_log_t)
154 +logging_log_filetrans(nginx_t, nginx_log_t, { file dir })
155 +#logging_log_filetrans(nginx_t, nginx_log_t, { sock_file })
156 +
157 +# pid file
158 +#allow nginx_t nginx_var_run_t:sock_file manage_file_perms;
159 +manage_dirs_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
160 +manage_files_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
161 +files_pid_filetrans(nginx_t, nginx_var_run_t, file)
162 +#files_pid_filetrans(nginx_t, nginx_var_run_t, { file sock_file })
163 +
164 +# conf files
165 +read_files_pattern(nginx_t, nginx_conf_t, nginx_conf_t)
166 +
167 +# tmp files
168 +manage_files_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
169 +manage_dirs_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
170 +files_tmp_filetrans(nginx_t, nginx_tmp_t, dir)
171 +
172 +# various
173 +allow nginx_t nginx_var_lib_t:file create_file_perms;
174 +allow nginx_t nginx_var_lib_t:sock_file create_file_perms;
175 +allow nginx_t nginx_var_lib_t:dir create_dir_perms;
176 +files_var_lib_filetrans(nginx_t,nginx_var_lib_t, { file dir sock_file })
177 +
178 +## Kernel layer modules
179 +kernel_read_kernel_sysctls(nginx_t)
180 +corenet_tcp_bind_generic_node(nginx_t)
181 +corenet_tcp_sendrecv_generic_if(nginx_t)
182 +corenet_tcp_sendrecv_generic_node(nginx_t)
183 +#corenet_tcp_sendrecv_all_ports(nginx_t)
184 +#corenet_non_ipsec_sendrecv(nginx_t)
185 +domain_use_interactive_fds(nginx_t)
186 +files_read_etc_files(nginx_t)
187 +
188 +## Perhaps as a policy tunable?
189 +#corenet_tcp_bind_all_ports(nginx_t)
190 +#corenet_tcp_bind_all_nodes(nginx_t)
191 +
192 +## System layer modules
193 +miscfiles_read_localization(nginx_t)
194 +sysnet_dns_name_resolve(nginx_t)
195 +
196 +## Other modules
197 +
198 +#init_use_fds(nginx_t)
199 +#init_use_script_ptys(nginx_t)
200 +#libs_use_ld_so(nginx_t)
201 +#libs_use_shared_libs(nginx_t)
202 +
203 +#allow nginx_t fs_t:filesystem associate;
204 +#allow nginx_t home_root_t:dir search;
205 +#allow nginx_t user_home_dir_t:dir search;
206 +
207 +tunable_policy(`gentoo_nginx_enable_http_server',`
208 + corenet_tcp_bind_http_port(nginx_t)
209 + apache_read_sys_content(nginx_t)
210 +')
211 +
212 +# We enable both binding and connecting, since nginx acts here as a reverse proxy
213 +tunable_policy(`gentoo_nginx_enable_imap_server',`
214 + corenet_tcp_bind_pop_port(nginx_t)
215 + corenet_tcp_connect_pop_port(nginx_t)
216 +')
217 +
218 +tunable_policy(`gentoo_nginx_enable_pop3_server',`
219 + corenet_tcp_bind_pop_port(nginx_t)
220 + corenet_tcp_connect_pop_port(nginx_t)
221 +')
222 +
223 +tunable_policy(`gentoo_nginx_enable_smtp_server',`
224 + corenet_tcp_bind_smtp_port(nginx_t)
225 + corenet_tcp_connect_smtp_port(nginx_t)
226 +')
227 +
228 +tunable_policy(`gentoo_nginx_can_network_connect_http',`
229 + corenet_tcp_connect_http_port(nginx_t)
230 +')
231 +
232 +tunable_policy(`gentoo_nginx_can_network_connect',`
233 + corenet_tcp_connect_all_ports(nginx_t)
234 +')
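Review bot: The self rules give nginx_t only `allow nginx_t self:tcp_socket { listen accept };`, with no `create`, `bind` or `setopt` on its own TCP sockets, so the listener presumably only works because `sysnet_dns_name_resolve(nginx_t)` further down happens, as far as I recall, to grant `create_socket_perms` on self:tcp_socket as a side effect. Spelling the requirement out keeps the module correct if that interface is ever dropped or narrowed: `allow nginx_t self:tcp_socket create_stream_socket_perms;`. The same rule appears unchanged in the r2 copy of nginx.te below. Separately, the `<desc>` texts for the imap, pop3 and smtp tunables each end with a stray `)` that ends up in the generated tunable documentation.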
235 --- services/nginx.fc 1970-01-01 01:00:00.000000000 +0100
236 +++ services/nginx.fc 2011-06-13 22:16:54.428001426 +0200
237 @@ -0,0 +1,62 @@
238 +###############################################################################
239 +# SELinux module for the NGINX Web Server
240 +#
241 +# Project Contact Information:
242 +# Stuart Cianos
243 +# Email: scianos@×××××××××.com
244 +#
245 +###############################################################################
246 +# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
247 +#
248 +#
249 +# Stuart Cianos licenses this file to You under the GNU General Public License,
250 +# Version 3.0 (the "License"); you may not use this file except in compliance
251 +# with the License. You may obtain a copy of the License at
252 +#
253 +# http://www.gnu.org/licenses/gpl.txt
254 +#
255 +# or in the COPYING file included in the original archive.
256 +#
257 +# Disclaimer of Warranty.
258 +#
259 +# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
260 +# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
261 +# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
262 +# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
263 +# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
264 +# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
265 +# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
266 +# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
267 +#
268 +# Limitation of Liability.
269 +#
270 +# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
271 +# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
272 +# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
273 +# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
274 +# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
275 +# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
276 +# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
277 +# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
278 +# SUCH DAMAGES.
279 +###############################################################################
280 +# nginx executable will have:
281 +# label: system_u:object_r:nginx_exec_t
282 +# MLS sensitivity: s0
283 +# MCS categories: <none>
284 +
285 +/usr/sbin/nginx -- gen_context(system_u:object_r:nginx_exec_t,s0)
286 +/etc/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0)
287 +/etc/ssl/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0)
288 +/etc/rc\.d/init\.d/nginx -- gen_context(system_u:object_r:nginx_initrc_exec_t,s0)
289 +/var/tmp/nginx(/.*)? gen_context(system_u:object_r:nginx_tmp_t,s0)
290 +
291 +
292 +#/usr/local/nginx/sbin/nginx -- gen_context(system_u:object_r:nginx_exec_t,s0)
293 +#/usr/local/nginx/logs/nginx.pid gen_context(system_u:object_r:nginx_var_run_t,s0)
294 +#/usr/local/nginx/logs(/.*)? gen_context(system_u:object_r:nginx_var_log_t,s0)
295 +#/usr/local/nginx/proxy_temp(/.*)? gen_context(system_u:object_r:nginx_var_lib_t,s0)
296 +#/usr/local/nginx/fastcgi_temp(/.*)? gen_context(system_u:object_r:nginx_var_lib_t,s0)
297 +#/usr/local/nginx/client_body_temp(/.*)? gen_context(system_u:object_r:nginx_var_lib_t,s0)
298 +#/usr/local/nginx/html(/.*)? gen_context(user_u:object_r:httpd_sys_content_t,s0)
299 +#/usr/local/nginx/conf(/.*)? gen_context(system_u:object_r:etc_t,s0)
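Review bot: `/etc/ssl/nginx(/.*)?` is labeled `nginx_conf_t`, a plain `files_type()` type, yet if that directory is used for nginx's TLS certificates and private keys the keys end up with the same generic label as the config. As far as I recall, refpolicy's non-security read interfaces (`files_read_non_security_files` and friends) cover every `file_type` that is not also a `security_file_type`, so any domain holding such a grant could read the keys, not only nginx_t. A dedicated type for the key material, declared in nginx.te with `files_security_file()` instead of `files_type()` and read only by nginx_t, keeps them out of those broad grants, e.g. (name is only a suggestion) `type nginx_key_t;` / `files_security_file(nginx_key_t)` / `/etc/ssl/nginx(/.*)? gen_context(system_u:object_r:nginx_key_t,s0)`. The r2 copy of nginx.fc below carries the same `/etc/ssl/nginx` entry. Separately, the commented-out `/usr/local/nginx/logs` line names `nginx_var_log_t`, a type the module never declares (the log type is `nginx_log_t`).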
303 1.1 sec-policy/selinux-nginx/files/fix-services-nginx-r2.patch
304
305 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-nginx/files/fix-services-nginx-r2.patch?rev=1.1&view=markup
306 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-nginx/files/fix-services-nginx-r2.patch?rev=1.1&content-type=text/plain
307
308 Index: fix-services-nginx-r2.patch
309 ===================================================================
310 --- services/nginx.te 1970-01-01 01:00:00.000000000 +0100
311 +++ services/nginx.te 2011-07-21 14:12:37.817000675 +0200
312 @@ -0,0 +1,194 @@
313 +###############################################################################
314 +# SELinux module for the NGINX Web Server
315 +#
316 +# Project Contact Information:
317 +# Stuart Cianos
318 +# Email: scianos@×××××××××.com
319 +#
320 +###############################################################################
321 +# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
322 +#
323 +#
324 +# Stuart Cianos licenses this file to You under the GNU General Public License,
325 +# Version 3.0 (the "License"); you may not use this file except in compliance
326 +# with the License. You may obtain a copy of the License at
327 +#
328 +# http://www.gnu.org/licenses/gpl.txt
329 +#
330 +# or in the COPYING file included in the original archive.
331 +#
332 +# Disclaimer of Warranty.
333 +#
334 +# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
335 +# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
336 +# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
337 +# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
338 +# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
339 +# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
340 +# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
341 +# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
342 +#
343 +# Limitation of Liability.
344 +#
345 +# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
346 +# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
347 +# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
348 +# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
349 +# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
350 +# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
351 +# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
352 +# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
353 +# SUCH DAMAGES.
354 +###############################################################################
355 +policy_module(nginx,1.0.10)
356 +
357 +########################################
358 +#
359 +# Declarations
360 +#
361 +
362 +## <desc>
363 +## <p>
364 +## Allow nginx to serve HTTP content (act as an http server)
365 +## </p>
366 +## </desc>
367 +gen_tunable(gentoo_nginx_enable_http_server, false)
368 +
369 +## <desc>
370 +## <p>
371 +## Allow nginx to act as an imap proxy server)
372 +## </p>
373 +## </desc>
374 +gen_tunable(gentoo_nginx_enable_imap_server, false)
375 +
376 +## <desc>
377 +## <p>
378 +## Allow nginx to act as a pop3 server)
379 +## </p>
380 +## </desc>
381 +gen_tunable(gentoo_nginx_enable_pop3_server, false)
382 +
383 +## <desc>
384 +## <p>
385 +## Allow nginx to act as an smtp server)
386 +## </p>
387 +## </desc>
388 +gen_tunable(gentoo_nginx_enable_smtp_server, false)
389 +
390 +## <desc>
391 +## <p>
392 +## Allow nginx to connect to remote HTTP servers
393 +## </p>
394 +## </desc>
395 +gen_tunable(gentoo_nginx_can_network_connect_http, false)
396 +
397 +## <desc>
398 +## <p>
399 +## Allow nginx to connect to remote servers (regardless of protocol)
400 +## </p>
401 +## </desc>
402 +gen_tunable(gentoo_nginx_can_network_connect, false)
403 +
404 +type nginx_t;
405 +type nginx_exec_t;
406 +init_daemon_domain(nginx_t, nginx_exec_t)
407 +
408 +# conf files
409 +type nginx_conf_t;
410 +files_type(nginx_conf_t)
411 +
412 +# log files
413 +type nginx_log_t;
414 +logging_log_file(nginx_log_t)
415 +
416 +# tmp files
417 +type nginx_tmp_t;
418 +files_tmp_file(nginx_tmp_t)
419 +
420 +# var/lib files
421 +type nginx_var_lib_t;
422 +files_type(nginx_var_lib_t)
423 +
424 +# pid files
425 +type nginx_var_run_t;
426 +files_pid_file(nginx_var_run_t)
427 +
428 +########################################
429 +#
430 +# nginx local policy
431 +#
432 +
433 +## Self rules
434 +allow nginx_t self:fifo_file { read write };
435 +allow nginx_t self:unix_stream_socket create_stream_socket_perms;
436 +allow nginx_t self:tcp_socket { listen accept };
437 +allow nginx_t self:capability { setuid net_bind_service setgid chown };
438 +
439 +## Policy-owned type management rules
440 +
441 +# conf files
442 +read_files_pattern(nginx_t, nginx_conf_t, nginx_conf_t)
443 +
444 +# log files
445 +manage_files_pattern(nginx_t, nginx_log_t, nginx_log_t)
446 +logging_log_filetrans(nginx_t, nginx_log_t, { file dir })
447 +
448 +
449 +# pid file
450 +manage_dirs_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
451 +manage_files_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
452 +files_pid_filetrans(nginx_t, nginx_var_run_t, file)
453 +
454 +# tmp files
455 +manage_files_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
456 +manage_dirs_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
457 +files_tmp_filetrans(nginx_t, nginx_tmp_t, dir)
458 +
459 +# var/lib files
460 +create_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t)
461 +create_sock_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t)
462 +files_var_lib_filetrans(nginx_t,nginx_var_lib_t, { file dir sock_file })
463 +
464 +## Kernel layer modules
465 +#
466 +kernel_read_kernel_sysctls(nginx_t)
467 +corenet_tcp_bind_generic_node(nginx_t)
468 +corenet_tcp_sendrecv_generic_if(nginx_t)
469 +corenet_tcp_sendrecv_generic_node(nginx_t)
470 +domain_use_interactive_fds(nginx_t)
471 +files_read_etc_files(nginx_t)
472 +
473 +## System layer modules
474 +miscfiles_read_localization(nginx_t)
475 +sysnet_dns_name_resolve(nginx_t)
476 +
477 +## Other modules
478 +
479 +tunable_policy(`gentoo_nginx_enable_http_server',`
480 + corenet_tcp_bind_http_port(nginx_t)
481 + apache_read_sys_content(nginx_t)
482 +')
483 +
484 +# We enable both binding and connecting, since nginx acts here as a reverse proxy
485 +tunable_policy(`gentoo_nginx_enable_imap_server',`
486 + corenet_tcp_bind_pop_port(nginx_t)
487 + corenet_tcp_connect_pop_port(nginx_t)
488 +')
489 +
490 +tunable_policy(`gentoo_nginx_enable_pop3_server',`
491 + corenet_tcp_bind_pop_port(nginx_t)
492 + corenet_tcp_connect_pop_port(nginx_t)
493 +')
494 +
495 +tunable_policy(`gentoo_nginx_enable_smtp_server',`
496 + corenet_tcp_bind_smtp_port(nginx_t)
497 + corenet_tcp_connect_smtp_port(nginx_t)
498 +')
499 +
500 +tunable_policy(`gentoo_nginx_can_network_connect_http',`
501 + corenet_tcp_connect_http_port(nginx_t)
502 +')
503 +
504 +tunable_policy(`gentoo_nginx_can_network_connect',`
505 + corenet_tcp_connect_all_ports(nginx_t)
506 +')
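Review bot: The var/lib block drops the r1 `allow nginx_t nginx_var_lib_t:dir create_dir_perms;` rule but keeps `dir` in `files_var_lib_filetrans(nginx_t,nginx_var_lib_t, { file dir sock_file })`, so a directory transition is declared while nginx_t has no permission to create or manage a `nginx_var_lib_t` directory at all. `create_files_pattern` and `create_sock_files_pattern` also stop at creation; as far as I recall the underlying `create_file_perms` set carries no `read`/`write`, which nginx needs on the proxy_temp/fastcgi_temp/client_body_temp files that the commented-out nginx.fc entries place under its var/lib area. Replacing the two pattern calls with `manage_dirs_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t)`, `manage_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t)` and `manage_sock_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t)` covers both. The comment `We enable both binding and connecting, since nginx acts here as a reverse proxy` sits only above the imap tunable although it explains the pop3 and smtp blocks as well; moving it above all three mail blocks reads better.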
507 --- services/nginx.fc 1970-01-01 01:00:00.000000000 +0100
508 +++ services/nginx.fc 2011-07-21 14:21:43.956000690 +0200
509 @@ -0,0 +1,63 @@
510 +###############################################################################
511 +# SELinux module for the NGINX Web Server
512 +#
513 +# Project Contact Information:
514 +# Stuart Cianos
515 +# Email: scianos@×××××××××.com
516 +#
517 +###############################################################################
518 +# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
519 +#
520 +#
521 +# Stuart Cianos licenses this file to You under the GNU General Public License,
522 +# Version 3.0 (the "License"); you may not use this file except in compliance
523 +# with the License. You may obtain a copy of the License at
524 +#
525 +# http://www.gnu.org/licenses/gpl.txt
526 +#
527 +# or in the COPYING file included in the original archive.
528 +#
529 +# Disclaimer of Warranty.
530 +#
531 +# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
532 +# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
533 +# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
534 +# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
535 +# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
536 +# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
537 +# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
538 +# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
539 +#
540 +# Limitation of Liability.
541 +#
542 +# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
543 +# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
544 +# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
545 +# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
546 +# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
547 +# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
548 +# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
549 +# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
550 +# SUCH DAMAGES.
551 +###############################################################################
552 +# nginx executable will have:
553 +# label: system_u:object_r:nginx_exec_t
554 +# MLS sensitivity: s0
555 +# MCS categories: <none>
556 +
557 +#
558 +# /etc
559 +#
560 +/etc/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0)
561 +/etc/ssl/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0)
562 +
563 +#
564 +# /usr
565 +#
566 +/usr/sbin/nginx -- gen_context(system_u:object_r:nginx_exec_t,s0)
567 +
568 +#
569 +# /var
570 +#
571 +/var/log/nginx(/.*)? gen_context(system_u:object_r:nginx_log_t,s0)
572 +/var/tmp/nginx(/.*)? gen_context(system_u:object_r:nginx_tmp_t,s0)
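Review bot: nginx.te declares `nginx_var_lib_t` and `nginx_var_run_t`, but nothing in this nginx.fc assigns either label to a path, so the only way an object ever gets one is through a runtime file transition, and the first `restorecon`/relabel presumably resets it to the generic `var_lib_t`/`var_run_t`, for which nginx_t has no file rules. The r1 nginx.fc above has the same gap. Entries such as `/var/lib/nginx(/.*)? gen_context(system_u:object_r:nginx_var_lib_t,s0)` and `/var/run/nginx\.pid -- gen_context(system_u:object_r:nginx_var_run_t,s0)` make the labeling survive a relabel; the exact paths depend on how the Gentoo ebuild lays out nginx's state directory and pid file and should be checked against it.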