commit: 150da78676fdc6ef33e63076759b696f790ab1ab |
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org> |
AuthorDate: Fri Nov 12 01:24:50 2021 +0000 |
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org> |
CommitDate: Mon Jun 6 15:15:08 2022 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=150da786 |
|
nginx: various fixes |
|
Various fixes for nginx, and also allow nginx to list and read user home |
content when the httpd_read_user_content boolean is enabled. |
|
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org> |
|
policy/modules/contrib/nginx.te | 15 +++++++++++++++ |
1 file changed, 15 insertions(+) |
|
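--- a/policy/modules/contrib/nginx.te
+++ b/policy/modules/contrib/nginx.te
@@ -119,8 +119,13 @@ domain_use_interactive_fds(nginx_t)
 
 files_read_etc_files(nginx_t)
 
+auth_use_nsswitch(nginx_t)
 
+logging_send_syslog_msg(nginx_t)
+
+miscfiles_read_generic_certs(nginx_t)
 miscfiles_read_localization(nginx_t)
+
 sysnet_dns_name_resolve(nginx_t)
 
 optional_policy(`
@@ -129,10 +134,16 @@ optional_policy(`
 apache_manage_log(nginx_t)
 ')
 
+tunable_policy(`httpd_read_user_content',`
+ userdom_list_user_home_content(nginx_t)
+ userdom_read_user_home_content_files(nginx_t)
+')
+
 tunable_policy(`nginx_enable_http_server',`
 corenet_tcp_bind_http_port(nginx_t)
 apache_read_all_content(nginx_t)
 apache_manage_all_rw_content(nginx_t)
+ apache_list_sys_content(nginx_t)
 ')
 
 # We enable both binding and connecting, since nginx acts here as a reverse proxy
@@ -159,6 +170,10 @@ tunable_policy(`nginx_can_network_connect',`
 corenet_tcp_connect_all_ports(nginx_t)
 ')
 
+optional_policy(`
+ certbot_read_lib(nginx_t)
+')
+
 optional_policy(`
 phpfpm_stream_connect(nginx_t)
 ')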
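Review bot: The new `tunable_policy(`httpd_read_user_content',` block in the second hunk keys nginx's access to user home content on a boolean that nginx.te does not declare itself and that appears to belong to the apache module, so this module now depends on that boolean existing at build/load time outside of any `optional_policy` block; if that coupling is intended, a comment such as `# httpd_read_user_content is the apache module's tunable; nginx honours it too` above the block would make it explicit, and the boolean's description in the declaring module should presumably mention nginx. The block is also placed outside `tunable_policy(`nginx_enable_http_server',`, so home-directory listing and file reads are granted whenever the boolean is on even when nginx is not configured as an HTTP server, which is a policy-scope decision worth stating in the commit message. On a smaller point, in the first hunk `auth_use_nsswitch(nginx_t)` is inserted after `files_read_etc_files(nginx_t)`, breaking the alphabetical-by-module ordering that the surrounding interface calls otherwise follow; moving it above `files_read_etc_files` would keep the file consistent.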