commit: 16d748c5274912f194a6a22fdc08d89530b3ea4a |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Sat Sep 29 18:18:51 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Sat Sep 29 18:18:51 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=16d748c5 |
|
Nginx can read all web content and manage writeable web content |
|
As nginx works as a full web server, allow it to read all web content |
(httpdcontent attribute) and manage (read/write) all read-write content |
(httpd_rw_content attribute). |
|
--- |
policy/modules/contrib/nginx.te | 42 +------------------------------------- |
1 files changed, 2 insertions(+), 40 deletions(-) |
|
18 |
diff --git a/policy/modules/contrib/nginx.te b/policy/modules/contrib/nginx.te |
19 |
index 8b21d76..4af208d 100644 |
20 |
--- a/policy/modules/contrib/nginx.te |
21 |
+++ b/policy/modules/contrib/nginx.te |
22 |
@@ -1,43 +1,4 @@ |
23 |
# SELinux module for the NGINX Web Server |
24 |
-# |
25 |
-# Project Contact Information: |
26 |
-# Stuart Cianos |
27 |
-# Email: scianos@×××××××××.com |
28 |
-# |
29 |
-# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved. |
30 |
-# |
31 |
-# |
32 |
-# Stuart Cianos licenses this file to You under the GNU General Public License, |
33 |
-# Version 3.0 (the "License"); you may not use this file except in compliance |
34 |
-# with the License. You may obtain a copy of the License at |
35 |
-# |
36 |
-# http://www.gnu.org/licenses/gpl.txt |
37 |
-# |
38 |
-# or in the COPYING file included in the original archive. |
39 |
-# |
40 |
-# Disclaimer of Warranty. |
41 |
-# |
42 |
-# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY |
43 |
-# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT |
44 |
-# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY |
45 |
-# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, |
46 |
-# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
47 |
-# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM |
48 |
-# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF |
49 |
-# ALL NECESSARY SERVICING, REPAIR OR CORRECTION. |
50 |
-# |
51 |
-# Limitation of Liability. |
52 |
-# |
53 |
-# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING |
54 |
-# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS |
55 |
-# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY |
56 |
-# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE |
57 |
-# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF |
58 |
-# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD |
59 |
-# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), |
60 |
-# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF |
61 |
-# SUCH DAMAGES. |
62 |
-############################################################################### |
63 |
policy_module(nginx,1.0.10) |
64 |
|
65 |
######################################## |
66 |
@@ -165,7 +126,8 @@ sysnet_dns_name_resolve(nginx_t) |
67 |
|
68 |
tunable_policy(`gentoo_nginx_enable_http_server',` |
69 |
corenet_tcp_bind_http_port(nginx_t) |
70 |
- apache_read_sys_content(nginx_t) |
71 |
+ apache_read_all_content(nginx_t) |
72 |
+ apache_manage_all_rw_content(nginx_t) |
73 |
') |
74 |
|
75 |
# We enable both binding and connecting, since nginx acts here as a reverse proxy |
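Review bot: `apache_manage_all_rw_content(nginx_t)` sits under the same `gentoo_nginx_enable_http_server` tunable as the port bind, so enabling plain HTTP serving also gives nginx_t manage access to every type carrying the httpd_rw_content attribute, with no way to turn on the read side alone. Judging by the interface names and the commit message, a host that only serves static files would still run a domain able to modify the writable data of every web application, which widens what a compromised worker process can reach. Consider moving the manage call into a separate tunable that defaults to off and keeping only `apache_read_all_content(nginx_t)` in this block. At minimum, add a comment above the two calls, for example `# full web server: read all httpdcontent, manage all httpd_rw_content`. `policy_module(nginx,1.0.10)` in the first hunk is unchanged although the granted permissions change; confirm whether a version bump is expected here.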