| 1 |
commit: 16d748c5274912f194a6a22fdc08d89530b3ea4a |
| 2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 3 |
AuthorDate: Sat Sep 29 18:18:51 2012 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Sat Sep 29 18:18:51 2012 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=16d748c5 |
| 7 |
|
| 8 |
Nginx can read all web content and manage writeable web content |
| 9 |
|
| 10 |
As nginx works as a full web server, allow it to read all web content |
| 11 |
(httpdcontent attribute) and manage (read/write) all read-write content |
| 12 |
(httpd_rw_content attribute). |
| 13 |
|
| 14 |
--- |
| 15 |
policy/modules/contrib/nginx.te | 42 +------------------------------------- |
| 16 |
1 files changed, 2 insertions(+), 40 deletions(-) |
| 17 |
|
| 18 |
diff --git a/policy/modules/contrib/nginx.te b/policy/modules/contrib/nginx.te |
| 19 |
index 8b21d76..4af208d 100644 |
| 20 |
--- a/policy/modules/contrib/nginx.te |
| 21 |
+++ b/policy/modules/contrib/nginx.te |
| 22 |
@@ -1,43 +1,4 @@ |
| 23 |
# SELinux module for the NGINX Web Server |
| 24 |
-# |
| 25 |
-# Project Contact Information: |
| 26 |
-# Stuart Cianos |
| 27 |
-# Email: scianos@×××××××××.com |
| 28 |
-# |
| 29 |
-# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved. |
| 30 |
-# |
| 31 |
-# |
| 32 |
-# Stuart Cianos licenses this file to You under the GNU General Public License, |
| 33 |
-# Version 3.0 (the "License"); you may not use this file except in compliance |
| 34 |
-# with the License. You may obtain a copy of the License at |
| 35 |
-# |
| 36 |
-# http://www.gnu.org/licenses/gpl.txt |
| 37 |
-# |
| 38 |
-# or in the COPYING file included in the original archive. |
| 39 |
-# |
| 40 |
-# Disclaimer of Warranty. |
| 41 |
-# |
| 42 |
-# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY |
| 43 |
-# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT |
| 44 |
-# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY |
| 45 |
-# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, |
| 46 |
-# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| 47 |
-# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM |
| 48 |
-# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF |
| 49 |
-# ALL NECESSARY SERVICING, REPAIR OR CORRECTION. |
| 50 |
-# |
| 51 |
-# Limitation of Liability. |
| 52 |
-# |
| 53 |
-# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING |
| 54 |
-# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS |
| 55 |
-# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY |
| 56 |
-# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE |
| 57 |
-# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF |
| 58 |
-# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD |
| 59 |
-# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), |
| 60 |
-# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF |
| 61 |
-# SUCH DAMAGES. |
| 62 |
-############################################################################### |
| 63 |
policy_module(nginx,1.0.10) |
| 64 |
|
| 65 |
######################################## |
| 66 |
@@ -165,7 +126,8 @@ sysnet_dns_name_resolve(nginx_t) |
| 67 |
|
| 68 |
tunable_policy(`gentoo_nginx_enable_http_server',` |
| 69 |
corenet_tcp_bind_http_port(nginx_t) |
| 70 |
- apache_read_sys_content(nginx_t) |
| 71 |
+ apache_read_all_content(nginx_t) |
| 72 |
+ apache_manage_all_rw_content(nginx_t) |
| 73 |
') |
| 74 |
|
| 75 |
# We enable both binding and connecting, since nginx acts here as a reverse proxy |
Archives