Gentoo Archives: gentoo-commits

From: Kenton Groombridge <concord@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/contrib/
Date: Mon, 06 Jun 2022 15:13:53
Message-Id: 1654528385.7c566c428891f598517ef92a5feda42d5bced030.concord@gentoo
1 commit: 7c566c428891f598517ef92a5feda42d5bced030
2 Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
3 AuthorDate: Fri Nov 12 01:24:50 2021 +0000
4 Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
5 CommitDate: Mon Jun 6 15:13:05 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7c566c42
7
8 nginx: various fixes
9
10 Various fixes for nginx, and also allow nginx to list and read user home
11 content given that the httpd_read_user_content boolean is enabled.
12
13 Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
14
15 policy/modules/contrib/nginx.te | 15 +++++++++++++++
16 1 file changed, 15 insertions(+)
17
18 diff --git a/policy/modules/contrib/nginx.te b/policy/modules/contrib/nginx.te
19 index 57e8ceb9..0c935bb6 100644
20 --- a/policy/modules/contrib/nginx.te
21 +++ b/policy/modules/contrib/nginx.te
22 @@ -119,8 +119,13 @@ domain_use_interactive_fds(nginx_t)
23
24 files_read_etc_files(nginx_t)
25
26 +auth_use_nsswitch(nginx_t)
27
28 +logging_send_syslog_msg(nginx_t)
29 +
30 +miscfiles_read_generic_certs(nginx_t)
31 miscfiles_read_localization(nginx_t)
32 +
33 sysnet_dns_name_resolve(nginx_t)
34
35 optional_policy(`
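Review bot: auth_use_nsswitch(nginx_t) puts nginx_t on the nsswitch_domain attribute, which in refpolicy already carries DNS name resolution, so the unchanged sysnet_dns_name_resolve(nginx_t) call a few lines below becomes redundant once this hunk lands; either drop it or leave a short comment saying why both stay. The commit message ("various fixes") also does not say which denials the syslog and generic-certs additions resolve; a one-line rationale per added interface would make the widening easier to audit later.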
36 @@ -129,10 +134,16 @@ optional_policy(`
37 apache_manage_log(nginx_t)
38 ')
39
40 +tunable_policy(`httpd_read_user_content',`
41 + userdom_list_user_home_content(nginx_t)
42 + userdom_read_user_home_content_files(nginx_t)
43 +')
44 +
45 tunable_policy(`nginx_enable_http_server',`
46 corenet_tcp_bind_http_port(nginx_t)
47 apache_read_all_content(nginx_t)
48 apache_manage_all_rw_content(nginx_t)
49 + apache_list_sys_content(nginx_t)
50 ')
51
52 # We enable both binding and connecting, since nginx acts here as a reverse proxy
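Review bot: the new tunable_policy block references httpd_read_user_content, a boolean declared by the apache module, yet it sits outside the optional_policy block that wraps the other apache_* calls; check that the boolean is visible to nginx.te when apache is not built, and if it is not, move the block inside that optional_policy. Since the block lets a network-facing daemon list and read every user's home content, a comment above it stating that it intentionally mirrors apache's behaviour under the same boolean would document why the wider access is acceptable; apache_list_sys_content(nginx_t) under nginx_enable_http_server is consistent with the existing apache_read_all_content line and needs no further comment.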
53 @@ -159,6 +170,10 @@ tunable_policy(`nginx_can_network_connect',`
54 corenet_tcp_connect_all_ports(nginx_t)
55 ')
56
57 +optional_policy(`
58 + certbot_read_lib(nginx_t)
59 +')
60 +
61 optional_policy(`
62 phpfpm_stream_connect(nginx_t)
63 ')
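Review bot: certbot_read_lib(nginx_t) is broader than the miscfiles_read_generic_certs call added in the first hunk, because certbot's lib type covers the private keys certbot manages as well as the public certificates; that is what TLS termination on nginx needs, but the commit message should state that nginx_t is now granted read access to those keys so the change is visible in the log rather than implied by "various fixes".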