On 03/14/2011 11:14 AM, Mossburg wrote:
> On Mon, Mar 14, 2011 at 10:26 AM, Dominick Grift <domg472@xxxxxxxxx> wrote:
>> On 03/14/2011 10:07 AM, Mossburg wrote:
>>> I'm currently trying to write a policy for the nginx webserver.
>>
>> It is probably better to make this webserver run in the httpd_t domain.
>
> It was my first idea but I didn't know if it was a good idea to use an
> existing policy, written for a specific process.
>
>> That means that you would have to add file context specifications for
>> some files included with the nginx package:
>>
>> its executable file, configuration file, pid file, log, lib and init
>> script file.
>
> To make it permanent I would have to write a policy only with a .fc file?
>
>> You did not include your nginx.fc file and so I cannot suggest these
>> changes.
>
> # nginx executable will have:
> # label: system_u:object_r:nginx_exec_t
> # MLS sensitivity: s0
> # MCS categories: <none>
>
> /usr/sbin/nginx -- gen_context(system_u:object_r:nginx_exec_t,s0)

to test (temporary label):
chcon -t httpd_exec_t /usr/sbin/nginx

to make it permanent locally:
semanage fcontext -a -t httpd_exec_t /usr/sbin/nginx

> /var/run/nginx.pid gen_context(system_u:object_r:nginx_var_run_t,s0)

semanage fcontext -a -t httpd_var_run_t /var/run/nginx.pid

> /var/log/nginx(/.*)? gen_context(system_u:object_r:nginx_var_log_t,s0)

to test (temporary label):
chcon -R -t httpd_log_t /var/log/nginx

to make permanent locally:
semanage fcontext -a -t httpd_log_t "/var/log/nginx(/.*)?"

> /var/lib/nginx(/.*)? gen_context(system_u:object_r:nginx_var_lib_t,s0)

chcon -R -t httpd_var_lib_t /var/lib/nginx
semanage fcontext -a -t httpd_var_lib_t "/var/lib/nginx(/.*)?"

> /etc/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0)

chcon -R -t httpd_config_t /etc/nginx
semanage fcontext -a -t httpd_config_t "/etc/nginx(/.*)?"

use existing apache locations/types: default system webroot: /var/www

you can also just add the above fc specs to a .fc file (you may need to require the types used in the fc file in your te file). Instead I would just use chcon or semanage fcontext plus restorecon.

Once you confirmed that it works, you can suggest your changes upstream so that Fedora/refpolicy can make the changes to the apache module. Then it should work by default for you on a future update of selinux-policy.

>
>> Of course you can also do it your way and write policy from scratch but
>> doing this for a web server is probably not the best idea. Webservers
>> can be pretty complex and can be configured in many ways.
>>
>> So again, I would suggest trying to run nginx in the existing httpd_t
>> domain instead so that httpd's proven policy applies to nginx. Saves
>> work/time.
>
> I totally agree.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
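The following script is an added example, not code from the thread or from the Fedora/refpolicy project. It collects the path-to-type mapping Dominick lays out above (every nginx file labelled with the matching apache type) into one place and derives three things from it: the semanage fcontext lines plus the restorecon that makes the on-disk labels match, the .fc/.te pair for the alternative he mentions (a local module that must require the borrowed httpd types; the gen_context() form assumes the files are built with the selinux-policy-devel Makefile, which runs them through m4), and a check that asks the loaded policy what it would now assign to each path. The script name and the subcommands are hypothetical; "check" and "apply" need a host with policycoreutils installed, "print" and "module" run anywhere.

```shell
#!/bin/sh
# Added example (not from the thread). Each line: target type, path regex as
# semanage and .fc files expect it, optional "--" meaning regular file only.
# The paths are the ones quoted in the thread; the types are apache's.
nginx_specs() {
    cat <<'EOF'
httpd_exec_t /usr/sbin/nginx --
httpd_var_run_t /var/run/nginx.pid
httpd_log_t /var/log/nginx(/.*)?
httpd_var_lib_t /var/lib/nginx(/.*)?
httpd_config_t /etc/nginx(/.*)?
EOF
}

# Drop a trailing "(/.*)?" so the regex becomes the directory to walk.
strip_regex() {
    printf '%s\n' "$1" | sed 's|(/\.\*)?$||'
}

# Commands that record the labels in the local file-context store, followed by
# restorecon so the files on disk actually get them (a bare chcon is lost on the
# next relabel, the semanage entry is not).
label_commands() {
    nginx_specs | while read -r type path ftype; do
        printf 'semanage fcontext -a -t %s "%s"\n' "$type" "$path"
    done
    nginx_specs | while read -r type path ftype; do
        printf 'restorecon -Rv "%s"\n' "$(strip_regex "$path")"
    done
}

# Same specs as a local policy module. The .te only requires the apache types;
# it defines nothing new, which is the point of reusing httpd_t.
fc_file() {
    nginx_specs | while read -r type path ftype; do
        printf '%s\t%s\tgen_context(system_u:object_r:%s,s0)\n' "$path" "$ftype" "$type"
    done
}

te_file() {
    printf 'policy_module(nginx_labels, 1.0)\n\nrequire {\n'
    nginx_specs | while read -r type path ftype; do
        printf '\ttype %s;\n' "$type"
    done
    printf '}\n'
}

# On a real SELinux host: ask policy (matchpathcon) what each path should get
# and flag anything that still differs, e.g. a forgotten semanage line.
check_labels() {
    nginx_specs | while read -r type path ftype; do
        p=$(strip_regex "$path")
        if matchpathcon -n "$p" | grep -q ":$type:"; then
            echo "ok       $p -> $type"
        else
            echo "MISMATCH $p expected $type, got: $(matchpathcon -n "$p")"
        fi
    done
}

case "${1:-print}" in
    print)  label_commands ;;           # default: show what would be run
    apply)  label_commands | sh -e ;;   # run it (root + policycoreutils)
    check)  check_labels ;;
    module) fc_file > nginx_labels.fc; te_file > nginx_labels.te ;;
esac
```

Running it with no argument only prints the semanage/restorecon lines, so the mapping can be reviewed before anything is changed; "check" after "apply" confirms the loaded policy agrees with the spec, which is also the state to verify before proposing the same specs upstream for the apache module.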