Gentoo's Bugzilla – Attachment 279773 Details for
Bug 368795
sec-policy/selinux-nginx New ebuild request
nginx.te file
nginx.te (text/plain), 5.97 KB, created by
Sven Vermeulen
on 2011-07-11 13:26:40 UTC
###############################################################################
# SELinux module for the NGINX Web Server
#
# Project Contact Information:
# Stuart Cianos
# Email: scianos@alphavida.com
#
###############################################################################
# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
#
#
# Stuart Cianos licenses this file to You under the GNU General Public License,
# Version 3.0 (the "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.gnu.org/licenses/gpl.txt
#
# or in the COPYING file included in the original archive.
#
# Disclaimer of Warranty.
#
# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
#
# Limitation of Liability.
#
# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGES.
###############################################################################

# Type enforcement source for the nginx_t daemon domain.
# Review summary: every named-port bind and every generic TCP connect in this
# file sits inside a tunable_policy block whose boolean is declared false, so
# a freshly loaded module grants no listening port until an administrator
# turns on the boolean for the role nginx is meant to play.
policy_module(nginx,1.0.10)

########################################
#
# Declarations
#

# Each boolean below gates exactly one tunable_policy block at the end of the
# file. All are declared with a default of false (least privilege first).

## <desc>
## <p>
## Allow nginx to serve HTTP content (act as an http server)
## </p>
## </desc>
gen_tunable(nginx_enable_http_server, false)

## <desc>
## <p>
## Allow nginx to act as an imap proxy server
## </p>
## </desc>
gen_tunable(nginx_enable_imap_server, false)

## <desc>
## <p>
## Allow nginx to act as a pop3 server
## </p>
## </desc>
gen_tunable(nginx_enable_pop3_server, false)

## <desc>
## <p>
## Allow nginx to act as an smtp server
## </p>
## </desc>
gen_tunable(nginx_enable_smtp_server, false)

## <desc>
## <p>
## Allow nginx to connect to remote HTTP servers
## </p>
## </desc>
gen_tunable(nginx_can_network_connect_http, false)

## <desc>
## <p>
## Allow nginx to connect to remote servers (regardless of protocol)
## </p>
## </desc>
gen_tunable(nginx_can_network_connect, false)

# Process domain and its entrypoint executable type; init_daemon_domain
# registers the pair as a daemon started from init.
type nginx_t;
type nginx_exec_t;
init_daemon_domain(nginx_t, nginx_exec_t)

# Type for the init script that starts the daemon.
type nginx_initrc_exec_t;
init_script_file(nginx_initrc_exec_t)

# conf files
type nginx_conf_t;
files_type(nginx_conf_t)

# var/lib files
type nginx_var_lib_t;
files_type(nginx_var_lib_t)

# log files
type nginx_log_t;
logging_log_file(nginx_log_t)

# pid files
type nginx_var_run_t;
files_pid_file(nginx_var_run_t)

# tmp files
type nginx_tmp_t;
files_tmp_file(nginx_tmp_t)

########################################
#
# nginx local policy
#

## Self rules
allow nginx_t self:fifo_file { read write };
allow nginx_t self:unix_stream_socket create_stream_socket_perms;
# NOTE(review): only listen and accept are granted on the domain's own
# tcp_socket class here; no create, bind, read or write is visible in this
# file. Confirm in permissive mode that no tcp_socket denials are logged
# before enforcing.
allow nginx_t self:tcp_socket { listen accept };
# Capabilities are limited to four: setuid/setgid and chown (presumably for
# dropping from root to the worker account and fixing file ownership - confirm)
# and net_bind_service for binding privileged ports.
allow nginx_t self:capability { setuid net_bind_service setgid chown };

## Policy-owned type management rules
# log files
manage_files_pattern(nginx_t, nginx_log_t, nginx_log_t)
#manage_sock_files_pattern(nginx_t, nginx_log_t, nginx_log_t)
# NOTE(review): the transition covers both file and dir, but only the files
# pattern is granted above; no manage_dirs_pattern for nginx_log_t is visible.
# Confirm whether nginx ever has to create its own log directory.
logging_log_filetrans(nginx_t, nginx_log_t, { file dir })
#logging_log_filetrans(nginx_t, nginx_log_t, { sock_file })

# pid file
#allow nginx_t nginx_var_run_t:sock_file manage_file_perms;
manage_dirs_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
manage_files_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
# Only plain files get the nginx_var_run_t label on creation; the sock_file
# variant is left commented out below.
files_pid_filetrans(nginx_t, nginx_var_run_t, file)
#files_pid_filetrans(nginx_t, nginx_var_run_t, { file sock_file })

# conf files
# Configuration is read-only to the daemon: no write or manage rule on
# nginx_conf_t appears anywhere in this file.
read_files_pattern(nginx_t, nginx_conf_t, nginx_conf_t)

# tmp files
manage_files_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
manage_dirs_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
# The transition is declared for directories only, so a file nginx creates
# directly in the generic tmp directory would not be relabelled by this rule.
files_tmp_filetrans(nginx_t, nginx_tmp_t, dir)

# various
# The var/lib rules use the create_* permission sets rather than the manage_*
# patterns used for logs, pid and tmp files.
# NOTE(review): confirm the create_* sets are sufficient for what nginx does
# with these objects after creating them.
allow nginx_t nginx_var_lib_t:file create_file_perms;
allow nginx_t nginx_var_lib_t:sock_file create_file_perms;
allow nginx_t nginx_var_lib_t:dir create_dir_perms;
files_var_lib_filetrans(nginx_t,nginx_var_lib_t, { file dir sock_file })

## Kernel layer modules
kernel_read_kernel_sysctls(nginx_t)
# Node and interface level network access is unconditional; which ports may
# be bound or connected to is decided by the tunable blocks at the end.
corenet_tcp_bind_generic_node(nginx_t)
corenet_tcp_sendrecv_generic_if(nginx_t)
corenet_tcp_sendrecv_generic_node(nginx_t)
#corenet_tcp_sendrecv_all_ports(nginx_t)
#corenet_non_ipsec_sendrecv(nginx_t)
domain_use_interactive_fds(nginx_t)
files_read_etc_files(nginx_t)

## Perhaps as a policy tunable?
# Left disabled: binding to all ports would bypass the per-protocol booleans.
#corenet_tcp_bind_all_ports(nginx_t)
#corenet_tcp_bind_all_nodes(nginx_t)

## System layer modules
miscfiles_read_localization(nginx_t)
# Name resolution is granted unconditionally, independent of the connect
# booleans.
sysnet_dns_name_resolve(nginx_t)

## Other modules

#init_use_fds(nginx_t)
#init_use_script_ptys(nginx_t)
#libs_use_ld_so(nginx_t)
#libs_use_shared_libs(nginx_t)

#allow nginx_t fs_t:filesystem associate;
#allow nginx_t home_root_t:dir search;
#allow nginx_t user_home_dir_t:dir search;

# HTTP server role: bind the http port type and read content through the
# apache module interface.
# NOTE(review): apache_read_sys_content is called without an optional_policy
# wrapper, so this module presumably requires the apache policy module to be
# present - confirm before packaging.
tunable_policy(`nginx_enable_http_server',`
	corenet_tcp_bind_http_port(nginx_t)
	apache_read_sys_content(nginx_t)
')

# NOTE(review): the IMAP boolean binds the pop port type, the same interface
# the POP3 boolean uses below. Reference policy has grouped the IMAP ports
# under the pop port type, so this may be intentional - confirm against the
# port definitions of the target policy. Either way the two booleans grant the
# same bind permission, so turning on one effectively grants both roles.
tunable_policy(`nginx_enable_imap_server',`
	corenet_tcp_bind_pop_port(nginx_t)
')

tunable_policy(`nginx_enable_pop3_server',`
	corenet_tcp_bind_pop_port(nginx_t)
')

tunable_policy(`nginx_enable_smtp_server',`
	corenet_tcp_bind_smtp_port(nginx_t)
')

# Outbound connections restricted to the http port type; this is the narrower
# of the two connect booleans and the one to prefer for reverse proxying.
tunable_policy(`nginx_can_network_connect_http',`
	corenet_tcp_connect_http_port(nginx_t)
')

# Broadest grant in the file: TCP connect to all ports. With this boolean on,
# the policy no longer limits which TCP services the nginx_t domain can reach,
# so keep it off unless backends on arbitrary ports are required.
tunable_policy(`nginx_can_network_connect',`
	corenet_tcp_connect_all_ports(nginx_t)
')