
Bug 434892

Summary: sec-policy/selinux-nginx-2.20120725-r5: no access to httpd_sys_rw_content_t
Product: Gentoo Linux
Reporter: Vincent Brillault <gentoo>
Component: SELinux
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: VERIFIED FIXED
Severity: normal
CC: selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: sec-policy r6
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 434916

Description Vincent Brillault 2012-09-13 12:12:51 UTC
The current tunable policy that enables the nginx http server is:
'''
tunable_policy(`gentoo_nginx_enable_http_server',`
        corenet_tcp_bind_http_port(nginx_t)
        apache_read_sys_content(nginx_t)
')
'''

This tunable policy doesn't give access to any content with the context 'httpd_sys_rw_content_t'. An additional 'apache_read_all_rw_content(nginx_t)' would partially fix the problem.
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-09-28 18:08:43 UTC
It's probably ok to use "apache_manage_all_rw_content(nginx_t)".

The rw-content is content defined to be writeable by webservers, so...
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-09-29 18:23:31 UTC
Will be part of -r6 release. Is committed to repository so live ebuilds should already provide it.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-03 17:35:18 UTC
In hardened-dev, r6 release
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-18 15:27:46 UTC
In main tree, ~arch'ed
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-13 10:12:36 UTC
r8 is now stable