Bug 368795 - sec-policy/selinux-nginx New ebuild request
Summary: sec-policy/selinux-nginx New ebuild request
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
Importance: Normal enhancement
Assignee: SE Linux Bugs
URL: http://sourceforge.net/projects/selin...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-26 15:25 UTC by Agostino Sarubbo
Modified: 2011-10-23 13:18 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Attachments
nginx.te file (nginx.te, 5.97 KB, text/plain) - 2011-07-11 13:26 UTC, Sven Vermeulen
nginx.fc file (nginx.fc, 3.14 KB, text/plain) - 2011-07-11 13:27 UTC, Sven Vermeulen

Description Agostino Sarubbo gentoo-dev 2011-05-26 15:25:29 UTC
At $url I see the policy for nginx.

Assigning to the selinux herd; blueness agrees.
Comment 1 Anthony Basile gentoo-dev 2011-05-28 06:37:12 UTC
Currently we're pulling all our policies from oss.tresys.com --- see selinux-policy-2.eclass.  I'm not sure how to pull in a policy from sourceforge.  We'd have to write the entire ebuild to pull it down and install.
Comment 2 Sven Vermeulen 2011-05-31 19:23:11 UTC
I'd suggest putting it up for inclusion in the reference policy. If it gets accepted there, then we can easily pull it back in.

However, there's no need to write an entire ebuild; cf. our selinux-mutt ebuilds.
Comment 3 Agostino Sarubbo gentoo-dev 2011-05-31 19:48:09 UTC
(In reply to comment #2)
> I'd suggest to put it up for inclusion to the reference policy. If it gets
> accepted there, then we easily pull it back in.
> 
> However, there's no need to write an entire ebuild - cfr our selinux-mutt
> ebuilds.

Yes, I spoke with blueness about it on IRC. For me it is simpler to suggest this policy to the reference policy (so the policy can also be edited or improved there). Can anyone take care of this?
Comment 4 Sven Vermeulen 2011-06-02 17:58:02 UTC
It'll need a lot of cleaning up (cf. the style guide at http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide). License-wise there's a minor difference (refpolicy is GPL-2, this is GPL-3).
Comment 5 Stuart Cianos 2011-06-13 18:45:22 UTC
Greetings -

I am the developer of the policy, and would be honored to have the policy used as a base for your reference policy!

I am aware of the need to relicense from GPL3->GPL2; this is not a problem as the only contributions on this particular module are from me. I will re-issue a new version under a GPL2 license to help ease this burden... as well as provide any other assistance needed to help with inclusion.

Additionally, I have an SELinux module available which protects git-daemon in the event there is interest in bringing this into the Gentoo sec-policy project as well.

- Stu
Comment 6 Sven Vermeulen 2011-06-15 17:32:41 UTC
Upstream is a bit unclear on what is the best way forward:
- either update the webserver (apache) module to support nginx (it already supports other webservers like lighttpd), or
- include an nginx module

See http://oss.tresys.com/pipermail/refpolicy/2011-March/004135.html for the start of the thread (a handful of messages). No clear result though (upstream didn't add the patch, but also didn't say at the end that it wants an nginx module).

I'll check with gentoo-hardened to see what our vision would be on such matters. We strive for "keep it simple", "least privilege" and "track upstream".
Comment 7 Sven Vermeulen 2011-06-21 19:23:49 UTC
Okay, we're going to go forward with the nginx module. I'll put in a first try-out to update the original files to be more upstream-compliant. However, from the looks of it, we might need to test nginx a bit more (the various features it has) and also see how/which tunables we want to introduce.
Comment 8 Sven Vermeulen 2011-07-11 13:26:40 UTC
Created attachment 279773 [details]
nginx.te file

Updated nginx.te file, using the interfaces rather than raw allow statements.
Also includes the following booleans which you'll definitely want to read up on:

- nginx_enable_http_server 
- nginx_enable_imap_server
- nginx_enable_pop3_server
- nginx_enable_smtp_server

These booleans allow the nginx policy to open up the necessary rules for nginx to act as one of those servers. So, if you run nginx as a webserver, enable nginx_enable_http_server.

- nginx_can_network_connect_http

Allow nginx to connect to HTTP server(s). Needed if you want to use authentication against HTTP servers as the demonstrations show.

- nginx_can_network_connect

Allow nginx to connect to any server.
Comment 9 Sven Vermeulen 2011-07-11 13:27:15 UTC
Created attachment 279775 [details]
nginx.fc file

Updated .fc file to correspond with the binaries and files as installed by the package manager.
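The fragment below is an added illustration of how the booleans listed in comment 8 and the file contexts mentioned in comment 9 fit together in a refpolicy-style module; it is not the content of the attached nginx.te/nginx.fc files and not Gentoo's shipped policy. It assumes the standard refpolicy interface names of that era (corenet_tcp_bind_http_port, corenet_tcp_bind_pop_port, which in refpolicy covers both the IMAP and POP3 ports, corenet_tcp_bind_smtp_port, corenet_tcp_connect_http_port, corenet_tcp_connect_all_ports) and Gentoo's install paths for nginx (/usr/sbin/nginx, /etc/nginx, /var/log/nginx, /var/run/nginx.pid); the type names and the exact rule set are assumptions for the example.

```selinux
# ---- nginx.te (illustrative, not the attachment) ----
policy_module(nginx, 0.1)

########################################
#
# Declarations
#

## <desc>
## <p>Allow nginx to bind the HTTP port(s) and act as a web server.</p>
## </desc>
gen_tunable(nginx_enable_http_server, false)

## <desc>
## <p>Allow nginx to bind the IMAP port(s) and act as an IMAP proxy.</p>
## </desc>
gen_tunable(nginx_enable_imap_server, false)

## <desc>
## <p>Allow nginx to bind the POP3 port(s) and act as a POP3 proxy.</p>
## </desc>
gen_tunable(nginx_enable_pop3_server, false)

## <desc>
## <p>Allow nginx to bind the SMTP port(s) and act as an SMTP proxy.</p>
## </desc>
gen_tunable(nginx_enable_smtp_server, false)

## <desc>
## <p>Allow nginx to connect to HTTP servers (e.g. auth_http backends).</p>
## </desc>
gen_tunable(nginx_can_network_connect_http, false)

## <desc>
## <p>Allow nginx to connect to any TCP port (upstream proxying).</p>
## </desc>
gen_tunable(nginx_can_network_connect, false)

type nginx_t;
type nginx_exec_t;
init_daemon_domain(nginx_t, nginx_exec_t)

type nginx_conf_t;
files_config_file(nginx_conf_t)

type nginx_log_t;
logging_log_file(nginx_log_t)

type nginx_var_run_t;
files_pid_file(nginx_var_run_t)

########################################
#
# Local policy
#

# Master process drops privileges to the worker user.
allow nginx_t self:capability { setgid setuid };
allow nginx_t self:tcp_socket create_stream_socket_perms;
allow nginx_t self:unix_stream_socket create_stream_socket_perms;

read_files_pattern(nginx_t, nginx_conf_t, nginx_conf_t)
append_files_pattern(nginx_t, nginx_log_t, nginx_log_t)
create_files_pattern(nginx_t, nginx_log_t, nginx_log_t)
logging_log_filetrans(nginx_t, nginx_log_t, file)
manage_files_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
files_pid_filetrans(nginx_t, nginx_var_run_t, file)

# Generic network access; which ports may be bound is gated below.
corenet_tcp_bind_generic_node(nginx_t)
corenet_tcp_sendrecv_generic_if(nginx_t)
corenet_tcp_sendrecv_generic_node(nginx_t)
corenet_tcp_sendrecv_all_ports(nginx_t)

# Listening ports: each role is off unless its boolean is enabled.
tunable_policy(`nginx_enable_http_server',`
	corenet_tcp_bind_http_port(nginx_t)
')

# refpolicy keeps the IMAP and POP3 ports in one pop_port_t type (assumption).
tunable_policy(`nginx_enable_imap_server || nginx_enable_pop3_server',`
	corenet_tcp_bind_pop_port(nginx_t)
')

tunable_policy(`nginx_enable_smtp_server',`
	corenet_tcp_bind_smtp_port(nginx_t)
')

# Outbound connections: narrow (HTTP only) or wide (any port).
tunable_policy(`nginx_can_network_connect_http',`
	corenet_tcp_connect_http_port(nginx_t)
')

tunable_policy(`nginx_can_network_connect',`
	corenet_tcp_connect_all_ports(nginx_t)
')

# ---- nginx.fc (illustrative, assumed Gentoo paths) ----
/etc/nginx(/.*)?		gen_context(system_u:object_r:nginx_conf_t,s0)
/usr/sbin/nginx		--	gen_context(system_u:object_r:nginx_exec_t,s0)
/var/log/nginx(/.*)?		gen_context(system_u:object_r:nginx_log_t,s0)
/var/run/nginx\.pid	--	gen_context(system_u:object_r:nginx_var_run_t,s0)
```

The point of the split is least privilege: with every boolean at its default of false, nginx_t can read its config and write its logs and PID file but cannot bind any named port or initiate any outbound connection, so a plain web server needs only setsebool -P nginx_enable_http_server on, and a reverse proxy additionally needs one of the two connect booleans (prefer nginx_can_network_connect_http over nginx_can_network_connect when the upstreams are HTTP). After loading the module, restorecon -R on the listed paths applies the file contexts, and sesearch or audit2allow on any remaining denials shows which tunable, if any, is still needed.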
Comment 10 Sven Vermeulen 2011-07-21 08:56:20 UTC
Ebuild is in hardened-dev.git overlay.