At $url I see the policy for nginx. Assigning to the selinux herd, as agreed with blueness.
Currently we're pulling all our policies from oss.tresys.com --- see selinux-policy-2.eclass. I'm not sure how to pull in a policy from sourceforge. We'd have to write the entire ebuild to pull it down and install.
I'd suggest putting it up for inclusion in the reference policy. If it gets accepted there, then we can easily pull it back in. However, there's no need to write an entire ebuild - cfr. our selinux-mutt ebuilds.
(In reply to comment #2)
> I'd suggest to put it up for inclusion to the reference policy. If it gets
> accepted there, then we easily pull it back in.
>
> However, there's no need to write an entire ebuild - cfr our selinux-mutt
> ebuilds.

Yes, I spoke with blueness about it on IRC. For me it is simpler to suggest this policy to the reference policy (so the policy can also be edited or improved). Can anyone take care of this?
It'll need a lot of cleaning up (cfr. the style guide at http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide). License-wise there's a minor difference (refpolicy is GPL-2, this is GPL-3).
Greetings - I am the developer of the policy, and would be honored to have the policy used as a base for your reference policy! I am aware of the need to relicense from GPL3->GPL2; this is not a problem as the only contributions on this particular module are from me. I will re-issue a new version under a GPL2 license to help ease this burden... as well as provide any other assistance needed to help with inclusion. Additionally, I have an SELinux module available which protects git-daemon in the event there is interest in bringing this into the Gentoo sec-policy project as well. - Stu
Upstream is a bit unclear on what is the best way forward:
- either update the webserver (apache) module to support nginx (it already supports other webservers like lighttpd), or
- include an nginx module

See http://oss.tresys.com/pipermail/refpolicy/2011-March/004135.html for the start of the thread (handful of messages). No clear result though (upstream didn't add the patch, but didn't say it wants an nginx module at the end). I'll check with gentoo-hardened to see what our vision would be on such matters. We strive for "keep it simple", "least privilege" and "track upstream".
Okay, we're going to go forward with the nginx module. I'll put in a first try-out to update the original files to be more upstream-compliant. However, from the looks of it, we might need to test out nginx a bit more (the various features it has) and also see how/which tunables we want to introduce.
Created attachment 279773 [details]
nginx.te file

Updated nginx.te file, using the interfaces rather than raw allow statements. Also includes the following booleans which you'll definitely want to read up on:
- nginx_enable_http_server
- nginx_enable_imap_server
- nginx_enable_pop3_server
- nginx_enable_smtp_server
These booleans allow the nginx policy to open up the necessary rules for nginx to act as one of those servers. So, if you run nginx as a webserver, enable nginx_enable_http_server.
- nginx_can_network_connect_http
Allow nginx to connect to http server(s). Needed if you want to use authentication against HTTP servers like the demonstrations show.
- nginx_can_network_connect
Allow nginx to connect to any server.
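As an added illustration (not the contents of the attachment above), this is how booleans like the ones listed in comment #9 are usually wired into a refpolicy-style nginx.te: each gen_tunable declares a boolean that defaults to off, and a tunable_policy block grants the matching corenet interface only while it is enabled, so the domain never holds a bind or connect right it does not need. The corenet and init interface names are refpolicy's as I recall them, and treating IMAP together with POP3 under pop_port_t is an assumption to check against the installed policy.

```m4
policy_module(nginx, 1.0.0)

# Booleans, default off: each one unlocks only the rules that mode needs.
gen_tunable(nginx_enable_http_server, false)
gen_tunable(nginx_enable_imap_server, false)
gen_tunable(nginx_enable_pop3_server, false)
gen_tunable(nginx_enable_smtp_server, false)
gen_tunable(nginx_can_network_connect_http, false)
gen_tunable(nginx_can_network_connect, false)

type nginx_t;
type nginx_exec_t;
init_daemon_domain(nginx_t, nginx_exec_t)

# Generic TCP rights every mode needs; binding a specific port is
# granted only inside the tunable blocks below (least privilege).
allow nginx_t self:tcp_socket create_stream_socket_perms;
corenet_all_recvfrom_unlabeled(nginx_t)
corenet_tcp_sendrecv_generic_if(nginx_t)
corenet_tcp_sendrecv_generic_node(nginx_t)
corenet_tcp_bind_generic_node(nginx_t)

# Server roles: bind the port type for the protocol that is enabled.
tunable_policy(`nginx_enable_http_server',`
	corenet_tcp_bind_http_port(nginx_t)
')

tunable_policy(`nginx_enable_imap_server || nginx_enable_pop3_server',`
	# assumption: refpolicy labels both IMAP and POP3 ports as pop_port_t
	corenet_tcp_bind_pop_port(nginx_t)
')

tunable_policy(`nginx_enable_smtp_server',`
	corenet_tcp_bind_smtp_port(nginx_t)
')

# Outbound connections: HTTP-only first, "anywhere" as a separate switch,
# so an HTTP auth backend does not require opening all ports.
tunable_policy(`nginx_can_network_connect_http',`
	corenet_tcp_connect_http_port(nginx_t)
')

tunable_policy(`nginx_can_network_connect',`
	corenet_tcp_connect_all_ports(nginx_t)
')
```

Because the port rights live inside tunable_policy, the decision of which booleans to turn on can be made per host with setsebool rather than by rebuilding the module.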
Created attachment 279775 [details]
nginx.fc file

Updated .fc file to correspond with the binaries and files as installed by the package manager.
Ebuild is in hardened-dev.git overlay.