Bug 434892 - sec-policy/selinux-nginx-2.20120725-r5: no access to httpd_sys_rw_content_t
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r6
Blocks: 434916
Reported: 2012-09-13 12:12 UTC by Vincent Brillault
Modified: 2012-12-13 10:12 UTC (History)
Description Vincent Brillault 2012-09-13 12:12:51 UTC
The current tunable policy that enables the nginx http server is:
'''
tunable_policy(`gentoo_nginx_enable_http_server',`
        corenet_tcp_bind_http_port(nginx_t)
        apache_read_sys_content(nginx_t)
')
'''

This tunable policy doesn't give access to any content with the context 'httpd_sys_rw_content_t'. An additional 'apache_read_all_rw_content(nginx_t)' would partially fix the problem.
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-09-28 18:08:43 UTC
It's probably ok to use "apache_manage_all_rw_content(nginx_t)".

The rw-content is content defined to be writeable by webservers, so...
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-09-29 18:23:31 UTC
Will be part of -r6 release. Is committed to repository so live ebuilds should already provide it.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-03 17:35:18 UTC
In hardened-dev, r6 release
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-18 15:27:46 UTC
In main tree, ~arch'ed
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-13 10:12:36 UTC
r8 is now stable