diff options
Diffstat (limited to 'sec-policy/selinux-nginx/files/fix-services-nginx-r2.patch')
-rw-r--r-- | sec-policy/selinux-nginx/files/fix-services-nginx-r2.patch | 263 |
1 files changed, 0 insertions, 263 deletions
diff --git a/sec-policy/selinux-nginx/files/fix-services-nginx-r2.patch b/sec-policy/selinux-nginx/files/fix-services-nginx-r2.patch deleted file mode 100644 index 8f337edb9dd9..000000000000 --- a/sec-policy/selinux-nginx/files/fix-services-nginx-r2.patch +++ /dev/null @@ -1,263 +0,0 @@ ---- services/nginx.te 1970-01-01 01:00:00.000000000 +0100 -+++ services/nginx.te 2011-07-21 14:12:37.817000675 +0200 -@@ -0,0 +1,194 @@ -+############################################################################### -+# SELinux module for the NGINX Web Server -+# -+# Project Contact Information: -+# Stuart Cianos -+# Email: scianos@alphavida.com -+# -+############################################################################### -+# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved. -+# -+# -+# Stuart Cianos licenses this file to You under the GNU General Public License, -+# Version 3.0 (the "License"); you may not use this file except in compliance -+# with the License. You may obtain a copy of the License at -+# -+# http://www.gnu.org/licenses/gpl.txt -+# -+# or in the COPYING file included in the original archive. -+# -+# Disclaimer of Warranty. -+# -+# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY -+# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT -+# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY -+# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, -+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM -+# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF -+# ALL NECESSARY SERVICING, REPAIR OR CORRECTION. -+# -+# Limitation of Liability. -+# -+# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -+# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS -+# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY -+# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE -+# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF -+# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD -+# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), -+# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF -+# SUCH DAMAGES. -+############################################################################### -+policy_module(nginx,1.0.10) -+ -+######################################## -+# -+# Declarations -+# -+ -+## <desc> -+## <p> -+## Allow nginx to serve HTTP content (act as an http server) -+## </p> -+## </desc> -+gen_tunable(gentoo_nginx_enable_http_server, false) -+ -+## <desc> -+## <p> -+## Allow nginx to act as an imap proxy server) -+## </p> -+## </desc> -+gen_tunable(gentoo_nginx_enable_imap_server, false) -+ -+## <desc> -+## <p> -+## Allow nginx to act as a pop3 server) -+## </p> -+## </desc> -+gen_tunable(gentoo_nginx_enable_pop3_server, false) -+ -+## <desc> -+## <p> -+## Allow nginx to act as an smtp server) -+## </p> -+## </desc> -+gen_tunable(gentoo_nginx_enable_smtp_server, false) -+ -+## <desc> -+## <p> -+## Allow nginx to connect to remote HTTP servers -+## </p> -+## </desc> -+gen_tunable(gentoo_nginx_can_network_connect_http, false) -+ -+## <desc> -+## <p> -+## Allow nginx to connect to remote servers (regardless of protocol) -+## </p> -+## </desc> -+gen_tunable(gentoo_nginx_can_network_connect, false) -+ -+type nginx_t; -+type nginx_exec_t; -+init_daemon_domain(nginx_t, nginx_exec_t) -+ -+# conf files -+type nginx_conf_t; -+files_type(nginx_conf_t) -+ -+# log files -+type nginx_log_t; -+logging_log_file(nginx_log_t) -+ -+# tmp files -+type nginx_tmp_t; -+files_tmp_file(nginx_tmp_t) -+ -+# var/lib files -+type nginx_var_lib_t; -+files_type(nginx_var_lib_t) -+ -+# pid files -+type nginx_var_run_t; -+files_pid_file(nginx_var_run_t) -+ -+######################################## -+# -+# nginx local policy -+# -+ -+## Self rules -+allow nginx_t self:fifo_file { read write }; -+allow nginx_t self:unix_stream_socket create_stream_socket_perms; -+allow nginx_t self:tcp_socket { listen accept }; -+allow nginx_t self:capability { setuid net_bind_service setgid chown }; -+ -+## Policy-owned type management rules -+ -+# conf files -+read_files_pattern(nginx_t, nginx_conf_t, nginx_conf_t) -+ -+# log files -+manage_files_pattern(nginx_t, nginx_log_t, nginx_log_t) -+logging_log_filetrans(nginx_t, nginx_log_t, { file dir }) -+ -+ -+# pid file -+manage_dirs_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t) -+manage_files_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t) -+files_pid_filetrans(nginx_t, nginx_var_run_t, file) -+ -+# tmp files -+manage_files_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t) -+manage_dirs_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t) -+files_tmp_filetrans(nginx_t, nginx_tmp_t, dir) -+ -+# var/lib files -+create_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t) -+create_sock_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t) -+files_var_lib_filetrans(nginx_t,nginx_var_lib_t, { file dir sock_file }) -+ -+## Kernel layer modules -+# -+kernel_read_kernel_sysctls(nginx_t) -+corenet_tcp_bind_generic_node(nginx_t) -+corenet_tcp_sendrecv_generic_if(nginx_t) -+corenet_tcp_sendrecv_generic_node(nginx_t) -+domain_use_interactive_fds(nginx_t) -+files_read_etc_files(nginx_t) -+ -+## System layer modules -+miscfiles_read_localization(nginx_t) -+sysnet_dns_name_resolve(nginx_t) -+ -+## Other modules -+ -+tunable_policy(`gentoo_nginx_enable_http_server',` -+ corenet_tcp_bind_http_port(nginx_t) -+ apache_read_sys_content(nginx_t) -+') -+ -+# We enable both binding and connecting, since nginx acts here as a reverse proxy -+tunable_policy(`gentoo_nginx_enable_imap_server',` -+ corenet_tcp_bind_pop_port(nginx_t) -+ corenet_tcp_connect_pop_port(nginx_t) -+') -+ -+tunable_policy(`gentoo_nginx_enable_pop3_server',` -+ corenet_tcp_bind_pop_port(nginx_t) -+ corenet_tcp_connect_pop_port(nginx_t) -+') -+ -+tunable_policy(`gentoo_nginx_enable_smtp_server',` -+ corenet_tcp_bind_smtp_port(nginx_t) -+ corenet_tcp_connect_smtp_port(nginx_t) -+') -+ -+tunable_policy(`gentoo_nginx_can_network_connect_http',` -+ corenet_tcp_connect_http_port(nginx_t) -+') -+ -+tunable_policy(`gentoo_nginx_can_network_connect',` -+ corenet_tcp_connect_all_ports(nginx_t) -+') ---- services/nginx.fc 1970-01-01 01:00:00.000000000 +0100 -+++ services/nginx.fc 2011-07-21 14:21:43.956000690 +0200 -@@ -0,0 +1,63 @@ -+############################################################################### -+# SELinux module for the NGINX Web Server -+# -+# Project Contact Information: -+# Stuart Cianos -+# Email: scianos@alphavida.com -+# -+############################################################################### -+# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved. -+# -+# -+# Stuart Cianos licenses this file to You under the GNU General Public License, -+# Version 3.0 (the "License"); you may not use this file except in compliance -+# with the License. You may obtain a copy of the License at -+# -+# http://www.gnu.org/licenses/gpl.txt -+# -+# or in the COPYING file included in the original archive. -+# -+# Disclaimer of Warranty. -+# -+# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY -+# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT -+# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY -+# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, -+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM -+# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF -+# ALL NECESSARY SERVICING, REPAIR OR CORRECTION. -+# -+# Limitation of Liability. -+# -+# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -+# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS -+# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY -+# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE -+# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF -+# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD -+# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), -+# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF -+# SUCH DAMAGES. -+############################################################################### -+# nginx executable will have: -+# label: system_u:object_r:nginx_exec_t -+# MLS sensitivity: s0 -+# MCS categories: <none> -+ -+# -+# /etc -+# -+/etc/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0) -+/etc/ssl/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0) -+ -+# -+# /usr -+# -+/usr/sbin/nginx -- gen_context(system_u:object_r:nginx_exec_t,s0) -+ -+# -+# /var -+# -+/var/log/nginx(/.*)? gen_context(system_u:object_r:nginx_log_t,s0) -+/var/tmp/nginx(/.*)? gen_context(system_u:object_r:nginx_tmp_t,s0) |