| author | Kenton Groombridge <concord@gentoo.org> | 2021-11-11 20:24:50 -0500 |
|---|---|---|
| committer | Kenton Groombridge <concord@gentoo.org> | 2022-09-03 16:04:30 -0400 |
| commit | 10b3a91a0e7f0729cefb70ee4aa87eb862833b4a (patch) | |
| tree | 44247d284e0401a7becb43a027ab5e0eecc04364 | |
| parent | apache: add gentoo-specific interface to map httpd sys content (diff) | |
nginx: various fixes
Various fixes for nginx, and also allow nginx to list and read user home
content given that the httpd_read_user_content boolean is enabled.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
| -rw-r--r-- | policy/modules/contrib/nginx.te | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/policy/modules/contrib/nginx.te b/policy/modules/contrib/nginx.te index 57e8ceb9..0c935bb6 100644 --- a/policy/modules/contrib/nginx.te +++ b/policy/modules/contrib/nginx.te @@ -119,8 +119,13 @@ domain_use_interactive_fds(nginx_t) files_read_etc_files(nginx_t) +auth_use_nsswitch(nginx_t) +logging_send_syslog_msg(nginx_t) + +miscfiles_read_generic_certs(nginx_t) miscfiles_read_localization(nginx_t) + sysnet_dns_name_resolve(nginx_t) optional_policy(` @@ -129,10 +134,16 @@ optional_policy(` apache_manage_log(nginx_t) ') +tunable_policy(`httpd_read_user_content',` + userdom_list_user_home_content(nginx_t) + userdom_read_user_home_content_files(nginx_t) +') + tunable_policy(`nginx_enable_http_server',` corenet_tcp_bind_http_port(nginx_t) apache_read_all_content(nginx_t) apache_manage_all_rw_content(nginx_t) + apache_list_sys_content(nginx_t) ') # We enable both binding and connecting, since nginx acts here as a reverse proxy @@ -160,6 +171,10 @@ tunable_policy(`nginx_can_network_connect',` ') optional_policy(` + certbot_read_lib(nginx_t) +') + +optional_policy(` phpfpm_stream_connect(nginx_t) ') |
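Review bot: in the first hunk (@@ -119,8 +119,13 @@), `auth_use_nsswitch(nginx_t)` is added while the explicit `sysnet_dns_name_resolve(nginx_t)` is kept just below it; in refpolicy `auth_use_nsswitch` puts the domain in the `nsswitch_domain` attribute, which already carries DNS name resolution, so check whether the explicit call is now redundant. Independently of that, the commit message should say which denials motivated `auth_use_nsswitch`, `logging_send_syslog_msg` and `miscfiles_read_generic_certs` (the subject "various fixes" does not), since each of these widens the nginx domain in a different direction (NSS lookups, syslog, the system CA store).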
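Review bot: in the second hunk (@@ -129,10 +134,16 @@), the new `tunable_policy(`httpd_read_user_content',` block references a boolean whose `httpd_` prefix indicates it is declared by the apache module, and it sits outside any `optional_policy` block. That is consistent with the existing `nginx_enable_http_server` block, which already calls `apache_read_all_content` and `apache_manage_all_rw_content` unconditionally, so nginx evidently hard-depends on apache already; but the commit message should state that nginx now honours an apache boolean, because an administrator who toggles `httpd_read_user_content` for httpd will also change what nginx may read from home directories. Note also that `userdom_read_user_home_content_files` covers all user home content, not only a web-specific subdirectory; that matches the scope the same boolean has for apache, so it is acceptable if intended.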
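Review bot: in the third hunk (@@ -160,6 +171,10 @@), `certbot_read_lib(nginx_t)` grants read access to everything labelled as certbot's lib content; if that label also covers the ACME account keys and the archive of previously issued private keys rather than only the live certificate and key nginx serves, the grant is broader than the TLS use case needs. Prefer a narrower certbot interface if the module provides one, otherwise say in the commit message that the broad read is intentional. Placing the new `optional_policy` block before the `phpfpm` one keeps the blocks in alphabetical order, which is fine.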