authorKenton Groombridge <concord@gentoo.org>2021-11-11 20:24:50 -0500
committerKenton Groombridge <me@concord.sh>2022-06-06 11:13:05 -0400
commit7c566c428891f598517ef92a5feda42d5bced030 (patch)
tree4f69b22a83fbee5a6768c64e5392ec75a5eadf86
parentapache: add gentoo-specific interface to map httpd sys content (diff)
nginx: various fixes
Various fixes for nginx; additionally, allow nginx to list and read user home content when the httpd_read_user_content boolean is enabled. Signed-off-by: Kenton Groombridge <me@concord.sh>
-rw-r--r--policy/modules/contrib/nginx.te15
1 files changed, 15 insertions, 0 deletions
diff --git a/policy/modules/contrib/nginx.te b/policy/modules/contrib/nginx.te
index 57e8ceb9..0c935bb6 100644
--- a/policy/modules/contrib/nginx.te
+++ b/policy/modules/contrib/nginx.te
@@ -119,8 +119,13 @@ domain_use_interactive_fds(nginx_t)
files_read_etc_files(nginx_t)
+auth_use_nsswitch(nginx_t)
+logging_send_syslog_msg(nginx_t)
+
+miscfiles_read_generic_certs(nginx_t)
miscfiles_read_localization(nginx_t)
+
sysnet_dns_name_resolve(nginx_t)
optional_policy(`
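Review bot: `auth_use_nsswitch(nginx_t)` on the first added line of this hunk is a broad, unconditional grant — in refpolicy that interface pulls in NSS/LDAP client access well beyond a passwd/group lookup for the worker user, and it appears to already include DNS resolution, which would make the existing `sysnet_dns_name_resolve(nginx_t)` further down the hunk redundant; confirm against the interface definition before keeping both. Neither the commit message ("various fixes") nor the policy records which denial motivated the nsswitch, syslog and cert grants, so a short comment above the new lines, e.g. `# NSS lookups for the worker user/group, syslog output, and the system CA trust store for upstream TLS`, would let the next reviewer judge whether each grant is still needed. The read on generic certs is public CA material and looks appropriate as written.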
@@ -129,10 +134,16 @@ optional_policy(`
apache_manage_log(nginx_t)
')
+tunable_policy(`httpd_read_user_content',`
+ userdom_list_user_home_content(nginx_t)
+ userdom_read_user_home_content_files(nginx_t)
+')
+
tunable_policy(`nginx_enable_http_server',`
corenet_tcp_bind_http_port(nginx_t)
apache_read_all_content(nginx_t)
apache_manage_all_rw_content(nginx_t)
+ apache_list_sys_content(nginx_t)
')
# We enable both binding and connecting, since nginx acts here as a reverse proxy
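Review bot: The new `httpd_read_user_content` block grants nginx_t list and read access to user home content whenever the apache boolean is on, independently of `nginx_enable_http_server`, so a reverse-proxy-only deployment that has the boolean set for httpd would also expose home directories to nginx. Consider gating the block on both booleans, `nginx_enable_http_server && httpd_read_user_content`, so the home-directory grant follows the profile that actually serves content. The boolean is declared and described in the apache module, which this hunk does not show; a comment such as `# Reuses apache's httpd_read_user_content boolean so httpd and nginx honour the same home-directory policy` would make that dependency visible to readers of nginx.te. It is also worth checking whether `userdom_read_user_home_content_files` covers the symlinks commonly used under per-user docroots; if it does not, following them will still be denied — confirm against the interface and the apache.te equivalent.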
@@ -160,6 +171,10 @@ tunable_policy(`nginx_can_network_connect',`
')
optional_policy(`
+ certbot_read_lib(nginx_t)
+')
+
+optional_policy(`
phpfpm_stream_connect(nginx_t)
')
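Review bot: `certbot_read_lib(nginx_t)` in the new optional_policy block is an unconditional read grant over the entire certbot lib type, which in refpolicy appears to cover /etc/letsencrypt as well as /var/lib/letsencrypt; if so, nginx_t gains read access to every issued private key and the ACME account keys, not just the certificates it serves — confirm the type's file contexts. That access is needed for TLS termination, but the scope deserves a comment stating it, e.g. `# TLS certificates and private keys issued by certbot (the type also covers ACME account keys)`, and possibly a tunable if the reverse-proxy-only profile should not get it. Also check that the interface allows reading the `live/` symlinks certbot uses to point into `archive/`; if it grants only regular-file reads, nginx will still be denied when following them.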