commit:     10b3a91a0e7f0729cefb70ee4aa87eb862833b4a
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Nov 12 01:24:50 2021 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 20:04:30 2022 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=10b3a91a

nginx: various fixes

Various fixes for nginx, and also allow nginx to list and read user home
content when the httpd_read_user_content boolean is enabled.

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/contrib/nginx.te | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/policy/modules/contrib/nginx.te b/policy/modules/contrib/nginx.te
index 57e8ceb9..0c935bb6 100644
--- a/policy/modules/contrib/nginx.te
+++ b/policy/modules/contrib/nginx.te
@@ -119,8 +119,13 @@ domain_use_interactive_fds(nginx_t)
 
 files_read_etc_files(nginx_t)
 
+auth_use_nsswitch(nginx_t)
 
+logging_send_syslog_msg(nginx_t)
+
+miscfiles_read_generic_certs(nginx_t)
 miscfiles_read_localization(nginx_t)
+
 sysnet_dns_name_resolve(nginx_t)
 
 optional_policy(`
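Review bot: `auth_use_nsswitch(nginx_t)` at the top of this hunk is a broad grant — in refpolicy it places the domain in nsswitch_domain, which covers LDAP/nscd/sssd lookups as well as DNS — and nothing in the file records which nginx lookup needs it; a one-line comment such as `# resolve the account named by the nginx.conf 'user' directive` would capture the intent (confirm that is the actual trigger). If nsswitch_domain still carries sysnet_dns_name_resolve upstream, the explicit `sysnet_dns_name_resolve(nginx_t)` on the context line below becomes redundant and can be dropped in a follow-up. The same may hold for `miscfiles_read_generic_certs(nginx_t)` if the attribute also grants cert reads, though nginx needs the CA bundle for TLS regardless, so keeping it explicit is defensible.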
@@ -129,10 +134,16 @@ optional_policy(`
        apache_manage_log(nginx_t)
 ')
 
+tunable_policy(`httpd_read_user_content',`
+       userdom_list_user_home_content(nginx_t)
+       userdom_read_user_home_content_files(nginx_t)
+')
+
 tunable_policy(`nginx_enable_http_server',`
        corenet_tcp_bind_http_port(nginx_t)
        apache_read_all_content(nginx_t)
        apache_manage_all_rw_content(nginx_t)
+       apache_list_sys_content(nginx_t)
 ')
 
 # We enable both binding and connecting, since nginx acts here as a reverse 
proxy
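Review bot: The new `httpd_read_user_content` block reuses a boolean that is declared and described in apache.te, so an administrator toggling it for Apache also opens user home content to nginx; a comment above the block should say so, e.g. `# shares the httpd_read_user_content boolean with apache so both web servers expose ~user content under one switch`. As far as I recall `userdom_read_user_home_content_files` reads every type carrying the user home content attribute, not only user_home_t (check userdom.if); that mirrors what apache receives under the same boolean, but the breadth is worth stating in the comment or the commit message.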
@@ -159,6 +170,10 @@ tunable_policy(`nginx_can_network_connect',`
        corenet_tcp_connect_all_ports(nginx_t)
 ')
 
+optional_policy(`
+       certbot_read_lib(nginx_t)
+')
+
 optional_policy(`
        phpfpm_stream_connect(nginx_t)
 ')
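Review bot: The new certbot block carries no comment on what nginx reads there, and since certbot's lib tree holds the issued certificates and their private keys, the scope of the grant should be visible at a glance: `# TLS certificates and private keys issued by certbot`. Worth confirming that `certbot_read_lib` also permits following the symlinks certbot places under its live/ directory, otherwise nginx will still be denied at startup; if it does not, the interface rather than this file is the place to fix it.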
