[gentoo-commits] proj/hardened-dev:master commit in: sec-policy/selinux-nginx/files/, sec-policy/selinux-nginx/

["Sven Vermeulen" <sven.vermeulen@siphos.be>]

commit:     e17526766cf0aa3cd04e670919aca82ebd309ad3
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jul 21 19:19:30 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jul 21 19:19:30 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=e1752676

Make nginx policy more compliant to upstream policy

---
 sec-policy/selinux-nginx/ChangeLog                 |    6 +
 .../files/fix-services-nginx-r2.patch              |  263 ++++++++++++++++++++
 .../selinux-nginx-2.20101213-r2.ebuild             |   18 ++
 3 files changed, 287 insertions(+), 0 deletions(-)

diff --git a/sec-policy/selinux-nginx/ChangeLog b/sec-policy/selinux-nginx/ChangeLog
index e8aacd7..a6f2c6d 100644
--- a/sec-policy/selinux-nginx/ChangeLog
+++ b/sec-policy/selinux-nginx/ChangeLog
@@ -2,6 +2,12 @@
 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
 # $Header: $
 
+*selinux-nginx-2.20101213-r2 (21 Jul 2011)
+
+  21 Jul 2011; <swift@gentoo.org> +files/fix-services-nginx-r2.patch,
+  +selinux-nginx-2.20101213-r2.ebuild:
+  Improve nginx policy and make it compliant with upstream rules
+
 *selinux-nginx-2.20101213-r1 (17 Jul 2011)
 
   17 Jul 2011; <swift@gentoo.org> +files/fix-services-nginx-r1.patch,

diff --git a/sec-policy/selinux-nginx/files/fix-services-nginx-r2.patch b/sec-policy/selinux-nginx/files/fix-services-nginx-r2.patch
new file mode 100644
index 0000000..8f337ed
--- /dev/null
+++ b/sec-policy/selinux-nginx/files/fix-services-nginx-r2.patch
@@ -0,0 +1,263 @@
+--- services/nginx.te	1970-01-01 01:00:00.000000000 +0100
++++ services/nginx.te	2011-07-21 14:12:37.817000675 +0200
+@@ -0,0 +1,194 @@
++###############################################################################
++# SELinux module for the NGINX Web Server
++#
++# Project Contact Information:
++#   Stuart Cianos
++#   Email: scianos@alphavida.com
++#
++###############################################################################
++# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
++#
++#
++# Stuart Cianos licenses this file to You under the GNU General Public License,
++# Version 3.0 (the "License"); you may not use this file except in compliance
++# with the License.  You may obtain a copy of the License at
++#
++#     http://www.gnu.org/licenses/gpl.txt
++#
++# or in the COPYING file included in the original archive.
++#
++# Disclaimer of Warranty.
++#
++# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
++# APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
++# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
++# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
++# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++# PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
++# IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
++# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
++#
++# Limitation of Liability.
++#
++# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
++# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
++# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
++# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
++# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
++# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
++# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
++# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
++# SUCH DAMAGES.
++###############################################################################
++policy_module(nginx,1.0.10)
++
++########################################
++#
++# Declarations
++#
++
++## <desc>
++## <p>
++## Allow nginx to serve HTTP content (act as an http server)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_enable_http_server, false)
++
++## <desc>
++## <p>
++## Allow nginx to act as an imap proxy server)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_enable_imap_server, false)
++
++## <desc>
++## <p>
++## Allow nginx to act as a pop3 server)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_enable_pop3_server, false)
++
++## <desc>
++## <p>
++## Allow nginx to act as an smtp server)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_enable_smtp_server, false)
++
++## <desc>
++## <p>
++## Allow nginx to connect to remote HTTP servers
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_can_network_connect_http, false)
++
++## <desc>
++## <p>
++## Allow nginx to connect to remote servers (regardless of protocol)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_can_network_connect, false)
++
++type nginx_t;
++type nginx_exec_t;
++init_daemon_domain(nginx_t, nginx_exec_t)
++
++# conf files
++type nginx_conf_t;
++files_type(nginx_conf_t)
++
++# log files
++type nginx_log_t;
++logging_log_file(nginx_log_t)
++
++# tmp files
++type nginx_tmp_t;
++files_tmp_file(nginx_tmp_t)
++
++# var/lib files
++type nginx_var_lib_t;
++files_type(nginx_var_lib_t)
++
++# pid files
++type nginx_var_run_t;
++files_pid_file(nginx_var_run_t)
++
++########################################
++#
++# nginx local policy
++#
++
++## Self rules
++allow nginx_t self:fifo_file { read write };
++allow nginx_t self:unix_stream_socket create_stream_socket_perms;
++allow nginx_t self:tcp_socket { listen accept };
++allow nginx_t self:capability { setuid net_bind_service setgid chown };
++
++## Policy-owned type management rules
++
++# conf files
++read_files_pattern(nginx_t, nginx_conf_t, nginx_conf_t)
++
++# log files
++manage_files_pattern(nginx_t, nginx_log_t, nginx_log_t)
++logging_log_filetrans(nginx_t, nginx_log_t, { file dir })
++
++
++# pid file
++manage_dirs_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
++manage_files_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
++files_pid_filetrans(nginx_t, nginx_var_run_t, file)
++
++# tmp files
++manage_files_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
++manage_dirs_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
++files_tmp_filetrans(nginx_t, nginx_tmp_t, dir)
++
++# var/lib files
++create_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t)
++create_sock_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t)
++files_var_lib_filetrans(nginx_t,nginx_var_lib_t, { file dir sock_file })
++
++## Kernel layer modules
++#
++kernel_read_kernel_sysctls(nginx_t)
++corenet_tcp_bind_generic_node(nginx_t)
++corenet_tcp_sendrecv_generic_if(nginx_t)
++corenet_tcp_sendrecv_generic_node(nginx_t)
++domain_use_interactive_fds(nginx_t)
++files_read_etc_files(nginx_t)
++
++## System layer modules
++miscfiles_read_localization(nginx_t)
++sysnet_dns_name_resolve(nginx_t)
++
++## Other modules
++
++tunable_policy(`gentoo_nginx_enable_http_server',`
++	corenet_tcp_bind_http_port(nginx_t)
++	apache_read_sys_content(nginx_t)
++')
++
++# We enable both binding and connecting, since nginx acts here as a reverse proxy
++tunable_policy(`gentoo_nginx_enable_imap_server',`
++	corenet_tcp_bind_pop_port(nginx_t)
++	corenet_tcp_connect_pop_port(nginx_t)
++')
++
++tunable_policy(`gentoo_nginx_enable_pop3_server',`
++	corenet_tcp_bind_pop_port(nginx_t)
++	corenet_tcp_connect_pop_port(nginx_t)
++')
++
++tunable_policy(`gentoo_nginx_enable_smtp_server',`
++	corenet_tcp_bind_smtp_port(nginx_t)
++	corenet_tcp_connect_smtp_port(nginx_t)
++')
++
++tunable_policy(`gentoo_nginx_can_network_connect_http',`
++	corenet_tcp_connect_http_port(nginx_t)
++')
++
++tunable_policy(`gentoo_nginx_can_network_connect',`
++	corenet_tcp_connect_all_ports(nginx_t)
++')
+--- services/nginx.fc	1970-01-01 01:00:00.000000000 +0100
++++ services/nginx.fc	2011-07-21 14:21:43.956000690 +0200
+@@ -0,0 +1,63 @@
++###############################################################################
++# SELinux module for the NGINX Web Server
++#
++# Project Contact Information:
++#   Stuart Cianos
++#   Email: scianos@alphavida.com
++#
++###############################################################################
++# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
++#
++#
++# Stuart Cianos licenses this file to You under the GNU General Public License,
++# Version 3.0 (the "License"); you may not use this file except in compliance
++# with the License.  You may obtain a copy of the License at
++#
++#     http://www.gnu.org/licenses/gpl.txt
++#
++# or in the COPYING file included in the original archive.
++#
++# Disclaimer of Warranty.
++#
++# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
++# APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
++# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
++# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
++# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++# PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
++# IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
++# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
++#
++# Limitation of Liability.
++#
++# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
++# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
++# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
++# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
++# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
++# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
++# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
++# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
++# SUCH DAMAGES.
++###############################################################################
++# nginx executable will have:
++# label: system_u:object_r:nginx_exec_t
++# MLS sensitivity: s0
++# MCS categories: <none>
++
++#
++# /etc
++#
++/etc/nginx(/.*)?				gen_context(system_u:object_r:nginx_conf_t,s0)
++/etc/ssl/nginx(/.*)?				gen_context(system_u:object_r:nginx_conf_t,s0)
++
++#
++# /usr
++#
++/usr/sbin/nginx				--	gen_context(system_u:object_r:nginx_exec_t,s0)
++
++#
++# /var
++#
++/var/log/nginx(/.*)?				gen_context(system_u:object_r:nginx_log_t,s0)
++/var/tmp/nginx(/.*)?				gen_context(system_u:object_r:nginx_tmp_t,s0)

diff --git a/sec-policy/selinux-nginx/selinux-nginx-2.20101213-r2.ebuild b/sec-policy/selinux-nginx/selinux-nginx-2.20101213-r2.ebuild
new file mode 100644
index 0000000..d1d0fe8
--- /dev/null
+++ b/sec-policy/selinux-nginx/selinux-nginx-2.20101213-r2.ebuild
@@ -0,0 +1,18 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-zabbix/selinux-zabbix-2.20101213.ebuild,v 1.2 2011/06/02 13:12:38 blueness Exp $
+
+IUSE=""
+
+MODS="nginx"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for nginx web server application"
+
+KEYWORDS="~amd64 ~x86"
+DEPEND="sec-policy/selinux-base-policy
+		sec-policy/selinux-apache"
+RDEPEND="${DEPEND}"
+
+POLICY_PATCH="${FILESDIR}/fix-services-nginx-r2.patch"