ajout seLinux?

se-ngix_1_0_10/AUTHORS

@@ -0,0 +1,7 @@
+NGINX SELinux Targeted Support Reference Modules:
+
+ - Stuart Cianos <[email protected]>
+
+
+
+

se-ngix_1_0_10/CHANGELOG

@@ -0,0 +1,3 @@
+2009-10-15: RELEASE 1.0.10
+            ------------------------
+

se-ngix_1_0_10/INSTALL

@@ -0,0 +1,18 @@
+On RHEL v5.x and CENTOS v5.x:
+
+Prerequisites:
+
+The following packages must be installed for policy compilation:
+* selinux-policy-targeted
+* selinux-policy-devel
+
+To install the prerequisite packages, use RPM or YUM.
+Example: sudo yum install selinux-policy-devel
+
+Install Instructions:
+1. Unpack the archive (likely already completed if you are reading this)
+2. Change to the "nginx" directory in the archive contents
+3. Run "make"
+4. Install the resulting nginx.pp SELinux module 
+   (i.e. sudo /usr/sbin/semodule -i nginx.pp)
+

se-ngix_1_0_10/nginx/Makefile

@@ -0,0 +1,23 @@
+# installation paths
+SHAREDIR := /usr/share/selinux
+
+AWK ?= gawk
+NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))
+
+MLSENABLED := $(shell cat /selinux/mls)
+ifeq ($(MLSENABLED),)
+	MLSENABLED := 1
+endif
+
+ifeq ($(MLSENABLED),1)
+	NTYPE = mcs
+endif
+
+ifeq ($(NAME),mls)
+	NTYPE = mls
+endif
+
+TYPE ?= $(NAME)-$(NTYPE)
+
+HEADERDIR := $(SHAREDIR)/devel/include
+include $(HEADERDIR)/Makefile

se-ngix_1_0_10/nginx/nginx.fc

@@ -0,0 +1,55 @@
+###############################################################################
+# SELinux module for the NGINX Web Server
+#
+# Project Contact Information:
+#   Stuart Cianos
+#   Email: [email protected]
+#
+###############################################################################
+# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
+#
+#
+# Stuart Cianos licenses this file to You under the GNU General Public License,
+# Version 3.0 (the "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.gnu.org/licenses/gpl.txt
+#
+# or in the COPYING file included in the original archive.
+#
+# Disclaimer of Warranty.
+#
+# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+# APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+# IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+#
+# Limitation of Liability.
+#
+# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGES.
+###############################################################################
+# nginx executable will have:
+# label: system_u:object_r:nginx_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/usr/local/nginx/sbin/nginx		--	gen_context(system_u:object_r:nginx_exec_t,s0)
+/usr/local/nginx/logs/nginx.pid			gen_context(system_u:object_r:nginx_var_run_t,s0)
+/usr/local/nginx/logs(/.*)?			gen_context(system_u:object_r:nginx_var_log_t,s0)
+/usr/local/nginx/proxy_temp(/.*)?			gen_context(system_u:object_r:nginx_var_lib_t,s0)
+/usr/local/nginx/fastcgi_temp(/.*)?                   gen_context(system_u:object_r:nginx_var_lib_t,s0)
+/usr/local/nginx/client_body_temp(/.*)?               gen_context(system_u:object_r:nginx_var_lib_t,s0)
+/usr/local/nginx/html(/.*)?               gen_context(user_u:object_r:httpd_sys_content_t,s0)
+/usr/local/nginx/conf(/.*)?		    gen_context(system_u:object_r:etc_t,s0)

se-ngix_1_0_10/nginx/nginx.if

@@ -0,0 +1,65 @@
+###############################################################################
+# SELinux module for the NGINX Web Server
+#
+# Project Contact Information:
+#   Stuart Cianos
+#   Email: [email protected]
+#
+###############################################################################
+# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
+#
+#
+# Stuart Cianos licenses this file to You under the GNU General Public License,
+# Version 3.0 (the "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.gnu.org/licenses/gpl.txt
+#
+# or in the COPYING file included in the original archive.
+#
+# Disclaimer of Warranty.
+#
+# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+# APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+# IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+#
+# Limitation of Liability.
+#
+# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGES.
+###############################################################################
+## <summary>policy for nginx</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run nginx.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nginx_domtrans',`
+	gen_require(`
+		type nginx_t, nginx_exec_t;
+	')
+
+	domain_auto_trans($1,nginx_exec_t,nginx_t)
+
+	allow nginx_t $1:fd use;
+	allow nginx_t $1:fifo_file rw_file_perms;
+	allow nginx_t $1:process sigchld;
+')

se-ngix_1_0_10/nginx/nginx.te

@@ -0,0 +1,130 @@
+###############################################################################
+# SELinux module for the NGINX Web Server
+#
+# Project Contact Information:
+#   Stuart Cianos
+#   Email: [email protected]
+#
+###############################################################################
+# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
+#
+#
+# Stuart Cianos licenses this file to You under the GNU General Public License,
+# Version 3.0 (the "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.gnu.org/licenses/gpl.txt
+#
+# or in the COPYING file included in the original archive.
+#
+# Disclaimer of Warranty.
+#
+# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+# APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+# IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+#
+# Limitation of Liability.
+#
+# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGES.
+###############################################################################
+policy_module(nginx,1.0.10)
+
+########################################
+#
+# Declarations
+#
+require {
+	type home_root_t;
+	type user_home_dir_t;
+	type httpd_sys_content_t;
+	type fs_t;
+	type node_t;
+	type sysctl_kernel_t;
+	class process { signal sigchld };
+	class unix_stream_socket { write connectto };
+	class capability { setuid kill setgid net_bind_service };
+	class tcp_socket { write name_bind name_connect create node_bind };
+	class dir { write search relabelto read remove_name getattr add_name };
+	class file { execute setattr read lock create execute_no_trans write getattr unlink append };
+	class filesystem { associate };
+}
+
+type nginx_t;
+type nginx_exec_t;
+domain_type(nginx_t)
+init_daemon_domain(nginx_t, nginx_exec_t)
+
+# conf files
+type nginx_conf_t;
+files_type(nginx_conf_t)
+
+# var/lib files
+type nginx_var_lib_t;
+files_type(nginx_var_lib_t)
+
+# log files
+type nginx_var_log_t;
+logging_log_file(nginx_var_log_t)
+
+# pid files
+type nginx_var_run_t;
+files_pid_file(nginx_var_run_t)
+
+########################################
+#
+# nginx local policy
+#
+
+files_read_etc_files(nginx_t)
+libs_use_ld_so(nginx_t)
+libs_use_shared_libs(nginx_t)
+miscfiles_read_localization(nginx_t)
+allow nginx_t self:fifo_file { read write };
+allow nginx_t self:unix_stream_socket create_stream_socket_perms;
+allow nginx_t nginx_var_lib_t:file create_file_perms;
+allow nginx_t nginx_var_lib_t:sock_file create_file_perms;
+allow nginx_t nginx_var_lib_t:dir create_dir_perms;
+files_var_lib_filetrans(nginx_t,nginx_var_lib_t, { file dir sock_file })
+allow nginx_t nginx_var_log_t:file create_file_perms;
+allow nginx_t nginx_var_log_t:sock_file create_file_perms;
+allow nginx_t nginx_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(nginx_t,nginx_var_log_t,{ sock_file file dir })
+allow nginx_t nginx_var_run_t:file manage_file_perms;
+allow nginx_t nginx_var_run_t:sock_file manage_file_perms;
+allow nginx_t nginx_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(nginx_t,nginx_var_run_t, { file sock_file })
+sysnet_dns_name_resolve(nginx_t)
+corenet_tcp_sendrecv_all_if(nginx_t)
+corenet_tcp_sendrecv_all_nodes(nginx_t)
+corenet_tcp_sendrecv_all_ports(nginx_t)
+corenet_non_ipsec_sendrecv(nginx_t)
+corenet_tcp_connect_all_ports(nginx_t)
+corenet_tcp_bind_all_ports(nginx_t)
+corenet_tcp_bind_all_nodes(nginx_t)
+allow nginx_t self:tcp_socket { listen accept };
+init_use_fds(nginx_t)
+init_use_script_ptys(nginx_t)
+domain_use_interactive_fds(nginx_t)
+allow nginx_t fs_t:filesystem associate;
+allow nginx_t home_root_t:dir search;
+allow nginx_t user_home_dir_t:dir search;
+allow nginx_t httpd_sys_content_t:dir { read search getattr };
+allow nginx_t httpd_sys_content_t:file { read getattr };
+allow nginx_t node_t:tcp_socket node_bind;
+allow nginx_t self:capability { setuid net_bind_service setgid };
+allow nginx_t sysctl_kernel_t:dir search;
+allow nginx_t sysctl_kernel_t:file read;
+