CentOS 6.6, SELinux breaks Nginx 1.6.0

bdwyertech nginx-forum at nginx.us
Fri Oct 31 17:48:29 UTC 2014


As a follow-up, if you are using NginX as a proxy, you might need a few more
things.  Here is a preliminary template of a type enforcement I've created
for NginX to alleviate these issues.  You can use this Type Enforcement file
to generate an SELinux module, package it up, and load it.

module nginx 1.0;

require {
	type httpd_t;
	type http_cache_port_t;
	type port_t;
	class process setrlimit;
	class tcp_socket name_connect;
	class capability sys_resource;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     allow_ypbind, httpd_can_network_connect
allow httpd_t port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using one of the these booleans:
#     httpd_can_network_relay, httpd_can_network_connect
allow httpd_t http_cache_port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using the boolean 'httpd_setrlimit'
allow httpd_t self:process setrlimit;

#!!!! This avc can be allowed using one of the these booleans:
#     httpd_run_stickshift, httpd_setrlimit
allow httpd_t self:capability sys_resource;

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254456,254496#msg-254496
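An added example, not part of the original post, showing the build-package-load step the post describes for the Type Enforcement file above, and a small check a defender would want first: audit2allow's comments name stock booleans (httpd_can_network_connect, httpd_can_network_relay, httpd_setrlimit, and so on) that would cover most of these rules, and a distro-maintained boolean is a narrower, better-understood grant than a hand-written allow rule. The script assumes the standard policycoreutils tools (checkmodule, semodule_package, semodule, setsebool); the file names nginx.te / nginx.mod / nginx.pp and the NGINX_TE_APPLY switch are this example's own choices, and the embedded .te is a copy of the posted file so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the original post): list the SELinux booleans named
# in audit2allow's comments of a .te file, count the raw allow rules, and only
# then compile/package/load the module. Assumes policycoreutils tools; the
# NGINX_TE_APPLY variable and file names are this example's own.
set -eu

# Write a copy of the posted nginx.te to the given path (constructed copy so
# the script runs without any other file present).
write_sample_te() {
    cat > "$1" <<'EOF'
module nginx 1.0;

require {
    type httpd_t;
    type http_cache_port_t;
    type port_t;
    class process setrlimit;
    class tcp_socket name_connect;
    class capability sys_resource;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     allow_ypbind, httpd_can_network_connect
allow httpd_t port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using one of the these booleans:
#     httpd_can_network_relay, httpd_can_network_connect
allow httpd_t http_cache_port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using the boolean 'httpd_setrlimit'
allow httpd_t self:process setrlimit;

#!!!! This avc can be allowed using one of the these booleans:
#     httpd_run_stickshift, httpd_setrlimit
allow httpd_t self:capability sys_resource;
EOF
}

# Print, one per line and deduplicated, every boolean that audit2allow's
# "#!!!! ... the boolean 'x'" and "#     a, b" comment lines mention.
list_candidate_booleans() {
    {
        sed -n "s/^#!!!!.*the boolean '\([a-z_]*\)'.*/\1/p" "$1"
        sed -n 's/^#[[:space:]]\{2,\}\([a-z_, ]*\)$/\1/p' "$1" | tr ',' '\n'
    } | tr -d ' ' | grep -v '^$' | LC_ALL=C sort -u
}

# Number of allow rules the module would grant as written.
count_allow_rules() {
    grep -c '^allow ' "$1" || true
}

# Persistently enable the given booleans (the narrower alternative to
# loading a custom module for rules a boolean already covers).
enable_booleans() {
    for b in "$@"; do
        setsebool -P "$b" on
    done
}

# Compile the .te into a binary module, wrap it in a policy package and
# install it into the running policy (needs root and the SELinux toolchain).
build_and_load_module() {
    te="$1"
    base="${te%.te}"
    checkmodule -M -m -o "$base.mod" "$te"
    semodule_package -o "$base.pp" -m "$base.mod"
    semodule -i "$base.pp"
}

# Stand-alone run: report what the sample module asks for; touch the live
# policy only when explicitly requested and the tools are present.
TMP_TE="${TMPDIR:-/tmp}/nginx-example-$$.te"
write_sample_te "$TMP_TE"
echo "Booleans audit2allow says could cover rules in $TMP_TE:"
list_candidate_booleans "$TMP_TE"
echo "allow rules in the module: $(count_allow_rules "$TMP_TE")"
if [ "${NGINX_TE_APPLY:-0}" = 1 ] && command -v checkmodule >/dev/null 2>&1; then
    build_and_load_module "$TMP_TE"
fi
```

Run it as-is to see the candidate booleans; run it with NGINX_TE_APPLY=1 as root to actually build and load the module. Where a listed boolean covers the denial you are hitting, `setsebool -P` on that boolean keeps the grant within the distribution's own policy instead of adding an unconditional allow rule to httpd_t.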