From noloader at gmail.com  Mon Nov 18 21:34:12 2024
From: noloader at gmail.com (Jeffrey Walton)
Date: Mon, 18 Nov 2024 16:34:12 -0500
Subject: Nginx on Fedora with SELinux
Message-ID:

Hi Everyone,

I'm trying to install Nginx on Fedora 41 with SELinux in enforcing
mode. In my case, the document root is /var/www/html (for historic
reasons).

I added /etc/nginx/conf.d/webserver.conf, and specified my document
root. I chown'd -R /var/www to root:nginx. I also chmod'd -R o-rwx
/var/www. Visiting the web server resulted in a 403 [due to SELinux].

According to /etc/nginx/nginx.conf, the Nginx document root is
/usr/share/nginx/html. So I `ls -Z /usr/share/nginx/html` and found
the SELinux context of system_u:object_r:httpd_sys_content_t:s0.

I chcon'd -R system_u:object_r:httpd_sys_content_t:s0 /var/www.
Visiting the web server succeeded.

So I am not at the point where I need to make it permanent. But I am
also at the limits of my SELinux knowledge.

Does anyone know how to make the change survive a restorecon or reboot
(and not break things, like the default Nginx install or SELinux
rules)?

Thanks in advance.

Jeff

From 201904-nginx at planhack.com  Mon Nov 18 22:50:56 2024
From: 201904-nginx at planhack.com (201904-nginx at planhack.com)
Date: Mon, 18 Nov 2024 17:50:56 -0500
Subject: Nginx on Fedora with SELinux
In-Reply-To:
Message-ID: <13ca9912-28df-4349-941c-c01191745906@planhack.com>

https://www.mankier.com/8/semanage-fcontext

From pluknet at nginx.com  Tue Nov 26 17:15:33 2024
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Tue, 26 Nov 2024 21:15:33 +0400
Subject: nginx-1.27.3
Message-ID:

Changes with nginx 1.27.3                                        26 Nov 2024

    *) Feature: the "server" directive in the "upstream" block supports
       the "resolve" parameter.

    *) Feature: the "resolver" and "resolver_timeout" directives in the
       "upstream" block.

    *) Feature: SmarterMail specific mode support for IMAP LOGIN with
       untagged CAPABILITY response in the mail proxy module.

    *) Change: now TLSv1 and TLSv1.1 protocols are disabled by default.

    *) Change: an IPv6 address in square brackets and no port can be
       specified in the "proxy_bind", "fastcgi_bind", "grpc_bind",
       "memcached_bind", "scgi_bind", and "uwsgi_bind" directives, and as
       client address in ngx_http_realip_module.

    *) Bugfix: in the ngx_http_mp4_module.
       Thanks to Nils Bars.

    *) Bugfix: the "so_keepalive" parameter of the "listen" directive might
       be handled incorrectly on DragonFly BSD.

    *) Bugfix: in the "proxy_store" directive.


--
Sergey Kandaurov
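
For the "Nginx on Fedora with SELinux" thread above: an added example, not written by either poster, of making the label persistent with semanage fcontext (the tool the reply links to) and restorecon instead of chcon. It adds a local rule only when the loaded policy does not already assign httpd_sys_content_t to the path. It assumes semanage, restorecon and matchpathcon are installed and that the script is run as root with the argument "apply"; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): keep httpd_sys_content_t on a document
# root across restorecon and reboot. DOCROOT defaults to the thread's /var/www.
DOCROOT="${DOCROOT:-/var/www}"
WANT_TYPE="httpd_sys_content_t"

# Regex that semanage stores: the directory itself plus everything beneath it.
fcontext_spec() {
    printf '%s(/.*)?\n' "${1%/}"
}

# Extract the type from user:role:type:level (the level may contain colons).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Type the loaded policy assigns to a path (-n: print the context only).
policy_type() {
    context_type "$(matchpathcon -n "$1")"
}

persist_label() {
    dir="${1%/}"
    if [ "$(policy_type "$dir")" != "$WANT_TYPE" ]; then
        # Policy has no matching rule for this path: add a persistent local one.
        semanage fcontext -a -t "$WANT_TYPE" "$(fcontext_spec "$dir")"
    fi
    # Relabel from policy (unlike chcon, this is what a later restorecon does).
    restorecon -Rv "$dir"
    # Verify that the on-disk label now matches what policy expects.
    matchpathcon -V "$dir"
    # List local customizations so the change can be reviewed.
    semanage fcontext -l -C
}

# Nothing is changed unless explicitly requested: sh script.sh apply
if [ "${1:-}" = "apply" ]; then
    persist_label "$DOCROOT"
fi
```
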