Bug 836503
| Summary: | RFE: add policy for php-fpm and alternative webservers | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jan Vcelak <jvcelak> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 17 | CC: | dominick.grift, dwalsh, mgrepl, tsmetana |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-06-29 10:02:17 UTC | Type: | Bug |
Description
Jan Vcelak
2012-06-29 09:58:28 UTC
Submitted twice by mistake (due to Bugzilla proxy error).

*** This bug has been marked as a duplicate of bug 836502 ***

I have suggested we run nginx in httpd_t just like lighttpd, apache as well as cherokee a while ago. However, the SELinux policy upstream maintainer rejected it: http://oss.tresys.com/pipermail/refpolicy/2011-March/004135.html

I still believe this is the way to go. You can apply these changes manually by using semanage fcontext to tell SELinux how the various nginx locations should be labeled and apply these specs with restorecon -R -v ...

There is also a policy submitted upstream for php-fpm here: http://oss.tresys.com/pipermail/refpolicy/2012-June/005176.html

I personally have my reservations about this policy; however, I do not have enough information and knowledge of php-fpm to make a good and solid argument against it. My suggestion is to also run php-fpm in httpd_t since I *suspect* that php-fpm needs much of the same access that webservers do. I might be wrong.
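A sketch of the manual labeling approach mentioned in the comment above, added here as an example and not taken from the bug report or from selinux-policy. The nginx paths and the choice of httpd_* type for each path are assumptions based on a typical Fedora package layout. It only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: label nginx files with the existing httpd_* types so the
# daemon transitions into httpd_t. Paths are ASSUMED (typical Fedora nginx
# package layout); adjust them to the local install.
# Dry run by default: prints the commands. Set APPLY=1 (as root) to run them.

# One "type|path-regex|restorecon-target" rule per line.
nginx_rules() {
cat <<'EOF'
httpd_exec_t|/usr/sbin/nginx|/usr/sbin/nginx
httpd_config_t|/etc/nginx(/.*)?|/etc/nginx
httpd_log_t|/var/log/nginx(/.*)?|/var/log/nginx
httpd_var_lib_t|/var/lib/nginx(/.*)?|/var/lib/nginx
httpd_sys_content_t|/usr/share/nginx/html(/.*)?|/usr/share/nginx/html
EOF
}

# Emit the semanage/restorecon command lines for every rule.
nginx_label_cmds() {
    nginx_rules | while IFS='|' read -r type regex target; do
        printf "semanage fcontext -a -t %s '%s'\n" "$type" "$regex"
        printf "restorecon -R -v %s\n" "$target"
    done
}

# Print the plan, or execute it (stopping at the first failure) when APPLY=1.
nginx_label() {
    if [ "${APPLY:-0}" = 1 ]; then
        nginx_label_cmds | sh -e
    else
        nginx_label_cmds
    fi
}

nginx_label
```

If the loaded policy already carries a file context for one of these paths, `semanage fcontext -a` reports a conflict; use `-m` for that rule instead, and check the result with `ls -Z`.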