Hi folks, As per bug #368795 [1] we have an open request to include a SELinux policy module for the nginx webserver. However, while working on this, I remembered a small discussion that upstream had about the same matter [2]. It boils down to the question: do we support nginx within the existing domains (the apache SELinux module is generic enough to include support for other webservers as shown by its current support for lighttpd) or do we use a new module for this?
[1] https://bugs.gentoo.org/show_bug.cgi?id=368795 [2] http://oss.tresys.com/pipermail/refpolicy/2011-March/004135.html The thread upstream didn't give a clear signal in my opinion here. On the one hand was there a mail that said "we should have a specific nginx module", but the reasoning behind it was countered. Yet the patch itself (to include nginx support in apache module) isn't pushed to the repository. Our current "policy" [3] here (what's in a name) has no clear answer on it. We do say we want to track upstream as closely as possible (and make sure that our customizations do not interfere with it) but that doesn't give a signal in either direction. [3] http://goo.gl/2U0Zr My /personal/ vision here is that we eventually would need a capability-based module ("webserver") with specific implementations that use the interfaces/templates from the generic one for their specific implementations ("nginx", "apache", ...) but _that_ does not work with the current upstream implementation (or way of working). So... ideas? Do we want to "keep it simple" and update the apache policy to support nginx? Or do we want to stay "least privilege" and have dedicated rules for applications? Or do we see if we can deviate from upstream here and start our own path (in my opinion, we can't as long as we do not have a critical developer mass - in numbers, not in kilogram). Wkr, Sven Vermeulen
