
nginx.te: Allow access to dac_override.#12

Open
jpds wants to merge 1 commit into perfinion:next from jpds:nginx-dacoverride

Conversation


@jpds jpds commented Apr 5, 2021

No description provided.

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
@jpds jpds changed the base branch from master to next April 5, 2021 18:53

github-actions bot commented Sep 6, 2021

This PR has not had any recent activity. It will be closed in 7 days if it makes no further progress.

@github-actions github-actions bot added the stale label Sep 6, 2021
@github-actions

Closing stale PR.

@github-actions github-actions bot closed this Sep 14, 2021
@perfinion perfinion reopened this Nov 11, 2021
@0xC0ncord

I think we might want to see an AVC for this. I run nginx in production on 2 different boxes and have never needed to add this access in a local policy.


jpds commented Nov 13, 2021

@0xC0ncord You mentioned a while back that you have nginx log to syslog; I don't. This is also already in upstream as they put apache and nginx into one: https://github.com/SELinuxProject/refpolicy/blob/2d371fcee25e27fbe86bf0246f2728d57c079766/policy/modules/services/apache.te#L366

@0xC0ncord

> @0xC0ncord You mentioned a while back that you have nginx log to syslog; I don't. This is also already in upstream as they put apache and nginx into one: SELinuxProject/refpolicy@2d371fc/policy/modules/services/apache.te#L366

Hmm. OK. It just didn't seem right at first. Normally when I see dac_override I try to find a way to allow the access without it, as some programs may use the dac_override capability as a last resort. Sometimes just fixing the DAC permissions themselves suffices.


jpds commented Dec 5, 2021

So this finally happened again yesterday - VM freshly installed, nginx worked fine on initial install and then rebooted a few weeks later and:

-rw-r--r--. 1 nginx root system_u:object_r:nginx_log_t 375 Dec  4 15:41 nginx/error_log

Dec  4 15:46:47 vanilla kernel: audit: type=1400 audit(1638632808.188:1375): avc:  denied  { dac_override } for  pid=2218 comm="nginx" capability=1  scontext=system_u:system_r:nginx_t tcontext=system_u:system_r:nginx_t tclass=capability permissive=0
Dec  4 15:46:48 vanilla /etc/init.d/nginx[2217]: start-stop-daemon: failed to start `/usr/sbin/nginx'

I'm guessing logrotate did something to the permissions(?). I haven't tweaked anything in the nginx config since the install.
