apache: allow nginx -t

nginx needs to be executable by system administrators to be able to run
various actions, including the critical test option -t.

This provides appropriate execution authority to do so.

Signed-off-by: Antonio Enrico Russo <[email protected]>

Author: aerusso

policy/modules/services/apache.if

@@ -134,6 +134,7 @@ template(`apache_role',`
 		type httpd_user_content_t, httpd_user_htaccess_t;
 		type httpd_user_script_t, httpd_user_script_exec_t;
 		type httpd_user_ra_content_t, httpd_user_rw_content_t;
+		attribute_role httpd_helper_roles;
 	')
 
 	role $4 types httpd_user_script_t;
@@ -156,6 +157,10 @@ template(`apache_role',`
 	allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms };
 	allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 
+	# for nginx -t
+	apache_domtrans($3)
+	roleattribute $4 httpd_helper_roles;
+
 	userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html")
 	userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web")
 	userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www")

policy/modules/services/apache.te

@@ -282,7 +282,7 @@ files_config_file(httpd_config_t)
 type httpd_helper_t;
 type httpd_helper_exec_t;
 application_domain(httpd_helper_t, httpd_helper_exec_t)
-role httpd_helper_roles types httpd_helper_t;
+role httpd_helper_roles types { httpd_helper_t httpd_t };
 
 type httpd_initrc_exec_t;
 init_script_file(httpd_initrc_exec_t)