Initial commit to tree

(Portage version: 2.1.10.3/cvs/Linux x86_64)

6 files changed, 609 insertions, 0 deletions

diff --git a/sec-policy/selinux-nginx/ChangeLog b/sec-policy/selinux-nginx/ChangeLog
new file mode 100644
index 000000000000..d425452887c4
--- /dev/null
+++ b/sec-policy/selinux-nginx/ChangeLog
@@ -0,0 +1,22 @@
+# ChangeLog for sec-policy/selinux-nginx
+# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-nginx/ChangeLog,v 1.1 2011/07/25 23:06:58 blueness Exp $
+
+  25 Jul 2011; Anthony G. Basile <blueness@gentoo.org>
+  +files/fix-services-nginx-r1.patch, +files/fix-services-nginx-r2.patch,
+  +selinux-nginx-2.20101213-r1.ebuild, +selinux-nginx-2.20101213-r2.ebuild,
+  +metadata.xml:
+  Initial commit to tree
+
+*selinux-nginx-2.20101213-r2 (21 Jul 2011)
+
+  21 Jul 2011; <swift@gentoo.org> +files/fix-services-nginx-r2.patch,
+  +selinux-nginx-2.20101213-r2.ebuild:
+  Improve nginx policy and make it compliant with upstream rules
+
+*selinux-nginx-2.20101213-r1 (17 Jul 2011)
+
+  17 Jul 2011; <swift@gentoo.org> +files/fix-services-nginx-r1.patch,
+  +selinux-nginx-2.20101213-r1.ebuild, +metadata.xml:
+  Add initial support for nginx
+
diff --git a/sec-policy/selinux-nginx/files/fix-services-nginx-r1.patch b/sec-policy/selinux-nginx/files/fix-services-nginx-r1.patch
new file mode 100644
index 000000000000..16a2709e43cb
--- /dev/null
+++ b/sec-policy/selinux-nginx/files/fix-services-nginx-r1.patch
@@ -0,0 +1,282 @@
+--- services/nginx.te	1970-01-01 01:00:00.000000000 +0100
++++ services/nginx.te	2011-07-17 20:07:44.094000909 +0200
+@@ -0,0 +1,214 @@
++###############################################################################
++# SELinux module for the NGINX Web Server
++#
++# Project Contact Information:
++#   Stuart Cianos
++#   Email: scianos@alphavida.com
++#
++###############################################################################
++# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
++#
++#
++# Stuart Cianos licenses this file to You under the GNU General Public License,
++# Version 3.0 (the "License"); you may not use this file except in compliance
++# with the License.  You may obtain a copy of the License at
++#
++#     http://www.gnu.org/licenses/gpl.txt
++#
++# or in the COPYING file included in the original archive.
++#
++# Disclaimer of Warranty.
++#
++# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
++# APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
++# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
++# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
++# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++# PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
++# IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
++# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
++#
++# Limitation of Liability.
++#
++# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
++# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
++# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
++# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
++# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
++# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
++# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
++# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
++# SUCH DAMAGES.
++###############################################################################
++policy_module(nginx,1.0.10)
++
++########################################
++#
++# Declarations
++#
++
++## <desc>
++## <p>
++## Allow nginx to serve HTTP content (act as an http server)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_enable_http_server, false)
++
++## <desc>
++## <p>
++## Allow nginx to act as an imap proxy server)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_enable_imap_server, false)
++
++## <desc>
++## <p>
++## Allow nginx to act as a pop3 server)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_enable_pop3_server, false)
++
++## <desc>
++## <p>
++## Allow nginx to act as an smtp server)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_enable_smtp_server, false)
++
++## <desc>
++## <p>
++## Allow nginx to connect to remote HTTP servers
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_can_network_connect_http, false)
++
++## <desc>
++## <p>
++## Allow nginx to connect to remote servers (regardless of protocol)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_can_network_connect, false)
++
++type nginx_t;
++type nginx_exec_t;
++init_daemon_domain(nginx_t, nginx_exec_t)
++
++type nginx_initrc_exec_t;
++init_script_file(nginx_initrc_exec_t)
++
++# conf files
++type nginx_conf_t;
++files_type(nginx_conf_t)
++
++# var/lib files
++type nginx_var_lib_t;
++files_type(nginx_var_lib_t)
++
++# log files
++type nginx_log_t;
++logging_log_file(nginx_log_t)
++
++# pid files
++type nginx_var_run_t;
++files_pid_file(nginx_var_run_t)
++
++# tmp files
++type nginx_tmp_t;
++files_tmp_file(nginx_tmp_t)
++
++########################################
++#
++# nginx local policy
++#
++
++## Self rules
++allow nginx_t self:fifo_file { read write };
++allow nginx_t self:unix_stream_socket create_stream_socket_perms;
++allow nginx_t self:tcp_socket { listen accept };
++allow nginx_t self:capability { setuid net_bind_service setgid chown };
++
++## Policy-owned type management rules
++# log files
++manage_files_pattern(nginx_t, nginx_log_t, nginx_log_t)
++#manage_sock_files_pattern(nginx_t, nginx_log_t, nginx_log_t)
++logging_log_filetrans(nginx_t, nginx_log_t, { file dir })
++#logging_log_filetrans(nginx_t, nginx_log_t, { sock_file })
++
++# pid file
++#allow nginx_t nginx_var_run_t:sock_file manage_file_perms;
++manage_dirs_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
++manage_files_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
++files_pid_filetrans(nginx_t, nginx_var_run_t, file)
++#files_pid_filetrans(nginx_t, nginx_var_run_t, { file sock_file })
++
++# conf files
++read_files_pattern(nginx_t, nginx_conf_t, nginx_conf_t)
++
++# tmp files
++manage_files_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
++manage_dirs_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
++files_tmp_filetrans(nginx_t, nginx_tmp_t, dir)
++
++# various
++allow nginx_t nginx_var_lib_t:file create_file_perms;
++allow nginx_t nginx_var_lib_t:sock_file create_file_perms;
++allow nginx_t nginx_var_lib_t:dir create_dir_perms;
++files_var_lib_filetrans(nginx_t,nginx_var_lib_t, { file dir sock_file })
++
++## Kernel layer modules
++kernel_read_kernel_sysctls(nginx_t)
++corenet_tcp_bind_generic_node(nginx_t)
++corenet_tcp_sendrecv_generic_if(nginx_t)
++corenet_tcp_sendrecv_generic_node(nginx_t)
++#corenet_tcp_sendrecv_all_ports(nginx_t)
++#corenet_non_ipsec_sendrecv(nginx_t)
++domain_use_interactive_fds(nginx_t)
++files_read_etc_files(nginx_t)
++
++## Perhaps as a policy tunable?
++#corenet_tcp_bind_all_ports(nginx_t)
++#corenet_tcp_bind_all_nodes(nginx_t)
++
++## System layer modules
++miscfiles_read_localization(nginx_t)
++sysnet_dns_name_resolve(nginx_t)
++
++## Other modules
++
++#init_use_fds(nginx_t)
++#init_use_script_ptys(nginx_t)
++#libs_use_ld_so(nginx_t)
++#libs_use_shared_libs(nginx_t)
++
++#allow nginx_t fs_t:filesystem associate;
++#allow nginx_t home_root_t:dir search;
++#allow nginx_t user_home_dir_t:dir search;
++
++tunable_policy(`gentoo_nginx_enable_http_server',`
++	corenet_tcp_bind_http_port(nginx_t)
++	apache_read_sys_content(nginx_t)
++')
++
++# We enable both binding and connecting, since nginx acts here as a reverse proxy
++tunable_policy(`gentoo_nginx_enable_imap_server',`
++	corenet_tcp_bind_pop_port(nginx_t)
++	corenet_tcp_connect_pop_port(nginx_t)
++')
++
++tunable_policy(`gentoo_nginx_enable_pop3_server',`
++	corenet_tcp_bind_pop_port(nginx_t)
++	corenet_tcp_connect_pop_port(nginx_t)
++')
++
++tunable_policy(`gentoo_nginx_enable_smtp_server',`
++	corenet_tcp_bind_smtp_port(nginx_t)
++	corenet_tcp_connect_smtp_port(nginx_t)
++')
++
++tunable_policy(`gentoo_nginx_can_network_connect_http',`
++	corenet_tcp_connect_http_port(nginx_t)
++')
++
++tunable_policy(`gentoo_nginx_can_network_connect',`
++	corenet_tcp_connect_all_ports(nginx_t)
++')
+--- services/nginx.fc	1970-01-01 01:00:00.000000000 +0100
++++ services/nginx.fc	2011-06-13 22:16:54.428001426 +0200
+@@ -0,0 +1,62 @@
++###############################################################################
++# SELinux module for the NGINX Web Server
++#
++# Project Contact Information:
++#   Stuart Cianos
++#   Email: scianos@alphavida.com
++#
++###############################################################################
++# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
++#
++#
++# Stuart Cianos licenses this file to You under the GNU General Public License,
++# Version 3.0 (the "License"); you may not use this file except in compliance
++# with the License.  You may obtain a copy of the License at
++#
++#     http://www.gnu.org/licenses/gpl.txt
++#
++# or in the COPYING file included in the original archive.
++#
++# Disclaimer of Warranty.
++#
++# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
++# APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
++# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
++# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
++# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++# PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
++# IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
++# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
++#
++# Limitation of Liability.
++#
++# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
++# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
++# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
++# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
++# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
++# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
++# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
++# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
++# SUCH DAMAGES.
++###############################################################################
++# nginx executable will have:
++# label: system_u:object_r:nginx_exec_t
++# MLS sensitivity: s0
++# MCS categories: <none>
++
++/usr/sbin/nginx				--	gen_context(system_u:object_r:nginx_exec_t,s0)
++/etc/nginx(/.*)?				gen_context(system_u:object_r:nginx_conf_t,s0)
++/etc/ssl/nginx(/.*)?				gen_context(system_u:object_r:nginx_conf_t,s0)
++/etc/rc\.d/init\.d/nginx		--	gen_context(system_u:object_r:nginx_initrc_exec_t,s0)
++/var/tmp/nginx(/.*)?				gen_context(system_u:object_r:nginx_tmp_t,s0)
++
++
++#/usr/local/nginx/sbin/nginx		--	gen_context(system_u:object_r:nginx_exec_t,s0)
++#/usr/local/nginx/logs/nginx.pid			gen_context(system_u:object_r:nginx_var_run_t,s0)
++#/usr/local/nginx/logs(/.*)?			gen_context(system_u:object_r:nginx_var_log_t,s0)
++#/usr/local/nginx/proxy_temp(/.*)?			gen_context(system_u:object_r:nginx_var_lib_t,s0)
++#/usr/local/nginx/fastcgi_temp(/.*)?                   gen_context(system_u:object_r:nginx_var_lib_t,s0)
++#/usr/local/nginx/client_body_temp(/.*)?               gen_context(system_u:object_r:nginx_var_lib_t,s0)
++#/usr/local/nginx/html(/.*)?               gen_context(user_u:object_r:httpd_sys_content_t,s0)
++#/usr/local/nginx/conf(/.*)?		    gen_context(system_u:object_r:etc_t,s0)
diff --git a/sec-policy/selinux-nginx/files/fix-services-nginx-r2.patch b/sec-policy/selinux-nginx/files/fix-services-nginx-r2.patch
new file mode 100644
index 000000000000..8f337edb9dd9
--- /dev/null
+++ b/sec-policy/selinux-nginx/files/fix-services-nginx-r2.patch
@@ -0,0 +1,263 @@
+--- services/nginx.te	1970-01-01 01:00:00.000000000 +0100
++++ services/nginx.te	2011-07-21 14:12:37.817000675 +0200
+@@ -0,0 +1,194 @@
++###############################################################################
++# SELinux module for the NGINX Web Server
++#
++# Project Contact Information:
++#   Stuart Cianos
++#   Email: scianos@alphavida.com
++#
++###############################################################################
++# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
++#
++#
++# Stuart Cianos licenses this file to You under the GNU General Public License,
++# Version 3.0 (the "License"); you may not use this file except in compliance
++# with the License.  You may obtain a copy of the License at
++#
++#     http://www.gnu.org/licenses/gpl.txt
++#
++# or in the COPYING file included in the original archive.
++#
++# Disclaimer of Warranty.
++#
++# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
++# APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
++# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
++# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
++# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++# PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
++# IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
++# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
++#
++# Limitation of Liability.
++#
++# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
++# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
++# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
++# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
++# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
++# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
++# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
++# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
++# SUCH DAMAGES.
++###############################################################################
++policy_module(nginx,1.0.10)
++
++########################################
++#
++# Declarations
++#
++
++## <desc>
++## <p>
++## Allow nginx to serve HTTP content (act as an http server)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_enable_http_server, false)
++
++## <desc>
++## <p>
++## Allow nginx to act as an imap proxy server)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_enable_imap_server, false)
++
++## <desc>
++## <p>
++## Allow nginx to act as a pop3 server)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_enable_pop3_server, false)
++
++## <desc>
++## <p>
++## Allow nginx to act as an smtp server)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_enable_smtp_server, false)
++
++## <desc>
++## <p>
++## Allow nginx to connect to remote HTTP servers
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_can_network_connect_http, false)
++
++## <desc>
++## <p>
++## Allow nginx to connect to remote servers (regardless of protocol)
++## </p>
++## </desc>
++gen_tunable(gentoo_nginx_can_network_connect, false)
++
++type nginx_t;
++type nginx_exec_t;
++init_daemon_domain(nginx_t, nginx_exec_t)
++
++# conf files
++type nginx_conf_t;
++files_type(nginx_conf_t)
++
++# log files
++type nginx_log_t;
++logging_log_file(nginx_log_t)
++
++# tmp files
++type nginx_tmp_t;
++files_tmp_file(nginx_tmp_t)
++
++# var/lib files
++type nginx_var_lib_t;
++files_type(nginx_var_lib_t)
++
++# pid files
++type nginx_var_run_t;
++files_pid_file(nginx_var_run_t)
++
++########################################
++#
++# nginx local policy
++#
++
++## Self rules
++allow nginx_t self:fifo_file { read write };
++allow nginx_t self:unix_stream_socket create_stream_socket_perms;
++allow nginx_t self:tcp_socket { listen accept };
++allow nginx_t self:capability { setuid net_bind_service setgid chown };
++
++## Policy-owned type management rules
++
++# conf files
++read_files_pattern(nginx_t, nginx_conf_t, nginx_conf_t)
++
++# log files
++manage_files_pattern(nginx_t, nginx_log_t, nginx_log_t)
++logging_log_filetrans(nginx_t, nginx_log_t, { file dir })
++
++
++# pid file
++manage_dirs_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
++manage_files_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
++files_pid_filetrans(nginx_t, nginx_var_run_t, file)
++
++# tmp files
++manage_files_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
++manage_dirs_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)
++files_tmp_filetrans(nginx_t, nginx_tmp_t, dir)
++
++# var/lib files
++create_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t)
++create_sock_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t)
++files_var_lib_filetrans(nginx_t,nginx_var_lib_t, { file dir sock_file })
++
++## Kernel layer modules
++#
++kernel_read_kernel_sysctls(nginx_t)
++corenet_tcp_bind_generic_node(nginx_t)
++corenet_tcp_sendrecv_generic_if(nginx_t)
++corenet_tcp_sendrecv_generic_node(nginx_t)
++domain_use_interactive_fds(nginx_t)
++files_read_etc_files(nginx_t)
++
++## System layer modules
++miscfiles_read_localization(nginx_t)
++sysnet_dns_name_resolve(nginx_t)
++
++## Other modules
++
++tunable_policy(`gentoo_nginx_enable_http_server',`
++	corenet_tcp_bind_http_port(nginx_t)
++	apache_read_sys_content(nginx_t)
++')
++
++# We enable both binding and connecting, since nginx acts here as a reverse proxy
++tunable_policy(`gentoo_nginx_enable_imap_server',`
++	corenet_tcp_bind_pop_port(nginx_t)
++	corenet_tcp_connect_pop_port(nginx_t)
++')
++
++tunable_policy(`gentoo_nginx_enable_pop3_server',`
++	corenet_tcp_bind_pop_port(nginx_t)
++	corenet_tcp_connect_pop_port(nginx_t)
++')
++
++tunable_policy(`gentoo_nginx_enable_smtp_server',`
++	corenet_tcp_bind_smtp_port(nginx_t)
++	corenet_tcp_connect_smtp_port(nginx_t)
++')
++
++tunable_policy(`gentoo_nginx_can_network_connect_http',`
++	corenet_tcp_connect_http_port(nginx_t)
++')
++
++tunable_policy(`gentoo_nginx_can_network_connect',`
++	corenet_tcp_connect_all_ports(nginx_t)
++')
+--- services/nginx.fc	1970-01-01 01:00:00.000000000 +0100
++++ services/nginx.fc	2011-07-21 14:21:43.956000690 +0200
+@@ -0,0 +1,63 @@
++###############################################################################
++# SELinux module for the NGINX Web Server
++#
++# Project Contact Information:
++#   Stuart Cianos
++#   Email: scianos@alphavida.com
++#
++###############################################################################
++# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved.
++#
++#
++# Stuart Cianos licenses this file to You under the GNU General Public License,
++# Version 3.0 (the "License"); you may not use this file except in compliance
++# with the License.  You may obtain a copy of the License at
++#
++#     http://www.gnu.org/licenses/gpl.txt
++#
++# or in the COPYING file included in the original archive.
++#
++# Disclaimer of Warranty.
++#
++# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
++# APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
++# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
++# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
++# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++# PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
++# IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
++# ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
++#
++# Limitation of Liability.
++#
++# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
++# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
++# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
++# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
++# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
++# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
++# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
++# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
++# SUCH DAMAGES.
++###############################################################################
++# nginx executable will have:
++# label: system_u:object_r:nginx_exec_t
++# MLS sensitivity: s0
++# MCS categories: <none>
++
++#
++# /etc
++#
++/etc/nginx(/.*)?				gen_context(system_u:object_r:nginx_conf_t,s0)
++/etc/ssl/nginx(/.*)?				gen_context(system_u:object_r:nginx_conf_t,s0)
++
++#
++# /usr
++#
++/usr/sbin/nginx				--	gen_context(system_u:object_r:nginx_exec_t,s0)
++
++#
++# /var
++#
++/var/log/nginx(/.*)?				gen_context(system_u:object_r:nginx_log_t,s0)
++/var/tmp/nginx(/.*)?				gen_context(system_u:object_r:nginx_tmp_t,s0)
diff --git a/sec-policy/selinux-nginx/metadata.xml b/sec-policy/selinux-nginx/metadata.xml
new file mode 100644
index 000000000000..a74b86c6ec6d
--- /dev/null
+++ b/sec-policy/selinux-nginx/metadata.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<herd>selinux</herd>
+	<longdescription>Gentoo SELinux policy for nginx</longdescription>
+</pkgmetadata>
diff --git a/sec-policy/selinux-nginx/selinux-nginx-2.20101213-r1.ebuild b/sec-policy/selinux-nginx/selinux-nginx-2.20101213-r1.ebuild
new file mode 100644
index 000000000000..44102eee2b0c
--- /dev/null
+++ b/sec-policy/selinux-nginx/selinux-nginx-2.20101213-r1.ebuild
@@ -0,0 +1,18 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-nginx/selinux-nginx-2.20101213-r1.ebuild,v 1.1 2011/07/25 23:06:58 blueness Exp $
+
+IUSE=""
+
+MODS="nginx"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for nginx web server application"
+
+KEYWORDS="~amd64 ~x86"
+DEPEND="sec-policy/selinux-base-policy
+		sec-policy/selinux-apache"
+RDEPEND="${DEPEND}"
+
+POLICY_PATCH="${FILESDIR}/fix-services-nginx-r1.patch"
diff --git a/sec-policy/selinux-nginx/selinux-nginx-2.20101213-r2.ebuild b/sec-policy/selinux-nginx/selinux-nginx-2.20101213-r2.ebuild
new file mode 100644
index 000000000000..33945e01bd3e
--- /dev/null
+++ b/sec-policy/selinux-nginx/selinux-nginx-2.20101213-r2.ebuild
@@ -0,0 +1,18 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-nginx/selinux-nginx-2.20101213-r2.ebuild,v 1.1 2011/07/25 23:06:58 blueness Exp $
+
+IUSE=""
+
+MODS="nginx"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for nginx web server application"
+
+KEYWORDS="~amd64 ~x86"
+DEPEND="sec-policy/selinux-base-policy
+		sec-policy/selinux-apache"
+RDEPEND="${DEPEND}"
+
+POLICY_PATCH="${FILESDIR}/fix-services-nginx-r2.patch"