#include <tunables/global>
# AppArmor profile for the nginx binary.
# flags=(complain) means policy violations are only logged, not blocked, so
# none of the rules below confine nginx until the profile is switched to
# enforce mode (for example with aa-enforce) once the logs have been reviewed.
/usr/sbin/nginx flags=(complain) {
  # Shared rule sets: common runtime files, name-service lookups, OpenSSL
  # configuration, and read access to TLS certificates and private keys.
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/ssl_certs>
  #include <abstractions/ssl_keys>

  # Capabilities used around the privilege drop.
  # net_bind_service permits binding ports below 1024; setgid and setuid
  # permit changing to another group/user. dac_override and dac_read_search
  # let a root process bypass file permission checks.
  # NOTE(review): the two dac_* capabilities are broad; confirm they are
  # still required before moving this profile to enforce mode.
  capability dac_override,
  capability dac_read_search,
  capability net_bind_service,
  capability setgid,
  capability setuid,

  # Same rule as in abstractions/apache2-common: read/write access to the
  # process's own AppArmor attribute file under /proc.
  # NOTE(review): write access here is what a profile or hat change request
  # uses; confirm nginx needs it, otherwise narrow to read-only.
  @{PROC}/@{pid}/attr/current rw,

  # Files nginx needs to run: Let's Encrypt TLS options and DH parameters,
  # its configuration, modules and static assets (all read-only), the binary
  # itself (mapped and read), the pid file, and its state directory.
  /etc/letsencrypt/options-ssl-nginx.conf r,
  /etc/letsencrypt/ssl-dhparams.pem r,
  /etc/nginx/** r,
  /run/nginx.pid rw,
  /usr/lib/nginx/** r,
  /usr/sbin/nginx mr,
  /usr/share/nginx/** r,
  /var/lib/nginx/** rw,

  # Logs are write-only, and only these two file names are permitted; any
  # additional log file configured in nginx needs its own rule.
  /var/log/nginx/error.log w,
  /var/log/nginx/access.log w,

  # Served content: read-only, so a compromised worker cannot modify it.
  /var/xyzzy/html/** r,

}