| Field | Value |
|---|---|
| Summary | app-admin/webapp-config, SELinux support: set 'server-owned' file as rw content |
| Product | Gentoo Linux |
| Reporter | Vincent Brillault <gentoo> |
| Component | Current packages |
| Assignee | Gentoo Web Application Packages Maintainers <web-apps> |
| Status | UNCONFIRMED |
| Severity | enhancement |
| CC | web-apps |
| Priority | Normal |
| Keywords | PATCH |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 434914, 434892 |
| Bug Blocks | |
| Attachments | Proposed patch to implement the enhancement |
Comment #0, Vincent Brillault:

Created attachment 323682 [details, diff]
Proposed patch to implement the enhancement

The basic httpd policy contains a special rw content type, httpd_sys_rw_content_t. Other policies, like phpfpm, directly have the right to modify such content.

This patch allows webapp-config to create/remove a new SELinux policy per installed web app, allowing the user to set the correct labels by simply relabeling the installed app (it also makes these labels survive any global relabeling).

It's not full SELinux support:

- The server-owned files are not created with the right context (but can be relabeled easily)
- The files which are hardlinked don't have the right context (but can also be relabeled easily)

Comment #1, Sven Vermeulen:

This might not be the best approach.

If the file contexts are all that need to be set, then either have it defined directly in the policy (if the location, give or take a regular expression here and there, is known), or through a "semanage fcontext" call so it gets registered as a local file context (and thus survives restorecon calls).

However, if we could create separate types for each web application through this (i.e. first check if no such module exists, like with AWStats -> apache_content_template(awstats) in the awstats.pp module, and if not create one) that might be an idea.

Otoh, we could then just as well create the modules immediately.

Comment #2:

(In reply to Sven Vermeulen from comment #1)
> This might not be the best approach.
>
> If the file contexts are all that need to be set, then either have it
> defined directly in the policy (if the location, give or take a regular
> expression here and there, is known), or through a "semanage fcontext" call
> so it gets registered as a local file context (and thus survives restorecon
> calls).
>
> However, if we could create separate types for each web application through
> this (i.e. first check if no such module exists, like with AWStats ->
> apache_content_template(awstats) in the awstats.pp module, and if not create
> one) that might be an idea.
>
> Otoh, we could then just as well create the modules immediately.

Swift, anything to be done here for webapp-config?