
Bug 434916

Summary: app-admin/webapp-config, SELinux support: set 'server-owned' file as rw content
Product: Gentoo Linux
Reporter: Vincent Brillault <gentoo>
Component: Current packages
Assignee: Gentoo Web Application Packages Maintainers <web-apps>
Status: UNCONFIRMED
Severity: enhancement
CC: web-apps
Priority: Normal
Keywords: PATCH
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 434914, 434892
Bug Blocks:
Attachments: Proposed patch to implement the enhancement

Description Vincent Brillault 2012-09-13 16:19:02 UTC
Created attachment 323682
Proposed patch to implement the enhancement

The basic httpd policy contains a special rw content type, httpd_sys_rw_content_t. Other policies, like phpfpm, directly have the right to modify such content.

This patch allows webapp-config to create/remove a new SELinux policy per installed web app, allowing the user to set the correct labels by simply relabeling the installed app (it also makes these labels survive any global relabeling).

It's not a full SELinux support:
- The server-owned files are not created with the right context (but can be relabeled easily)
- The files which are hardlinked don't have the right context (but can also be relabeled easily)
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-09-21 18:37:35 UTC
This might not be the best approach.

If the file contexts are all that need to be set, then either have it defined directly in the policy (if the location, give or take a regular expression here and there, is known), or through a "semanage fcontext" call so it gets registered as a local file context (and thus survives restorecon calls).

However, if we could create separate types for each web application through this (i.e. first check if no such module exists, like with AWStats -> apache_content_template(awstats) in the awstats.pp module, and if not create one) that might be an idea.

Otoh, we could then just as well create the modules immediately.
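The two routes discussed above (the description's per-app relabeling that survives a global relabel, and comment 1's "semanage fcontext" registration versus a per-app module built on apache_content_template), as an added shell example. This is not code from webapp-config, from the attached patch, or from the Gentoo policy; it assumes a hypothetical app installed under one root with a single subdirectory the server must write to, takes httpd_sys_content_t, httpd_sys_rw_content_t and apache_content_template() from the reference policy, and assumes the template emits httpd_<name>_content_t and httpd_<name>_rw_content_t (older refpolicy releases name the writable type httpd_<name>_script_rw_t; check apache.if on the target). The Makefile path is Gentoo's for the strict policy type and is an assumption as well.

```shell
#!/bin/sh
# Added example; not code from webapp-config or from the attached patch.
# Assumptions (hypothetical, not from the bug): one install root with a
# single server-writable subdirectory; httpd_sys_content_t,
# httpd_sys_rw_content_t and apache_content_template() as in refpolicy;
# the template assumed to emit httpd_<name>_content_t and
# httpd_<name>_rw_content_t (older releases: httpd_<name>_script_rw_t).
set -u

# Gentoo's policy build Makefile for the "strict" policy type (assumption;
# adjust for targeted/mcs, or /usr/share/selinux/devel/Makefile elsewhere).
DEVEL_MAKEFILE=${DEVEL_MAKEFILE:-/usr/share/selinux/strict/include/Makefile}

# File-context specs are regular expressions: escape dots in a path so
# "example.com" does not also match "exampleXcom".
fc_escape() {
    printf '%s' "$1" | sed 's/[.]/\\./g'
}

# Path 1 (file contexts only): print the "regex type" pairs for one app.
# Whole tree read-only for httpd, the rw subdirectory writable.
webapp_fc_specs() {
    root=$(fc_escape "${1%/}")    # strip a trailing slash before anchoring
    rw_subdir=$(fc_escape "$2")
    printf '%s(/.*)? httpd_sys_content_t\n' "$root"
    printf '%s/%s(/.*)? httpd_sys_rw_content_t\n' "$root" "$rw_subdir"
}

# Register the specs as local file contexts (file_contexts.local) so that a
# global relabel or restorecon reapplies them, then relabel the tree. The
# relabel also fixes server-created files and hardlinks with the wrong label.
webapp_apply_fcontexts() {
    webapp_fc_specs "$1" "$2" | while read -r regex type; do
        semanage fcontext -a -t "$type" "$regex" 2>/dev/null \
            || semanage fcontext -m -t "$type" "$regex"
    done
    restorecon -R "${1%/}"
}

# Path 2 (own types per app): only when no module of that name is loaded
# already (e.g. awstats.pp already calls apache_content_template(awstats)).
webapp_module_loaded() {
    semodule -l 2>/dev/null | awk '{ print $1 }' | grep -qx "$1"
}

# Write NAME.te and NAME.fc into OUTDIR.
webapp_write_module() {
    name=$1; root=$(fc_escape "${2%/}"); rw_subdir=$(fc_escape "$3"); outdir=$4
    mkdir -p "$outdir"
    cat > "$outdir/$name.te" <<EOF
policy_module($name, 1.0)

# Declares the httpd_${name}_* content and script types together with the
# rules that let httpd read the content and write the rw content.
apache_content_template($name)
EOF
    {
        printf '%s(/.*)?\tgen_context(system_u:object_r:httpd_%s_content_t,s0)\n' \
            "$root" "$name"
        printf '%s/%s(/.*)?\tgen_context(system_u:object_r:httpd_%s_rw_content_t,s0)\n' \
            "$root" "$rw_subdir" "$name"
    } > "$outdir/$name.fc"
}

# Build, load and apply the module; skips when the name is already taken.
webapp_install_module() {
    name=$1; root=$2; rw_subdir=$3; workdir=$4
    if webapp_module_loaded "$name"; then
        echo "module $name already loaded; not replacing it" >&2
        return 0
    fi
    webapp_write_module "$name" "$root" "$rw_subdir" "$workdir" || return 1
    ( cd "$workdir" && make -f "$DEVEL_MAKEFILE" "$name.pp" ) || return 1
    semodule -i "$workdir/$name.pp" || return 1
    restorecon -R "${root%/}"
}

# Removal, the counterpart webapp-config would need on uninstall.
webapp_remove_module() {
    semodule -r "$1"
}
```

Usage: `webapp_apply_fcontexts /var/www/localhost/htdocs/myapp data` registers the two specs and relabels; `webapp_install_module myapp /var/www/localhost/htdocs/myapp data /tmp/myapp-policy` instead gives the app its own types and skips if a "myapp" module is already loaded. Either way the labels are reapplied by a later global relabel, which is the property the description asks for; the module route additionally lets policy refer to the app's content by its own type rather than by httpd_sys_rw_content_t shared with every other app.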
Comment 2 Anthony Basile gentoo-dev 2013-08-03 15:39:18 UTC
(In reply to Sven Vermeulen from comment #1)
> This might not be the best approach.
> 
> If the file contexts are all that need to be set, then either have it
> defined directly in the policy (if the location, give or take a regular
> expression here and there, is known), or through a "semanage fcontext" call
> so it gets registered as a local file context (and thus survives restorecon
> calls).
> 
> However, if we could create separate types for each web application through
> this (i.e. first check if no such module exists, like with AWStats ->
> apache_content_template(awstats) in the awstats.pp module, and if not create
> one) that might be an idea.
> 
> Otoh, we could then just as well create the modules immediately.

Swift, anything to be done here for webapp-config?