Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 434916 - app-admin/webapp-config, SELinux support: set 'server-owned' file as rw content
Summary: app-admin/webapp-config, SELinux support: set 'server-owned' file as rw content
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal enhancement (vote)
Assignee: Gentoo Web Application Packages Maintainers
URL:
Whiteboard:
Keywords: PATCH
Depends on: 434914 434892
Blocks:
  Show dependency tree
 
Reported: 2012-09-13 16:19 UTC by Vincent Brillault
Modified: 2023-01-28 20:30 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Proposed patch to implement the enhancement (webapp-config-1.20.19-add-SELinux-support.patch,10.09 KB, patch)
2012-09-13 16:19 UTC, Vincent Brillault 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Vincent Brillault 2012-09-13 16:19:02 UTC 
Created attachment 323682 [details, diff]
Proposed patch to implement the enhancement

The basic httpd policy contain a special rw content type, httpd_sys_rw_content_t. Other policies, like phpfpm, directly have the right to modify such content.

This patch allow webapp-config to create/remove a new SELinux policy per installed web app, allowing the user to set the correct labels by simply relabeling the installed app (it also makes these labels survive any global relabeling)

It's not a full SELinux support:
- The server-owned files are not created with the right context (but can be relabeled easily)
- The files which are hardlinked don't have with the right context (but can also be relabeled easily)
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-09-21 18:37:35 UTC 
This might not be the best approach.

If the file contexts are all that need to be set, then either have it defined directly in the policy (if the location, give or take a regular expression here and there, is known), or through a "semanage fcontext" call so it gets registered as a local file context (and thus survives restorecon calls).

However, if we could create separate types for each web application through this (i.e. first check if no such module exists, like with AWStats -> apache_content_template(awstats) in the awstats.pp module, and if not create one) that might be an idea.

Otoh, we could then just as well create the modules immediately.
Comment 2 Anthony Basile gentoo-dev 2013-08-03 15:39:18 UTC 
(In reply to Sven Vermeulen from comment #1)
> This might not be the best approach.
> 
> If the file contexts are all that need to be set, then either have it
> defined directly in the policy (if the location, give or take a regular
> expression here and there, is known), or through a "semanage fcontext" call
> so it gets registered as a local file context (and thus survives restorecon
> calls).
> 
> However, if we could create separate types for each web application through
> this (i.e. first check if no such module exists, like with AWStats ->
> apache_content_template(awstats) in the awstats.pp module, and if not create
> one) that might be an idea.
> 
> Otoh, we could then just as well create the modules immediately.

Swift anything to be done here for webapp-config?