On 06/16/2009 11:34 AM, Chuck Anderson wrote:
Is there any pointer to best practices for packing a web application
that provides static content, cgi scripts, integrates with Apache
configuration, and works with SELinux? How should I package the
SELinux policy needed to make this work?
The Packaging Guidelines mention Web Applications, but not how to make
them work with SELinux:
https://fedoraproject.org/wiki/Packaging/Guidelines#Web_Applications
Thanks.
Good question. I would suggest we start writing this and if we could
come up with standard locations for content we could make it make it
work without the packages having to worry about it.
I would suggest that we store static content in a directory like
/usr/share/MYAPP/html/...
Cgi scripts in
/usr/share/MYAPP/cgi-bin/...
Writable directories from the Web in a directory named
/var/lib/MYAPP or some subdir of this.
If your web app is a cgi, I would prefer that we write policy for it to
confine it differently then the default. Writing policy for cgi scripts
is supprisingly easy and I would be willing to help.
If we went with a standard I could setup the labeling for
/usr/share/[^/]*/html(/.*)? to be httpd_sys_content_t
And
/usr/share/[^/]*/cgi-bin(/.*)? to be httpd_sys_script_exec_t
Labeling /var/lib/MYAPP would be more difficult unless we came up with a
standard subdir.
/var/lib/MYAPP/htmldata ????
Then if an app writes it own policy for handling we can override these
default labels.
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
