On Tue, Jun 16, 2009 at 04:46:00PM +0100, Paul Howarth wrote:
> On 16/06/09 16:34, Chuck Anderson wrote:
>> Is there any pointer to best practices for packaging a web application
>> that provides static content, cgi scripts, integrates with Apache
>> configuration, and works with SELinux? How should I package the
>> SELinux policy needed to make this work?
>>
>> The Packaging Guidelines mention Web Applications, but not how to make
>> them work with SELinux:
>>
>> https://fedoraproject.org/wiki/Packaging/Guidelines#Web_Applications
>
> Do you already have the policy for your webapp written?
>
> If so, you can proceed according to
> https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
> but better still would be to post your policy on fedora-selinux-list for
> comment and get it merged into the main Fedora policy and upstream.

No policy yet. I think I just need file_contexts to go along with the
standard ones:

/srv/([^/]*/)?www(/.*)?             system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?                      system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?/logs(/.*)?           system_u:object_r:httpd_log_t:s0
/var/www/[^/]*/cgi-bin(/.*)?        system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/perl(/.*)?                 system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/icons(/.*)?                system_u:object_r:httpd_sys_content_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)?   system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/cgi-bin(/.*)?              system_u:object_r:httpd_sys_script_exec_t:s0

I found that Debian has pretty well-defined (draft) guidelines for web
applications:

http://webapps-common.alioth.debian.org/draft/html/

that standardizes on /usr/share/PACKAGE/www for static content and
/usr/lib/cgi-bin/PACKAGE for arch-dependent dynamically executed content.
If we could come up with a similar standard, then we could add standard
SELinux file_contexts to deal with it, such as:

/usr/share/[^/]*/www(/.*)?          system_u:object_r:httpd_sys_content_t:s0
/usr/share/[^/]*/cgi-bin(/.*)?      system_u:object_r:httpd_sys_script_exec_t:s0
/usr/lib(64)?/[^/]*/cgi-bin(/.*)?   system_u:object_r:httpd_sys_script_exec_t:s0

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
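A quick way to check how the existing and proposed file_contexts entries above would label a packaged webapp's paths before shipping them, as an added example that is not part of the thread: it mirrors libselinux's anchoring of each regex at both ends and its rule that the last matching entry in file order wins, so overlaps such as /var/www(/.*)? versus the cgi-bin and logs entries resolve the same way restorecon would. The sample paths are constructed for the example.

```python
import re

# file_contexts lines quoted from the post (standard entries first, then the
# proposed /usr/share and /usr/lib ones), kept in file order.
FILE_CONTEXTS = """\
/srv/([^/]*/)?www(/.*)?             system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?                      system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?/logs(/.*)?           system_u:object_r:httpd_log_t:s0
/var/www/[^/]*/cgi-bin(/.*)?        system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/perl(/.*)?                 system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/icons(/.*)?                system_u:object_r:httpd_sys_content_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)?   system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/cgi-bin(/.*)?              system_u:object_r:httpd_sys_script_exec_t:s0
/usr/share/[^/]*/www(/.*)?          system_u:object_r:httpd_sys_content_t:s0
/usr/share/[^/]*/cgi-bin(/.*)?      system_u:object_r:httpd_sys_script_exec_t:s0
/usr/lib(64)?/[^/]*/cgi-bin(/.*)?   system_u:object_r:httpd_sys_script_exec_t:s0
"""


def parse_file_contexts(text):
    """Parse 'regex [filetype] context' lines, preserving file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        regex, context = fields[0], fields[-1]   # optional filetype field ignored
        # libselinux anchors every file_contexts regex at both ends.
        entries.append((re.compile("^" + regex + "$"), context))
    return entries


def lookup(entries, path):
    """Return the full context for path; the last matching entry wins."""
    for regex, context in reversed(entries):
        if regex.match(path):
            return context
    return None            # unlabelled by these entries (would fall to default)


def label_type(entries, path):
    """Return only the type field (e.g. httpd_sys_content_t) for path."""
    ctx = lookup(entries, path)
    return None if ctx is None else ctx.split(":")[2]


if __name__ == "__main__":
    entries = parse_file_contexts(FILE_CONTEXTS)
    for p in ("/var/www/html/logs/access_log",            # constructed paths
              "/var/www/html/myapp/cgi-bin/index.cgi",
              "/usr/share/myapp/www/index.html",
              "/usr/lib64/myapp/cgi-bin/handler",
              "/usr/share/myapp/doc/README"):
        print(f"{p:45} -> {label_type(entries, p)}")
```

Paths that come back as None are not covered by the entries being proposed and would need either another pattern or an explicit context in the package's own file_contexts.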