Hi you SELinux gurus :)

I'm trying to add SELinux support to my rpm of awstats in Extras. Awstats is a perl CGI script which analyses the webserver's logs (and other logs). It stores its (text-based) databases in /var/lib/awstats, and the cgi itself is in /usr/share/awstats/wwwroot/cgi-bin/awstats.pl. I use an alias in an httpd conf file to make it visible from /awstats/ from the web.

For the FC5 package, I've added two semanage calls in %pre to set the correct types on the cgi and the databases dir. Before committing and requesting a build, I'd like to make sure with you that I'm not doing something dangerous, since I'm rather new to SELinux.

Here's the diff:

--- awstats.spec 23 Feb 2006 10:17:11 -0000 1.10 +++ awstats.spec 9 Apr 2006 13:50:38 -0000 @@ -13,6 +13,7 @@ Requires: perl Requires(post): perl Requires(postun): /sbin/service +Requires(pre): policycoreutils %description Advanced Web Statistics is a powerful and featureful tool that generates @@ -112,6 +113,14 @@ %clean rm -rf $RPM_BUILD_ROOT + +%pre +# Set SELinux types +semanage fcontext -a -t httpd_sys_script_exec_t \ + '/usr/share/awstats/wwwroot/cgi-bin(/.*)?' 2>/dev/null || : +semanage fcontext -a -t httpd_sys_script_rw_t '/var/lib/awstats(/.*)?' 2>/dev/null || : + + %post if [ $1 -eq 1 ]; then if [ ! -f %{_sysconfdir}/%{name}/%{name}.`hostname`.conf ]; then

Does it look correct to you? If I run semanage in %pre, I should not need to run restorecon on /var/lib/awstats and on /usr/share/awstats/wwwroot/cgi-bin in %post, do I? Is there a better/cleaner way to do it?

This is a rather common case IMHO, so if we all agree I think it would be worth having as an example on the Fedora wiki.

Thanks.

Aurélien
--
http://aurelien.bompard.org ~~~~ Jabber : abompard@xxxxxxxxx
"You do not really understand something unless you can explain it to your grandmother." -- Albert Einstein
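Review bot: the added `Requires(pre): policycoreutils` in the first hunk only guarantees the tools are present for the %pre scriptlet. If a restorecon call is later added to %post, or a `semanage fcontext -d` cleanup to %postun, each of those scriptlets needs its own scriptlet dependency on policycoreutils (`Requires(post)`, `Requires(postun)`), since the existing lines for those phases list only perl and /sbin/service.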
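Review bot: the two `semanage fcontext -a` calls in the new %pre block only record labeling rules; they do not change the label of anything already on disk, so databases that exist under /var/lib/awstats before an upgrade keep their old type until something relabels them. A `restorecon -R` over /var/lib/awstats and /usr/share/awstats/wwwroot/cgi-bin in %post would close that gap. Both calls also end in `2>/dev/null || :`, which hides every failure, including the expected "already defined" case on upgrade and the unexpected ones, so a package can install cleanly with neither rule in place; consider limiting the suppression to the case you mean to ignore, or at least documenting it in the `# Set SELinux types` comment. The hunk adds no counterpart that removes the rules, so they outlive the package; a `semanage fcontext -d` for the same two patterns in %postun, guarded for final erase, would keep local policy in step with what is installed. Finally, the pattern `'/usr/share/awstats/wwwroot/cgi-bin(/.*)?'` gives httpd_sys_script_exec_t to every file under cgi-bin, not just awstats.pl; if that directory also ships files that are not meant to be executed as CGI, a narrower pattern would follow least privilege more closely.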