[Freeipa-devel] Writing to /var/cache/ipa/assets/

Adam Young ayoung at redhat.com
Fri Jun 18 22:22:37 UTC 2010


On 06/18/2010 05:53 PM, Simo Sorce wrote:
> On Fri, 18 Jun 2010 17:28:19 -0400
> Adam Young<ayoung at redhat.com>  wrote:
>
>    
>> On 06/18/2010 04:51 PM, Rob Crittenden wrote:
>>      
>>> Adam Young wrote:
>>>        
>>>> Pavel's current code base tries to write
>>>> to  /var/cache/ipa/assets/ from within httpd, which is forbidden
>>>> by SELinux.  I suspect the code in the mainline might be doing
>>>> this as well.  The work around is:
>>>>
>>>> chcon -R -t httpd_sys_content_rw_t /var/cache/ipa/assets
>>>> semanage fcontext -a -t httpd_sys_content_rw_t 'assets'
>>>>
>>>> If we are going to do this kind of code generation, we might want
>>>> to do it at install time, or as part of something like
>>>> /etc/init.d/ipa-server start
>>>>
>>>>          
>>> I'd think this rule would cover it in ipa_httpd.fc:
>>>
>>> /var/cache/ipa/assets(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
>>>
>>> rob
>>>        
>> Before I open a bug I want to review with Pavel.  I wasn't seeing
>> this before I merged in his changes, and it wasn't for code in the
>> main git repo, so no bug yet.
>>      
> As a general rule I don't like that apache gets to write to the file
> system, esp if that means changing code that different users use at
> the same time. It's a too big risk.
>
> Simo.
>
>    


Simo, I agree.  I'm thinking that anything doing one time code 
generation should be done outside the apache process.  I'm not sure we 
are even going to take this approach long term.  The code doing the 
generation is, I think, left over from Jason's last effort.

This is a possibility that we will want to script code based on the meta 
data of the plugins.  We have three points we could do this:  at plugin 
deploy time, inside the server at http fetch, or in the browser (via 
javascript).  I suspect that the code that is currently writing to 
/var.... should be done at plugin deploy time instead, or should be done 
completely dynamically.
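The drift this thread describes (a `chcon` workaround leaving httpd-writable labels under a directory the policy declares read-only) can be checked by comparing actual labels against the `.fc` rule. The script below is an added example, not FreeIPA code: it parses rule lines in the `ipa_httpd.fc` format quoted above and `ls -Z`-style output (both samples constructed here) and reports paths whose type differs from the policy, singling out types that grant httpd write access. On a real system `restorecon -nv` performs this comparison against the installed policy.

```python
import re

# Constructed sample in the ipa_httpd.fc format quoted in the thread:
# pathregex [filetype] gen_context(context,mls)
FC_RULES = """
/var/cache/ipa/assets(/.*)?  gen_context(system_u:object_r:httpd_sys_content_t,s0)
"""

# Constructed sample of `ls -Z`-style output ("label path").  The last entry
# carries the label that the chcon workaround from the thread would leave behind.
LS_Z_OUTPUT = """
system_u:object_r:httpd_sys_content_t:s0 /var/cache/ipa/assets
system_u:object_r:httpd_sys_content_t:s0 /var/cache/ipa/assets/ipa.js
unconfined_u:object_r:httpd_sys_content_rw_t:s0 /var/cache/ipa/assets/generated.js
"""

# Types under which httpd_t may write; the old and the current policy names.
HTTPD_WRITABLE_TYPES = {"httpd_sys_content_rw_t", "httpd_sys_rw_content_t"}

FC_LINE = re.compile(r"^(\S+)\s+(?:-\S\s+)?gen_context\(([^,]+),([^)]+)\)$")


def parse_fc(text):
    """Return [(compiled path regex, expected SELinux type)] from .fc lines."""
    rules = []
    for line in text.strip().splitlines():
        m = FC_LINE.match(line.strip())
        if not m:
            continue  # comments or lines in a format we do not handle
        pathregex, context, _mls = m.groups()
        expected_type = context.split(":")[2]  # user:role:type
        rules.append((re.compile(pathregex + "$"), expected_type))
    return rules


def audit(ls_z_text, rules):
    """Return {path: (actual_type, expected_type)} for every mismatch."""
    findings = {}
    for line in ls_z_text.strip().splitlines():
        label, path = line.split(None, 1)
        actual_type = label.split(":")[2]
        for regex, expected_type in rules:
            if regex.match(path):  # first matching rule wins
                if actual_type != expected_type:
                    findings[path] = (actual_type, expected_type)
                break
    return findings


def writable_by_httpd(findings):
    """Subset of mismatches whose actual type lets httpd write the file."""
    return {p: f for p, f in findings.items() if f[0] in HTTPD_WRITABLE_TYPES}


if __name__ == "__main__":
    for path, (actual, expected) in writable_by_httpd(audit(LS_Z_OUTPUT, parse_fc(FC_RULES))).items():
        print(f"{path}: labelled {actual}, policy expects {expected}")
```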
