[RFC] /var versus /srv
Daniel J Walsh
dwalsh at redhat.com
Thu Sep 27 13:27:33 UTC 2007
Matthew Miller wrote:
> On Wed, Sep 26, 2007 at 09:28:58PM -0400, Jesse Keating wrote:
>>> AFAIK, selinux only knows about a couple servers, like apache, having
>>> data in /srv. If SE Linux is going to protect the data, a standard
>>> mapping between /srv and /var for everything should be worked out so
>>> that policy can be adapted.
>> Therein lies the problem. /srv/ is open ground for sysadmins to use,
>> we can't prepopulate it with anything, and we can't assume what the
>> local admin will use for a scheme. /srv/<site>/{web,ftp,backup}
>> or /srv/{web,ftp,backup}/<site> or some other combo.
>
> Can we make it easy for the SE Linux tools to let the admin choose their
> local /srv policy?
>
We can do it, using semanage commands, but it is not necessarily easy.
Currently, regexes match the default location of files stored on disk.
/srv/([^/]*/)?www(/.*)? system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)? system_u:object_r:httpd_sys_content_t:s0
/var/www/[^/]*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/perl(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/icons(/.*)? system_u:object_r:httpd_sys_content_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/calamaris(/.*)? system_u:object_r:calamaris_www_t:s0
/var/www/apcupsd/multimon.cgi -- system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0
/var/www/apcupsd/upsimage.cgi -- system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0
/var/www/apcupsd/upsstats.cgi -- system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0
/var/www/apcupsd/upsfstats.cgi -- system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0
/var/www/cgi-bin/cgi -- system_u:object_r:httpd_mycgi_script_exec_t:s0
We could start to build tools that would allow you to change this location.
semanage fcontext -a -t httpd_sys_script_exec_t "/srv/web/cgi-bin(/.*)?"
would add a context to this path.
system-config-selinux has graphical tools to do this, but it still
involves users choosing contexts and file paths.
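As an added illustration of how entries like the ones listed above decide a file's label (this is a simplified model written for this page, not code from the mail or from libselinux): each regex is matched against the whole path, the last matching entry wins, and a rule added with "semanage fcontext -a" is appended after the base policy so it takes precedence. The base entries are transcribed from the listing above; the /srv/web/cgi-bin rule and the sample paths are assumed for the demonstration.

```python
import re

# File-context entries transcribed from the listing in the mail.
# Format: (regex, file-type restriction or None, SELinux type).
# "--" in semanage output means the entry applies to regular files only.
BASE_FCONTEXTS = [
    (r"/srv/([^/]*/)?www(/.*)?", None, "httpd_sys_content_t"),
    (r"/var/www(/.*)?", None, "httpd_sys_content_t"),
    (r"/var/www/[^/]*/cgi-bin(/.*)?", None, "httpd_sys_script_exec_t"),
    (r"/var/www/cgi-bin(/.*)?", None, "httpd_sys_script_exec_t"),
    (r"/var/www/apcupsd/multimon.cgi", "--", "httpd_apcupsd_cgi_script_exec_t"),
]


def lookup(path, is_regular_file, entries):
    """Return the SELinux type that would label `path`, or None when no
    entry matches (the file stays unlabeled / falls back to the default).
    Regexes are anchored to the whole path and the last match wins, which
    is why /var/www(/.*)? must precede the more specific /var/www/cgi-bin."""
    result = None
    for regex, ftype, setype in entries:
        if ftype == "--" and not is_regular_file:
            continue  # "--" entries never apply to directories
        if re.fullmatch(regex, path):
            result = setype
    return result


def with_local_rule(entries, regex, setype):
    """Model of `semanage fcontext -a -t SETYPE REGEX`: the local rule is
    appended after the base policy, so on overlap it overrides the base."""
    return entries + [(regex, None, setype)]


# Assumed admin scheme: /srv/web/cgi-bin is not covered by base policy,
# so it stays unlabeled until the local rule from the mail is added.
LOCAL_FCONTEXTS = with_local_rule(
    BASE_FCONTEXTS, r"/srv/web/cgi-bin(/.*)?", "httpd_sys_script_exec_t")
```

Note that a directory literally named /var/www/apcupsd/multimon.cgi would get httpd_sys_content_t, because the "--" entry is skipped for non-regular files and the broader /var/www(/.*)? entry still matches.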