[RFC] /var versus /srv

Daniel J Walsh dwalsh at redhat.com
Thu Sep 27 13:27:33 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matthew Miller wrote:
> On Wed, Sep 26, 2007 at 09:28:58PM -0400, Jesse Keating wrote:
>>> AFAIK, selinux only knows about a couple servers, like apache, having
>>> data in /srv. If SE Linux is going to protect the data, a standard
>>> mapping between /srv and /var for everything should be worked out so
>>> that policy can be adapted.
>> Therein lies the problem.  /srv/ is open ground for sysadmins to use,
>> we can't prepopulate it with anything, and we can't assume what the
>> local admin will use for a scheme.  /srv/<site>/{web,ftp,backup}
>> or /srv/{web,ftp,backup}/<site> or some other combo.
> 
> Can we make it easy for the SE Linux tools to let the admin choose their
> local /srv policy?
> 
We can do it, using semanage commands, but it is not necessarily easy.

Currently regexes match the default location of files stored on disk.


/srv/([^/]*/)?www(/.*)?            system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?                     system_u:object_r:httpd_sys_content_t:s0
/var/www/[^/]*/cgi-bin(/.*)?       system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/perl(/.*)?                system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/icons(/.*)?               system_u:object_r:httpd_sys_content_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/cgi-bin(/.*)?             system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/calamaris(/.*)?           system_u:object_r:calamaris_www_t:s0
/var/www/apcupsd/multimon.cgi   -- system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0
/var/www/apcupsd/upsimage.cgi   -- system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0
/var/www/apcupsd/upsstats.cgi   -- system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0
/var/www/apcupsd/upsfstats.cgi  -- system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0
/var/www/cgi-bin/cgi            -- system_u:object_r:httpd_mycgi_script_exec_t:s0


We could start to build tools that would allow you to change this location.


semanage fcontext -a -t httpd_sys_script_exec_t '/srv/web/cgi-bin(/.*)?'

Would add a context to this path.

system-config-selinux has graphical tools to do this, but it still
involves users choosing contexts and file paths.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG+6/FrlYvE4MpobMRAh/QAKC4Tm7B/kuxe/AFcncavaIe6vZnXQCbBpKI
jcIYqF8EgcrXGHL89a18Uxs=
=g8xn
-----END PGP SIGNATURE-----
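The behaviour described in the mail, as an added example that is not part of the original message and not SELinux's or libselinux's own code: the file-context specs quoted above are loaded as (regex, type) pairs, a path is looked up against them, and a local `semanage fcontext -a` rule for a /srv layout is modelled as an entry appended to the list. The precedence rule used here (whole-path regex match, longest literal stem wins, later entry wins a tie) is a simplified assumption about how libselinux chooses between overlapping specs, and the sample paths under /srv/example.com and /srv/web are constructed.

```python
import re

# Constructed from the file-context listing quoted in the mail: (path regex, SELinux type).
# The user and level fields (system_u, s0) are dropped since only the type matters here.
DEFAULT_SPECS = [
    (r"/srv/([^/]*/)?www(/.*)?", "httpd_sys_content_t"),
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/var/www/[^/]*/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
    (r"/var/www/perl(/.*)?", "httpd_sys_script_exec_t"),
    (r"/var/www/icons(/.*)?", "httpd_sys_content_t"),
    (r"/var/www/html/[^/]*/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
    (r"/var/www/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
]

_META = set(".^$?*+|[](){}\\")


def literal_stem(regex):
    """Leading part of the regex that contains no metacharacters (a rough 'stem')."""
    out = []
    for ch in regex:
        if ch in _META:
            break
        out.append(ch)
    return "".join(out)


def lookup(path, specs=DEFAULT_SPECS):
    """Return the SELinux type a path would be labelled with, or None when no spec matches.

    Assumption (simplified model of libselinux): the regex must match the whole path;
    among matching specs the one with the longest literal stem wins, and on a tie the
    later entry wins, which is why appended local customizations override the defaults.
    """
    best_key, best_type = None, None
    for idx, (regex, setype) in enumerate(specs):
        if re.fullmatch(regex, path):
            key = (len(literal_stem(regex)), idx)
            if best_key is None or key > best_key:
                best_key, best_type = key, setype
    return best_type


def with_local_spec(specs, regex, setype):
    """Model 'semanage fcontext -a -t TYPE REGEX': the local spec is appended to the list."""
    return list(specs) + [(regex, setype)]


def semanage_command(regex, setype):
    """The command an admin would run; single quotes stop the shell from
    interpreting the parentheses and '?' in the regex."""
    return f"semanage fcontext -a -t {setype} '{regex}'"


if __name__ == "__main__":
    for p in ["/var/www/html/index.html", "/var/www/cgi-bin/test.cgi",
              "/srv/example.com/www/index.html", "/srv/web/cgi-bin/test.cgi"]:
        print(f"{p:40} {lookup(p)}")
    # The admin-chosen /srv layout from the mail: no default spec covers it ...
    rule = (r"/srv/web/cgi-bin(/.*)?", "httpd_sys_script_exec_t")
    print(semanage_command(*rule))
    # ... until the local rule is added.
    print(lookup("/srv/web/cgi-bin/test.cgi", with_local_spec(DEFAULT_SPECS, *rule)))
```

Run as a script, the lookups show that /srv/example.com/www/ is already covered by the default `/srv/([^/]*/)?www(/.*)?` spec while /srv/web/cgi-bin/ matches nothing until the local rule is appended. On a real system the appended rule only takes effect for existing files after `restorecon -R /srv` relabels them.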