packaging web applications, SELinux
Daniel J Walsh
dwalsh at redhat.com
Tue Jun 16 15:49:51 UTC 2009
On 06/16/2009 11:34 AM, Chuck Anderson wrote:
> Is there any pointer to best practices for packing a web application
> that provides static content, cgi scripts, integrates with Apache
> configuration, and works with SELinux? How should I package the
> SELinux policy needed to make this work?
>
> The Packaging Guidelines mention Web Applications, but not how to make
> them work with SELinux:
>
> https://fedoraproject.org/wiki/Packaging/Guidelines#Web_Applications
>
> Thanks.
>
Good question. I would suggest we start writing this and if we could
come up with standard locations for content we could make it
work without the packages having to worry about it.

I would suggest that we store static content in a directory like
/usr/share/MYAPP/html/...

Cgi scripts in
/usr/share/MYAPP/cgi-bin/...

Writable directories from the Web in a directory named
/var/lib/MYAPP or some subdir of this.

If your web app is a cgi, I would prefer that we write policy for it to
confine it differently than the default. Writing policy for cgi scripts
is surprisingly easy and I would be willing to help.

If we went with a standard I could set up the labeling for
/usr/share/[^/]*/html(/.*)? to be httpd_sys_content_t

And
/usr/share/[^/]*/cgi-bin(/.*)? to be httpd_sys_script_exec_t

Labeling /var/lib/MYAPP would be more difficult unless we came up with a
standard subdir.

/var/lib/MYAPP/htmldata ????

Then if an app writes its own policy for handling we can override these
default labels.
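
Added example, not part of the original message and not Fedora or SELinux project code: a packager-side check that runs a package file list through the two default labeling patterns proposed above, matching each pattern against the whole path as SELinux file-context specifications are. The package name `myapp`, the file list and the function names are constructed for illustration.

```python
import re

# Default labels proposed in the message above. SELinux file-context
# specifications match the whole path, hence fullmatch() below.
PROPOSED_DEFAULTS = [
    (re.compile(r"/usr/share/[^/]*/html(/.*)?"), "httpd_sys_content_t"),
    (re.compile(r"/usr/share/[^/]*/cgi-bin(/.*)?"), "httpd_sys_script_exec_t"),
]
# Writable data: the message names a location but settles on no pattern or type.
WRITABLE_ROOT = re.compile(r"/var/lib/[^/]+(/.*)?")


def proposed_label(path):
    """Return the proposed default type for path, or None if no rule matches."""
    for pattern, setype in PROPOSED_DEFAULTS:
        if pattern.fullmatch(path):
            return setype
    return None


def audit_manifest(paths):
    """Classify a package file list against the proposed layout."""
    report = {"labelled": {}, "writable_unlabelled": [], "outside_layout": []}
    for path in paths:
        setype = proposed_label(path)
        if setype:
            report["labelled"][path] = setype
        elif WRITABLE_ROOT.fullmatch(path):
            report["writable_unlabelled"].append(path)
        else:
            report["outside_layout"].append(path)
    return report


# Constructed file list for a hypothetical package "myapp".
SAMPLE_MANIFEST = [
    "/usr/share/myapp/html/index.html",
    "/usr/share/myapp/cgi-bin/search.cgi",
    "/usr/share/myapp/htmlold/legacy.html",  # sibling directory, not html/
    "/usr/share/myapp/lib/html/help.html",   # html/ nested one level too deep
    "/var/lib/myapp/htmldata/uploads",
]

if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    for path, setype in result["labelled"].items():
        print(f"{setype:26} {path}")
    for path in result["writable_unlabelled"] + result["outside_layout"]:
        print(f"{'(no proposed default)':26} {path}")
```

Paths reported without a proposed default would keep whatever label the rest of the policy assigns, so a package shipping files there still needs its own file-context entries.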