packaging web applications, SELinux

Daniel J Walsh dwalsh at redhat.com
Tue Jun 16 16:02:25 UTC 2009


On 06/16/2009 11:58 AM, Chuck Anderson wrote:
> On Tue, Jun 16, 2009 at 04:46:00PM +0100, Paul Howarth wrote:
>> On 16/06/09 16:34, Chuck Anderson wrote:
>>> Is there any pointer to best practices for packaging a web application
>>> that provides static content, cgi scripts, integrates with Apache
>>> configuration, and works with SELinux?  How should I package the
>>> SELinux policy needed to make this work?
>>>
>>> The Packaging Guidelines mention Web Applications, but not how to make
>>> them work with SELinux:
>>>
>>> https://fedoraproject.org/wiki/Packaging/Guidelines#Web_Applications
>>
>> Do you already have the policy for your webapp written?
>>
>> If so, you can proceed according to
>> https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
>> but better still would be to post your policy on fedora-selinux-list for
>> comment and get it merged into the main Fedora policy and upstream.
>
> No policy yet.  I think I just need file_contexts to go along with the
> standard ones:
>
> /srv/([^/]*/)?www(/.*)?	system_u:object_r:httpd_sys_content_t:s0
> /var/www(/.*)?	system_u:object_r:httpd_sys_content_t:s0
> /var/www(/.*)?/logs(/.*)?	system_u:object_r:httpd_log_t:s0
> /var/www/[^/]*/cgi-bin(/.*)?	system_u:object_r:httpd_sys_script_exec_t:s0
> /var/www/perl(/.*)?	system_u:object_r:httpd_sys_script_exec_t:s0
> /var/www/icons(/.*)?	system_u:object_r:httpd_sys_content_t:s0
> /var/www/html/[^/]*/cgi-bin(/.*)?	system_u:object_r:httpd_sys_script_exec_t:s0
> /var/www/cgi-bin(/.*)?	system_u:object_r:httpd_sys_script_exec_t:s0
>
> I found that Debian has pretty well-defined (draft) guidelines for web
> applications:
>
> http://webapps-common.alioth.debian.org/draft/html/
>
> that standardizes on /usr/share/PACKAGE/www for static content and
> /usr/lib/cgi-bin/PACKAGE for arch-dependent dynamically executed
> content.
>
> If we could come up with a similar standard, then we could add
> standard SELinux file_contexts to deal with it, such as:
>
> /usr/share/[^/]*/www(/.*)?	system_u:object_r:httpd_sys_content_t:s0
> /usr/share/[^/]*/cgi-bin(/.*)?	system_u:object_r:httpd_sys_script_exec_t:s0
> /usr/lib(64)?/[^/]*/cgi-bin(/.*)?	system_u:object_r:httpd_sys_script_exec_t:s0
>
That sounds good to me.
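As an added illustration of how the entries proposed above would resolve (this is not code from the thread or from the Fedora policy): a small matcher that parses file_contexts lines and applies the libselinux rule that the last matching entry wins, which is why the more specific rules sit later in the file. The entry list is constructed from the paths quoted in the thread; the package names in the test paths are made up.

```python
import re

# Constructed sample: standard Apache entries followed by the /usr/share and
# /usr/lib entries proposed in the thread. Not a real file_contexts file.
FILE_CONTEXTS = """
/var/www(/.*)?                        system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?/logs(/.*)?             system_u:object_r:httpd_log_t:s0
/var/www/cgi-bin(/.*)?                system_u:object_r:httpd_sys_script_exec_t:s0
/usr/share/[^/]*/www(/.*)?            system_u:object_r:httpd_sys_content_t:s0
/usr/share/[^/]*/cgi-bin(/.*)?        system_u:object_r:httpd_sys_script_exec_t:s0
/usr/lib(64)?/[^/]*/cgi-bin(/.*)?     system_u:object_r:httpd_sys_script_exec_t:s0
"""


def parse_file_contexts(text):
    """Parse 'regex [filetype] context' lines into (compiled regex, filetype, context).

    Regexes in file_contexts are implicitly anchored at both ends, so a pattern
    must match the whole (canonical) path, not a prefix of it.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:          # regex, file type (e.g. -- or -d), context
            regex, ftype, context = fields
        elif len(fields) == 2:        # regex, context (any file type)
            regex, context = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts entry: {line!r}")
        entries.append((re.compile(f"^(?:{regex})$"), ftype, context))
    return entries


def match_context(entries, path):
    """Return the context a path would get, or None if nothing matches.

    Like libselinux, scan from the end: the last matching entry in the file wins,
    so a later, more specific rule overrides an earlier, broader one.
    """
    for regex, _ftype, context in reversed(entries):
        if regex.match(path):
            return context
    return None


def context_type(context):
    """Extract the type field (third colon-separated component) from a context."""
    return context.split(":")[2]
```

Running `match_context` over a package's file list before building it is a cheap way to confirm that every shipped path lands in the expected type without installing the package.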

More information about the fedora-devel-list mailing list