SELinux and Cacti (and other webapps)

Stephen Smalley sds at
Tue Dec 20 13:34:19 UTC 2005

On Tue, 2005-12-20 at 11:28 +0100, Aurelien Bompard wrote:
> Tarek W. wrote:
> > A quick hack would be: 
> > chcon -R --reference=/var/www/html /var/lib/cacti
> But that would be lost on relabel, right ?
> What is the best way to integrate this into the distro ? Push /var/lib/cacti
> as http_sys_content_t in the official policy ? Can we add file-context bits
> into some kind of file-contexts.d directory ?

What is your target here?  FC4 or FC5?  In FC4, you'd have to push up
the change into the policy sources, possibly as a new .fc file (but I'm
not clear on whether you want /var/lib/cacti to be completely equivalent
to /var/www/html as above or if you want a new type here so that you can
still distinguish them for other purposes).  In FC5, you will be able
to create a separate policy module package (via checkmodule and
semodule_package) with a pre-compiled policy module and your own
file_contexts info and ship it either as part of your package or as a
separate xxx-policy package on which your package depends, and have it
installed via semodule run from %post.  Keeping it as a separate
xxx-policy package is nice if you want to be able to update the policy
for it later separate from updating the base package itself.

Stephen Smalley
National Security Agency
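
The FC5 approach described in the reply above, sketched as an added example; it is not part of the original message or of any Fedora package. Assumptions: the module name `cacti_local` is hypothetical, the module reuses `httpd_sys_content_t` (the type on /var/www/html in the targeted policy) rather than declaring a new type, the policy is MCS-enabled (hence `:s0`), and the install path in the comment is a placeholder.

```shell
#!/bin/sh
# Added example: module name, version and paths are assumptions.
MODULE=cacti_local   # hypothetical module name

# Write the module source (.te) and file-context (.fc) files into $1.
write_policy_sources() {
    dir=$1
    mkdir -p "$dir" || return 1
    # No new type is declared: the module only requires the existing web
    # content type so the file-context entry below can reference it.
    cat > "$dir/$MODULE.te" <<EOF
module $MODULE 1.0;

require {
	type httpd_sys_content_t;
}
EOF
    # Label /var/lib/cacti and everything under it like /var/www/html.
    # Unlike a bare chcon, this entry is honoured by restorecon and relabels.
    cat > "$dir/$MODULE.fc" <<EOF
/var/lib/cacti(/.*)?	system_u:object_r:httpd_sys_content_t:s0
EOF
}

# Compile and package the module; needs checkmodule and semodule_package.
build_policy_package() {
    dir=$1
    command -v checkmodule >/dev/null 2>&1 &&
        command -v semodule_package >/dev/null 2>&1 || {
        echo "checkmodule/semodule_package not installed" >&2
        return 2
    }
    # -M: build with MLS/MCS support, -m: build a non-base module
    checkmodule -M -m -o "$dir/$MODULE.mod" "$dir/$MODULE.te" &&
        semodule_package -o "$dir/$MODULE.pp" \
            -m "$dir/$MODULE.mod" -f "$dir/$MODULE.fc"
}

# In the RPM spec, %post would then install the package and relabel:
#   semodule -i /path/to/cacti_local.pp      (path is a placeholder)
#   restorecon -R /var/lib/cacti

# Run as: sh build-cacti-policy.sh build [outdir]
if [ "${1:-}" = "build" ]; then
    out=${2:-./cacti-policy}
    write_policy_sources "$out" && build_policy_package "$out"
fi
```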

More information about the fedora-selinux-list mailing list