SELinux support in awstats RPM

Paul Howarth paul at city-fan.org
Wed Apr 12 07:20:45 UTC 2006


On Tue, 2006-04-11 at 17:43 -0400, Daniel J Walsh wrote:
> Aurelien Bompard wrote:
> > Hi you SELinux gurus :)
> >
> > I'm trying to add SELinux support to my rpm of awstats in Extras.
> > Awstats is a perl CGI script which analyses the webserver's logs (and other
> > logs). It stores its (text-based) databases in /var/lib/awstats, and the
> > cgi itself is in /usr/share/awstats/wwwroot/cgi-bin/awstats.pl. I use an
> > alias in an httpd conf file to make it visible from /awstats/ from the web.
> >
> > For the FC5 package, I've added two semanage calls in %pre to set the
> > correct types on the cgi and the databases dir.
> > Before committing and requesting a build, I'd like to make sure with you
> > that I'm not doing something dangerous, since I'm rather new to SELinux.
> > Here's the diff :
> > --- awstats.spec        23 Feb 2006 10:17:11 -0000      1.10
> > +++ awstats.spec        9 Apr 2006 13:50:38 -0000
> > @@ -13,6 +13,7 @@
> >  Requires:   perl
> >  Requires(post): perl
> >  Requires(postun): /sbin/service
> > +Requires(pre):  policycoreutils
> >
> >  %description
> >  Advanced Web Statistics is a powerful and featureful tool that generates
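Review bot: `Requires(pre): policycoreutils` turns semanage into a hard dependency of every install, including hosts where SELinux is disabled or not present, even though the `%pre` script below already tolerates a missing command with `2>/dev/null || :`; either drop the requirement and guard the calls with `command -v semanage >/dev/null 2>&1 || exit 0`, or keep it and add the matching `Requires(postun): policycoreutils` once an erase-time `semanage fcontext -d` is added.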
> > @@ -112,6 +113,14 @@
> >  %clean
> >  rm -rf $RPM_BUILD_ROOT
> >
> > +
> > +%pre
> > +# Set SELinux types
> > +semanage fcontext -a -t httpd_sys_script_exec_t \
> > +    '/usr/share/awstats/wwwroot/cgi-bin(/.*)?' 2>/dev/null || :
> > +semanage fcontext -a -t httpd_sys_script_rw_t '/var/lib/awstats(/.*)?'
> > 2>/dev/null || :
> > +
> > +
> >  %post
> >  if [ $1 -eq 1 ]; then
> >    if [ ! -f %{_sysconfdir}/%{name}/%{name}.`hostname`.conf ]; then
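Review bot: the `%pre` block records the two fcontext mappings but nothing applies them to files already on disk, so on an upgrade the existing contents of /var/lib/awstats keep whatever context they had until a `restorecon -R` runs in `%post`; there is also no `%postun` counterpart (`semanage fcontext -d ...` when `$1 -eq 0`), so the mappings outlive the package. Separately, the second call is shown with `2>/dev/null || :` wrapped onto its own line; if the spec really reads that way, the redirection runs as a separate empty command and a failure of that `semanage` call is not suppressed, so it needs the trailing `\` continuation the first call has.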
> >
> >
> > Does it look correct to you ? If I run semanage in %pre, I should not need
> > to run restorecon on /var/lib/awstats and
> > on /usr/share/awstats/wwwroot/cgi-bin in %post, do I ?
> >
> > Is there a better/cleaner way to do it ?
> > This is a rather common case IMHO, so if we all agree I think it would be
> > worth having as an example on the Fedora wiki.
> >
> > Thanks.
> >
> > Aurélien
> >   
> 
> In your
> 
> %post
> chcon -R -t httpd_sys_script_exec_t /usr/share/awstats/wwwroot/cgi-bin
> chcon -R -t httpd_sys_script_rw_t /var/lib/awstats
> 
> Should be enough.  These should not get relabeled in a restorecon since 
> they are customizable types. 

Supposing that the package needed non-customizable types, as will
probably be the case for other packages that come along before long,
would the right thing to do be the semanage to protect against
relabelling plus the chcon in %post to get the right context straight
after package installation?

Any thoughts on why semanage in %pre doesn't work?

Paul.
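Putting the two pieces discussed above together (a persistent mapping via semanage, an immediate relabel once the files exist, and removal of the mapping on erase) as shell that could be pasted into the %post and %postun scriptlets. This is an added example, not the awstats spec or anything posted in the thread; the `run` wrapper and the `DRY_RUN` switch are assumptions so the logic can be exercised on a host without SELinux tools.

```shell
#!/bin/sh
# Paths are the ones from the thread; function names, run() and DRY_RUN
# are illustration-only assumptions.
CGI_DIR='/usr/share/awstats/wwwroot/cgi-bin'
DATA_DIR='/var/lib/awstats'

# Execute a command, or only print it when DRY_RUN is set, so the scriptlet
# logic can be checked where semanage/restorecon are not installed.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Body for %post. rpm passes $1 = 1 on first install, >1 on upgrade; both
# need the mapping and a relabel, because semanage only edits the policy's
# file_contexts database and never touches labels on existing files.
awstats_selinux_post() {
    # Nothing to do on a host without policycoreutils (e.g. SELinux absent).
    command -v semanage >/dev/null 2>&1 || [ -n "${DRY_RUN:-}" ] || return 0
    # -a fails if the mapping already exists (upgrade); that is harmless.
    run semanage fcontext -a -t httpd_sys_script_exec_t "${CGI_DIR}(/.*)?" 2>/dev/null || :
    run semanage fcontext -a -t httpd_sys_script_rw_t "${DATA_DIR}(/.*)?" 2>/dev/null || :
    # Apply the mapping now that the package's files are on disk.
    run restorecon -R "$CGI_DIR" "$DATA_DIR"
}

# Body for %postun. rpm passes $1 = 0 on erase and 1 on upgrade; only a real
# erase may drop the mapping, or the upgraded files would lose their labels
# on the next full relabel.
awstats_selinux_postun() {
    [ "${1:-0}" -eq 0 ] || return 0
    command -v semanage >/dev/null 2>&1 || [ -n "${DRY_RUN:-}" ] || return 0
    run semanage fcontext -d -t httpd_sys_script_exec_t "${CGI_DIR}(/.*)?" 2>/dev/null || :
    run semanage fcontext -d -t httpd_sys_script_rw_t "${DATA_DIR}(/.*)?" 2>/dev/null || :
}
```

In a spec file the function bodies go straight into `%post` and `%postun` with `$1` used as shown, since scriptlets are independent shell scripts.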
