
SELinux Mailing List

Re: Question about customizing apache policy.

From: petre rodan <kaiowas_at_gentoo.org>
Date: Fri, 01 Apr 2005 09:46:22 +0300


Daniel J Walsh wrote:
> There was a question yesterday in one of the Fedora lists, from a person
> who would like to run a special httpd script that would manage his
> passwd file, now whether or not this is a good idea, it caused me to try
> an experiment.
> Currently we have a macro apache_domain. I thought it would be cool if
> I could start writing policy for this passwd app by adding a file to
> domains/misc/apachepasswd.te. Then having one line
> apache_domain(passwd)
>
> Which in theory would create httpd_passwd_script_exec_t,
> httpd_passwd_script_t, httpd_passwd_script_rw_t. I could then go ahead
> and label my cgi httpd_passwd_script_exec_t and start adding the
> additional allow rules to allow this to happen. Needless to say, we
> have added a lot of cruft to the apache_domain() macro. So I did some
> cleanup of apache.te and apache_macro.te, see attached.
> Could people review these to make sure there are no mistakes?
> But this exercise also brought up the idea that this would be an
> excellent example of how we would want to use loadable modules. I think
> that this might be a fairly common problem. People want to run a
> specialized apache cgi script that slightly extends httpd_sys_script_t.
>
> It would be cool if they could do this without having to have policy
> installed, but a simple boilerplate for adding a new type of httpd
> script type.
>
> Ideas?
>
> Dan

This is a great idea that I've been using for some time now :) I needed it for all kinds of cgi-type applications and the policy can be as clean as apache_domain(awstats) and a few webapp-related rules.

bye,
peter

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Received on Fri 1 Apr 2005 - 01:48:17 EST
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service