Re: packaging web applications, SELinux

[Adam Williamson <awilliam redhat com>]

On Tue, 2009-06-16 at 11:58 -0400, Chuck Anderson wrote:
> On Tue, Jun 16, 2009 at 04:46:00PM +0100, Paul Howarth wrote:
> > On 16/06/09 16:34, Chuck Anderson wrote:
> >> Is there any pointer to best practices for packing a web application
> >> that provides static content, cgi scripts, integrates with Apache
> >> configuration, and works with SELinux?  How should I package the
> >> SELinux policy needed to make this work?

> No policy yet.  I think I just need file_contexts to go along with the 
> standard ones:
> 
> /srv/([^/]*/)?www(/.*)?	system_u:object_r:httpd_sys_content_t:s0
> /var/www(/.*)?	system_u:object_r:httpd_sys_content_t:s0
> /var/www(/.*)?/logs(/.*)?	system_u:object_r:httpd_log_t:s0
> /var/www/[^/]*/cgi-bin(/.*)?	system_u:object_r:httpd_sys_script_exec_t:s0
> /var/www/perl(/.*)?	system_u:object_r:httpd_sys_script_exec_t:s0
> /var/www/icons(/.*)?	system_u:object_r:httpd_sys_content_t:s0
> /var/www/html/[^/]*/cgi-bin(/.*)?	system_u:object_r:httpd_sys_script_exec_t:s0
> /var/www/cgi-bin(/.*)?	system_u:object_r:httpd_sys_script_exec_t:s0
> 
> I found that Debian has pretty well-defined (draft) guidelines for web 
> applications:
> 
> http://webapps-common.alioth.debian.org/draft/html/

Mandriva (which is obviously closer to Fedora than Debian in filesystem
layout philosophy...) has one too:

http://wiki.mandriva.com/en/Policies/Web_Applications

it's well-followed within MDV packages, and I found it quite sensible
when I was packaging a few web apps (mainly roundcubemail).

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net