[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SELinux support in awstats RPM



On Sun, 2006-04-09 at 15:55 +0200, Aurelien Bompard wrote:
> Hi you SELinux gurus :)
> 
> I'm trying to add SELinux support to my rpm of awstats in Extras.
> Awstats is a perl CGI script which analyses the webserver's logs (and other
> logs). It stores its (text-based) databases in /var/lib/awstats, and the
> cgi itself is in /usr/share/awstats/wwwroot/cgi-bin/awstats.pl. I use an
> alias in an httpd conf file to make it visible from /awstats/ from the web.
> 
> For the FC5 package, I've added two semanage calls in %pre to set the
> correct types on the cgi and the databases dir.
> Before committing and requesting a build, I'd like to make sure with you
> that I'm not doing something dangerous, since I'm rather new to SELinux.
> Here's the diff :
> --- awstats.spec        23 Feb 2006 10:17:11 -0000      1.10
> +++ awstats.spec        9 Apr 2006 13:50:38 -0000
> @@ -13,6 +13,7 @@
>  Requires:   perl
>  Requires(post): perl
>  Requires(postun): /sbin/service
> +Requires(pre):  policycoreutils
> 
>  %description
>  Advanced Web Statistics is a powerful and featureful tool that generates
> @@ -112,6 +113,14 @@
>  %clean
>  rm -rf $RPM_BUILD_ROOT
> 
> +
> +%pre
> +# Set SELinux types
> +semanage fcontext -a -t httpd_sys_script_exec_t \
> +    '/usr/share/awstats/wwwroot/cgi-bin(/.*)?' 2>/dev/null || :
> +semanage fcontext -a -t httpd_sys_script_rw_t '/var/lib/awstats(/.*)?'
> 2>/dev/null || :
> +
> +
>  %post
>  if [ $1 -eq 1 ]; then
>    if [ ! -f %{_sysconfdir}/%{name}/%{name}.`hostname`.conf ]; then
> 
> 
> Does it look correct to you ? If I run semanage in %pre, I should not need
> to run restorecon on /var/lib/awstats and
> on /usr/share/awstats/wwwroot/cgi-bin in %post, do I ?
> 
> Is there a better/cleaner way to do it ?
> This is a rather common case IMHO, so if we all agree I think it would be
> worth having as an example on the Fedora wiki.

There was some discussion on local policy tweaks in packages last month
(OK, I made a post and Stephen replied...):

http://www.redhat.com/archives/fedora-selinux-list/2006-March/msg00052.html

The suggestion there was for a separate -policy subpackage but I think
handling context changes in %pre should be OK.

Shouldn't you remove the local policy customisation in %postun though?

Paul.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]