SELinux support in awstats RPM

Paul Howarth paul at city-fan.org
Sun Apr 9 14:21:38 UTC 2006


On Sun, 2006-04-09 at 15:55 +0200, Aurelien Bompard wrote:
> Hi you SELinux gurus :)
> 
> I'm trying to add SELinux support to my rpm of awstats in Extras.
> Awstats is a perl CGI script which analyses the webserver's logs (and other
> logs). It stores its (text-based) databases in /var/lib/awstats, and the
> cgi itself is in /usr/share/awstats/wwwroot/cgi-bin/awstats.pl. I use an
> alias in an httpd conf file to make it visible from /awstats/ from the web.
> 
> For the FC5 package, I've added two semanage calls in %pre to set the
> correct types on the cgi and the databases dir.
> Before committing and requesting a build, I'd like to make sure with you
> that I'm not doing something dangerous, since I'm rather new to SELinux.
> Here's the diff:
> --- awstats.spec        23 Feb 2006 10:17:11 -0000      1.10
> +++ awstats.spec        9 Apr 2006 13:50:38 -0000
> @@ -13,6 +13,7 @@
>  Requires:   perl
>  Requires(post): perl
>  Requires(postun): /sbin/service
> +Requires(pre):  policycoreutils
> 
>  %description
>  Advanced Web Statistics is a powerful and featureful tool that generates
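
Review bot: `Requires(pre): policycoreutils` only guarantees that semanage is installed when %pre runs. If the file-context rules are also removed at uninstall time, that scriptlet calls semanage too and needs a matching `Requires(postun): policycoreutils` next to the existing `Requires(postun): /sbin/service`.
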
> @@ -112,6 +113,14 @@
>  %clean
>  rm -rf $RPM_BUILD_ROOT
> 
> +
> +%pre
> +# Set SELinux types
> +semanage fcontext -a -t httpd_sys_script_exec_t \
> +    '/usr/share/awstats/wwwroot/cgi-bin(/.*)?' 2>/dev/null || :
> +semanage fcontext -a -t httpd_sys_script_rw_t '/var/lib/awstats(/.*)?'
> 2>/dev/null || :
> +
> +
>  %post
>  if [ $1 -eq 1 ]; then
>    if [ ! -f %{_sysconfdir}/%{name}/%{name}.`hostname`.conf ]; then
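
Review bot: the two `semanage fcontext -a` calls in %pre only record the rules in the local file-context configuration and do not relabel anything already on disk, so on an upgrade the existing files under /var/lib/awstats and /usr/share/awstats/wwwroot/cgi-bin keep their old types. Suggest running `restorecon -R` on both paths in %post. The `2>/dev/null || :` suffix also hides every semanage failure, so the package can install with the rules missing and nothing reported; consider at least leaving stderr visible. As shown, the second semanage command is split across two lines without a trailing `\`; if that is not just mail wrapping, `2>/dev/null || :` runs as a separate command and the error output of that semanage call is not suppressed.
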
> 
> 
> Does it look correct to you? If I run semanage in %pre, I should not need
> to run restorecon on /var/lib/awstats and
> on /usr/share/awstats/wwwroot/cgi-bin in %post, do I?
> 
> Is there a better/cleaner way to do it?
> This is a rather common case IMHO, so if we all agree I think it would be
> worth having as an example on the Fedora wiki.

There was some discussion on local policy tweaks in packages last month
(OK, I made a post and Stephen replied...):

http://www.redhat.com/archives/fedora-selinux-list/2006-March/msg00052.html

The suggestion there was for a separate -policy subpackage but I think
handling context changes in %pre should be OK.

Shouldn't you remove the local policy customisation in %postun though?

Paul.



