[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: packaging web applications, SELinux



On 06/16/2009 11:34 AM, Chuck Anderson wrote:
Is there any pointer to best practices for packing a web application
that provides static content, cgi scripts, integrates with Apache
configuration, and works with SELinux?  How should I package the
SELinux policy needed to make this work?

The Packaging Guidelines mention Web Applications, but not how to make
them work with SELinux:

https://fedoraproject.org/wiki/Packaging/Guidelines#Web_Applications

Thanks.

Good question. I would suggest we start writing this and if we could come up with standard locations for content we could make it make it work without the packages having to worry about it.

I would suggest that we store static content in a directory like

/usr/share/MYAPP/html/...

Cgi scripts in

/usr/share/MYAPP/cgi-bin/...

Writable directories from the Web in a directory named

/var/lib/MYAPP or some subdir of this.

If your web app is a cgi, I would prefer that we write policy for it to confine it differently then the default. Writing policy for cgi scripts is supprisingly easy and I would be willing to help.

If we went with a standard I could setup the labeling for

/usr/share/[^/]*/html(/.*)? to be httpd_sys_content_t

And

/usr/share/[^/]*/cgi-bin(/.*)? to be httpd_sys_script_exec_t

Labeling /var/lib/MYAPP would be more difficult unless we came up with a standard subdir.

/var/lib/MYAPP/htmldata ????

Then if an app writes it own policy for handling we can override these default labels.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]