SELinux and Cacti (and other webapps)

Stephen Smalley sds at tycho.nsa.gov
Tue Dec 20 13:34:19 UTC 2005


On Tue, 2005-12-20 at 11:28 +0100, Aurelien Bompard wrote:
> Tarek W. wrote:
> > A quick hack would be: 
> > chcon -R --reference=/var/www/html /var/lib/cacti
> 
> But that would be lost on relabel, right ?
> What is the best way to integrate this into the distro ? Push /var/lib/cacti
> as http_sys_content_t in the official policy ? Can we add file-context bits
> into some kind of file-contexts.d directory ?

What is your target here?  FC4 or FC5?  In FC4, you'd have to push up
the change into the policy sources, possibly as a new .fc file (but I'm
not clear on whether you want /var/lib/cacti to be completely equivalent
to /var/www/html as above or if you want a new type here so that you can
still distinguish them for other purposes).  In FC5, you will be able to
create a separate policy module package (via checkmodule and
semodule_package) with a pre-compiled policy module and your own
file_contexts info and ship it either as part of your package or as a
separate xxx-policy package on which your package depends, and have it
installed via semodule run from %post.  Keeping it as a separate
xxx-policy package is nice if you want to be able to update the policy
for it later separate from updating the base package itself.

-- 
Stephen Smalley
National Security Agency
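
The FC5 route described in the message above, as an added example that is not part of the original message or of any shipped policy: write a module source and a file-contexts file, compile and package them with checkmodule and semodule_package, then load the result with semodule from %post. The module name cacti_local, the choice of httpd_sys_content_t for /var/lib/cacti, the s0 level (an MCS/MLS-enabled policy) and the restorecon step are assumptions.

```shell
#!/bin/sh
# Added example: package a file-context rule for /var/lib/cacti as a
# loadable policy module. Names below are assumptions, not from the thread.
set -eu

MODULE=cacti_local   # hypothetical module name

# Write the module source (.te) and file-contexts file (.fc) into $1.
write_sources() {
    dir=$1
    mkdir -p "$dir"
    # The module adds no rules; it only requires the existing type so the
    # file-context entry below refers to a type the base policy defines.
    cat > "$dir/$MODULE.te" <<EOF
module $MODULE 1.0;

require {
        type httpd_sys_content_t;
}
EOF
    # Raw file-contexts entry (no m4 macros): path regex, then full context.
    cat > "$dir/$MODULE.fc" <<EOF
/var/lib/cacti(/.*)?    system_u:object_r:httpd_sys_content_t:s0
EOF
}

# Compile and package: .te -> .mod -> .pp with the file contexts bundled.
build_package() {
    dir=$1
    checkmodule -M -m -o "$dir/$MODULE.mod" "$dir/$MODULE.te"
    semodule_package -o "$dir/$MODULE.pp" -m "$dir/$MODULE.mod" \
        -f "$dir/$MODULE.fc"
}

# What the package's %post scriptlet would run: load the module, then
# apply the new label to files that already exist.
install_package() {
    semodule -i "$1/$MODULE.pp"
    restorecon -R /var/lib/cacti
}

# Act only when asked, e.g.: sh cacti-policy.sh build ./out
case "${1:-}" in
    build)   write_sources "${2:-.}"; build_package "${2:-.}" ;;
    install) install_package "${2:-.}" ;;
esac
```

Because the label comes from the module's own file_contexts, it survives a full relabel, unlike the chcon hack.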



