apache configtest

Colin Walters walters at redhat.com
Wed Oct 27 15:27:15 UTC 2004


On Wed, 2004-10-27 at 16:14 +0100, Joe Orton wrote:

> This makes sense, thanks to you and Colin for explaining this through. 
> It was just the fact that I thought Colin wanted to split up the code
> which confused me :)

No, although getting upstream to put the config test in a separate
binary would be useful.  It would be the same source base of course.
They could preserve the functionality in httpd -t for now too.

> Using 2>&1 | cat does change the behaviour though which is what I think
> we should be trying to avoid: it loses the exit value and it loses
> stdout/stderr separation.

True.

> I like the idea of using runcon to do this.  It looks like:
> 
>    if selinuxenabled; then
>      runcon -- `id -Z` $HTTPD -t
>    else
>      $HTTPD -t
>    fi

This is possible, but then the workaround for this bug is some code in
our init scripts; I'd prefer to get this more "upstream".  For example,
for now we could cp /usr/sbin/httpd /usr/sbin/httpd-configtest in our
.spec file, and change our init script to just run 
/usr/sbin/httpd-configtest.  At the same time, we suggest to upstream
that they make this change.  It would be useful not only for SELinux,
but also for other security systems, e.g. presumably TrustedBSD.  Once
they have made the change, then we remove the cp from the spec file.
Having Fedora-specific code ultimately increases our support burden.
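
The two losses named in the quoted reply above (the exit value and the stdout/stderr separation), shown as an added example that is not part of the original message. `fake_configtest` is a constructed stand-in for `$HTTPD -t`, and default pipeline semantics (no `pipefail`) are assumed.

```shell
#!/bin/sh
# Added illustration, not code from the thread. fake_configtest is a
# constructed stand-in for "$HTTPD -t" on a broken configuration: one
# line on stdout, one on stderr, then a non-zero exit status.
fake_configtest() {
    echo "checking configuration (constructed sample)"
    echo "Syntax error on line 1 (constructed sample)" >&2
    return 1
}

# Exit status the caller sees when the test is run directly.
direct_status() {
    if fake_configtest >/dev/null 2>&1; then echo 0; else echo $?; fi
}

# Exit status the caller sees with "2>&1 | cat": it is cat's, not the test's.
piped_status() {
    if fake_configtest 2>&1 | cat >/dev/null; then echo 0; else echo $?; fi
}

# Number of lines that reach the caller's stderr when run directly.
direct_stderr_lines() {
    fake_configtest 2>&1 >/dev/null | wc -l | tr -d '[:space:]'
}

# Same count with "2>&1 | cat": everything was merged into stdout first.
piped_stderr_lines() {
    { fake_configtest 2>&1 | cat; } 2>&1 >/dev/null | wc -l | tr -d '[:space:]'
}

echo "direct: status=$(direct_status) stderr_lines=$(direct_stderr_lines)"
echo "piped:  status=$(piped_status) stderr_lines=$(piped_stderr_lines)"
```

An init script that branches on the config test's exit status would treat the piped form as a pass even when the configuration is broken.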





More information about the fedora-test-list mailing list