From: petre rodan <kaiowas@gentoo.org>
To: Daniel J Walsh <dwalsh@redhat.com>
Cc: SELinux <SELinux@tycho.nsa.gov>
Subject: Re: Question about customizing apache policy.
Date: Fri, 01 Apr 2005 09:46:22 +0300
Message-ID: <424CEE3E.40302@gentoo.org>
In-Reply-To: <424C1B73.6020508@redhat.com>


Daniel J Walsh wrote:
> There was a question yesterday in one of the Fedora lists, from a person
> who would like to run a special httpd script that would manage his
> passwd file, now whether or not this is a good idea, it caused me to try
> an experiment.
> Currently we have a macro apache_domain.  I thought it would be cool if
> I could start writing policy for this passwd app by adding a file to
> domains/misc/apachepasswd.te.  Then having one line
> apache_domain(passwd)
> 
> Which in theory would create httpd_passwd_script_exec_t,
> httpd_passwd_script_t, httpd_passwd_script_rw_t.  I could then go ahead
> and label my cgi httpd_passwd_script_exec_t and start adding the
> additional allow rules to allow this to happen.  Needless to say, we
> have added a lot of cruft to the apache_domain() macro.  So I did some
> cleanup of apache.te and apache_macro.te, see attached.
> Could people review these to make sure there are no mistakes.
> But this exercise also brought up the idea that this would be an
> excellent example of how we would want to use loadable modules. I think
> that this might be a fairly common problem.  People want to run a
> specialized apache cgi script that slightly extends httpd_sys_script_t.
> 
> It would be cool if they could do this without having to have policy
> installed, but a simple boilerplate for adding a new type of httpd
> script type.
> 
> Ideas?
> 
> Dan

This is a great idea that I've been using for some time now :)
I needed it for all kinds of cgi-type applications and the policy can be as clean as apache_domain(awstats) and a few webapp-related rules.

bye,
peter

