On 06/18/2010 05:53 PM, Simo Sorce wrote:
On Fri, 18 Jun 2010 17:28:19 -0400
Adam Young <[email protected]> wrote:

On 06/18/2010 04:51 PM, Rob Crittenden wrote:
Adam Young wrote:
Pavel's current code base tries to write
to  /var/cache/ipa/assets/ from within httpd, which is forbidden
by SELinux.  I suspect the code in the mainline might be doing
this as well.  The work around is:

chcon -R -t httpd_sys_content_rw_t /var/cache/ipa/assets
semanage fcontext -a -t httpd_sys_content_rw_t '/var/cache/ipa/assets(/.*)?'

If we are going to do this kind of code generation, we might want
to do it at install time, or as part of something like
/etc/init.d/ipa-server start

I'd think this rule would cover it in ipa_httpd.fc:

/var/cache/ipa/assets(/.*)?
gen_context(system_u:object_r:httpd_sys_content_t,s0)

rob
Before I open a bug I want to review with Pavel.  I wasn't seeing
this before I merged in his changes, and it wasn't for code in the
main git repo, so no bug yet.
As a general rule I don't like that apache gets to write to the file
system, esp. if that means changing code that different users use at
the same time. It's too big a risk.

Simo.



Simo, I agree. I'm thinking that anything doing one-time code generation should be done outside the apache process. I'm not sure we are even going to take this approach long term. The code doing the generation is, I think, left over from Jason's last effort.

There is a possibility that we will want to script code based on the metadata of the plugins. We have three points where we could do this: at plugin deploy time, inside the server at http fetch, or in the browser (via javascript). I suspect that the code that is currently writing to /var.... should be done at plugin deploy time instead, or should be done completely dynamically.
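As an added example (not code from this thread or from FreeIPA): a deploy-time generator of the kind described above, meant to run as root from the init script rather than inside httpd, which publishes the generated assets read-only so apache never needs an httpd_sys_content_rw_t label. The `.meta` plugin files, the JS output shape and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Run by root at install/start time; httpd
# only ever reads the result, so the directory keeps a read-only label.
set -eu

# Render one JS asset per plugin metadata file in $1 into $2.
# Everything is built in a private staging dir and published in one step.
generate_assets() {
    src=$1 dest=$2
    stage=$(mktemp -d)
    for meta in "$src"/*.meta; do
        [ -e "$meta" ] || continue
        name=$(basename "$meta" .meta)
        # Constructed format: each .meta holds a JSON object for one plugin.
        printf 'IPA.plugins["%s"] = %s;\n' "$name" "$(cat "$meta")" > "$stage/$name.js"
    done
    mkdir -p "$dest"
    cp "$stage"/*.js "$dest"/ 2>/dev/null || true   # zero plugins is fine
    rm -rf "$stage"
    # Owner-writable only; root owns the tree when we run as root.
    chmod 0755 "$dest"
    find "$dest" -type f -exec chmod 0644 {} +
    if [ "$(id -u)" -eq 0 ]; then chown -R root:root "$dest"; fi
    # Put the files back under the policy's read-only httpd label where SELinux tools exist.
    if command -v restorecon >/dev/null 2>&1; then restorecon -R "$dest"; fi
}

# Return 0 when nothing under $1 is group- or world-writable (what the apache
# uid would need in order to modify served code), 1 otherwise, listing offenders.
verify_readonly() {
    bad=$(find "$1" \( -perm -g+w -o -perm -o+w \) -print)
    if [ -n "$bad" ]; then
        printf 'writable by non-owner:\n%s\n' "$bad"
        return 1
    fi
    return 0
}
```

Wiring `generate_assets` into the start-up path (or into plugin installation) and running `verify_readonly` afterwards gives the init script a cheap check that the assets tree has not drifted back to being httpd-writable.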

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
