I am using CentOS 6.3, 2.6.32-279.19.1.el6.x86_64 with Apache httpd
(2.2.15) as a host for my Mayan installation. Since I did not want to
disable SELinux for my Apache server, I started to write an SELinux module
for Mayan. I used the policy for a short time without troubles, but maybe
there are some directives missing.
    module mayan 1.3;

    require {
        type ptmx_t;
        type initrc_tmp_t;
        type fonts_cache_t;
        type httpd_tmp_t;
        type httpd_t;
        type httpd_tmpfs_t;
        class file execute;
        class dir { getattr setattr };
        class chr_file getattr;
    }

    #============= httpd_t ==============
    # execute files Apache itself created under /tmp and on tmpfs
    allow httpd_t httpd_tmp_t:file execute;
    allow httpd_t httpd_tmpfs_t:file execute;
    # stat() on initscript temp directories and on /dev/ptmx
    allow httpd_t initrc_tmp_t:dir getattr;
    allow httpd_t ptmx_t:chr_file getattr;
    # change attributes (e.g. timestamps) of the fontconfig cache directory
    allow httpd_t fonts_cache_t:dir setattr;
Information about compiling and installing the policy can be found in man
semanage(8). Basically you just need to put it in a file called mayan.te
and execute "make -f /usr/share/selinux/devel/Makefile". Then install it
via "semodule -i mayan.pp".
Also the sebool "httpd_tmp_exec" needs to be set (setsebool
-P httpd_tmp_exec 1). If you connect to a remote database, you also need to
set "httpd_can_network_connect_db". This is not required if you connect to
the db through a UNIX pipe.
Additionally you need to mark the directories document_storage and
image_cache (if you did not change the default storage paths) as writable
for httpd_t by executing the following commands:
    # semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/mayan/mayan/document_storage(/.*)?'
    # semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/mayan/mayan/image_cache(/.*)?'
    # restorecon -r /var/www/mayan
If your Mayan is outside /var/www you might need an additional rule for
your system, e.g.:

    # semanage fcontext -a -t httpd_sys_content_t '/usr/share/mayan(/.*)?'
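To confirm that the steps above actually took effect on a host (module loaded, boolean on, storage directories relabelled), here is a small verification script. It is an added example, not part of the original post; it assumes the default storage path /var/www/mayan/mayan and the module name "mayan", and that GNU stat supports "%C" for printing a file's security context.

```shell
#!/bin/sh
# Added example, not part of the original post: verify the SELinux setup
# for Mayan (module loaded, httpd_tmp_exec on, storage dirs relabelled).
# Assumes the default Mayan storage path and the module name "mayan";
# override MAYAN_ROOT for a different install location.
MAYAN_ROOT=${MAYAN_ROOT:-/var/www/mayan/mayan}

# bool_is_on LINE: true if a "name --> on" line from getsebool says on
bool_is_on() {
    case "$1" in
        *"--> on") return 0 ;;
        *) return 1 ;;
    esac
}

# label_has_type TYPE CONTEXT: true if the security context carries TYPE
# (e.g. system_u:object_r:httpd_sys_rw_content_t:s0)
label_has_type() {
    case "$2" in
        *":$1:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# module_loaded NAME LIST: true if NAME is listed in `semodule -l` output
# (CentOS 6 prints "name<TAB>version", newer releases print only the name)
module_loaded() {
    printf '%s\n' "$2" | grep -Eq "^$1([[:space:]]|$)"
}

# Live checks; run as root on the Mayan host with: sh verify.sh --check
check_host() {
    rc=0
    if module_loaded mayan "$(semodule -l 2>/dev/null)"; then
        echo "OK   policy module mayan is loaded"
    else echo "FAIL module missing: semodule -i mayan.pp"; rc=1; fi
    if bool_is_on "$(getsebool httpd_tmp_exec 2>/dev/null)"; then
        echo "OK   httpd_tmp_exec is on"
    else echo "FAIL run: setsebool -P httpd_tmp_exec 1"; rc=1; fi
    for d in document_storage image_cache; do
        ctx=$(stat -c %C "$MAYAN_ROOT/$d" 2>/dev/null)   # GNU stat: %C = context
        if label_has_type httpd_sys_rw_content_t "$ctx"; then
            echo "OK   $d is httpd_sys_rw_content_t"
        else echo "FAIL $d has '$ctx': fix fcontext and run restorecon"; rc=1; fi
    done
    return $rc
}

case "${1:-}" in --check) check_host ;; esac
```

The helper functions take command output as arguments, so they can also be pointed at output copied from another host.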
Hope this helps someone.
Regards,
Manuel