Awesome! Thanks!  SELinux modules are a mystical thing for me and the few 
times I've installed Mayan on distributions with SELinux, I just end up 
disabling it.  Thanks a lot for this, will add it to the contrib folder and 
to the FAQs section of the docs!

--Roberto

On Wednesday, January 16, 2013 9:15:32 AM UTC-4, Manuel Faux wrote:
>
> I am using CentOS 6.3, 2.6.32-279.19.1.el6.x86_64 with Apache httpd 
> (2.2.15) as a host for my Mayan installation. Since I did not want to 
> disable SELinux for my Apache server, I started to write an SELinux module 
> for Mayan. I used the policy for a short time without troubles, but maybe 
> there are some directives missing.
>
> module mayan 1.3;
>
> require {
>         type ptmx_t;
>         type initrc_tmp_t;
>         type fonts_cache_t;
>         type httpd_tmp_t;
>         type httpd_t;
>         type httpd_tmpfs_t;
>         class file execute;
>         class dir getattr;
>         class dir setattr;
>         class chr_file getattr;
> }
>
> #============= httpd_t ==============
>
> allow httpd_t httpd_tmp_t:file execute;
> allow httpd_t httpd_tmpfs_t:file execute;
> allow httpd_t initrc_tmp_t:dir getattr;
> allow httpd_t ptmx_t:chr_file getattr;
> allow httpd_t fonts_cache_t:dir setattr;
>
> Information about compiling and installing the policy can be found in man 
> semanage(8). Basically you just need to put it in a file called mayan.te 
> and execute "make -f /usr/share/selinux/devel/Makefile". Then install it 
> via "semodule -i mayan.pp".
>
> Also the sebool "httpd_tmp_exec" needs to be set (setsebool 
> -P httpd_tmp_exec 1). If you connect to a remote database, you also need 
> to set "httpd_can_network_connect_db". This is not required if you connect 
> to the db through a UNIX pipe.
>
> Additionally you need to mark the directories document_storage and 
> image_cache (if you did not change the default storage paths) as writable 
> for httpd_t by executing the following commands:
>
> # semanage fcontext -a -t httpd_sys_rw_content_t 
> '/var/www/mayan/mayan/document_storage(/.*)?'
> # semanage fcontext -a -t httpd_sys_rw_content_t 
> '/var/www/mayan/mayan/image_cache(/.*)?'
> # restorecon -r /var/www/mayan
>
> If your Mayan is outside /var/www you might need an additional rule for 
> your system, e.g.:
>
> # semanage fcontext -a -t httpd_sys_content_t '/usr/share/mayan(/.*)?'
>
> Hope this helps someone.
>
> Regards,
> Manuel
>

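The steps Manuel lists above (write mayan.te, build it with the devel Makefile, load it with semodule, set the booleans, label the two writable directories, restorecon) collected into one script, with a check step that catches the case he flags himself, namely directives still missing from the module. This is an added example, not code from the thread or from the Mayan project. It assumes MAYAN_ROOT is the directory holding document_storage and image_cache (defaulting to the path used in the post) and MAYAN_REMOTE_DB=1 means the database is reached over the network; both names are this script's own, not anything Mayan ships.

```shell
#!/bin/sh
# Added example (not from the thread or the Mayan project): automate the
# SELinux steps from Manuel's post and verify the result afterwards.
#
# Assumptions not stated in the post: MAYAN_ROOT is the directory that
# holds document_storage and image_cache; MAYAN_REMOTE_DB=1 means the
# database is reached over TCP instead of a local socket. Both variable
# names are invented here for the example.
set -eu

MAYAN_ROOT="${MAYAN_ROOT:-/var/www/mayan/mayan}"
MAYAN_REMOTE_DB="${MAYAN_REMOTE_DB:-0}"

# Policy source exactly as posted, written to stdout so it can be read
# or diffed before anything is loaded into the kernel.
mayan_policy_te() {
    cat <<'EOF'
module mayan 1.3;

require {
        type ptmx_t;
        type initrc_tmp_t;
        type fonts_cache_t;
        type httpd_tmp_t;
        type httpd_t;
        type httpd_tmpfs_t;
        class file execute;
        class dir getattr;
        class dir setattr;
        class chr_file getattr;
}

#============= httpd_t ==============
allow httpd_t httpd_tmp_t:file execute;
allow httpd_t httpd_tmpfs_t:file execute;
allow httpd_t initrc_tmp_t:dir getattr;
allow httpd_t ptmx_t:chr_file getattr;
allow httpd_t fonts_cache_t:dir setattr;
EOF
}

# Print (do not run) the labelling commands for a given install root, so
# the paths can be reviewed when Mayan lives somewhere other than /var/www.
mayan_fcontext_cmds() {
    root="$1"
    for d in document_storage image_cache; do
        printf "semanage fcontext -a -t httpd_sys_rw_content_t '%s/%s(/.*)?'\n" "$root" "$d"
    done
}

# Build, load and label. Needs root and the selinux-policy-devel package,
# which provides /usr/share/selinux/devel/Makefile.
mayan_selinux_apply() {
    workdir=$(mktemp -d)
    mayan_policy_te > "$workdir/mayan.te"
    ( cd "$workdir" && make -f /usr/share/selinux/devel/Makefile mayan.pp )
    semodule -i "$workdir/mayan.pp"

    setsebool -P httpd_tmp_exec 1
    if [ "$MAYAN_REMOTE_DB" = 1 ]; then
        setsebool -P httpd_can_network_connect_db 1
    fi

    mayan_fcontext_cmds "$MAYAN_ROOT" | sh -e
    restorecon -R "$MAYAN_ROOT"
}

# Verify: module loaded, boolean on, both directories carry the rw label,
# and no fresh AVC denials for httpd. A denial listed here is a directive
# the module is still missing.
mayan_selinux_check() {
    semodule -l | grep -q '^mayan' || { echo "mayan module not loaded"; return 1; }
    getsebool httpd_tmp_exec | grep -q 'on$' || { echo "httpd_tmp_exec is off"; return 1; }
    for d in document_storage image_cache; do
        ls -Zd "$MAYAN_ROOT/$d" | grep -q httpd_sys_rw_content_t \
            || { echo "$d is not labelled httpd_sys_rw_content_t"; return 1; }
    done
    ausearch -m avc -ts recent -c httpd 2>/dev/null || echo "no recent AVC denials for httpd"
}

case "${1:-}" in
    apply) mayan_selinux_apply ;;
    check) mayan_selinux_check ;;
    print) mayan_policy_te; mayan_fcontext_cmds "$MAYAN_ROOT" ;;
    *) echo "usage: $0 apply|check|print" ;;
esac
```

Run it with `print` first to see the policy and the exact semanage commands it would issue for your MAYAN_ROOT, then `apply` as root, then exercise Mayan through Apache for a while and run `check`; anything ausearch lists at that point is the "missing directive" case from the post and is the input you would feed to audit2allow.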