[Freeipa-devel] Writing to /var/cache/ipa/assets/
Pavel's current code base tries to write to /var/cache/ipa/assets/ from within httpd, which is forbidden by SELinux. I suspect the code in the mainline might be doing this as well.

The workaround is:

chcon -R -t httpd_sys_content_rw_t /var/cache/ipa/assets
semanage fcontext -a -t httpd_sys_content_rw_t 'assets'

If we are going to do this kind of code generation, we might want to do it at install time, or as part of something like /etc/init.d/ipa-server start

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Writing to /var/cache/ipa/assets/
On 06/18/2010 04:51 PM, Rob Crittenden wrote:
> Adam Young wrote:
>> Pavel's current code base tries to write to /var/cache/ipa/assets/ from within httpd, which is forbidden by SELinux. I suspect the code in the mainline might be doing this as well.
>>
>> The workaround is:
>>
>> chcon -R -t httpd_sys_content_rw_t /var/cache/ipa/assets
>> semanage fcontext -a -t httpd_sys_content_rw_t 'assets'
>>
>> If we are going to do this kind of code generation, we might want to do it at install time, or as part of something like /etc/init.d/ipa-server start
>
> I'd think this rule would cover it in ipa_httpd.fc:
>
> /var/cache/ipa/assets(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
>
> rob

Before I open a bug I want to review with Pavel. I wasn't seeing this before I merged in his changes, and it wasn't for code in the main git repo, so no bug yet.
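The exchange above turns on what label a file_contexts (.fc) rule actually hands to /var/cache/ipa/assets and whether that label lets httpd write. The following is an added example, not FreeIPA code and not from any poster in the thread: a small resolver that parses an .fc fragment in the same syntax as the quoted ipa_httpd.fc rule, picks the rule libselinux would apply to a path (the last matching, fully anchored regex), and reports whether the resulting type is one httpd_t may write to. The fragment is constructed for the example (only the assets rule is from the thread), and the set of httpd-writable types is an assumption taken from the stock targeted policy.

```python
"""Added example: which SELinux type does a path get from an .fc fragment,
and could httpd_t write there?  Not FreeIPA code; fragment is constructed."""
import re

# Constructed .fc fragment.  The /var/cache/ipa/assets line is the rule quoted
# in the thread; the other lines are made up for this example.  Generic rules
# come first because libselinux applies the LAST matching specification.
FC_FRAGMENT = r"""
# comment and blank lines are ignored
/var/cache/ipa(/.*)?            gen_context(system_u:object_r:var_t,s0)
/var/cache/ipa/assets(/.*)?     gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/cache/ipa/sessions(/.*)?   gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/var/cache/ipa/\.keep           <<none>>
"""

# Assumption for this example: types httpd_t may write to without flipping a
# boolean in the stock targeted policy (old and newer name of the rw type).
HTTPD_WRITABLE_TYPES = {"httpd_sys_content_rw_t", "httpd_sys_rw_content_t"}

_FC_LINE = re.compile(
    r"^(?P<regex>\S+)"                     # path regex (contains no whitespace)
    r"(?:\s+(?P<ftype>-[-bcdlps]))?"       # optional file-type flag (--, -d, ...)
    r"\s+(?:gen_context\((?P<ctx>[^,)]+),(?P<mls>[^)]+)\)|(?P<none><<none>>))\s*$"
)


def parse_fc(text):
    """Return [(compiled_regex, type_or_None)] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _FC_LINE.match(line)
        if not m:
            raise ValueError("unparseable file_contexts line: %r" % line)
        # libselinux anchors every fc regex at both ends.
        pattern = re.compile("^" + m.group("regex") + "$")
        # <<none>> means "do not relabel"; otherwise take the type field.
        typ = None if m.group("none") else m.group("ctx").split(":")[2]
        rules.append((pattern, typ))
    return rules


def label_for(path, rules):
    """Type the path would receive, or None if nothing matches or the
    winning rule is <<none>>.  Last matching rule wins, as in libselinux."""
    result = None
    for pattern, typ in rules:
        if pattern.match(path):
            result = typ
    return result


def httpd_can_write(path, rules):
    """True only if the resolved type is one httpd_t may write to."""
    return label_for(path, rules) in HTTPD_WRITABLE_TYPES


if __name__ == "__main__":
    rules = parse_fc(FC_FRAGMENT)
    for p in ("/var/cache/ipa/assets/ipa.js",
              "/var/cache/ipa/sessions/abc",
              "/var/cache/ipa/tmp"):
        print("%-32s %-26s httpd writable: %s"
              % (p, label_for(p, rules), httpd_can_write(p, rules)))
```

Two practical points follow from running it. First, `httpd_sys_content_t`, the type the quoted rule assigns, is read-only content for httpd_t, so that rule alone does not let the web server write into the directory. Second, `chcon` only changes the label on the inode and is undone by the next relabel; a persistent change needs `semanage fcontext -a -t TYPE` with the anchored regex form `'/var/cache/ipa/assets(/.*)?'` followed by `restorecon -R /var/cache/ipa/assets` to apply it.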
Re: [Freeipa-devel] Writing to /var/cache/ipa/assets/
On Fri, 18 Jun 2010 17:28:19 -0400 Adam Young ayo...@redhat.com wrote:
> On 06/18/2010 04:51 PM, Rob Crittenden wrote:
>> Adam Young wrote:
>>> Pavel's current code base tries to write to /var/cache/ipa/assets/ from within httpd, which is forbidden by SELinux. I suspect the code in the mainline might be doing this as well.
>>>
>>> The workaround is:
>>>
>>> chcon -R -t httpd_sys_content_rw_t /var/cache/ipa/assets
>>> semanage fcontext -a -t httpd_sys_content_rw_t 'assets'
>>>
>>> If we are going to do this kind of code generation, we might want to do it at install time, or as part of something like /etc/init.d/ipa-server start
>>
>> I'd think this rule would cover it in ipa_httpd.fc:
>>
>> /var/cache/ipa/assets(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
>>
>> rob
>
> Before I open a bug I want to review with Pavel. I wasn't seeing this before I merged in his changes, and it wasn't for code in the main git repo, so no bug yet.

As a general rule I don't like that apache gets to write to the file system, esp. if that means changing code that different users use at the same time. It's a too big risk.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] Writing to /var/cache/ipa/assets/
On 06/18/2010 05:53 PM, Simo Sorce wrote:
> As a general rule I don't like that apache gets to write to the file system

+1

--
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/