Daniel J Walsh wrote:
> There was a question yesterday in one of the Fedora lists, from a person
> who would like to run a special httpd script that would manage his
> passwd file. Now whether or not this is a good idea, it caused me to try
> an experiment.
> Currently we have a macro apache_domain. I thought it would be cool if
> I could start writing policy for this passwd app by adding a file to
> domains/misc/apachepasswd.te. Then having one line
> apache_domain(passwd)
>
> Which in theory would create httpd_passwd_script_exec_t,
> httpd_passwd_script_t, httpd_passwd_script_rw_t. I could then go ahead
> and label my cgi httpd_passwd_script_exec_t and start adding the
> additional allow rules to allow this to happen. Needless to say, we
> have added a lot of cruft to the apache_domain() macro. So I did some
> cleanup of apache.te and apache_macro.te, see attached.
> Could people review these to make sure there are no mistakes?
> But this exercise also brought up the idea that this would be an
> excellent example of how we would want to use loadable modules. I think
> that this might be a fairly common problem. People want to run a
> specialized apache cgi script that slightly extends httpd_sys_script_t.
>
> It would be cool if they could do this without having to have policy
> installed, but a simple boilerplate for adding a new type of httpd
> script type.
>
> Ideas?
>
> Dan

This is a great idea that I've been using for some time now :) I needed it for all kinds of cgi-type applications, and the policy can be as clean as apache_domain(awstats) and a few webapp-related rules.

bye,
peter