Add SELinux basic rules #32

Closed
+55 −0
@@ -0,0 +1,16 @@
+
+module httpdbase 1.0;
+
+require {
+ type file_t;
+ type httpd_t;
+ type httpd_sys_content_t;
+ type logrotate_t;
+ class dir { read search getattr };
+}
+
+#============= httpd_t ==============
+allow httpd_t file_t:dir { search getattr };
mfournier (Contributor) commented on Feb 29, 2012:

This allows httpd to read any directory on the system: not a good idea. It's the whole reason for using SELinux...

+
+#============= logrotate_t ==============
+allow logrotate_t httpd_sys_content_t:dir read;
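Review bot: `allow httpd_t file_t:dir { search getattr };` is a labeling problem being fixed in policy. file_t is the type of unlabeled files (a filesystem that was never relabeled, or a path created before restorecon ran), so this rule lets httpd_t traverse every unlabeled directory on the host instead of only its content tree. Fix the labels instead: add a persistent file context for the vhost document root (for example `semanage fcontext -a -t httpd_sys_content_t '/srv/www(/.*)?'` followed by `restorecon -Rv /srv/www`) and drop the rule. The same applies to `allow logrotate_t httpd_sys_content_t:dir read;`: it implies the log files sit under a directory labeled httpd_sys_content_t, and giving them the stock httpd_log_t type, which logrotate_t is already allowed to manage, removes the need for a custom rule; on its own, `read` on a dir without `search` and `getattr` is also unlikely to be sufficient. Please put the audit denials (ausearch / audit2allow output) that motivated each rule into a comment in the .te file so the next reader can tell a labeling fix from a real policy gap.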
mfournier (Contributor) commented on Feb 29, 2012:

Why not chcon the logfiles to httpd_log_t instead?

@@ -19,4 +19,9 @@
RedHat,CentOS: { include apache::redhat}
default: { fail "Unsupported operatingsystem ${operatingsystem}" }
}
+
+ if $selinux == "true" {
+ include apache::selinux
+ }
+
}
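Review bot: `if $selinux == "true"` relies on the fact being delivered as the string "true", which holds on Puppet 2.x where facts are stringified but stops matching silently once the selinux fact arrives as a boolean; reference it explicitly as the top-scope fact `$::selinux` and note the string comparison in a comment so a later Puppet upgrade does not quietly disable the include. The fact also only says SELinux is enabled, not whether it is enforcing, which is fine for loading a policy module but worth stating. Finally, the include is unconditional on OS here while the OS check lives inside apache::selinux; keeping the guard in one place (either here next to the OS case, or entirely inside the class) would make the behaviour easier to follow.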
@@ -0,0 +1,34 @@
+class apache::selinux {
+
+ case $operatingsystem {
+
+ RedHat,CentOS: {
+ case $lsbmajdistrelease {
+
+ "4","5": { }
+
+ default: {
+
+ # Basic SELinux rules to:
+ # -read vhost configuration files
+ # -logrotate
mfournier (Contributor) commented on Feb 29, 2012:

I think I'm really missing the point here... If Apache config files are httpd_config_t and logfiles are httpd_log_t, everything should work out of the box, no need for a home-brew SELinux module.

Could you please clarify, maybe with a more detailed comment in the code about the reason for doing things this way? Thanks!

+ selinux::module { "httpdbase":
+ source => "puppet:///apache/selinux/httpdbase.te",
+ notify => Selmodule[ "httpdbase" ],
+ }
+
+ selmodule { "httpdbase":
+ ensure => present,
+ syncversion => true,
+ require => Exec[ "build selinux policy package httpdbase" ],
+ }
+
+ }
+ }
+ }
+
+ default: { }
+
+ }
+
+}
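Review bot: the comment above the `selinux::module` resource ("Basic SELinux rules to: -read vhost configuration files -logrotate") describes what the rules do but not why the stock policy's httpd_config_t and httpd_log_t labels are not enough, which is the question a reader of this class will have; please expand it with the denials that were observed. Two dependency issues: `selinux::module` and `Exec["build selinux policy package httpdbase"]` come from a separate selinux module that this patch neither ships nor declares as a dependency, and the `require` on an Exec title that is created inside that define couples this class to the define's internals (it breaks the moment the exec is renamed), so the ordering should be expressed against the `Selinux::Module["httpdbase"]` resource instead. The `"4","5": { }` branch does nothing silently; a one-line comment saying the module targets the RHEL 6 policy would make that intentional. Also, `$lsbmajdistrelease` is only populated when lsb_release (redhat-lsb) is installed; on a minimal install the fact is empty, so a RHEL 5 host would fall through to `default` and get the module loaded. Deriving the major version from `$operatingsystemrelease` (e.g. with `regsubst`) avoids that dependency.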