bstopp / puppet-aem

Puppet module for managing AEM Installations.
https://forge.puppet.com/bstopp/aem
Apache License 2.0
30 stars 30 forks

SELinux: httpd_sys_rw_content_t flag missing on docroot #138

Closed henrykuijpers closed 4 years ago

henrykuijpers commented 4 years ago

Recently, SELinux support was added to the module, but it seems that the httpd_sys_rw_content_t flag was missed. This causes the Dispatcher module to not be able to create cache files / directories.

So I propose to add this to puppet-aem:

      File["/var/www/html"] {
        seltype => 'httpd_sys_rw_content_t',
      }

bstopp commented 4 years ago

Because the docroot is owned and managed in the Apache module, that is where this flag should be set.

henrykuijpers commented 4 years ago

@bstopp True, the docroot is not managed by the Puppet-AEM module. But the normal use case for the docroot is to not have the Apache software be able to write to it, so it will never be added in that module.

Now, that leaves only 2 options:

  1. Let users of this module add it to their own code.
  2. Add it to this module, so users don't have to worry.

In both cases, a change should be made in this module: either document that users with SELinux enabled need to set this flag in order for their Dispatcher to actually work, or add this flag to the module so users don't have to worry.

I think adding it to this module is better, since I think you would want to provide a complete and working solution. This is really an aspect of the way the Dispatcher module works and therefore should be added to this module.

WDYT?

bstopp commented 4 years ago

I originally posted that I would be looking into this. But as I wrote it, I ran my test and what I thought would happen, happened.

Because Apache is managing the file for the docroot, my module cannot add/change parameters on that resource. If I attempt to modify the resource to add the seltype, the result is:

Error: Only subclasses can override parameters (file: /tmp/vagrant-puppet/environments/local/manifests/site.pp, line: 169) on node vagrant.aem

And since this module (or the Adobe Puppet-Dispatcher replacement) does not manage the vhost directory, or any of its parents, it still falls on that module or the individual consumers to set this flag.

My suggestion is to set manage_docroot to false on the Apache Vhost, and define the File resource directly in your containing profile.
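
The workaround described in the comment above, written out as an added example (not code from puppet-aem, puppetlabs-apache or the issue authors): the profile declares the docroot itself with the `httpd_sys_rw_content_t` type and tells `apache::vhost` not to manage it, which avoids the "Only subclasses can override parameters" error because only one resource ever declares the directory. The class name, docroot path, server name and the `apache` owner/group are assumptions for the example.

```puppet
# Added example of a wrapper profile for an AEM Dispatcher vhost on an
# SELinux-enforcing host. Not part of puppet-aem or puppetlabs-apache;
# class name, paths, server name and owner/group are assumptions.
class profile::dispatcher_vhost (
  String $docroot    = '/var/www/html',          # assumed docroot
  String $servername = 'dispatcher.example.com', # assumed hostname
) {
  include apache

  # Declare the docroot here, not via the vhost, so the seltype can be set.
  # The SELinux default for /var/www/html is httpd_sys_content_t (read-only
  # for httpd); httpd_sys_rw_content_t lets the Dispatcher module create
  # its cache files and directories under it.
  file { $docroot:
    ensure  => directory,
    owner   => 'apache',   # assumed; the user the httpd workers run as
    group   => 'apache',
    mode    => '0755',
    seltype => 'httpd_sys_rw_content_t',
  }

  # manage_docroot => false stops puppetlabs-apache from declaring
  # File[$docroot] itself, so the resource above is the only declaration
  # and no parameter override is needed.
  apache::vhost { $servername:
    port           => 80,
    docroot        => $docroot,
    manage_docroot => false,
    require        => File[$docroot],
  }
}
```

To check the result after a run, `ls -dZ /var/www/html` should show `httpd_sys_rw_content_t` in the label. One caveat: Puppet's `seltype` relabels the inode directly, the way `chcon` does, so a later `restorecon` on the path reverts it to the policy default unless a matching `semanage fcontext` rule (for example from a separate SELinux module) also exists.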

bstopp commented 4 years ago

What about this? https://github.com/adobe/puppet-dispatcher/issues/4

henrykuijpers commented 4 years ago

Can this issue be reopened? @bstopp

bstopp commented 4 years ago

@henrykuijpers - I added support for this in the new module. Here's the PR.

A release for that module is coming as soon as the Forge password is fixed.