Sunday, 14 February 2010

About apache_content_template

In refpolicy there are about eight modules that call apache_content_template in their private policy. These template calls are placed inside optional_policy blocks, so that the modules do not depend on the apache module being present.

The problem is that seven of these eight modules have, in their file context file, file context specifications that reference an executable type declared by the apache content template. As far as I know, file context specifications are never optional.

So even though the calls to apache content template are optional, in practice they are not, because the file context specifications that accompany them are not optional.

This means that eight modules depend on the apache module being installed. Try to remove the apache module (semodule -r apache) and you will be presented with some very unclear errors. Most people will not know what to do.

So how can we fix that?

Well, here is an example. We use apache_cgi_domain() instead:

########################################
#
# BackupPC admin private declarations (in the module's .te file).
#

# The executable type is declared by this module itself, so the file
# context specification further down never depends on the apache module.
# backuppc_domains is an attribute declared elsewhere in this module.
type backuppc_admin_t, backuppc_domains;
type backuppc_admin_exec_t;
domain_type(backuppc_admin_t)
domain_entry_file(backuppc_admin_t, backuppc_admin_exec_t)
role system_r types backuppc_admin_t;

########################################
#
# BackupPC admin private policy (in the module's .te file).
#

# Only the interface call is optional: when the apache module is not
# installed this block is simply skipped and the module still loads.
optional_policy(`
	apache_cgi_domain(backuppc_admin_t, backuppc_admin_exec_t)
')

# File context specification (in the module's .fc file). It references a
# type this module declares, not one created by apache_content_template.
/usr/share/BackupPC/sbin/BackupPC_Admin -- gen_context(system_u:object_r:backuppc_admin_exec_t, s0)

This way the call to apache_cgi_domain() is *really* optional. It is a bit more work initially, but in my view this is maintainable, unlike apache_content_template.
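As an added illustration (not code from the original post or from refpolicy), here is a small Python check that flags exactly the situation described above: types referenced in a module's .fc file that the module's own .te file does not declare outside an optional_policy block. The sample .te and .fc contents are constructed for this example; the name httpd_backuppc_script_exec_t follows the naming that apache_content_template uses for the types it creates, and the fixed variant mirrors the apache_cgi_domain() policy shown above.

```python
import re

# Constructed sample of the fragile pattern: the only thing that would
# create httpd_backuppc_script_exec_t is apache_content_template(backuppc),
# and that call sits inside optional_policy. The .fc below still references
# the type unconditionally.
FRAGILE_TE = """
policy_module(backuppc, 1.0.0)

type backuppc_t;
type backuppc_exec_t;
init_daemon_domain(backuppc_t, backuppc_exec_t)

optional_policy(`
	apache_content_template(backuppc)
')
"""

FRAGILE_FC = """
/usr/sbin/BackupPC                      --  gen_context(system_u:object_r:backuppc_exec_t,s0)
/usr/share/BackupPC/sbin/BackupPC_Admin --  gen_context(system_u:object_r:httpd_backuppc_script_exec_t,s0)
"""

# Constructed sample of the fix: the exec type is declared by the module
# itself and only the apache_cgi_domain() interface call is optional.
FIXED_TE = """
policy_module(backuppc, 1.0.0)

type backuppc_t;
type backuppc_exec_t;
init_daemon_domain(backuppc_t, backuppc_exec_t)

type backuppc_admin_t;
type backuppc_admin_exec_t;
domain_type(backuppc_admin_t)
domain_entry_file(backuppc_admin_t, backuppc_admin_exec_t)

optional_policy(`
	apache_cgi_domain(backuppc_admin_t, backuppc_admin_exec_t)
')
"""

FIXED_FC = """
/usr/sbin/BackupPC                      --  gen_context(system_u:object_r:backuppc_exec_t,s0)
/usr/share/BackupPC/sbin/BackupPC_Admin --  gen_context(system_u:object_r:backuppc_admin_exec_t,s0)
"""

# "type foo_t;" or "type foo_t, some_attribute;" at the start of a line.
TYPE_DECL = re.compile(r"^\s*type\s+(\w+)\s*[,;]", re.MULTILINE)
# The type field of gen_context(user:role:type, mls) in a .fc entry.
FC_TYPE = re.compile(r"gen_context\(\w+:\w+:(\w+)\s*,")
# An m4 optional_policy(` ... ') block, possibly spanning several lines.
OPTIONAL_BLOCK = re.compile(r"optional_policy\(`.*?'\)", re.DOTALL)


def declared_types(te_text):
    """Types the module declares unconditionally in its own .te file.

    optional_policy blocks are stripped first, so nothing that exists only
    when another module is loaded counts as guaranteed-present.
    """
    unconditional = OPTIONAL_BLOCK.sub("", te_text)
    return set(TYPE_DECL.findall(unconditional))


def fc_types(fc_text):
    """Types referenced by gen_context() entries in a .fc file."""
    return set(FC_TYPE.findall(fc_text))


def undeclared_fc_types(te_text, fc_text):
    """Sorted list of .fc types the module does not declare itself.

    A non-empty result means the file contexts pull in a dependency on
    another module even though the .te only calls it optionally.
    """
    return sorted(fc_types(fc_text) - declared_types(te_text))


if __name__ == "__main__":
    print("fragile module:", undeclared_fc_types(FRAGILE_TE, FRAGILE_FC))
    print("fixed module:  ", undeclared_fc_types(FIXED_TE, FIXED_FC))
```

This is a purely lexical check: it does not expand m4, so a type created by a template called outside any optional_policy block would be reported as undeclared (a false positive you can confirm by looking at the .te). It is meant as a quick scan over a policy tree before running the real build with checkmodule/semodule, not as a replacement for it.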