Fix selinux problems on vhost

When running on CentOS, two problems appeared: - when using proxy, apache was failing with an error 500, fixed by enabling httpd_can_network_connect - when trying to access files under a vhost, apache was failing with Access denied because search permissions are missing. So running chcon on the docroot for each vhost Change-Id: I87c4c0e51f05eab8f5c8e094c2c54504e60b97af
2016-06-24 14:01:53 +02:00 · 2016-06-24 14:01:53 +02:00 · 10844f7c9e
commit 10844f7c9e
parent 3f1c21aecb
2 changed files with 21 additions and 1 deletions
--- a/manifests/vhost.pp
+++ b/manifests/vhost.pp
@ -72,6 +72,20 @@ define httpd::vhost(
    httpd::mod { 'version': ensure => present }
  }

+  # selinux may deny directory listing and access to subdirectories
+  # so update context to allow it
+  if $::osfamily == 'RedHat' {
+    if ! defined(Exec["update_context_${docroot}"]) {
+      exec { "update_context_${docroot}":
+        command => "chcon -R -t httpd_sys_content_t ${docroot}/",
+        unless  => "ls -lZ ${docroot} | grep httpd_sys_content_t",
+        path    => '/bin:/usr/bin:/usr/local/bin:/usr/sbin',
+        require => Package['httpd'],
+        notify  => Service['httpd'],
+      }
+    }
+  }
+
  file { "${priority}-${name}.conf":
      path    => "${httpd::params::vdir}/${priority}-${name}.conf",
      content => template($template),
--- a/manifests/vhost/proxy.pp
+++ b/manifests/vhost/proxy.pp
@ -66,5 +66,11 @@ define httpd::vhost::proxy (
    notify  => Service['httpd'],
  }

-
+  # enable that setting, that allows httpd scripts and
+  # modules to connect to the network
+  if $::osfamily == 'RedHat' {
+    selinux::boolean { 'httpd_can_network_connect':
+      ensure => 'on',
+    }
+  }
 }