From 10844f7c9e84d1640039e1c6d73930b9b599c304 Mon Sep 17 00:00:00 2001
From: Yolanda Robla <yroblamo@redhat.com>
Date: Fri, 24 Jun 2016 14:01:53 +0200
Subject: [PATCH] Fix selinux problems on vhost

When running on CentOS, two problems appeared:
- when using proxy, apache was failing with an error 500,
fixed by enabling httpd_can_network_connect

- when trying to access files under a vhost, apache was
failing with Access denied because search permissions
were missing; fixed by running chcon on the docroot of each vhost

Change-Id: I87c4c0e51f05eab8f5c8e094c2c54504e60b97af
---
 manifests/vhost.pp       | 14 ++++++++++++++
 manifests/vhost/proxy.pp |  8 +++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/manifests/vhost.pp b/manifests/vhost.pp
index 86e4870..d06f801 100644
--- a/manifests/vhost.pp
+++ b/manifests/vhost.pp
@@ -72,6 +72,20 @@ define httpd::vhost(
     httpd::mod { 'version': ensure => present }
   }
 
+  # selinux may deny directory listing and access to subdirectories
+  # so update context to allow it
+  if $::osfamily == 'RedHat' {
+    if ! defined(Exec["update_context_${docroot}"]) {
+      exec { "update_context_${docroot}":
+        command => "chcon -R -t httpd_sys_content_t ${docroot}/",
+        unless  => "ls -lZ ${docroot} | grep httpd_sys_content_t",
+        path    => '/bin:/usr/bin:/usr/local/bin:/usr/sbin',
+        require => Package['httpd'],
+        notify  => Service['httpd'],
+      }
+    }
+  }
+
   file { "${priority}-${name}.conf":
       path    => "${httpd::params::vdir}/${priority}-${name}.conf",
       content => template($template),
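Review bot: The `unless` guard on the new exec is likely to fail on every run, so `chcon` re-executes and `notify => Service['httpd']` restarts httpd on each Puppet agent run: the guard uses a shell pipe (`|`) but the exec sets no `provider`, and the default posix provider does not pass the command through a shell; also `ls -lZ ${docroot}` lists the directory's contents rather than the directory itself, so an empty docroot never matches. Suggested lines: `unless => "ls -dZ ${docroot} | grep -q httpd_sys_content_t",` plus `provider => 'shell',`, and the `notify` can be dropped since a label change takes effect without restarting httpd. Note too that `${docroot}` is interpolated unquoted into a shell command, and that `chcon` labels are not persistent across a relabel (`restorecon`/`semanage fcontext` would be the durable form). The enclosing `define httpd::vhost` starts before and ends after this hunk.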
diff --git a/manifests/vhost/proxy.pp b/manifests/vhost/proxy.pp
index a79c927..5c74d52 100644
--- a/manifests/vhost/proxy.pp
+++ b/manifests/vhost/proxy.pp
@@ -66,5 +66,11 @@ define httpd::vhost::proxy (
     notify  => Service['httpd'],
   }
 
-
+  # enable that setting, that allows httpd scripts and
+  # modules to connect to the network
+  if $::osfamily == 'RedHat' {
+    selinux::boolean { 'httpd_can_network_connect':
+      ensure => 'on',
+    }
+  }
 }
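Review bot: `selinux::boolean { 'httpd_can_network_connect': ... }` is declared inside the `httpd::vhost::proxy` define, so a node with two proxy vhosts fails with a duplicate resource declaration; vhost.pp guards its exec with `defined()` but this hunk does not. Suggested wrapper: `if ! defined(Selinux::Boolean['httpd_can_network_connect']) { ... }`, or move the boolean into a class that the define includes. Separately, this boolean allows every process in the httpd domain to open arbitrary outbound connections, which is broader than a reverse proxy needs; SELinux ships the narrower `httpd_can_network_relay` for that case, so a comment explaining why the wider boolean was chosen (or switching to the relay boolean) would help, e.g. `# needed for mod_proxy backends; httpd_can_network_relay is the narrower alternative`.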