SELinux

From WeBWorK_wiki
Jump to navigation Jump to search

This page explains how to get WeBWorK running in an SELinux environment. It assumes a basic familiarity with SELinux, WeBWork, and Apache.

Document root

The internal webwork structure will need the following contexts set (assuming you're installing within /opt):

sudo semanage fcontext -a -t httpd_sys_content_t '/opt/webwork(/.*)?'
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/opt/webwork/courses(/.*)?'
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/opt/webwork/webwork2/tmp(/.*)?'

If /opt isn't normally used to host web applications, you may need to change its context as well (just the top-level, not including sub-directories):

sudo semanage fcontext -a -t httpd_sys_content_t '/opt'

After running this command you'll need to restore contexts if you have not already done so:

sudo restorecon -vFR /opt

Sendmail

If you want to allow httpd to send email via sendmail then you have to enable that boolean:

sudo setsebool -P httpd_can_sendmail 1

LaTeX

Rendering problems as images relies on the pdftex binary (invoked by httpd) accessing the texmf libraries. Some SELinux environments don't allow this by default and you may see messages like the following:

SELinux is preventing /usr/bin/pdftex from search access on the directory /var/lib/texmf/web2c/pdftex

You can fix this by creating a policy to allow this access:

module webwork 1.2;

require {
        type file_t;
        type httpd_t;
        type tetex_data_t;
        class dir { search getattr };
        class file { read getattr open };
}

#============= httpd_t ==============
allow httpd_t file_t:dir { search getattr };
allow httpd_t tetex_data_t:dir { search getattr };
allow httpd_t tetex_data_t:file { read getattr open };

Follow these steps to create and install a policy:

  1. Copy the above into webwork.te and save.
  2. sudo checkmodule -M -m -o webwork.mod webwork.te
  3. sudo semodule_package -o webwork.pp -m webwork.mod
  4. sudo semodule -i webwork.pp

Links