SELinux

From WeBWorK_wiki
Revision as of 21:29, 28 January 2014 by Charles Fulton (talk | contribs) (save)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

This page explains how to get WeBWorK running in an SELinux environment. It assumes a basic familiarity with SELinux, WeBWork, and Apache.

Document root

The internal webwork structure will need the following contexts set (assuming you're installing within /opt):

sudo semanage fcontext -a -t httpd_sys_content_t '/opt/webwork(/.*)?'
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/opt/webwork/courses(/.*)?'
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/opt/webwork/webwork2/tmp(/.*)?'

If /opt isn't normally used to host web applications, you may need to change its context as well (just the top-level, not including sub-directories):

sudo semanage fcontext -a -t httpd_sys_content_t '/opt'

After running this commands you'll need to restore contexts if you have not already done so:

sudo restorecon -vFR /opt

LaTeX

Rending problems as images relies the pdftex binary (invoked by httpd) accessing the texmf libraries. Some SELinux environments don't allow this by default and you may see messages like the following:

SELinux is preventing /usr/bin/pdftex from search access on the directory /var/lib/texmf/web2c/pdftex

You can fix this by creating a policy to allow this access:

module webwork 1.2;

require {
        type file_t;
        type httpd_t;
        type tetex_data_t;
        class dir { search getattr };
        class file { read getattr open };
}

#============= httpd_t ==============
allow httpd_t file_t:dir { search getattr };
allow httpd_t tetex_data_t:dir { search getattr };
allow httpd_t tetex_data_t:file { read getattr open };

Follow these steps to create and install a policy:

  1. Copy the above into webwork.te and save.
  2. sudo checkmodule -M -m -o webwork.mod webwork.te
  3. sudo semodule_package -o webwork.pp -m webwork.mod
  4. sudo semodule -i webwork.pp

Links