authorYolanda Robla <yroblamo@redhat.com>2016-06-24 14:01:53 +0200
committerYolanda Robla <yroblamo@redhat.com>2016-06-26 09:53:35 +0200
commit10844f7c9e84d1640039e1c6d73930b9b599c304 (patch)
treeb8ab9bde9fc1f42128c07a3a9618054a0ba36ba3
parent3f1c21aecb5b584d8e39e062289323d89f4013fa (diff)
Fix selinux problems on vhost
When running on CentOS, two problems appeared: - when using proxy, apache was failing with an error 500, fixed by enabling httpd_can_network_connect - when trying to access files under a vhost, apache was failing with Access denied because search permissions are missing. So running chcon on the docroot for each vhost Change-Id: I87c4c0e51f05eab8f5c8e094c2c54504e60b97af
Notes
Notes (review): Code-Review+2: Elizabeth K. Joseph <lyz@princessleia.com> Code-Review+2: Ricardo Carrillo Cruz <ricardo.carrillo.cruz@gmail.com> Workflow+1: Ricardo Carrillo Cruz <ricardo.carrillo.cruz@gmail.com> Verified+2: Jenkins Submitted-by: Jenkins Submitted-at: Mon, 18 Jul 2016 16:24:18 +0000 Reviewed-on: https://review.openstack.org/333873 Project: openstack-infra/puppet-httpd Branch: refs/heads/master
-rw-r--r--manifests/vhost.pp14
-rw-r--r--manifests/vhost/proxy.pp8
2 files changed, 21 insertions, 1 deletions
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
index 86e4870..d06f801 100644
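--- a/manifests/vhost.pp
+++ b/manifests/vhost.pp
@@ -72,6 +72,20 @@ define httpd::vhost(
 httpd::mod { 'version': ensure => present }
 }
 
+# selinux may deny directory listing and access to subdirectories
+# so update context to allow it
+if $::osfamily == 'RedHat' {
+if ! defined(Exec["update_context_${docroot}"]) {
+exec { "update_context_${docroot}":
+command => "chcon -R -t httpd_sys_content_t ${docroot}/",
+unless => "ls -lZ ${docroot} | grep httpd_sys_content_t",
+path => '/bin:/usr/bin:/usr/local/bin:/usr/sbin',
+require => Package['httpd'],
+notify => Service['httpd'],
+}
+}
+}
+
 file { "${priority}-${name}.conf":
 path => "${httpd::params::vdir}/${priority}-${name}.conf",
 content => template($template),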
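Review bot: The `unless` guard on the new `exec` does not test what the `chcon` fixes: `ls -lZ ${docroot} | grep httpd_sys_content_t` lists the entries inside the docroot and succeeds as soon as any one of them carries the type, so a partly labelled tree is never corrected, and an empty docroot makes the command (and the `notify => Service['httpd']` restart) fire on every run. Checking the directory itself, quoted and quiet, is closer to the intent: `unless => "ls -dZ '${docroot}' | grep -q httpd_sys_content_t",`. The label set by `chcon` is also not recorded in the SELinux policy, so a later `restorecon` or filesystem relabel would revert it; a `semanage fcontext` rule for the docroot followed by `restorecon -R` would persist. `${docroot}` is interpolated unquoted into both command strings, so the value should be validated as an absolute path if it can ever come from untrusted data. The body of `httpd::vhost` starts and ends outside this hunk.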
diff --git a/manifests/vhost/proxy.pp b/manifests/vhost/proxy.pp
index a79c927..5c74d52 100644
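--- a/manifests/vhost/proxy.pp
+++ b/manifests/vhost/proxy.pp
@@ -66,5 +66,11 @@ define httpd::vhost::proxy (
 notify => Service['httpd'],
 }
 
-
+# enable that setting, that allows httpd scripts and
+# modules to connect to the network
+if $::osfamily == 'RedHat' {
+selinux::boolean { 'httpd_can_network_connect':
+ensure => 'on',
+}
+}
 }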
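Review bot: `selinux::boolean { 'httpd_can_network_connect': }` has a fixed title but is declared inside the `httpd::vhost::proxy` define, so a node that declares two proxy vhosts would likely fail catalog compilation with a duplicate declaration; the `exec` added in vhost.pp has a `defined()` guard but this resource does not. Wrapping it the same way would avoid that: `if ! defined(Selinux::Boolean['httpd_can_network_connect']) {`. The boolean also lets httpd open outbound connections to any port, not only to the proxy backend, so a comment such as `# NOTE: permits all outbound TCP from httpd; httpd_can_network_relay may be enough for proxying` would document the trade-off. The define's header is outside this hunk, and nothing visible here shows where the `selinux` module is declared as a dependency.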