Fix selinux problems on vhost

When running on CentOS, two problems appeared:
- when using proxy, apache was failing with an error 500,
fixed by enabling httpd_can_network_connect

- when trying to access files under a vhost, apache was
failing with Access denied because search permissions
were missing, fixed by running chcon on the docroot of each vhost

Change-Id: I87c4c0e51f05eab8f5c8e094c2c54504e60b97af
Yolanda Robla 2016-06-24 14:01:53 +02:00
parent 3f1c21aecb
commit 10844f7c9e
2 changed files with 21 additions and 1 deletions


@ -72,6 +72,20 @@ define httpd::vhost(
httpd::mod { 'version': ensure => present }
}
# selinux may deny directory listing and access to subdirectories
# so update context to allow it
if $::osfamily == 'RedHat' {
if ! defined(Exec["update_context_${docroot}"]) {
exec { "update_context_${docroot}":
command => "chcon -R -t httpd_sys_content_t ${docroot}/",
unless => "ls -lZ ${docroot} | grep httpd_sys_content_t",
path => '/bin:/usr/bin:/usr/local/bin:/usr/sbin',
require => Package['httpd'],
notify => Service['httpd'],
}
}
}
file { "${priority}-${name}.conf":
path => "${httpd::params::vdir}/${priority}-${name}.conf",
content => template($template),
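Review bot: The label applied by `chcon -R` in the `update_context_${docroot}` exec is not recorded in the SELinux file-context policy, so a later `restorecon` or full relabel puts the docroot back on its default type and the denials return; recording the rule with `semanage fcontext -a -t httpd_sys_content_t "${docroot}(/.*)?"` and applying it with `restorecon -R ${docroot}` would make it persistent. The `unless` guard greps only the listing of the docroot's immediate children, so an empty docroot never matches (chcon reruns and httpd is notified on every agent run) and one correctly labelled entry hides mislabelled siblings; `ls -dZ ${docroot}` would at least test the directory itself. The pipe in `unless` depends on a shell, which the default posix exec provider is documented as not using, so `provider => shell` looks necessary here. Because the relabel is recursive and `${docroot}` is caller-supplied, a comment should state that docroot must be a directory dedicated to web content, since pointing it at a shared or system path would hand httpd read access to everything beneath it. The body of `httpd::vhost` starts and ends outside this hunk.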


@ -66,5 +66,11 @@ define httpd::vhost::proxy (
notify => Service['httpd'],
}
# enable that setting, that allows httpd scripts and
# modules to connect to the network
if $::osfamily == 'RedHat' {
selinux::boolean { 'httpd_can_network_connect':
ensure => 'on',
}
}
}
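Review bot: `selinux::boolean { 'httpd_can_network_connect': }` has a fixed title inside the `httpd::vhost::proxy` define, so declaring two proxy vhosts on the same node would likely fail catalog compilation with a duplicate declaration; the vhost hunk guards its exec with `if ! defined(...)`, and the same guard (or moving the boolean into a class that the define includes) is needed here. The boolean is also host-wide and lets any httpd script or module open outbound connections to any port, which is broader than a reverse proxy requires; `httpd_can_network_relay` is the narrower boolean meant for proxying and is worth trying first. The existing comment could say `# host-wide: lets every httpd process make outbound TCP connections, not only this vhost` so the scope is visible to whoever adds the next proxy. The define begins outside this hunk.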