It appears at the moment that the docs largely say "don't try this, disable SELinux". However, disabling SELinux is not an option here, our IT department won't let us. So I set about getting it working.
First, create a new SELinux module for CodeRunner.
Place the attached file into /usr/share/selinux/targeted/coderunner.te.
(It's just plain text. I had to rename it with a ".txt" extension added on the end to make GitHub allow me to upload it here; remove the ".txt" off the end.)
Then compile and load the new module:
```shell
# Run from /usr/share/selinux/targeted, where coderunner.te was placed.
# The first two lines clear any earlier build of the module; -f keeps
# rm quiet on a first run where the files do not exist yet.
rm -f coderunner.mod coderunner.pp
semodule -r coderunner
checkmodule -m -M -o coderunner.mod coderunner.te
semodule_package -o coderunner.pp -m coderunner.mod
semodule -i coderunner.pp
```
Set some booleans to enable various SELinux features to do with httpd:
```shell
setsebool -P httpd_execmem 1
setsebool -P httpd_setrlimit 1
setsebool -P httpd_mod_auth_pam 1
setsebool -P httpd_read_user_content 1
```
Add some SELinux tags to make runguard uncontrolled, and to tell SELinux to use the /home/jobe dirs correctly:
```shell
semanage fcontext --add -s system_u -t httpd_unconfined_script_exec_t '/var/www/html/jobe/runguard/runguard'
semanage fcontext --add -s unconfined_u -t user_home_t '/home/jobe/files(/.*)?'
semanage fcontext --add -s system_u -t httpd_sys_rw_content_t '/var/www/html/jobe/writable(/.*)?'
restorecon -FRv /var/www/html/jobe /home/jobe
```
You should then either be able to just reboot, or else just

```shell
systemctl restart php-fpm httpd
```

to restart the relevant daemons.
This is the setup I run here on RHEL 9.
Cheers,
Jules.
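As an added example, not part of Jules's post or of the Jobe project: a small POSIX shell audit script that checks a host against the state the post ends up in (coderunner module loaded, the four booleans on, the three paths carrying the expected SELinux types). Each check reads command output from stdin, so it can be run against the live `semodule -l`, `getsebool -a` and `ls -Zd` output on the server, or, as in the test below, against captured text. The sample output near the bottom is constructed for the demonstration, not captured from a real host, and the function names (`check_module`, `check_booleans`, `check_types`, `audit`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the issue): audit a Jobe host against the SELinux
# configuration described in the post. Run as root: sh audit-jobe-selinux.sh --live

# Booleans the post switches on with setsebool -P.
EXPECTED_BOOLS="httpd_execmem httpd_setrlimit httpd_mod_auth_pam httpd_read_user_content"

# path:type pairs taken from the post's semanage fcontext rules.
EXPECTED_TYPES="/var/www/html/jobe/runguard/runguard:httpd_unconfined_script_exec_t
/home/jobe/files:user_home_t
/var/www/html/jobe/writable:httpd_sys_rw_content_t"

# check_module: stdin is `semodule -l` output (one module name per line).
# Succeeds only if the coderunner module is listed.
check_module() {
  grep -q -E '^coderunner([[:space:]]|$)'
}

# check_booleans: stdin is `getsebool -a` output ("name --> on|off").
# Prints every expected boolean that is not on; succeeds only if none are.
check_booleans() {
  out=$(cat)
  bad=0
  for b in $EXPECTED_BOOLS; do
    state=$(printf '%s\n' "$out" | awk -v b="$b" '$1 == b { print $3 }')
    if [ "$state" != "on" ]; then
      echo "boolean $b is '${state:-unset}', expected on"
      bad=1
    fi
  done
  return $bad
}

# check_types: stdin is `ls -Zd <paths>` output ("user:role:type:level path").
# Prints every path whose type differs from the post's; succeeds only if all match.
check_types() {
  out=$(cat)
  bad=0
  for entry in $EXPECTED_TYPES; do
    path=${entry%%:*}
    want=${entry#*:}
    got=$(printf '%s\n' "$out" | awk -v p="$path" '$2 == p { split($1, c, ":"); print c[3] }')
    if [ "$got" != "$want" ]; then
      echo "$path has type '${got:-none}', expected $want"
      bad=1
    fi
  done
  return $bad
}

# audit: run all three checks against the live system.
audit() {
  semodule -l | check_module || echo "coderunner module is not loaded"
  getsebool -a | check_booleans
  ls -Zd /var/www/html/jobe/runguard/runguard /home/jobe/files /var/www/html/jobe/writable | check_types
}

# Constructed sample output (not from a real host): one boolean still off and
# the writable dir carrying the default httpd_sys_content_t instead of the
# rw type, so both checks report drift.
sample_modules() { printf '%s\n' 'abrt' 'coderunner' 'httpd'; }
sample_booleans() {
  printf '%s\n' 'httpd_execmem --> on' 'httpd_setrlimit --> on' \
    'httpd_mod_auth_pam --> off' 'httpd_read_user_content --> on'
}
sample_types() {
  printf '%s\n' \
    'system_u:object_r:httpd_unconfined_script_exec_t:s0 /var/www/html/jobe/runguard/runguard' \
    'unconfined_u:object_r:user_home_t:s0 /home/jobe/files' \
    'system_u:object_r:httpd_sys_content_t:s0 /var/www/html/jobe/writable'
}

if [ "${1:-}" = "--live" ]; then
  audit
fi
```

The checks only report; they never call setsebool or restorecon themselves, so the script is safe to run from a cron job or a config-management check and the output tells you exactly which of the post's steps was undone (for example by a package update relabelling /var/www).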