May 2010 Archives

2010-05-24 20:56:27

Putting the fun in funionfs

Since a lot of the world still revolves around PHP, and a friend of mine asked me to host a PHP-based blog, I was confronted with a typical PHP application which, like all typical PHP applications, is very fond of writing to its own installation directory and keeping its configuration there.

Being the automation freak I am, I rolled an RPM package of the PHP application that installs it into /usr/share. A Puppet rule then creates an Apache vhost in /home/www and union-mounts the shared installation into htdocs, with a vhost subdirectory named confdata as the read-write layer.

It turned out I would have been better off using NetBSD for the task. The only unionfs implementation available in CentOS 5.5 is FUSE-based and called funionfs. However, funionfs doesn't support SELinux contexts, so everything on the mount ends up in the context fusefs_t, which Apache (httpd_t) is not allowed to touch. A small SELinux module fixed that:

module serendipity 1.0;

require {
    type httpd_t;
    type fusefs_t;
    class lnk_file read;
    class dir { read write remove_name getattr create search add_name };
    class file { read write getattr create setattr rename };
}

#============= httpd_t ==============
# These rules apply to every file system labelled fusefs_t, not just the
# union mount, because funionfs cannot assign a more specific context.
allow httpd_t fusefs_t:dir { read write remove_name getattr create search add_name };
allow httpd_t fusefs_t:file { read write getattr create setattr rename };
allow httpd_t fusefs_t:lnk_file read;

This might not be the most secure solution, but nothing other than Apache runs on this VM anyway, so I didn't care enough. It's still better than turning off SELinux entirely.

In order to allow the software to reach the database, I had to flip another SELinux boolean:

httpd_can_network_connect_db --> on

Now things almost worked. Installing templates via the web interface, however, did not, so I went on to investigate:

% cd /home/www/
% mkdir test
mkdir: cannot create directory `test': No such file or directory
% ls -ld test
ls: test: No such file or directory
% touch test
touch: setting times of `test': File exists
% ls -ld test
-rw-r--r-- 1 root root 0 May 24 20:49 test
% rm test

It's impossible to create directories in the funionfs mount; apparently this is some kind of bug. Creating the template in confdir by hand worked, but that means the web interface is not working.
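As an added example (not part of the original post), here is a small POSIX shell pre-flight check that probes a mount point for the directory-creation failure seen above, so a union layer can be tested before a vhost is deployed onto it. The path argument is an assumption; in this setup it would be the vhost's htdocs directory.

```shell
#!/bin/sh
# Probe a directory (e.g. a union mount) for the funionfs behaviour shown in the
# post: mkdir fails with "No such file or directory" while plain files still work.
# Usage: check_union_mkdir /home/www/<vhost>/htdocs   (path is an assumption)

check_union_mkdir() {
    dir="$1"
    probe="$dir/.union-probe-$$"
    status=0

    # 1. Directory creation must succeed and actually leave a directory behind.
    if ! mkdir "$probe" 2>/dev/null; then
        echo "FAIL: mkdir in $dir failed (funionfs-style bug?)" >&2
        status=1
    elif [ ! -d "$probe" ]; then
        echo "FAIL: mkdir reported success but $probe is not a directory" >&2
        status=1
    else
        # 2. A file must be creatable inside the new directory, not just at top level
        #    (template installers write whole trees, not single files).
        if ! : 2>/dev/null >"$probe/file"; then
            echo "FAIL: cannot create a file inside $probe" >&2
            status=1
        fi
        rm -rf "$probe"
    fi

    # 3. Plain file creation at the top level (the part that did work in the post).
    if ! : 2>/dev/null >"$probe.file"; then
        echo "FAIL: cannot create a file in $dir" >&2
        status=1
    else
        rm -f "$probe.file"
    fi

    if [ "$status" -eq 0 ]; then
        echo "OK: $dir supports directory and file creation"
    fi
    return "$status"
}
```

Run it against the mount point right after mounting; a non-zero exit status means the union layer is not fit for an application that writes into its own tree.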

Looking forward to aufs2 in later versions of CentOS.

Posted by Tonnerre Lombard | Permanent link | File under: broken