Sunday, November 19, 2006

Running a BOINC Server on SELinux

This is a shortened excerpt of one version of a much longer document. It is useful enough on its own that I am posting it here separately.

In my previous post on Creating Users and Groups for a BOINC Server, I explained how to create the boinc user and group. Here I explain how to grant the appropriate permissions to allow a project to operate without disabling or crippling SELinux.

After you have used make_project to create the basic files for a project, you need to change some of the permissions.

Assuming you have done as shown on The make_project script page and that you created a cplan project in the projects directory inside of your home directory as explained there, you will need to grant read permission to your home directory. You can do this with
$ sudo chmod 755 ~
That will allow the Apache webserver to access files hosted in your home directory; note that mode 755 also lets every other local user list and enter it. Then we need to grant the boinc group access to the new files in the project.
$ sudo chgrp -R boinc ~/projects/cplan/html
Without SELinux running, this would be sufficient to allow access to the project. However, if you have SELinux enabled, a few more steps are necessary. If you loaded your project into one of the system web server directories instead of creating it within a user's directory, you should replace httpd_user_content_t with httpd_sys_content_t in the following instructions.
$ sudo chcon -R -h -t httpd_user_content_t ~/projects/cplan/html
$ sudo chcon -h -t httpd_user_content_t ~/projects/cplan
$ sudo chcon -h -t httpd_user_content_t ~/projects/cplan/config.xml
$ sudo chcon -R -h -t httpd_user_script_exec_t ~/projects/cplan/cgi-bin
The chcon command changes the SELinux context that is assigned to an object. In this case we are changing the type of the object to indicate that it is for use by httpd, but resides in a user's directory. The first command recursively labels the html directory. The second labels the project directory itself so that config.xml can be seen in it, and the third grants access to the configuration file itself. The last line indicates that scripts should be allowed to run in the cgi-bin directory. Labels set with chcon are lost if the files are later relabeled, for example by restorecon or a full filesystem relabel.
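
To confirm the labels took effect, the script below (an added example, not part of the original post) compares the SELinux type of every path the four chcon commands touch against the type the post assigns to it. The function names and the `audit` argument are this example's own; it assumes GNU stat and the home-directory types used above.

```sh
#!/bin/sh
# Added example (not from the original post): audit the labels set by chcon.
# Types are the ones the post uses for a project under a home directory.

# Print the type field of an SELinux context (user:role:type[:level]).
# Only field 3 is taken because an MLS level can itself contain colons.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the type the post assigns to a path given relative to the project.
expected_type() {
    case "$1" in
        cgi-bin|cgi-bin/*)        echo httpd_user_script_exec_t ;;
        .|config.xml|html|html/*) echo httpd_user_content_t ;;
        *)                        echo unspecified ;;
    esac
}

# check_label REL CONTEXT: return 0 if CONTEXT carries the expected type,
# otherwise print a MISMATCH line and return 1.
check_label() {
    want=$(expected_type "$1")
    got=$(context_type "$2")
    [ "$got" = "$want" ] && return 0
    echo "MISMATCH $1: type is $got, expected $want"
    return 1
}

# audit_project ROOT: check every path the four chcon commands touch.
# Uses GNU stat's %C (SELinux context); symlinks are not followed, as with -h.
audit_project() {
    root=$1
    report=$( { printf '%s\n' "$root" "$root/config.xml"
                find "$root/html" "$root/cgi-bin"; } |
        while IFS= read -r path; do
            rel=${path#"$root"/}
            if [ "$path" = "$root" ]; then rel=.; fi
            check_label "$rel" "$(stat -c %C "$path")" || true
        done )
    if [ -n "$report" ]; then printf '%s\n' "$report"; return 1; fi
    echo "all labels match"
}

# Run as: sh audit_labels.sh audit ~/projects/cplan
if [ "${1:-}" = "audit" ]; then
    audit_project "${2:-$HOME/projects/cplan}"
fi
```

A mismatch on a file under cgi-bin that shows httpd_user_content_t means the script can be read by httpd but not executed.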

You still have the details of writing your project and configuring Apache to serve it, but hopefully this post has helped with any SELinux issues you may have had.
