Re: ****Re: ****Re: simple question with home serviing ruby on rails web site

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2008-06-16 at 13:29 +0100, Paul Howarth wrote:
> Craig White wrote:
> > On Mon, 2008-06-16 at 11:39 +0100, Paul Howarth wrote:
> >> Craig White wrote:
> >>> On Sat, 2008-06-14 at 16:51 +0100, Paul Howarth wrote:
> >>>> On Sat, 14 Jun 2008 08:05:56 -0700
> >>>> Craig White <craigwhite@xxxxxxxxxxx> wrote:
> >>> I'm a bit confused myself because in essence, httpd is just a proxy to
> >>> the ruby/rails 'mongrel' which is a http server in ruby running the ruby
> >>> processes and is providing dhtml on higher ports as the user.
> >>>
> >>> FWIW...httpd runs as user 'apache' (as ususal)
> >>>     mongrels run as regular 'user' (me)
> >>>     all files and folders inside the subdirectory we are discussing...
> >>>     (/home/craig/svn-new) are owned by me (not root, not apache)
> >> The conventional unix ownership and permissions make very little 
> >> difference as far as SELinux is concerned, so although you need to get 
> >> them right, they're not going to affect the file contexts needed.
> >>
> >> What context is mongrels running in (try the -Z option of ps)? How does 
> >> that process get started (via an initscript?)?
> > ----
> > yes, a SysV initscript...(running 2 mongrels at present... port & pid
> > #'s 3000 & 3001)
> > 
> > # ps auxZ|grep mongrel
> > unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh root 7079
> > 0.0  0.0 4120 732 pts/6 S+ 05:02   0:00 grep mongrel
> > root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27313 0.0  3.0 45068
> > 30164 ?  Sl   Jun15   0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d
> > -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5
> > --user craig --group craig -p 3000 -P log/mongrel.3000.pid -l
> > log/mongrel.3000.log
> > root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27316 0.0  2.9 45052
> > 29468 ?  Sl   Jun15   0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d
> > -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5
> > --user craig --group craig -p 3001 -P log/mongrel.3001.pid -l
> > log/mongrel.3001.log
> > ----
> 
> OK, so they're running as unconfined_t at the moment.
> 
> > 
> > I could conceivably run the mongrels as user 'apache' except that the
> > permissions on some of the folders would have to be changed because
> > there are some directories that files are written into by the ruby web
> > server...so I try to just run as user.
> 
> Don't change anything about the regular Unix permissions at the moment; 
> I guess that for a production server you'd create a separate account for 
> the Ruby stuff to run as.
> 
> What would be an interesting experiment would be to run the Ruby stuff 
> in the same SELinux context as httpd. Try changing the context type of 
> /usr/bin/mongrel_rails to httpd_exec_t and restart the services.
> 
> # chcon -t httpd_exec_t /usr/bin/mongrel_rails
> 
> I'm not sure whether this will make things better or worse but it should 
> eliminate some problems for the two httpd-like bits talking to each other.
----
that seems to have cleared things up - I had to restart both
mongrel_cluster service and then the httpd service - I did get an error
the first time through but subsequent restarts seems to have cleared it
up.

Thanks

Craig

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux