On Mon, 2008-06-16 at 13:29 +0100, Paul Howarth wrote:
> Craig White wrote:
> > On Mon, 2008-06-16 at 11:39 +0100, Paul Howarth wrote:
> >> Craig White wrote:
> >>> On Sat, 2008-06-14 at 16:51 +0100, Paul Howarth wrote:
> >>>> On Sat, 14 Jun 2008 08:05:56 -0700
> >>>> Craig White <craigwhite@xxxxxxxxxxx> wrote:
> >>> I'm a bit confused myself because in essence, httpd is just a proxy to
> >>> the ruby/rails 'mongrel' which is a http server in ruby running the ruby
> >>> processes and is providing dhtml on higher ports as the user.
> >>>
> >>> FWIW...httpd runs as user 'apache' (as usual)
> >>> mongrels run as regular 'user' (me)
> >>> all files and folders inside the subdirectory we are discussing...
> >>> (/home/craig/svn-new) are owned by me (not root, not apache)
> >> The conventional unix ownership and permissions make very little
> >> difference as far as SELinux is concerned, so although you need to get
> >> them right, they're not going to affect the file contexts needed.
> >>
> >> What context is mongrels running in (try the -Z option of ps)? How does
> >> that process get started (via an initscript?)?
> > ----
> > yes, a SysV initscript...(running 2 mongrels at present... port & pid
> > #'s 3000 & 3001)
> >
> > # ps auxZ|grep mongrel
> > unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh root 7079 0.0 0.0 4120 732 pts/6 S+ 05:02 0:00 grep mongrel
> > root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27313 0.0 3.0 45068 30164 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5 --user craig --group craig -p 3000 -P log/mongrel.3000.pid -l log/mongrel.3000.log
> > root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27316 0.0 2.9 45052 29468 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5 --user craig --group craig -p 3001 -P log/mongrel.3001.pid -l log/mongrel.3001.log
> > ----
>
> OK, so they're running as unconfined_t at the moment.
>
> > I could conceivably run the mongrels as user 'apache' except that the
> > permissions on some of the folders would have to be changed because
> > there are some directories that files are written into by the ruby web
> > server...so I try to just run as user.
>
> Don't change anything about the regular Unix permissions at the moment;
> I guess that for a production server you'd create a separate account for
> the Ruby stuff to run as.
>
> What would be an interesting experiment would be to run the Ruby stuff
> in the same SELinux context as httpd. Try changing the context type of
> /usr/bin/mongrel_rails to httpd_exec_t and restart the services.
>
> # chcon -t httpd_exec_t /usr/bin/mongrel_rails
>
> I'm not sure whether this will make things better or worse but it should
> eliminate some problems for the two httpd-like bits talking to each other.
----
that seems to have cleared things up - I had to restart both mongrel_cluster service and then the httpd service - I did get an error the first time through but subsequent restarts seem to have cleared it up.

Thanks

Craig

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
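The check Paul asks for above (which SELinux domain the mongrel processes actually run in) is easy to script so it can be re-run after the `chcon` and the service restarts. The following is an added example, not code from the thread or from Fedora; it parses `ps auxZ`-style output with awk and reports any process matching a pattern that is not in the expected domain. The `SAMPLE_PS` lines are constructed for the example, modelled on the output quoted in the thread (the `httpd` line and the shortened command lines are made up), so the script runs on any POSIX shell without SELinux; on a real host you would pipe the live `ps auxZ` output into the functions instead.

```sh
#!/bin/sh
# Added example: audit the SELinux domain of a service's processes by
# parsing `ps auxZ` output. Column layout of `ps auxZ` is:
#   LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...
# so the label is $1, the PID is $3 and the command starts at $12.

# Constructed sample (modelled on the thread's output, not a real capture).
SAMPLE_PS='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 7079 0.0 0.0 4120 732 pts/6 S+ 05:02 0:00 grep mongrel
root:unconfined_r:unconfined_t:s0:c0.c255 craig 27313 0.0 3.0 45068 30164 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d -p 3000
root:unconfined_r:unconfined_t:s0:c0.c255 craig 27316 0.0 2.9 45052 29468 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d -p 3001
system_u:system_r:httpd_t:s0 apache 1234 0.0 1.0 20000 9000 ? S Jun15 0:02 /usr/sbin/httpd'

# context_type LABEL: print the type field (user:role:TYPE:range) of a label.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# proc_domains PATTERN: read ps auxZ output on stdin and print "PID TYPE"
# for every process whose command line contains PATTERN. The grep that
# produced the listing (command word "grep") is skipped.
proc_domains() {
    awk -v pat="$1" '
        {
            cmd = ""
            for (i = 12; i <= NF; i++) cmd = cmd " " $i
            if (index(cmd, pat) == 0) next
            if ($12 == "grep") next
            split($1, ctx, ":")
            print $3, ctx[3]
        }'
}

# all_in_domain PATTERN DOMAIN: exit 0 if every process matching PATTERN
# runs in DOMAIN; otherwise print the offending "PID TYPE" lines and exit 1.
all_in_domain() {
    bad=$(proc_domains "$1" | awk -v want="$2" '$2 != want')
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Stand-alone demo on the constructed sample. On a live host use:
#   ps auxZ | all_in_domain mongrel_rails httpd_t
printf '%s\n' "$SAMPLE_PS" | all_in_domain mongrel_rails httpd_t \
    || echo "mongrel_rails is not confined in httpd_t"
```

Two caveats a practitioner would add to the thread's fix: a label set with `chcon` lives only in the file's extended attribute and is lost on the next relabel (for example `restorecon` or a filesystem relabel), so to keep mongrel_rails in `httpd_exec_t` permanently, record the rule with `semanage fcontext -a -t httpd_exec_t /usr/bin/mongrel_rails` and then apply it with `restorecon -v /usr/bin/mongrel_rails`. And once the mongrels transition into `httpd_t` they are confined, so the directories they read and write under `/home/craig/svn-new` need httpd-accessible file contexts as well; any access that the policy blocks shows up as AVC denials in `/var/log/audit/audit.log`, which is the first place to look when the restart "error" Craig mentions recurs.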