On Mon, 2008-06-23 at 08:56 -0400, Daniel J Walsh wrote: > Craig White wrote: > > On Mon, 2008-06-16 at 13:29 +0100, Paul Howarth wrote: > >> Craig White wrote: > >>> On Mon, 2008-06-16 at 11:39 +0100, Paul Howarth wrote: > >>>> Craig White wrote: > >>>>> On Sat, 2008-06-14 at 16:51 +0100, Paul Howarth wrote: > >>>>>> On Sat, 14 Jun 2008 08:05:56 -0700 > >>>>>> Craig White <craigwhite@xxxxxxxxxxx> wrote: > >>>>> I'm a bit confused myself because in essence, httpd is just a proxy to > >>>>> the ruby/rails 'mongrel' which is a http server in ruby running the ruby > >>>>> processes and is providing dhtml on higher ports as the user. > >>>>> > >>>>> FWIW...httpd runs as user 'apache' (as ususal) > >>>>> mongrels run as regular 'user' (me) > >>>>> all files and folders inside the subdirectory we are discussing... > >>>>> (/home/craig/svn-new) are owned by me (not root, not apache) > >>>> The conventional unix ownership and permissions make very little > >>>> difference as far as SELinux is concerned, so although you need to get > >>>> them right, they're not going to affect the file contexts needed. > >>>> > >>>> What context is mongrels running in (try the -Z option of ps)? How does > >>>> that process get started (via an initscript?)? > >>> ---- > >>> yes, a SysV initscript...(running 2 mongrels at present... port & pid > >>> #'s 3000 & 3001) > >>> > >>> # ps auxZ|grep mongrel > >>> unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh root 7079 > >>> 0.0 0.0 4120 732 pts/6 S+ 05:02 0:00 grep mongrel > >>> root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27313 0.0 3.0 45068 > >>> 30164 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d > >>> -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5 > >>> --user craig --group craig -p 3000 -P log/mongrel.3000.pid -l > >>> log/mongrel.3000.log > >>> root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27316 0.0 2.9 45052 > >>> 29468 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d > >>> -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5 > >>> --user craig --group craig -p 3001 -P log/mongrel.3001.pid -l > >>> log/mongrel.3001.log > >>> ---- > >> OK, so they're running as unconfined_t at the moment. > >> > >>> I could conceivably run the mongrels as user 'apache' except that the > >>> permissions on some of the folders would have to be changed because > >>> there are some directories that files are written into by the ruby web > >>> server...so I try to just run as user. > >> Don't change anything about the regular Unix permissions at the moment; > >> I guess that for a production server you'd create a separate account for > >> the Ruby stuff to run as. > >> > >> What would be an interesting experiment would be to run the Ruby stuff > >> in the same SELinux context as httpd. Try changing the context type of > >> /usr/bin/mongrel_rails to httpd_exec_t and restart the services. > >> > >> # chcon -t httpd_exec_t /usr/bin/mongrel_rails > >> > >> I'm not sure whether this will make things better or worse but it should > >> eliminate some problems for the two httpd-like bits talking to each other. > > ---- > > that seems to have cleared things up - I had to restart both > > mongrel_cluster service and then the httpd service - I did get an error > > the first time through but subsequent restarts seems to have cleared it > > up. > > > > Thanks > Is this the correct context for mongrel_rails? IE Is this basically a > http web server? How does it get started on boot? ---- seems to be the correct context for mongrel_rails - the sealert's have stopped. Yes, mongrel_rails is essentially a ruby language web server which runs as 'user' on a high numbered port and as is typical configuration, uses apache (httpd) to proxy the connections to a number of 'mongrels' (configurable) to spread the connections since rails itself is not thread safe. It is started at boot by a sysv initscript Craig -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
