RE: Selinux + ruby + httpd

Erinn Looney-Triggs wrote:
> In trying to develop some SELinux exceptions (via audit2allow) for a
>ruby application I came up with the following:
>
>module myruby 1.0;
>
>require {
>        type httpd_tmp_t;
>        type lib_t;
>        type httpd_t;
>        type tmp_t;
>        class sock_file { write create unlink getattr setattr };
>        class capability { fowner fsetid };
>        class file { read getattr execute_no_trans };
>        class fifo_file { create unlink getattr setattr };
>}
>
>#============= httpd_t ==============
>allow httpd_t httpd_tmp_t:fifo_file { create unlink getattr setattr };
>allow httpd_t httpd_tmp_t:sock_file { write create unlink getattr setattr };
>allow httpd_t lib_t:file execute_no_trans;          #This one is due to mod_passenger being labelled lib_t
>allow httpd_t self:capability { fowner fsetid };
>allow httpd_t tmp_t:file { read getattr };
>
>Now the first question I have, is there anything egregiously bad in
>there? Aside from lib_t execute due to auto label labelling
>mod_passenger as lib_t.
>
>My second question is, I have this policy working on one machine, moved
>it to another machine and everything worked, this application was then
>deployed on a third machine and I figured, I would just insert the
>module again. Well installing the module worked fine but apache is
>trying to use a different type on this machine, from audit2allow:
>
>#============= httpd_sys_script_t ==============
>allow httpd_sys_script_t devpts_t:chr_file { read write };
>allow httpd_sys_script_t httpd_tmp_t:fifo_file setattr;
>allow httpd_sys_script_t self:capability { setuid setgid };
>
>Why all of a sudden is this machine using httpd_sys_script_t instead of
>httpd_t which my other systems use? All the boxes are RHEL 5.5 x64 fully
>patched running selinux-policy-2.4.6-279.el5. Now it is possible that
>the myruby.pp module mentioned above is working just fine, but why then
>would this one system need these extra privileges? Exact same codebase
>for the ruby application across the systems. Any insight would be
>appreciated.

Is it mod_passenger you're building?  I've just built an RHEL 5
rubygem-passenger rpm, since I couldn't find one anywhere else.  I
haven't looked at the SELinux side yet, and would also be very
interested if a module is being developed.


Moray.
"To err is human.  To purr, feline"
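The two audit2allow outputs quoted above, run through a small review script (an added example, not code from the thread): it parses the `allow` rules, lists the source domain each module grants to, which is the httpd_t versus httpd_sys_script_t difference Erinn asks about, and flags the grants a reviewer would look at twice before loading the module. The risk table is this example's own assumption, not anything stated on the list.

```python
import re

# Constructed samples: the two audit2allow outputs quoted in the thread.
RULES_HTTPD_T = """
allow httpd_t httpd_tmp_t:fifo_file { create unlink getattr setattr };
allow httpd_t httpd_tmp_t:sock_file { write create unlink getattr
setattr };
allow httpd_t lib_t:file execute_no_trans;          #mod_passenger labelled lib_t
allow httpd_t self:capability { fowner fsetid };
allow httpd_t tmp_t:file { read getattr };
"""
RULES_SCRIPT_T = """
allow httpd_sys_script_t devpts_t:chr_file { read write };
allow httpd_sys_script_t httpd_tmp_t:fifo_file setattr;
allow httpd_sys_script_t self:capability { setuid setgid };
"""

# allow <source> <target>:<class> <perm> | { <perms> }
ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+))")

# Grants worth a second look (assumed reviewer checklist, not SELinux policy).
RISKY = {
    ("lib_t", "file", "execute_no_trans"): "runs any lib_t-labelled file in the caller's own domain",
    ("self", "capability", "setuid"): "process may change its UID",
    ("self", "capability", "setgid"): "process may change its GID",
    ("self", "capability", "fowner"): "bypasses owner checks on file operations",
    ("self", "capability", "fsetid"): "keeps setuid/setgid bits when writing files",
    ("devpts_t", "chr_file", "write"): "writes to a pseudo-terminal, unusual for a web script",
    ("tmp_t", "file", "read"): "reads generic tmp_t files instead of httpd_tmp_t",
}

def parse_allow_rules(text):
    """Return (source, target, class, perms) per allow rule; comments are
    stripped and statements re-joined, so email-wrapped lines parse fine.
    Non-allow statements (module, require) are ignored."""
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    rules = []
    for stmt in body.split(";"):
        m = ALLOW_RE.match(" ".join(stmt.split()))
        if m:
            src, tgt, cls, many, one = m.groups()
            rules.append((src, tgt, cls, set((many or one).split())))
    return rules

def source_domains(text):
    """Domains a module grants to: shows httpd_t vs httpd_sys_script_t at a glance."""
    return {rule[0] for rule in parse_allow_rules(text)}

def review(text):
    """Return [(source, target, class, perm, reason)] for every risky grant."""
    findings = []
    for src, tgt, cls, perms in parse_allow_rules(text):
        for perm in sorted(perms):
            reason = RISKY.get((tgt, cls, perm))
            if reason:
                findings.append((src, tgt, cls, perm, reason))
    return findings
```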




--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
