This is a lot of groping about in the dark for me with SELinux, so please excuse any completely absurd choices I made :). I posted before about getting a setup working with mod_passenger; I was able to work things around such that mod_passenger worked fine with SELinux enabled. I came up with this small policy:

    module myruby 1.0;

    require {
        type httpd_tmp_t;
        type lib_t;
        type httpd_t;
        type tmp_t;
        class sock_file { write create unlink getattr setattr };
        class capability { fowner fsetid };
        class file { read getattr execute_no_trans };
        class fifo_file { create unlink getattr setattr };
    }

    #============= httpd_t ==============
    allow httpd_t httpd_tmp_t:fifo_file { create unlink getattr setattr };
    allow httpd_t httpd_tmp_t:sock_file { write create unlink getattr setattr };
    allow httpd_t lib_t:file execute_no_trans;
    allow httpd_t self:capability { fowner fsetid };
    allow httpd_t tmp_t:file { read getattr };

It worked just fine, though I had a bit of a gripe with the execute on lib_t; this was due to the mod_passenger module being automatically labelled as lib_t (it was located in /usr/local/ruby/lib, hence the labelling), but I couldn't really change things as they were in production. Well, now we are going through an upgrade to Rails 3 and it is not playing nicely with SELinux again, so around we go with audit2allow. This time I changed the passenger module to be labelled like all the other apache modules (httpd_modules_t), and there are a few other executables that Passenger requires; I labelled them as apache modules as well (for better or worse; I tried httpd_script_t as well, thinking that it would fit better, but I don't know if it makes much difference).
However, after many runs through audit2allow the outcome is pretty vulgar:

    module myruby 1.0;

    require {
        type unconfined_t;
        type semanage_t;
        type hplip_t;
        type setrans_t;
        type mysqld_t;
        type syslogd_t;
        type getty_t;
        type xfs_t;
        type initrc_t;
        type irqbalance_t;
        type httpd_modules_t;
        type snmpd_t;
        type tmp_t;
        type avahi_t;
        type rpm_t;
        type gpm_t;
        type unconfined_execmem_t;
        type restorecond_t;
        type init_t;
        type httpd_tmp_t;
        type ntpd_t;
        type fsdaemon_t;
        type postfix_master_t;
        type auditd_t;
        type udev_t;
        type postfix_qmgr_t;
        type audisp_t;
        type system_dbusd_t;
        type cupsd_t;
        type inetd_t;
        type portmap_t;
        type postfix_pickup_t;
        type kernel_t;
        type setfiles_t;
        type hald_t;
        type apmd_t;
        type crond_t;
        type rpcd_t;
        type httpd_t;
        class capability { fowner sys_resource fsetid };
        class process ptrace;
        class dir { getattr search };
        class file { read getattr execute_no_trans };
        class sock_file { write create unlink getattr setattr };
    }

    #============= httpd_t ==============
    allow httpd_t apmd_t:dir { getattr search };
    allow httpd_t apmd_t:file read;
    allow httpd_t audisp_t:dir { getattr search };
    allow httpd_t audisp_t:file read;
    allow httpd_t auditd_t:dir { getattr search };
    allow httpd_t auditd_t:file read;
    allow httpd_t avahi_t:dir { getattr search };
    allow httpd_t avahi_t:file read;
    allow httpd_t crond_t:dir { getattr search };
    allow httpd_t crond_t:file read;
    allow httpd_t cupsd_t:dir { getattr search };
    allow httpd_t cupsd_t:file read;
    allow httpd_t fsdaemon_t:dir { getattr search };
    allow httpd_t fsdaemon_t:file read;
    allow httpd_t getty_t:dir { getattr search };
    allow httpd_t getty_t:file read;
    allow httpd_t gpm_t:dir { getattr search };
    allow httpd_t gpm_t:file read;
    allow httpd_t hald_t:dir { getattr search };
    allow httpd_t hald_t:file read;
    allow httpd_t hplip_t:dir { getattr search };
    allow httpd_t hplip_t:file read;
    allow httpd_t httpd_modules_t:file execute_no_trans;
    allow httpd_t httpd_tmp_t:sock_file { write create unlink getattr setattr };
    allow httpd_t inetd_t:dir { getattr search };
    allow httpd_t inetd_t:file read;
    allow httpd_t init_t:dir { getattr search };
    allow httpd_t init_t:file read;
    allow httpd_t initrc_t:dir { getattr search };
    allow httpd_t initrc_t:file read;
    allow httpd_t irqbalance_t:dir { getattr search };
    allow httpd_t irqbalance_t:file read;
    allow httpd_t kernel_t:dir { getattr search };
    allow httpd_t kernel_t:file read;
    allow httpd_t mysqld_t:dir { getattr search };
    allow httpd_t mysqld_t:file read;
    allow httpd_t ntpd_t:dir { getattr search };
    allow httpd_t ntpd_t:file read;
    allow httpd_t portmap_t:dir { getattr search };
    allow httpd_t portmap_t:file read;
    allow httpd_t postfix_master_t:dir { getattr search };
    allow httpd_t postfix_master_t:file read;
    allow httpd_t postfix_pickup_t:dir { getattr search };
    allow httpd_t postfix_pickup_t:file read;
    allow httpd_t postfix_qmgr_t:dir { getattr search };
    allow httpd_t postfix_qmgr_t:file read;
    allow httpd_t restorecond_t:dir { getattr search };
    allow httpd_t restorecond_t:file read;
    allow httpd_t rpcd_t:dir { getattr search };
    allow httpd_t rpcd_t:file read;
    allow httpd_t rpm_t:dir { getattr search };
    allow httpd_t rpm_t:file read;
    allow httpd_t self:capability { fowner sys_resource fsetid };
    allow httpd_t self:process ptrace;
    allow httpd_t semanage_t:dir getattr;
    allow httpd_t setfiles_t:dir getattr;
    allow httpd_t setrans_t:dir { getattr search };
    allow httpd_t setrans_t:file read;
    allow httpd_t snmpd_t:dir { getattr search };
    allow httpd_t snmpd_t:file read;
    allow httpd_t syslogd_t:dir { getattr search };
    allow httpd_t syslogd_t:file read;
    allow httpd_t system_dbusd_t:dir { getattr search };
    allow httpd_t system_dbusd_t:file read;
    allow httpd_t tmp_t:file { read getattr };
    allow httpd_t udev_t:dir { getattr search };
    allow httpd_t udev_t:file read;
    allow httpd_t unconfined_execmem_t:dir { getattr search };
    allow httpd_t unconfined_execmem_t:file read;
    allow httpd_t unconfined_t:dir { getattr search };
    allow httpd_t unconfined_t:file read;
    allow httpd_t xfs_t:dir { getattr search };
    allow httpd_t xfs_t:file read;

This seems like an absurd amount of access to me; it gets things going, but really? Anyone have a bit of experience with mod_passenger and Rails 3, any insight? Now I did go through and manually prune out what I thought was wrong and came up with this (this was when I was testing the httpd_sys_script type, just mentally change it to httpd_t):

    module myruby 1.0;

    require {
        type httpd_tmp_t;
        type httpd_sys_script_t;
        type devpts_t;
        type httpd_t;
        type tmp_t;
        type udev_tbl_t;
        class process { ptrace setpgid getsched };
        class sock_file { write create unlink getattr setattr };
        class capability { kill sys_resource dac_override dac_read_search chown fsetid setgid setuid fowner };
        class chr_file { read write ioctl };
        class file { read getattr execute_no_trans };
        class fifo_file { create unlink getattr setattr };
        class lnk_file read;
        class dir search;
        class unix_stream_socket connectto;
    }

    #============= httpd_t ==============
    allow httpd_t httpd_tmp_t:fifo_file { create unlink getattr setattr };
    allow httpd_t httpd_tmp_t:sock_file { write create unlink getattr setattr };
    allow httpd_t self:capability { fowner fsetid };
    allow httpd_t tmp_t:file { read getattr };
    allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;

    #============= httpd_sys_script_t ==============
    allow httpd_sys_script_t devpts_t:chr_file { read write ioctl };
    allow httpd_sys_script_t self:capability { kill dac_read_search fsetid sys_resource setuid setgid fowner chown dac_override };
    allow httpd_sys_script_t self:process { getsched setpgid };
    allow httpd_sys_script_t udev_tbl_t:lnk_file read;
    allow httpd_sys_script_t devpts_t:dir search;

System works, passenger runs etc., but an obscene amount of logs are being pumped into the audit logs for each of those directory reads etc. I suppose I could add dontaudit rules (not that I know how). But again, seeking any other insights into this.
Thanks,
-Erinn

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
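As an added example (not part of Erinn's post, nor Passenger's or the distribution's own policy): the noisy denials in the audit2allow output are httpd_t doing `dir { getattr search }` and `file read` against dozens of other process domains, which is what a scan of /proc/<pid> looks like in policy terms. Rather than allowing httpd to read every other daemon's process state, the usual answer is a dontaudit rule, which keeps the access denied but stops the audit log flood. The script below generates such a module using the refpolicy `domain` attribute (assumed to exist in the running policy, as it does in targeted policies derived from refpolicy) and compiles it with the standard checkmodule/semodule_package tools if they are installed; the module name myruby_dontaudit is a placeholder.

```shell
#!/bin/sh
# Added example: generate and (where the tools exist) build a loadable
# SELinux module that silences, without granting, httpd_t's lookups of
# other domains' /proc entries. Assumes a refpolicy-based targeted policy
# that defines the 'domain' attribute. Module name is a placeholder.

# Emit the policy source (.te) for the module.
gen_te() {
cat <<'EOF'
module myruby_dontaudit 1.0;

require {
    type httpd_t;
    attribute domain;
    class dir { getattr search };
    class file { read getattr };
}

# Keep denying httpd_t's reads of other domains' process state, but do
# not log them. Replace with a narrow 'allow' only for a domain whose
# /proc entries Passenger demonstrably needs (e.g. its own helpers).
dontaudit httpd_t domain:dir { getattr search };
dontaudit httpd_t domain:file { read getattr };
EOF
}

# Self-check helper: number of dontaudit rules in the generated source.
count_dontaudit() {
    gen_te | grep -c '^dontaudit '
}

# Compile the module into a .pp package; falls back to writing only the
# .te file when the policy toolchain is absent (e.g. on a build box).
build_module() {
    workdir=${1:-.}
    te="${workdir}/myruby_dontaudit.te"
    gen_te > "$te" || return 1
    if ! command -v checkmodule >/dev/null 2>&1 \
       || ! command -v semodule_package >/dev/null 2>&1; then
        echo "policy tools not found; wrote $te only" >&2
        return 0
    fi
    checkmodule -M -m -o "${workdir}/myruby_dontaudit.mod" "$te" || return 1
    semodule_package -o "${workdir}/myruby_dontaudit.pp" \
        -m "${workdir}/myruby_dontaudit.mod" || return 1
    echo "built ${workdir}/myruby_dontaudit.pp;" \
         "install as root with: semodule -i ${workdir}/myruby_dontaudit.pp"
}

build_module "${TMPDIR:-/tmp}"
```

After `semodule -i`, re-run the application and confirm with `ausearch -m avc -ts recent` that the dir/file denials against the other daemon domains have stopped appearing while the httpd_tmp_t socket and fifo rules from the pruned module still carry the real work; any feature that silently stops working under the dontaudit is the signal to add one targeted allow for that specific domain, not to go back to the long list.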