fedora-selinux August 2010 archive

RE: Selinux + ruby + httpd

From: Moray Henderson <Moray.Henderson_at_nospam>
Date: Mon Aug 16 2010 - 13:04:30 GMT
To: "'Erinn Looney-Triggs'" <erinn.looneytriggs@gmail.com>, <selinux@lists.fedoraproject.org>

Erinn Looney-Triggs wrote:
>My second question is, I have this policy working on one machine, moved
>it to another machine and everything worked, this application was then
>deployed on a third machine and I figured, I would just insert the
>module again. Well installing the module worked fine but apache is
>trying to use a different type on this machine, from audit2allow:
>
>#============= httpd_sys_script_t ==============
>allow httpd_sys_script_t devpts_t:chr_file { read write };
>allow httpd_sys_script_t httpd_tmp_t:fifo_file setattr;
>allow httpd_sys_script_t self:capability { setuid setgid };
>
>Why all the sudden is this machine using httpd_sys_script_t instead of
>httpd_t which my other systems use? All the boxes are RHEL 5.5 x64 fully
>patched running selinux-policy-2.4.6-279.el5. Now it is possible that
>the myruby.pp module mentioned above is working just fine, but why then
>would this one system need these extra privileges? Exact same codebase
>for the ruby application across the systems. Any insight would be
>appreciated.

Did you get anywhere with this?

Things to check:
  Booleans
  Types on httpd, ApplicationPoolServerExecutable and other scripts
  Other loaded policy modules

Running in httpd_sys_script_t seems more usual than running in httpd_t -
although I'm about to submit an alternative policy module that creates
its own type for the Rails app.

Moray.
"To err is human. To purr, feline"

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
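
Added example, not part of the original message: one way to run the three checks from the reply (booleans, file types, loaded modules) on a working and a non-working host and compare the results. The function names, the `/path/to/ApplicationPoolServerExecutable` placeholder and the sample snapshots are assumptions constructed for illustration; `getsebool`, `ls -Z` and `semodule` are the standard tools.

```shell
#!/bin/sh
# Added example, not from the original thread. On each host, as root:
#   selinux_snapshot /usr/sbin/httpd /path/to/ApplicationPoolServerExecutable > host.snap
# (the second path is a placeholder), then on one machine:
#   snapshot_diff working.snap failing.snap

# One tagged line per boolean, file label and loaded policy module.
selinux_snapshot() {
    getsebool -a   | awk '{ print "boolean\t" $0 }'
    # $1=$1 collapses column padding so alignment alone never shows as a difference
    ls -dZ -- "$@" | awk '{ $1 = $1; print "label\t" $0 }'
    semodule -l    | awk '{ $1 = $1; print "module\t" $0 }'
}

# Lines found in only one snapshot: "<" = first file, ">" = second file.
snapshot_diff() {
    sd_a=$(mktemp) && sd_b=$(mktemp) || return 1
    LC_ALL=C sort "$1" > "$sd_a"
    LC_ALL=C sort "$2" > "$sd_b"
    LC_ALL=C comm -23 "$sd_a" "$sd_b" | sed 's/^/< /'
    LC_ALL=C comm -13 "$sd_a" "$sd_b" | sed 's/^/> /'
    rm -f "$sd_a" "$sd_b"
}

# Offline demonstration on constructed snapshots (all values are made up).
snapshot_demo() {
    sd_dir=$(mktemp -d) || return 1
    sd_exe=/path/to/ApplicationPoolServerExecutable
    {
        printf 'boolean\thttpd_enable_cgi --> on\n'
        printf 'label\t-rwxr-xr-x root root system_u:object_r:bin_t %s\n' "$sd_exe"
        printf 'module\tmyruby 1.0\n'
    } > "$sd_dir/working.snap"
    {
        printf 'boolean\thttpd_enable_cgi --> on\n'
        printf 'label\t-rwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t %s\n' "$sd_exe"
        printf 'module\tmyruby 1.0\n'
        printf 'module\tlocalmod 1.0\n'
    } > "$sd_dir/failing.snap"
    snapshot_diff "$sd_dir/working.snap" "$sd_dir/failing.snap"
    rm -rf "$sd_dir"
}

if [ "${1:-}" = demo ]; then snapshot_demo; fi
```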