fedora-selinux August 2010 archive

Sample Passenger/Rails policy for review

From: Moray Henderson (ICT) <Moray.Henderson_at_nospam>
Date: Mon Aug 16 2010 - 13:58:10 GMT
To: <selinux@lists.fedoraproject.org>

Hi all,

I've been looking at getting a Ruby on Rails app working through
Passenger under CentOS 5.5. I felt it should run in its own security
context, so I came up with the following sample module. Please comment.

Summary
-------

The policy creates a new set of apache content types using
apache_content_template. The Passenger ApplicationPoolServerExecutable
is given type httpd_myapp_script_exec_t, so the app will execute in
httpd_myapp_script_t. The remaining Passenger files, and the Rails app
itself, are httpd_myapp_content_t. PassengerTempDir is set to
/var/run/passenger, and given httpd_myapp_script_rw_t to allow the
sockets and stuff to be created.

Source
------

#### myapp.te ####
policy_module(myapp,1.0)

# Create a set of apache content types for myapp
apache_content_template(myapp);

# Give running app access to system things it will ask for
kernel_read_kernel_sysctls(httpd_myapp_script_t);
miscfiles_read_certs(httpd_myapp_script_t);
term_use_all_user_ptys(httpd_myapp_script_t);

# Allow apache to create and communicate with Passenger
allow httpd_t self:capability { fowner fsetid };
allow httpd_t httpd_myapp_script_t:unix_stream_socket rw_socket_perms;
allow httpd_t httpd_myapp_script_t:process { siginh rlimitinh noatsecure };
allow httpd_t httpd_myapp_script_rw_t:fifo_file manage_file_perms;
allow httpd_t httpd_myapp_script_rw_t:sock_file { setattr unlink };

# Access that Passenger will need
allow httpd_myapp_script_t self:capability { chown dac_override
dac_read_search fowner fsetid setgid setuid };
allow httpd_myapp_script_t httpd_t:unix_stream_socket { read write };

#### myapp.fc ####
/usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15/lib/phusion_passenger/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:httpd_myapp_script_exec_t, s0)
/usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15(/.*)? gen_context(system_u:object_r:httpd_myapp_content_t, s0)
/usr/local/lib/myapp(/.*)? gen_context(system_u:object_r:httpd_myapp_content_t, s0)
/var/run/passenger(/.*)? gen_context(system_u:object_r:httpd_myapp_script_rw_t, s0)

Moray.
"To err is human. To purr, feline"
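As an added example (not part of Moray's message), a small Python checker that reads AVC denial records and the module's explicit allow rules and reports which denied permissions the module does not yet grant. It resolves `self` and expands the two refpolicy permission-set macros the module uses; the macro expansions and the audit lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# allow rules copied from the posted myapp.te, one rule per line
MYAPP_TE = """
allow httpd_t self:capability { fowner fsetid };
allow httpd_t httpd_myapp_script_t:unix_stream_socket rw_socket_perms;
allow httpd_t httpd_myapp_script_t:process { siginh rlimitinh noatsecure };
allow httpd_t httpd_myapp_script_rw_t:fifo_file manage_file_perms;
allow httpd_t httpd_myapp_script_rw_t:sock_file { setattr unlink };
allow httpd_myapp_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid };
allow httpd_myapp_script_t httpd_t:unix_stream_socket { read write };
"""
# Assumption: refpolicy expansions of the two permission-set macros the module uses
PERM_SETS = {
    "rw_socket_perms": set("ioctl read getattr write setattr append bind connect getopt setopt shutdown".split()),
    "manage_file_perms": set("create open getattr setattr read write append rename link unlink ioctl lock".split()),
}
# Constructed AVC records in auditd format (not captured from a real system)
SAMPLE_AVC = [
    'type=AVC msg=audit(1281960000.101:1): avc:  denied  { siginh rlimitinh } for  pid=2301 comm="httpd" '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_myapp_script_t:s0 tclass=process',
    'type=AVC msg=audit(1281960000.102:2): avc:  denied  { read write open } for  pid=2301 comm="httpd" path="/var/run/passenger/spawn.fifo" '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_myapp_script_rw_t:s0 tclass=fifo_file',
    'type=AVC msg=audit(1281960000.103:3): avc:  denied  { chown kill } for  pid=2345 comm="ruby" capability=0 '
    'scontext=system_u:system_r:httpd_myapp_script_t:s0 tcontext=system_u:system_r:httpd_myapp_script_t:s0 tclass=capability',
]
ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def parse_allow_rules(te_text):
    # (source type, target type, class) -> granted permissions; 'self' and macros resolved
    rules = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        tgt = src if tgt == "self" else tgt
        for p in perms.strip("{} ").split():
            rules[(src, tgt, cls)] |= PERM_SETS.get(p, {p})
    return rules

def uncovered_denials(avc_lines, te_text):
    # allow rules for denied permissions that the module's explicit rules do not grant
    rules = parse_allow_rules(te_text)
    missing = defaultdict(set)
    for m in filter(None, map(AVC_RE.search, avc_lines)):
        perms, sctx, tctx, cls = m.groups()
        key = (sctx.split(":")[2], tctx.split(":")[2], cls)  # type field of each context
        missing[key] |= set(perms.split()) - rules.get(key, set())
    return sorted(f'allow {s} {t}:{c} {{ {" ".join(sorted(p))} }};'
                  for (s, t, c), p in missing.items() if p)
```

Permissions granted through the interface calls (apache_content_template and the others) are invisible to this checker, so a reported gap is a candidate to confirm with sesearch against the loaded policy, not a proven omission.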
