fedora-selinux August 2010 archive

RE: Sample Passenger/Rails policy for review

From: Moray Henderson <Moray.Henderson_at_nospam>
Date: Tue Aug 17 2010 - 15:34:24 GMT
To: <selinux@lists.fedoraproject.org>

Dominick Grift wrote:
>On 08/16/2010 03:58 PM, Moray Henderson (ICT) wrote:
>> Hi all,
>> I've been looking at getting a Ruby on Rails app working through
>> Passenger under CentOS 5.5. I felt it should run in its own security
>> context, so I came up with the following sample module. Please
>This is not how I would do it probably, although I am not sure if my
>approach would be much better.
>Instead of using the httpd_content_template() I would treat it
>as a normal domain.
>Then allow httpd_t to transition to the new mod_passenger domain when it
>runs the passenger executable file.
>The advantage of this, I think, is that you do not have to allow rules
>like this:
>allow httpd_t self:capability { fowner fsetid };
>Also with regard to the policy below:
>allow httpd_t httpd_myapp_script_t:process { siginh rlimitinh
>noatsecure };
>This should not be needed and is by default silently denied.

You're right, I removed the allow ...:process rule, and it still worked.

How do I get httpd_t to transition to an ordinary domain? I've been
experimenting with domain_entry_file and domain_transition_pattern, but
keep getting denials for httpd_t writing to myapp_script_rw_t. It
obviously has not transitioned by the time it tries to write its
temporary files in /var/run/passenger.

Are any of the macros in /usr/share/selinux/devel/include/support/
documented anywhere? I couldn't find them in the Tresys Refpolicy API
documentation or the selinuxproject.org wiki.

Oh, I see, it's domain_auto_transition_pattern I need, not
domain_transition_pattern. I'm trying to use this refpolicy stuff, but
honestly, I find it easier and quicker to program the thing manually
than to find the macro to do it for me!

Now I'm getting a load of process signal denials and a "Cannot stat
er': Permission denied (13)" but at least it's in the correct domain
now. I'll keep working on it.

>> Summary
>> -------
>> The policy creates a new set of apache content types using
>> apache_content_template. The Passenger
>> ApplicationPoolServerExecutable is given type
>> httpd_myapp_script_exec_t, so the app will execute in
>> httpd_myapp_script_t. The remaining Passenger files, and the Rails
>> app itself, are httpd_myapp_content_t. PassengerTempDir is set to
>> /var/run/passenger, and given httpd_myapp_script_rw_t to allow the
>> sockets and stuff to be created.
>> Source
>> ------
>> #### myapp.te ####
>> policy_module(myapp,1.0)
>> # Create a set of apache content types for myapp
>> apache_content_template(myapp);
>> # Give running app access to system things it will ask for
>> kernel_read_kernel_sysctls(httpd_myapp_script_t);
>> miscfiles_read_certs(httpd_myapp_script_t);
>> term_use_all_user_ptys(httpd_myapp_script_t);
>> # Allow apache to create and communicate with Passenger
>> allow httpd_t self:capability { fowner fsetid };
>> allow httpd_t httpd_myapp_script_t:unix_stream_socket rw_socket_perms;
>> allow httpd_t httpd_myapp_script_t:process { siginh rlimitinh noatsecure };
>> allow httpd_t httpd_myapp_script_rw_t:fifo_file manage_file_perms;
>> allow httpd_t httpd_myapp_script_rw_t:sock_file { setattr unlink };
>> # Access that Passenger will need
>> allow httpd_myapp_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid };
>> allow httpd_myapp_script_t httpd_t:unix_stream_socket { read write };
>> #### myapp.fc ####
>> pplicationPoolServerExecutable -- gen_context(system_u:object_r:httpd_myapp_script_exec_t, s0)
>> /usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15(/.*)? gen_context(system_u:object_r:httpd_myapp_content_t, s0)
>> /usr/local/lib/myapp(/.*)? gen_context(system_u:object_r:httpd_myapp_content_t, s0)
>> /var/run/passenger(/.*)? gen_context(system_u:object_r:httpd_myapp_script_rw_t, s0)

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
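The alternative Dominick describes (Passenger as an ordinary domain that httpd_t automatically transitions into when it executes the Passenger binary, so the fowner/fsetid capabilities and the temp-dir write rules leave httpd_t), written out as an added refpolicy module; this is example code, not policy from either poster. The type names passenger_t, passenger_exec_t and passenger_var_run_t and the gem subdirectory placeholder in the .fc entry are assumptions; the interfaces used are standard refpolicy ones.

```m4
#### passenger.te (added example) ####
policy_module(passenger, 1.0.0)

# Passenger as a domain of its own rather than an httpd content type.
# Type names below are assumed, not taken from the thread.
type passenger_t;
type passenger_exec_t;
domain_type(passenger_t)
domain_entry_file(passenger_t, passenger_exec_t)
# httpd_t runs in system_r, so the target domain must be allowed there too
role system_r types passenger_t;

# PassengerTempDir (/var/run/passenger): pid files, fifos and sockets
type passenger_var_run_t;
files_pid_file(passenger_var_run_t)

gen_require(`
	type httpd_t;
')

# httpd_t executes ApplicationPoolServerExecutable and lands in passenger_t.
# The _auto_ variant adds the type_transition rule; domain_transition_pattern
# alone only permits a transition that the caller requests explicitly, which
# is why httpd_t stayed in its own domain and then hit write denials.
domain_auto_transition_pattern(httpd_t, passenger_exec_t, passenger_t)

# Passenger owns its temp dir; httpd_t only connects to the sockets in it
manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
files_pid_filetrans(passenger_t, passenger_var_run_t, { dir file fifo_file sock_file })

stream_connect_pattern(httpd_t, passenger_var_run_t, passenger_var_run_t, passenger_t)
allow httpd_t passenger_t:unix_stream_socket rw_socket_perms;
allow passenger_t httpd_t:unix_stream_socket { read write };

# The capabilities the original myapp.te granted now belong to passenger_t only;
# httpd_t needs no fowner/fsetid of its own for this.
allow passenger_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid };
kernel_read_kernel_sysctls(passenger_t)
miscfiles_read_certs(passenger_t)
# The Rails app itself can stay ordinary httpd_sys_content_t
apache_read_sys_content(passenger_t)

#### passenger.fc (added example) ####
# <SUBDIR> is a placeholder: the thread does not show the gem-relative location
/usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15/<SUBDIR>/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
```

After loading the module, `ps -eZ | grep passenger` should show the pool server in passenger_t while httpd itself remains in httpd_t; any remaining denials then point at passenger_t, not httpd_t.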