Sample Passenger/Rails policy for review

Dominick Grift domg472 at gmail.com
Mon Aug 16 14:19:36 UTC 2010


On 08/16/2010 03:58 PM, Moray Henderson (ICT) wrote:
> Hi all,
> 
> I've been looking at getting a Ruby on Rails app working through
> Passenger under CentOS 5.5.  I felt it should run in its own security
> context, so I came up with the following sample module.  Please comment.


This is not how I would do it probably, although I am not sure if my
approach would be much better.

Instead of using the httpd_content_template() I would treat
mod_passenger as a normal domain.

Then allow httpd_t to transition to the new mod_passenger domain when it
runs the passenger executable file.

The advantage of this, I think, is that you do not have to allow rules
like this:

allow httpd_t self:capability { fowner fsetid };

Also with regard to the policy below:

allow httpd_t httpd_myapp_script_t:process { siginh rlimitinh noatsecure };

This should not be needed and is by default silently denied.

> Summary
> -------
> 
> The policy creates a new set of apache content types using
> apache_content_template.  The Passenger ApplicationPoolServerExecutable
> is given type httpd_myapp_script_exec_t, so the app will execute in
> httpd_myapp_script_t.  The remaining Passenger files, and the Rails app
> itself, are httpd_myapp_content_t.  PassengerTempDir is set to
> /var/run/passenger, and given httpd_myapp_script_rw_t to allow the
> sockets and stuff to be created.
> 
> Source
> ------
> 
> #### myapp.te ####
> policy_module(myapp,1.0)
> 
> # Create a set of apache content types for myapp
> apache_content_template(myapp);
> 
> # Give running app access to system things it will ask for
> kernel_read_kernel_sysctls(httpd_myapp_script_t);
> miscfiles_read_certs(httpd_myapp_script_t);
> term_use_all_user_ptys(httpd_myapp_script_t);
> 
> # Allow apache to create and communicate with Passenger
> allow httpd_t self:capability { fowner fsetid };
> allow httpd_t httpd_myapp_script_t:unix_stream_socket rw_socket_perms;
> allow httpd_t httpd_myapp_script_t:process { siginh rlimitinh noatsecure };
> allow httpd_t httpd_myapp_script_rw_t:fifo_file manage_file_perms;
> allow httpd_t httpd_myapp_script_rw_t:sock_file { setattr unlink };
> 
> # Access that Passenger will need
> allow httpd_myapp_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid };
> allow httpd_myapp_script_t httpd_t:unix_stream_socket { read write };
> 
> #### myapp.fc ####
> /usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15/lib/phusion_passenger/ApplicationPoolServerExecutable  --  gen_context(system_u:object_r:httpd_myapp_script_exec_t, s0)
> /usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15(/.*)?  gen_context(system_u:object_r:httpd_myapp_content_t, s0)
> /usr/local/lib/myapp(/.*)?  gen_context(system_u:object_r:httpd_myapp_content_t, s0)
> /var/run/passenger(/.*)?  gen_context(system_u:object_r:httpd_myapp_script_rw_t, s0)
> 
> 
> 
> Moray.
> "To err is human.  To purr, feline"
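
The approach described in the reply above, as an added example that is not part of either poster's message or of the reference policy: a stand-alone domain that httpd_t enters by a domain transition. The type names passenger_t, passenger_exec_t and passenger_var_run_t are assumptions; the remaining rules are carried over from the quoted module.

```selinux
# passenger.te (added example; the passenger_* type names are hypothetical)
policy_module(passenger, 1.0)

gen_require(`
	type httpd_t;
')

# A stand-alone domain and its entry point, instead of apache_content_template()
type passenger_t;
type passenger_exec_t;
domain_type(passenger_t)
domain_entry_file(passenger_t, passenger_exec_t)
role system_r types passenger_t;

# Runtime directory (PassengerTempDir, /var/run/passenger in the quoted post)
type passenger_var_run_t;
files_pid_file(passenger_var_run_t)

# httpd_t executing a passenger_exec_t file ends up in passenger_t
domtrans_pattern(httpd_t, passenger_exec_t, passenger_t)

# Capability set the quoted module gives httpd_myapp_script_t, now on passenger_t
allow passenger_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid };

# The new domain manages its own directories, files, FIFOs and sockets
manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)

# Apache connects to Passenger over the sockets in that directory
stream_connect_pattern(httpd_t, passenger_var_run_t, passenger_var_run_t, passenger_t)
allow passenger_t httpd_t:unix_stream_socket { read write };

# Same system access the quoted module requested for the running app
kernel_read_kernel_sysctls(passenger_t)
miscfiles_read_certs(passenger_t)

# passenger.fc (file contexts for the two new file types)
# /usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15/lib/phusion_passenger/ApplicationPoolServerExecutable  --  gen_context(system_u:object_r:passenger_exec_t,s0)
# /var/run/passenger(/.*)?  gen_context(system_u:object_r:passenger_var_run_t,s0)
```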

