mod_passenger and Rails 3 module work

Dominick Grift domg472 at gmail.com
Mon Jan 17 20:40:10 UTC 2011


On 01/17/2011 09:31 PM, Erinn Looney-Triggs wrote:
> Ah, sorry I should have been clearer this is on a RHEL 5 setup, so as
> far as I know this all has to be generated by hand, unless it is
> possible for me to pull the module from fedora, then of course I would
> have to make my ruby and passenger install conform to what is expected.
>
> Yeah I know this is not a policy per se, and this is one of my rubs with
> SELinux, it takes a lot of research and understanding to get to the
> point of being able to generate policy that anyone can have confidence
> in. It was a bit simpler albeit looser with DAC, and sadly we just end
> up hoping that someone who knows what they are doing will make a policy
> for us, or sit down and study SELinux for a month or two and take a
> whack at it ourselves. Any good book recommendations? I have read
> through SELinux by Example as that seems to be the most recommended, but
> there doesn't seem to be much published in the last 4 years or so.

Before you there were several others with issues identical to yours. I
offered my help to both but after a while they gave up and left me with
an unfinished policy.

I do not use Ruby on Rails nor do I use Passenger, and I have no
experience with either one of those. To create a policy for some
application one needs to be able to test and configure it properly.
Without that help I am unable to write a good policy.

This is what I have so far:

http://fedorapeople.org/gitweb?p=domg472/public_git/ruby.git;a=summary

mgrepl is going to use what I have to create a better policy for Fedora.

However, with that we would still need to port it to el5, and we should
probably also make it compatible with the non-packaged version available
on Ruby's website (it has files in different paths etc.).

All in all, a lot of work if you ask me.

> I don't like what audit2allow has done here, it isn't audit2allow's
> fault, it is just a matter of the huge number of requests that passenger
> is putting through the system, why for instance does it need access to
> syslogd_t, or crond_t, or snmpd_t? Trying to deduce from where these
> access calls are coming and if/why they are needed is difficult for me.
> 
> Anyway, I am sure Fedora will get there, but this little module may have
> to suffice for my needs (back in the olden days) on RHEL 5.

Yes, it's not perfect but it's something.

> -Erinn
> 
