Hi,
intrigued (for lack of a better word) by the state of the review of mod_passenger (BZ 470696) I spent a little time reviving Jeroen's spec file and bringing it up to date for passenger 2.2.15. Updated spec and a probably braindead mod_passenger.conf attached (sadly, the passenger SRPM seems to have vanished from Jeroen's site).
As I see it, there are three issues with the spec right now:
* the stance of upstream on using a stock boost. I think if we ever want to have passenger in Fedora, somebody with the spare time will need to browbeat^W handhold upstream to send their patches upstream
* the scripts installed into /usr/bin (passenger-status etc.) are broken since they expect to be executed from the gemdir. We need to add wrapper scripts similar to what 'gem install' puts in /usr/bin
* passenger is horribly broken with SELinux. I tried following the instructions from the Passenger manual[1] and somebody's SELinux policy[2] to no avail; passenger cannot create its socket with that. Some of the instructions in [1] sound odd, like doing 'chcon -R httpd_sys_content_t' on the gemdir
I doubt I have the time to work much more on this, though I'll document what I did for posterity's sake.
David
[1] http://modrails.org/documentation/Users%20guide.html
[2] http://smerpology.org/sprocket/2010/03/17/passenger-phusion-aka-mod_rails-an...
David Lutterkort wrote:
> Hi,
> intrigued (for lack of a better word) by the state of the review of mod_passenger (BZ 470696) I spent a little time reviving Jeroen's spec file and bringing it up to date for passenger 2.2.15. Updated spec and a probably braindead mod_passenger.conf attached (sadly, the passenger SRPM seems to have vanished from Jeroen's site).
It has merely moved:
http://mirror.nl.ergo-project.org/repositories/ and
http://koji.ergo-project.org/koji/packageinfo?packageID=1
> As I see it, there are three issues with the spec right now:
> * the stance of upstream on using a stock boost. I think if we ever want to have passenger in Fedora, somebody with the spare time will need to browbeat^W handhold upstream to send their patches upstream
It will actually need to be someone willing to hold hands upstream as well as capable of poking around the boost stack.
To me, the former isn't necessarily the problem but my knowledge of boost is lacking.
> * the scripts installed into /usr/bin (passenger-status etc.) are broken since they expect to be executed from the gemdir. We need to add wrapper scripts similar to what 'gem install' puts in /usr/bin
I think I shipped some patch(es) for this.
> * passenger is horribly broken with SELinux. I tried following the instructions from the Passenger manual[1] and somebody's SELinux policy[2] to no avail; passenger cannot create its socket with that. Some of the instructions in [1] sound odd, like doing 'chcon -R httpd_sys_content_t' on the gemdir
I've had a conversation about this before, and it'll take some cycles to come up with a sane /var/lib/passenger/ type of security context, some policy to allow httpd_t to do something or the other, and so forth.
The very ugly version of a custom policy that I use now is attached.
-- Jeroen
On Wed, 2010-07-28 at 18:01 +0200, Jeroen van Meeuwen wrote:
> It has merely moved:
Aahh .. that's why I couldn't find it.
> > * the scripts installed into /usr/bin (passenger-status etc.) are broken since they expect to be executed from the gemdir. We need to add wrapper scripts similar to what 'gem install' puts in /usr/bin
> I think I shipped some patch(es) for this.
I can't find them in your latest SRPM for 2.2.10, pulled from your koji.
> > * passenger is horribly broken with SELinux. I tried following the instructions from the Passenger manual[1] and somebody's SELinux policy[2] to no avail; passenger cannot create its socket with that. Some of the instructions in [1] sound odd, like doing 'chcon -R httpd_sys_content_t' on the gemdir
> I've had a conversation about this before, and it'll take some cycles to come up with a sane /var/lib/passenger/ type of security context, some policy to allow httpd_t to do something or the other, and so forth.
> The very ugly version of a custom policy that I use now is attached.
Have you talked to Dan Walsh about it? I bet if somebody who understands what passenger does in terms of security-relevant operations asked him, he'd help write a policy.
David
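The /usr/bin wrapper scripts discussed in this thread, as an added example that is not code from the thread, from Jeroen's SRPM or from the passenger gem: a shell fragment of the kind that would sit in a spec file's %install, writing wrappers in the shape 'gem install' itself generates. Each wrapper activates the gem at the packaged version and then loads the real script through Gem.bin_path, so it no longer matters which directory it is started from. The executable names in the usage line are an assumption here (passenger-status is from the thread; passenger-memory-stats is assumed to be in the gem's bin/); pass whatever bin/ actually ships.

```sh
# Added example, not code from the thread or from the passenger SRPM.
# Generates /usr/bin wrappers in the shape 'gem install' writes for a
# gem's executables: each wrapper activates the named gem at the packaged
# version and then loads the real script through Gem.bin_path, so the
# script no longer has to be run from the gem directory.

# gem_wrapper GEM EXE VERSION prints one wrapper script to stdout.
gem_wrapper() {
    gem="$1"; exe="$2"; version="$3"
    cat <<EOF
#!/usr/bin/ruby
#
# Wrapper for '$exe' from the '$gem' gem, generated at package build time.
require 'rubygems'

# Pin the packaged version; '_x.y.z_' as the first argument overrides it,
# exactly as gem-generated wrappers allow.
version = "= $version"
if ARGV.first =~ /^_(.*)_\$/ and Gem::Version.correct? \$1 then
  version = \$1
  ARGV.shift
end

gem '$gem', version
load Gem.bin_path('$gem', '$exe', version)
EOF
}

# install_gem_wrappers GEM VERSION BINDIR EXE... writes one executable
# wrapper per name into BINDIR; in a spec file BINDIR would be
# %{buildroot}%{_bindir}.
install_gem_wrappers() {
    gem="$1"; version="$2"; bindir="$3"; shift 3
    mkdir -p "$bindir"
    for exe in "$@"; do
        gem_wrapper "$gem" "$exe" "$version" > "$bindir/$exe"
        chmod 0755 "$bindir/$exe"
    done
}

# Usage (executable names are an assumption of this example; use the
# ones the gem's bin/ actually contains):
#   install_gem_wrappers passenger 2.2.15 /tmp/bindir passenger-status passenger-memory-stats
```

The '_x.y.z_' override is kept only because it is what gem-generated wrappers do; for an RPM that ships exactly one version it is harmless, since the gem call fails cleanly if the requested version is not installed.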
David Lutterkort wrote:
> Have you talked to Dan Walsh about it? I bet if somebody who understands what passenger does in terms of security-relevant operations asked him, he'd help write a policy.
Yes I talked to Dan about the subject briefly. We may or may not have started drinking beers at some point in the conversation though ;-)
I'm sure he would be very willing to help writing a sane policy for Passenger, I've just not gotten around to sinking my teeth into it.
-- Jeroen
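A starting point for the "/var/lib/passenger type of security context" Jeroen describes, as an added example that is neither the policy attached to the thread nor anything from Passenger or Fedora: a shell fragment that writes a minimal policy module giving Passenger a private type for its socket directory and granting httpd_t what it needs to create the socket there, plus the build/load step and the check for what is still denied afterwards. It assumes Passenger is told to keep its socket directory under /var/lib/passenger (the PassengerTempDir directive in the 2.2 manual); the type name passenger_var_lib_t is made up for this example, and any rule beyond these should come from the actual AVC denials rather than guesswork.

```sh
# Added example, not the policy attached in this thread. Writes the sources
# of a minimal SELinux policy module for Passenger's socket directory,
# assuming Passenger is pointed at /var/lib/passenger (PassengerTempDir).
# The type name passenger_var_lib_t is an assumption of this example.

# write_passenger_policy DIR writes passenger.te and passenger.fc into DIR.
write_passenger_policy() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/passenger.te" <<'EOF'
policy_module(passenger, 0.1.0)

gen_require(`
    type httpd_t;
')

# A private type rather than reusing an httpd content type: httpd_t needs
# to create sockets here, and granting that on a shared content type would
# apply to every directory carrying that label (including the gemdir).
type passenger_var_lib_t;
files_type(passenger_var_lib_t)

# Apache, and the Passenger helper it runs in the same domain, creates the
# directory, the Unix-domain socket files and a few bookkeeping files.
manage_dirs_pattern(httpd_t, passenger_var_lib_t, passenger_var_lib_t)
manage_files_pattern(httpd_t, passenger_var_lib_t, passenger_var_lib_t)
manage_sock_files_pattern(httpd_t, passenger_var_lib_t, passenger_var_lib_t)
files_var_lib_filetrans(httpd_t, passenger_var_lib_t, dir)

# Apache connects back to the socket its own helper created.
allow httpd_t self:unix_stream_socket connectto;
EOF

    cat > "$dir/passenger.fc" <<'EOF'
/var/lib/passenger(/.*)?    gen_context(system_u:object_r:passenger_var_lib_t,s0)
EOF
}

# install_passenger_policy DIR builds, loads and relabels. Needs the
# selinux-policy-devel package and root; it is not run by this example.
install_passenger_policy() {
    dir="$1"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile passenger.pp ) &&
    semodule -i "$dir/passenger.pp" &&
    mkdir -p /var/lib/passenger &&
    restorecon -Rv /var/lib/passenger
}

# After restarting httpd, whatever is still denied is in the audit log.
# audit2allow turns those AVCs into candidate rules to read and narrow,
# not to append blindly: a rule that lets httpd_t write to the gem
# directory would quietly make the application code writable by the
# web server.
show_remaining_denials() {
    ausearch -m avc -c httpd | audit2allow
}

# Usage:
#   write_passenger_policy /tmp/passenger-selinux
#   install_passenger_policy /tmp/passenger-selinux   # as root
#   show_remaining_denials
```

This only covers the socket directory. The Ruby application processes Passenger spawns inherit httpd_t here, so whatever they need beyond that (database sockets, writable application directories) shows up as further denials, and each of those is a decision about what the web server domain should be allowed to touch, not a line to copy from audit2allow.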
ruby-sig@lists.fedoraproject.org