Sample Passenger/Rails policy for review

Moray Henderson Moray.Henderson at ict-software.org
Tue Aug 17 15:34:24 UTC 2010


Dominick Grift wrote:
>On 08/16/2010 03:58 PM, Moray Henderson (ICT) wrote:
>> Hi all,
>>
>> I've been looking at getting a Ruby on Rails app working through
>> Passenger under CentOS 5.5.  I felt it should run in its own security
>> context, so I came up with the following sample module.  Please comment.
>
>
>This is not how I would do it probably, although I am not sure if my
>approach would be much better.
>
>Instead of using the httpd_content_template() I would treat mod_passenger
>as a normal domain.
>
>Then allow httpd_t to transition to the new mod_passenger domain when it
>runs the passenger executable file.
>
>The advantage of this, I think, is that you do not have to allow rules
>like this:
>
>allow httpd_t self:capability { fowner fsetid };
>
>Also with regard to the policy below:
>
>allow httpd_t httpd_myapp_script_t:process { siginh rlimitinh
>noatsecure };
>
>This should not be needed and is by default silently denied.

You're right, I removed the allow ...:process rule, and it still worked.


How do I get httpd_t to transition to an ordinary domain?  I've been
experimenting with domain_entry_file and domain_transition_pattern, but
keep getting denials for httpd_t writing to myapp_script_rw_t.  It
obviously has not transitioned by the time it tries to write its
temporary files in /var/run/passenger.

Are any of the macros in /usr/share/selinux/devel/include/support/
documented anywhere?  I couldn't find them in the Tresys Refpolicy API
documentation or the selinuxproject.org wiki.

Oh, I see, it's domain_auto_transition_pattern I need, not
domain_transition_pattern.  I'm trying to use this refpolicy stuff, but
honestly, I find it easier and quicker to program the thing manually
than to find the macro to do it for me!

Now I'm getting a load of process signal denials and a "Cannot stat
'/usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15/bin/passenger-spawn-server':
Permission denied (13)" but at least it's in the correct domain now.  I'll
keep working on it.

>> Summary
>> -------
>>
>> The policy creates a new set of apache content types using
>> apache_content_template.  The Passenger
>> ApplicationPoolServerExecutable is given type
>> httpd_myapp_script_exec_t, so the app will execute in
>> httpd_myapp_script_t.  The remaining Passenger files, and the Rails
>> app itself, are httpd_myapp_content_t.  PassengerTempDir is set to
>> /var/run/passenger, and given httpd_myapp_script_rw_t to allow the
>> sockets and stuff to be created.
>>
>> Source
>> ------
>>
>> #### myapp.te ####
>> policy_module(myapp,1.0)
>>
>> # Create a set of apache content types for myapp
>> apache_content_template(myapp);
>>
>> # Give running app access to system things it will ask for
>> kernel_read_kernel_sysctls(httpd_myapp_script_t);
>> miscfiles_read_certs(httpd_myapp_script_t);
>> term_use_all_user_ptys(httpd_myapp_script_t);
>>
>> # Allow apache to create and communicate with Passenger
>> allow httpd_t self:capability { fowner fsetid };
>> allow httpd_t httpd_myapp_script_t:unix_stream_socket rw_socket_perms;
>> allow httpd_t httpd_myapp_script_t:process { siginh rlimitinh noatsecure };
>> allow httpd_t httpd_myapp_script_rw_t:fifo_file manage_file_perms;
>> allow httpd_t httpd_myapp_script_rw_t:sock_file { setattr unlink };
>>
>> # Access that Passenger will need
>> allow httpd_myapp_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid };
>> allow httpd_myapp_script_t httpd_t:unix_stream_socket { read write };
>>
>> #### myapp.fc ####
>> /usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15/lib/phusion_passenger/ApplicationPoolServerExecutable  --  gen_context(system_u:object_r:httpd_myapp_script_exec_t, s0)
>> /usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15(/.*)?  gen_context(system_u:object_r:httpd_myapp_content_t, s0)
>> /usr/local/lib/myapp(/.*)?  gen_context(system_u:object_r:httpd_myapp_content_t, s0)
>> /var/run/passenger(/.*)?  gen_context(system_u:object_r:httpd_myapp_script_rw_t, s0)
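The "treat mod_passenger as a normal domain" approach Dominick describes, and the domain_auto_transition_pattern that Moray settled on, look like the module below. This is an added example written for this archive page, not the poster's module and not something shipped in refpolicy. The type names passenger_t, passenger_exec_t, passenger_content_t and passenger_var_run_t are assumed; the interface and pattern names are the ones in /usr/share/selinux/devel/include, and the file paths come from the original post. The point it demonstrates is that the capability grants and the process-attribute rules end up on the helper domain, so httpd_t keeps nothing beyond the transition and the socket access.

```m4
# Added example for this thread; type names are assumed, not refpolicy ones.
#### passenger.te ####
policy_module(passenger, 1.0)

require {
	type httpd_t;
	role system_r;
}

########################################
# Declarations

# The ApplicationPoolServerExecutable entry point and the domain it enters
type passenger_t;
type passenger_exec_t;
domain_type(passenger_t)
domain_entry_file(passenger_t, passenger_exec_t)
role system_r types passenger_t;

# The rest of the gem tree (spawn server and friends): readable and
# executable by passenger_t only, never by httpd_t
type passenger_content_t;
files_type(passenger_content_t)

# PassengerTempDir (/var/run/passenger): sockets, pipes and pid files
type passenger_var_run_t;
files_pid_file(passenger_var_run_t)

########################################
# passenger_t local policy

# The capabilities the content-template version spread over httpd_t and
# httpd_myapp_script_t now live on the helper domain alone
allow passenger_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid };
allow passenger_t self:process { fork signal sigchld sigkill setpgid };
allow passenger_t self:fifo_file rw_fifo_file_perms;
allow passenger_t self:unix_stream_socket create_stream_socket_perms;

# Helper programs under the gem directory (passenger-spawn-server etc.)
read_files_pattern(passenger_t, passenger_content_t, passenger_content_t)
can_exec(passenger_t, passenger_content_t)

# Full control of PassengerTempDir, with a transition so new objects
# created under /var/run get the right label automatically
manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
files_pid_filetrans(passenger_t, passenger_var_run_t, { dir file sock_file fifo_file })

# System access the original sample gave the script domain, plus what any
# Ruby process needs (ld_so/shared_libs are required by the refpolicy of
# the CentOS 5 era)
kernel_read_kernel_sysctls(passenger_t)
corecmd_exec_bin(passenger_t)
corecmd_exec_shell(passenger_t)
files_read_etc_files(passenger_t)
libs_use_ld_so(passenger_t)
libs_use_shared_libs(passenger_t)
miscfiles_read_localization(passenger_t)
miscfiles_read_certs(passenger_t)
term_use_all_user_ptys(passenger_t)

########################################
# Entry from apache

# Executing passenger_exec_t from httpd_t lands in passenger_t. The pattern
# also dontaudits siginh/rlimitinh/noatsecure, which is why the explicit
# process rule in the original sample was never needed.
domain_auto_transition_pattern(httpd_t, passenger_exec_t, passenger_t)

# Apache connects to the helpers over the sockets in PassengerTempDir; the
# fifo/sock_file rules mirror what the original sample had to grant httpd_t
stream_connect_pattern(httpd_t, passenger_var_run_t, passenger_var_run_t, passenger_t)
manage_fifo_files_pattern(httpd_t, passenger_var_run_t, passenger_var_run_t)
allow httpd_t passenger_var_run_t:sock_file { setattr unlink };
allow httpd_t passenger_t:unix_stream_socket { read write };
allow passenger_t httpd_t:unix_stream_socket { read write };
allow httpd_t passenger_t:process { signal sigkill };
allow passenger_t httpd_t:process sigchld;

#### passenger.fc ####
/usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15/lib/phusion_passenger/ApplicationPoolServerExecutable  --  gen_context(system_u:object_r:passenger_exec_t, s0)
/usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15(/.*)?  gen_context(system_u:object_r:passenger_content_t, s0)
/var/run/passenger(/.*)?  gen_context(system_u:object_r:passenger_var_run_t, s0)
```

Build it the same way as the original sample, with `make -f /usr/share/selinux/devel/Makefile passenger.pp`, load it with `semodule -i passenger.pp`, and relabel the gem directory and /var/run/passenger with `restorecon -R` so the transition has an entry file to fire on. The Rails application itself stays under the apache content types from the original module; this module only covers the Passenger helpers. Anything still denied after that (the signal and stat denials in the follow-up are the expected kind) shows up in the audit log with passenger_t as the source, and audit2allow output against that log is then reviewed and folded into the passenger_t section rather than into httpd_t.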


