Selinux + ruby + httpd

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Thu Jul 22 20:16:16 UTC 2010


 In trying to develop some SELinux exceptions (via audit2allow) for a
ruby application I came up with the following:

module myruby 1.0;

require {
        type httpd_tmp_t;
        type lib_t;
        type httpd_t;
        type tmp_t;
        class sock_file { write create unlink getattr setattr };
        class capability { fowner fsetid };
        class file { read getattr execute_no_trans };
        class fifo_file { create unlink getattr setattr };
}

#============= httpd_t ==============
allow httpd_t httpd_tmp_t:fifo_file { create unlink getattr setattr };
allow httpd_t httpd_tmp_t:sock_file { write create unlink getattr setattr };
# This one is due to mod_passenger being labelled lib_t
allow httpd_t lib_t:file execute_no_trans;
allow httpd_t self:capability { fowner fsetid };
allow httpd_t tmp_t:file { read getattr };

Now the first question I have, is there anything egregiously bad in
there? Aside from lib_t execute due to auto label labelling
mod_passenger as lib_t.

My second question is, I have this policy working on one machine, moved
it to another machine and everything worked, this application was then
deployed on a third machine and I figured I would just insert the
module again. Well, installing the module worked fine but apache is
trying to use a different type on this machine, from audit2allow:

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t devpts_t:chr_file { read write };
allow httpd_sys_script_t httpd_tmp_t:fifo_file setattr;
allow httpd_sys_script_t self:capability { setuid setgid };

Why all of a sudden is this machine using httpd_sys_script_t instead of
httpd_t which my other systems use? All the boxes are RHEL 5.5 x64 fully
patched running selinux-policy-2.4.6-279.el5. Now it is possible that
the myruby.pp module mentioned above is working just fine, but why then
would this one system need these extra privileges? Exact same codebase
for the ruby application across the systems. Any insight would be
appreciated.

Thanks,
-Erinn
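The check a practitioner would run on the third host, as an added example that is not part of Erinn's message or of the SELinux policy sources: httpd_t only ends up in httpd_sys_script_t when it executes a file labelled httpd_sys_script_exec_t (the domain_auto_trans rule in the reference policy's apache module), so the first thing to compare between a working host and the odd one is the file types `ls -Z` reports for the application. The script below does that comparison over two captures and names the domain each label leads to. The captures, paths and labels in it are constructed for illustration and are assumptions, not output from the poster's machines.

```shell
#!/bin/sh
# Added example; not from the original post. Compares SELinux file types from
# two `ls -Z` captures and names the domain httpd_t enters when it executes a
# file of each type. The captures below are constructed (paths and labels are
# assumptions, not taken from the poster's hosts).

# Constructed `ls -Z` output: mode user group context path.
HOST_A='-rwxr-xr-x apache apache system_u:object_r:httpd_sys_content_t /var/www/app/dispatch.rb
-rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t /var/www/app/config.ru
-rwxr-xr-x root root system_u:object_r:lib_t /usr/lib/ruby/gems/1.8/gems/passenger/ext/apache2/mod_passenger.so'
HOST_B='-rwxr-xr-x apache apache system_u:object_r:httpd_sys_script_exec_t /var/www/app/dispatch.rb
-rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t /var/www/app/config.ru
-rwxr-xr-x root root system_u:object_r:lib_t /usr/lib/ruby/gems/1.8/gems/passenger/ext/apache2/mod_passenger.so'

# Print "path type" per line. The context is field 4 (user:role:type[:range])
# and the type is its third colon-separated element, so this works with or
# without an MCS range suffix. (Use plain `ls -Z`, not `ls -lZ`, so the field
# positions match.)
file_types() {
    printf '%s\n' "$1" | awk '{ split($4, c, ":"); print $5, c[3] }'
}

# Print "path typeA typeB" for every path labelled differently on the two hosts.
diff_types() {
    { file_types "$1"; echo '---'; file_types "$2"; } | awk '
        $0 == "---"              { second = 1; next }
        !second                  { a[$1] = $2; next }
        ($1 in a) && a[$1] != $2 { print $1, a[$1], $2 }'
}

# Domain httpd_t enters when it executes a file of the given type, per the
# domain_auto_trans rules in the reference policy apache module. Types with
# no rule here cause no automatic transition: httpd_t either stays httpd_t
# (as with lib_t via execute_no_trans) or is denied the execute outright.
entry_domain() {
    case "$1" in
        httpd_sys_script_exec_t) echo httpd_sys_script_t ;;
        httpd_suexec_exec_t)     echo httpd_suexec_t ;;
        *)                       echo '(no transition)' ;;
    esac
}

# One line per differing file, showing where each host's label leads.
report() {
    diff_types "$1" "$2" | while read -r path ta tb; do
        printf '%s: %s -> %s | %s -> %s\n' \
            "$path" "$ta" "$(entry_domain "$ta")" "$tb" "$(entry_domain "$tb")"
    done
}

# On real hosts, feed in live captures instead, e.g.
#   report "$(ssh hostA ls -Z /var/www/app/*)" "$(ssh hostB ls -Z /var/www/app/*)"
# and confirm the running domain with `ps -eZ | grep httpd`.
report "$HOST_A" "$HOST_B"
```

With the constructed captures the report names dispatch.rb as the file whose label differs, and shows that on the second host that label (httpd_sys_script_exec_t) is exactly what sends httpd_t into httpd_sys_script_t. On a real system a difference like this usually comes from `restorecon`/`semanage fcontext` rules or from the application living under a path (such as a cgi-bin directory) that the file-context database maps to the script type; `matchpathcon /path/to/file` shows what the policy thinks the label should be.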
