mod_passenger and Rails 3 module work

Miroslav Grepl mgrepl at redhat.com
Mon Jan 17 13:39:26 UTC 2011


On 01/17/2011 12:05 PM, Dominick Grift wrote:
> On 01/17/2011 11:47 AM, Erinn Looney-Triggs wrote:
>> This is a lot of groping about in the dark for me with SELinux so please
>> excuse any completely absurd choices I made :).
>>
>> I posted before about getting a setup working with mod_passenger, I was
>> able to work things around such that mod_passenger worked fine with
>> selinux enabled. I came up with this small policy:
> The policy for passenger needs to be revisited. mgrepl mentioned that he
> is going to cooperate with some ruby related people to fix it. I haven't
> noticed any progress on that front though.
Passenger v3 is supported by the current SELinux policy (Fedora 13+ 
releases).

The following blog

http://mifo.sk/posts/passenger-selinux-for-fedora/

will be updated to provide correct instructions.

Erinn,
try to follow these instructions, except for the fifth point, which is 
replaced by the following:

---

5. Execute

# restorecon -R -v /var/lib/passenger* /var/run/passenger* /usr/lib/ruby/gems/1.8/gems/passenger*

---

Dominick,
I am working on fixes for passenger policy based on your policy.
> What you have below can hardly be called policy ;) It's just AVC denials
> run through audit2allow -M. Basically it compromises the httpd_t domain.
>
> But at least you got it to work for now. Keep an eye open on the
> selinux-policy changelog with regard to passenger. When policy is redone
> you should be able to remove your myruby module and update to latest
> available selinux-policy instead to get passenger to work with selinux.
>
>> module myruby 1.0;
>>
>> require {
>>          type httpd_tmp_t;
>>          type lib_t;
>>          type httpd_t;
>>          type tmp_t;
>>          class sock_file { write create unlink getattr setattr };
>>          class capability { fowner fsetid };
>>          class file { read getattr execute_no_trans };
>>          class fifo_file { create unlink getattr setattr };
>> }
>>
>> #============= httpd_t ==============
>> allow httpd_t httpd_tmp_t:fifo_file { create unlink getattr setattr };
>> allow httpd_t httpd_tmp_t:sock_file { write create unlink getattr setattr };
>> allow httpd_t lib_t:file execute_no_trans;
>> allow httpd_t self:capability { fowner fsetid };
>> allow httpd_t tmp_t:file { read getattr };
>>
>> It worked just fine though I had a bit of a gripe with the execute on
>> lib_t, this was due to the mod_passenger module being automatically
>> labelled as lib_t (it was located in /usr/local/ruby/lib, hence the
>> labelling), but I couldn't really change things as they were in
>> production. Well now we are going through an upgrade to Rails 3 and it
>> is not playing nicely with SELinux again, so around we go with
>> audit2allow, this time I changed the passenger module to be labelled
>> like all the other apache modules (httpd_modules_t), and there are a few
>> other executables that Passenger requires, I labelled them as apache
>> modules as well (for better or worse, I tried httpd_script_t as well
>> thinking that it would fit better, but I don't know if it makes much
>> difference). However, after many runs through audit2allow the outcome is
>> pretty vulgar:
>> module myruby 1.0;
>>
>> require {
>>          type unconfined_t;
>>          type semanage_t;
>>          type hplip_t;
>>          type setrans_t;
>>          type mysqld_t;
>>          type syslogd_t;
>>          type getty_t;
>>          type xfs_t;
>>          type initrc_t;
>>          type irqbalance_t;
>>          type httpd_modules_t;
>>          type snmpd_t;
>>          type tmp_t;
>>          type avahi_t;
>>          type rpm_t;
>>          type gpm_t;
>>          type unconfined_execmem_t;
>>          type restorecond_t;
>>          type init_t;
>>          type httpd_tmp_t;
>>          type ntpd_t;
>>          type fsdaemon_t;
>>          type postfix_master_t;
>>          type auditd_t;
>>          type udev_t;
>>          type postfix_qmgr_t;
>>          type audisp_t;
>>          type system_dbusd_t;
>>          type cupsd_t;
>>          type inetd_t;
>>          type portmap_t;
>>          type postfix_pickup_t;
>>          type kernel_t;
>>          type setfiles_t;
>>          type hald_t;
>>          type apmd_t;
>>          type crond_t;
>>          type rpcd_t;
>>          type httpd_t;
>>          class capability { fowner sys_resource fsetid };
>>          class process ptrace;
>>          class dir { getattr search };
>>          class file { read getattr execute_no_trans };
>>          class sock_file { write create unlink getattr setattr };
>> }
>>
>> #============= httpd_t ==============
>> allow httpd_t apmd_t:dir { getattr search };
>> allow httpd_t apmd_t:file read;
>> allow httpd_t audisp_t:dir { getattr search };
>> allow httpd_t audisp_t:file read;
>> allow httpd_t auditd_t:dir { getattr search };
>> allow httpd_t auditd_t:file read;
>> allow httpd_t avahi_t:dir { getattr search };
>> allow httpd_t avahi_t:file read;
>> allow httpd_t crond_t:dir { getattr search };
>> allow httpd_t crond_t:file read;
>> allow httpd_t cupsd_t:dir { getattr search };
>> allow httpd_t cupsd_t:file read;
>> allow httpd_t fsdaemon_t:dir { getattr search };
>> allow httpd_t fsdaemon_t:file read;
>> allow httpd_t getty_t:dir { getattr search };
>> allow httpd_t getty_t:file read;
>> allow httpd_t gpm_t:dir { getattr search };
>> allow httpd_t gpm_t:file read;
>> allow httpd_t hald_t:dir { getattr search };
>> allow httpd_t hald_t:file read;
>> allow httpd_t hplip_t:dir { getattr search };
>> allow httpd_t hplip_t:file read;
>> allow httpd_t httpd_modules_t:file execute_no_trans;
>> allow httpd_t httpd_tmp_t:sock_file { write create unlink getattr setattr };
>> allow httpd_t inetd_t:dir { getattr search };
>> allow httpd_t inetd_t:file read;
>> allow httpd_t init_t:dir { getattr search };
>> allow httpd_t init_t:file read;
>> allow httpd_t initrc_t:dir { getattr search };
>> allow httpd_t initrc_t:file read;
>> allow httpd_t irqbalance_t:dir { getattr search };
>> allow httpd_t irqbalance_t:file read;
>> allow httpd_t kernel_t:dir { getattr search };
>> allow httpd_t kernel_t:file read;
>> allow httpd_t mysqld_t:dir { getattr search };
>> allow httpd_t mysqld_t:file read;
>> allow httpd_t ntpd_t:dir { getattr search };
>> allow httpd_t ntpd_t:file read;
>> allow httpd_t portmap_t:dir { getattr search };
>> allow httpd_t portmap_t:file read;
>> allow httpd_t postfix_master_t:dir { getattr search };
>> allow httpd_t postfix_master_t:file read;
>> allow httpd_t postfix_pickup_t:dir { getattr search };
>> allow httpd_t postfix_pickup_t:file read;
>> allow httpd_t postfix_qmgr_t:dir { getattr search };
>> allow httpd_t postfix_qmgr_t:file read;
>> allow httpd_t restorecond_t:dir { getattr search };
>> allow httpd_t restorecond_t:file read;
>> allow httpd_t rpcd_t:dir { getattr search };
>> allow httpd_t rpcd_t:file read;
>> allow httpd_t rpm_t:dir { getattr search };
>> allow httpd_t rpm_t:file read;
>> allow httpd_t self:capability { fowner sys_resource fsetid };
>> allow httpd_t self:process ptrace;
>> allow httpd_t semanage_t:dir getattr;
>> allow httpd_t setfiles_t:dir getattr;
>> allow httpd_t setrans_t:dir { getattr search };
>> allow httpd_t setrans_t:file read;
>> allow httpd_t snmpd_t:dir { getattr search };
>> allow httpd_t snmpd_t:file read;
>> allow httpd_t syslogd_t:dir { getattr search };
>> allow httpd_t syslogd_t:file read;
>> allow httpd_t system_dbusd_t:dir { getattr search };
>> allow httpd_t system_dbusd_t:file read;
>> allow httpd_t tmp_t:file { read getattr };
>> allow httpd_t udev_t:dir { getattr search };
>> allow httpd_t udev_t:file read;
>> allow httpd_t unconfined_execmem_t:dir { getattr search };
>> allow httpd_t unconfined_execmem_t:file read;
>> allow httpd_t unconfined_t:dir { getattr search };
>> allow httpd_t unconfined_t:file read;
>> allow httpd_t xfs_t:dir { getattr search };
>> allow httpd_t xfs_t:file read;
>>
>> This seems like an absurd amount of access to me, it gets things going
>> but really? Anyone have a bit of experience with mod_passenger and Rails
>> 3, any insight? Now I did go through and manually prune out what I
>> thought was wrong and came up with this (this was when I was testing the
>> httpd_sys_script type, just mentally change it to httpd_t):
>> module myruby 1.0;
>> require {
>>          type httpd_tmp_t;
>>          type httpd_sys_script_t;
>>          type devpts_t;
>>          type httpd_t;
>>          type tmp_t;
>>          type udev_tbl_t;
>>          class process { ptrace setpgid getsched };
>>          class sock_file { write create unlink getattr setattr };
>>          class capability { kill sys_resource dac_override dac_read_search chown fsetid setgid setuid fowner };
>>          class chr_file { read write ioctl };
>>          class file { read getattr execute_no_trans };
>>          class fifo_file { create unlink getattr setattr };
>>          class lnk_file read;
>>          class dir search;
>>          class unix_stream_socket connectto;
>> }
>>
>> #============= httpd_t ==============
>> allow httpd_t httpd_tmp_t:fifo_file { create unlink getattr setattr };
>> allow httpd_t httpd_tmp_t:sock_file { write create unlink getattr setattr };
>> allow httpd_t self:capability { fowner fsetid };
>> allow httpd_t tmp_t:file { read getattr };
>> allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
>>
>>
>> #============= httpd_sys_script_t ==============
>> allow httpd_sys_script_t devpts_t:chr_file { read write ioctl };
>> allow httpd_sys_script_t self:capability { kill dac_read_search fsetid sys_resource setuid setgid fowner chown dac_override };
>> allow httpd_sys_script_t self:process { getsched setpgid };
>> allow httpd_sys_script_t udev_tbl_t:lnk_file read;
>> allow httpd_sys_script_t devpts_t:dir search;
>>
>> System works, passenger runs etc. but an obscene amount of logs are
>> being pumped into the audit logs for each of those directory reads etc.
>> I suppose I could add dontaudit rules (not that I know how). But again
>> seeking any other insights into this.
>>
>> Thanks,
>> -Erinn
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
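Erinn asks above how to add dontaudit rules for the flood of directory-read denials instead of granting them. As an added example (not code from the thread), this Python script takes an audit2allow -M style .te module and rewrites the cross-domain reads as dontaudit rules while keeping everything else; the heuristic that a target type httpd_t touches only with dir { getattr search } and file read is a probed process domain is my assumption, and the sample module is constructed.

```python
import re

# Constructed sample (not from the thread), shaped like the audit2allow -M
# output Erinn posted: one cross-domain read pair plus one rule Passenger needs.
SAMPLE_TE = """module myruby 1.0;
require {
        type httpd_t;
        type crond_t;
        type httpd_tmp_t;
        class dir { getattr search };
        class file read;
        class sock_file { write create unlink getattr setattr };
}
allow httpd_t crond_t:dir { getattr search };
allow httpd_t crond_t:file read;
allow httpd_t httpd_tmp_t:sock_file { write create unlink getattr setattr };
"""

RULE_RE = re.compile(r'^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);')

# Assumed heuristic: a target httpd_t touches with nothing but dir { getattr search }
# and file read is another process's domain being probed, not data Passenger needs.
NOISE = {'dir': {'getattr', 'search'}, 'file': {'read'}}

def parse_rules(te_text):
    """Yield (source, target, class, perm set, original line) per allow rule."""
    for line in te_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            src, tgt, cls, p = m.groups()
            yield src, tgt, cls, set(p.strip('{} ').split()), line.strip()

def split_rules(te_text):
    # Returns (rules to keep as allow, rules rewritten as dontaudit).
    rules = list(parse_rules(te_text))
    noisy = {tgt for _, tgt, _, _, _ in rules
             if tgt != 'self' and all(c in NOISE and ps <= NOISE[c]
                                      for _, t, c, ps, _ in rules if t == tgt)}
    keep, silence = [], []
    for src, tgt, cls, ps, text in rules:
        if tgt in noisy and tgt != src:
            silence.append(text.replace('allow ', 'dontaudit ', 1))
        else:
            keep.append(text)
    return keep, silence

def rewrite_module(te_text):
    # Keep the module/require header, then kept rules, then the silenced ones.
    keep, silence = split_rules(te_text)
    header = te_text.split('\nallow ', 1)[0].rstrip()
    body = keep + ['# denials silenced instead of granted'] + silence
    return header + '\n' + '\n'.join(body) + '\n'
```

Rules that actually widen httpd_t (execute_no_trans, the capabilities, ptrace) are deliberately left in the kept list for a human to judge, since those are the part Dominick flags as compromising the domain.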


