On Fri, Oct 15, 2010 at 8:18 PM, Graham Dumpleton <[email protected]> wrote:

> Seems standard RedHat SELinux policy files may have awareness of mod_wsgi now.
>
> http://blog.endpoint.com/2010/02/selinux-httpd-modwsgi-26-rhel-centos-5.html
For those that didn't notice, this blog, though useful, is not directly from the Red Hat folks. Also it's apparently about CentOS 5 (a clone of RH Enterprise 5), both of which are a bit behind Red Hat's bleeding edge, aka Fedora. So it should apply to pretty much any "modern" Red Hat based system. That said, there's not much there that is mod_wsgi-specific, but Red Hat has concentrated much effort on Apache httpd rules, which directly affects mod_wsgi.

> When running in daemon mode, httpd and the mod_wsgi daemon communicate
> via a UNIX socket file. This should usually have a context of
> httpd_var_run_t. The standard Red Hat SELinux policy includes an entry
> for /var/run/wsgi.* to use this context, so it makes sense to put the
> socket there using the WSGISocketPrefix directive within your httpd
> configuration:
>
>   WSGISocketPrefix run/wsgi

Yes, this is basically what I had done, and it is the minimum needed to make mod_wsgi runnable with SELinux (there are of course other ways, but setting the prefix to fall under /var/run/httpd is the easiest). Note that you don't need to enable the 'httpd_can_network_connect' boolean as the blog mentions -- mod_wsgi will run just fine with it disabled. However, if your app needs to make network connections elsewhere then you need to change that boolean.

> (Note that run/wsgi translates to /etc/httpd/run/wsgi which is
> symlinked to /var/run/wsgi.)
> """

Correction, the symlink goes to /var/run/httpd/wsgi

Actually you don't technically need the wsgi sub-directory. You can set the prefix to just "run", aka /var/run/httpd

When set up correctly, you can use "ls -lZ" to see what the socket's SELinux security contexts should look like. For example,

  srwx------. apache root unconfined_u:object_r:httpd_var_run_t:s0 /var/run/httpd/wsgi.24668.0.1.sock
  srwx------. apache root unconfined_u:object_r:httpd_var_run_t:s0 /var/run/httpd/wsgi.24668.0.2.sock

Most important is the file context portion, which is "httpd_var_run_t".
> Can someone verify that?

Yes, this is a correct procedure for using mod_wsgi on Red Hat systems with SELinux enabled. The Red Hat developers are always improving the default SELinux profiles, and so depending on how new your distro version is, you may find more and more fine tunability built in without having to edit or create your own security rules directly. To find the set of SELinux booleans (i.e., tunables) on your system, run this:

  # getsebool -a | grep httpd

Of course SELinux can be much more involved. For instance if you need to connect to MySQL databases, etc. Also we recently discovered a strange SELinux conflict with the standard Python "ctypes" module (imported by the "uuid" module) which causes mod_wsgi apps to crash -- because ctypes tries to create and then execute files under /tmp ... an action which Red Hat's SELinux rules forbid for the httpd process.

--
Deron Meranda
http://deron.meranda.us/

--
You received this message because you are subscribed to the Google Groups "modwsgi" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/modwsgi?hl=en.
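As an added example that is not part of the thread or of mod_wsgi itself: a small POSIX shell check that reads "ls -lZ" output in the five-field form shown above and verifies that every UNIX socket carries the httpd_var_run_t type. The sample lines are constructed, and the /tmp socket with type tmp_t is hypothetical, included only to show what a mislabelled socket looks like.

```shell
#!/bin/sh
# Added example (not from the thread): verify that mod_wsgi daemon sockets
# carry the SELinux type Red Hat's policy expects for WSGISocketPrefix run/wsgi.
# Input is "ls -lZ" output (mode user group context path), read from stdin.

EXPECTED_TYPE="httpd_var_run_t"

# check_socket_contexts: reads ls -lZ lines, prints a verdict per socket, and
# returns 0 when every socket entry (mode starting with 's') has the expected
# type, 1 otherwise. Non-socket entries (config files, directories) are skipped.
check_socket_contexts() {
    bad=0
    while read -r mode user group context path _rest; do
        case "$mode" in
            s*) ;;          # UNIX socket: inspect it
            *) continue ;;  # anything else: ignore
        esac
        # context is user:role:type:level; the type is the third field
        type=$(printf '%s' "$context" | cut -d: -f3)
        if [ "$type" = "$EXPECTED_TYPE" ]; then
            echo "OK   $path ($type)"
        else
            echo "BAD  $path ($type, expected $EXPECTED_TYPE)"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample: two correctly labelled sockets under /var/run/httpd, one
# hypothetical socket created under /tmp with the wrong type, and a config file.
SAMPLE='srwx------. apache root unconfined_u:object_r:httpd_var_run_t:s0 /var/run/httpd/wsgi.24668.0.1.sock
srwx------. apache root unconfined_u:object_r:httpd_var_run_t:s0 /var/run/httpd/wsgi.24668.0.2.sock
srwx------. apache root unconfined_u:object_r:tmp_t:s0 /tmp/wsgi.24668.0.3.sock
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 /etc/httpd/conf/httpd.conf'

# Run the demo on the sample when invoked with --demo; on a live system pipe
# "ls -lZ /var/run/httpd/" into check_socket_contexts instead.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | check_socket_contexts
fi
```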
