Re: [CentOS] SELinux context for web application directories

2014-06-30 Thread James B. Byrne

On Sun, June 29, 2014 06:59, Daniel J Walsh wrote:

> On 06/27/2014 11:47 AM, James B. Byrne wrote:
>> CentOS-6.5
>>
>> The questions I have are: What is an appropriate SELinux context for such a
>> directory structure given it is used by a httpd service?  Is the default user
>> home setting of system_u:object_r:home_root_t acceptable?  Is
>> system_u:object_r:httpd_sys_content_t preferable instead?  is some other
>> SELinux context preferred for RoR web applications using Apache with
>> mod-passenger?
>
> I would think that httpd_sys_content_t and httpd_sys_rw_content_t would
> be appropriate.
> These are not real user accounts, meaning normal users do not login to
> these systems.

Does it matter that the application user has to login so that the capistrano
deploy recipes will run correctly?  Also this deploy makes use of rbenv which
is another user login dependent item (requires a shim in .bash_profile).  Does
that have any impact on the choice?

Finally, and only peripherally related, what are the SELinux settings, boolean
or profile, required on CentOS-6.5 to get Apache mod-passenger to run without
generating avc's?

-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] SELinux context for web application directories

2014-06-30 Thread m . roth
Not sure if this got through - nixspam was being aggravating, so I'm
reposting.

James B. Byrne wrote:
> CentOS-6.5
>
> We deploy web applications written with the Ruby on Rails framework
> using Capistrano (2.x).  Each 'family' of web applications are 'owned' by
> a dedicated user id.  The present httpd service is Apache 2.2.15 and we
> use Passenger 3.0.11.  We are moving shortly to a new deployment host and
> at that time we will be updating to Apache 2.4.9 and Passenger 4.0.25.
>
> Our deployment practice is to place the 'family' directory under
> /var/data/.  This is the home directory of the application user id. We
> place each individual web application or component into its own directory
> underneath the family root.  So that things look like this:

passenger_exec_t, etc.
http://linuxmanpages.net/manpages/fedora17/man8/passenger_selinux.8.html

And if you google anything else, note: DO NOT USE CHCON; it does *NOT*
remain following a reboot. Use semanage fcontext (and the manpage example
is what I use all the time), followed by a restorecon -Rv

mark


Re: [CentOS] SELinux context for web application directories

2014-06-29 Thread Daniel J Walsh

On 06/27/2014 11:47 AM, James B. Byrne wrote:
> CentOS-6.5
>
> We deploy web applications written with the Ruby on Rails framework using
> Capistrano (2.x).  Each 'family' of web applications are 'owned' by a
> dedicated user id.  The present httpd service is Apache 2.2.15 and we use
> Passenger 3.0.11.  We are moving shortly to a new deployment host and at that
> time we will be updating to Apache 2.4.9 and Passenger 4.0.25.
>
> Our deployment practice is to place the 'family' directory under /var/data/.
> This is the home directory of the application user id. We place each
> individual web application or component into its own directory underneath the
> family root.  So that things look like this:
>
> /var/data/hll_th
> ├── backups
> │   └── pgsql
> ├── etc
> │   └── database.yml
> ├── hll_th_cc_edi_get
> │   ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20140519201615
> │   ├── releases
> │   └── shared
> ├── hll_th_forex_rss
> │   ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20131204193652
> │   ├── releases
> │   └── shared
> ├── hll_th_hp3000_billing
> │   ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20140214211431
> │   ├── releases
> │   └── shared
> ├── log
> ├── lost+found
> └── pgpass -> .pgpass
>
> The questions I have are: What is an appropriate SELinux context for such a
> directory structure given it is used by a httpd service?  Is the default user
> home setting of system_u:object_r:home_root_t acceptable?  Is
> system_u:object_r:httpd_sys_content_t preferable instead?  is some other
> SELinux context preferred for RoR web applications using Apache with
> mod-passenger?


I would think that httpd_sys_content_t and httpd_sys_rw_content_t would
be appropriate.
These are not real user accounts, meaning normal users do not login to
these systems.


Re: [CentOS] SELinux context for web application directories

2014-06-27 Thread m . roth
James B. Byrne wrote:
> CentOS-6.5
>
> We deploy web applications written with the Ruby on Rails framework
> using Capistrano (2.x).  Each 'family' of web applications are 'owned'
> by a dedicated user id.  The present httpd service is Apache 2.2.15 and
> we use Passenger 3.0.11.  We are moving shortly to a new deployment host
> and at that time we will be updating to Apache 2.4.9 and Passenger 4.0.25.
>
> Our deployment practice is to place the 'family' directory under
> /var/data/.  This is the home directory of the application user id. We
> place each individual web application or component into its own directory
> underneath the family root.  So that things look like this:

passenger_exec_t, etc.
http://linuxmanpages.net/manpages/fedora17/man8/passenger_selinux.8.html

And if you google anything else, note: DO NOT USE CHCON; it does *NOT*
remain following a reboot. Use semanage fcontext (and the manpage example
is what I use all the time), followed by a restorecon -Rv

mark
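The two answers in this thread fit together: Dan Walsh's suggestion of httpd_sys_content_t for what the httpd domain only reads and httpd_sys_rw_content_t for what it must write, and Mark's point that the labels should be registered with semanage fcontext and applied with restorecon rather than set with chcon, so that they survive the next relabel. The script below is an added example written for this thread, not code posted by either of them. It generates the rule set for a family root laid out like /var/data/hll_th above. Which family-relative subdirectories need write access is an assumption the caller supplies (here the family log directory and each application's shared directory); confirm the real set from the AVC denials on the host. By default it only prints the commands (DRY_RUN=1); set DRY_RUN=0 on a host that has semanage to execute them.

```shell
#!/bin/sh
# Added example (not from the thread): build persistent SELinux file-context
# rules for a Capistrano-style Rails family directory such as /var/data/hll_th,
# using the types suggested in the thread. Rules go through 'semanage fcontext'
# and are applied with 'restorecon -Rv'; nothing here uses chcon, whose labels
# are lost on the next relabel because they are not recorded in the policy's
# file-context database.

# Emit one rule. $1 = SELinux type, $2 = path regex as semanage expects it.
fcontext_rule() {
    printf 'semanage fcontext -a -t %s "%s"\n' "$1" "$2"
}

# Print the rule set for a family root.
#   $1             family root, e.g. /var/data/hll_th
#   remaining args family-relative regexes for subtrees httpd must write to
#                  (assumption: the caller knows these from the AVC log)
selinux_family_rules() {
    root=$1; shift
    # Broad read-only rule for the whole family tree, registered first; the
    # narrower read-write rules below are added after it so they override it
    # on the paths they name.
    fcontext_rule httpd_sys_content_t "${root}(/.*)?"
    for sub in "$@"; do
        fcontext_rule httpd_sys_rw_content_t "${root}/${sub}(/.*)?"
    done
    # Relabel the files on disk from the registered rules (this, not chcon,
    # is what makes the on-disk labels match what a future relabel produces).
    printf 'restorecon -Rv "%s"\n' "$root"
}

# Print the commands (DRY_RUN=1, the default) or run them (DRY_RUN=0).
apply_family_rules() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        selinux_family_rules "$@"
    else
        selinux_family_rules "$@" | sh -e
    fi
}

# Worked input mirroring the thread's layout (constructed): the family 'log'
# directory and every application's 'shared' directory are assumed writable;
# 'current', 'releases' and everything else stay read-only to httpd.
apply_family_rules /var/data/hll_th 'log' '[^/]+/shared'
```

semanage fcontext -a refuses a regex that is already registered ("already defined"); use -m to change the type of an existing rule, and semanage fcontext -l to review what is in place before running restorecon. The order matters when run for real: register every rule first, then restorecon once, so the writable paths are not briefly labelled read-only between two restorecon passes.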