06-16-2008, 12:12 PM
Craig White

simple question with home serving ruby on rails web site

On Mon, 2008-06-16 at 11:39 +0100, Paul Howarth wrote:
> Craig White wrote:
> > On Sat, 2008-06-14 at 16:51 +0100, Paul Howarth wrote:
> >> On Sat, 14 Jun 2008 08:05:56 -0700
> >> Craig White <craigwhite@azapple.com> wrote:
> >>
> >>> I'm running in permissive mode so all I'm getting is warnings but I'm
> >>> wondering the best way to solve this...
> >>>
> >>> error every time httpd starts...
> >>>
> >>> SELinux has denied httpd access to potentially mislabeled file(s)
> >>> (./svn-new). This means that SELinux will not allow httpd to use these
> >>> files. It is common for users to edit files in their home directory or
> >>> tmp directories and then move (mv) them to system directories. The
> >>> problem is that the files end up with the wrong file context which
> >>> confined applications are not allowed to access.
> >>> Allowing Access
> >>> If you want httpd to access this files, you need to relabel them using
> >>> restorecon -v './svn-new'. You might want to relabel the entire
> >>> directory using restorecon -R -v './svn-new'.
> >>> Additional Information
> >>> Source Context: system_u:system_r:httpd_t:SystemLow-SystemHigh
> >>> Target Context: user_u:object_r:user_home_t
> >>> Target Objects: ./svn-new [ dir ]
> >>> Source: httpd
> >>> Source Path: /usr/sbin/httpd
> >>>
> >>>
> >>> /home/craig/svn-new is an svn checkout and is the 'RAILS ROOT'
> >>> directory for the web server.
> >>>
> >>> $ ls -ldZ /home/craig/svn-new/
> >>> drwxrwxr-x craig craig
> >>> user_u:object_r:user_home_t /home/craig/svn-new/
> >>>
> >>> This is on Fedora 9. In the past, I could have used
> >>> system-config-security and set selinux to allow web page serving from
> >>> user home directories but I don't see that tool any more.
> >>>
> >>> What's the best way to handle this?
> >> Easiest is just to fix the contexts of the files:
> >>
> >> # semanage fcontext -a -t httpd_sys_content_t
> >> '/home/craig/svn-new(/.*)?'
> >> # restorecon -rv /home/craig/svn-new
> >>
> >> I'm not familiar with rails or how you maintain your svn checkout, so
> >> httpd_sys_content_t may not be the appropriate type for all of the
> >> content (are there any scripts in there, are you uploading content via
> >> ftp, samba, etc.?). Since you're in permissive mode, it's not going to
> >> cause you any problem other than possibly different warnings though.
> >> If you maintain the checkout by manually doing an "svn update" from
> >> your regular account, and the content isn't "executed" by httpd,
> >> httpd_sys_content_t should be fine.
> > ----
> > Thanks Paul...miss you on the Fedora-list
>
> Thanks; when I had the first of my two children in September 2005 there
> were a lot more demands on my time and some things I'd enjoyed devoting
> a lot of my time to just had to go, and fedora-list was one of those.
>
> > I'm a bit confused myself because in essence, httpd is just a proxy to
> > the ruby/rails 'mongrel' which is a http server in ruby running the ruby
> > processes and is providing dhtml on higher ports as the user.
> >
> > FWIW...httpd runs as user 'apache' (as usual)
> > mongrels run as regular 'user' (me)
> > all files and folders inside the subdirectory we are discussing...
> > (/home/craig/svn-new) are owned by me (not root, not apache)
>
> The conventional unix ownership and permissions make very little
> difference as far as SELinux is concerned, so although you need to get
> them right, they're not going to affect the file contexts needed.
>
> What context is mongrels running in (try the -Z option of ps)? How does
> that process get started (via an initscript?)?
----
yes, a SysV initscript...(running 2 mongrels at present... port & pid
#'s 3000 & 3001)

# ps auxZ|grep mongrel
unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh root 7079
0.0 0.0 4120 732 pts/6 S+ 05:02 0:00 grep mongrel
root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27313 0.0 3.0 45068
30164 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d
-e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5
--user craig --group craig -p 3000 -P log/mongrel.3000.pid -l
log/mongrel.3000.log
root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27316 0.0 2.9 45052
29468 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d
-e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5
--user craig --group craig -p 3001 -P log/mongrel.3001.pid -l
log/mongrel.3001.log
----
>
> > I ran the commands that you suggested (ignoring the alerts raised by the
> > first command) and then restarted httpd service and got a new alert...
> >
> > SELinux is preventing the httpd from using potentially mislabeled files
> > (2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429).
> > Detailed Description
> > [SELinux is in permissive mode, the operation would have been denied but
> > was permitted due to permissive mode.]
> > SELinux has denied httpd access to potentially mislabeled file(s)
> > (2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429).
> >
> > This means that SELinux will not allow httpd to use these files. It is
> > common for users to edit files in their home directory or tmp
> > directories and then move (mv) them to system directories. The problem
> > is that the files end up with the wrong file context which confined
> > applications are not allowed to access.
> > Allowing Access
> > If you want httpd to access this files, you need to relabel them using
> > restorecon -v
> > '2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429'.
> >
> > You might want to relabel the entire directory using restorecon -R -v
> > '.
> > Additional Information
> > Source Context: unconfined_u:system_r:httpd_t
> > Target Context: unconfined_u:object_r:user_tmp_t
> > Target Objects:
> > 2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429
> >
> > This is my new development system and I obviously will be doing svn
> > commit/update operations in this directory and it was created by a
> > checkout.
> >
> > There is a 'tmp' directory in the RAILS_ROOT directory
> > (/home/craig/svn-new/th-db/branches/phase5) which holds...
> > - temporary pdf files put there by ruby before 'merging' database data
> > with pdftk
> > - subdirectories but the only 'non-empty' subdirectory is one called
> > 'pids' which holds the pid for the backgroundrb (a separate ruby process
> > that runs long running processes in the background).
> >
> > I'm wondering if this directory shouldn't have some different
> > contexts...
> >
> > My desire is to have a plan to manage selinux contexts when it comes
> > time to merge this on my production server.
>
> You probably need to run the ruby process confined so that it generates
> files that are readable by httpd. It might actually work ok running as
> httpd_t given how closely related the processes are.
----
I'm sort of unclear on what you are telling me here. What did happen
after I made the change you suggested on Saturday is that the 4:02
log-rotation restart of httpd stopped triggering selinux alerts but a
full restart of httpd service does generate the latest alert.

I could conceivably run the mongrels as user 'apache' except that the
permissions on some of the folders would have to be changed because
there are some directories that files are written into by the ruby web
server...so I try to just run as user.

Thanks

Craig


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
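The target of the second alert is not a path but a run of hex digits. That is how the audit subsystem prints a name containing a space or any other byte it will not emit raw, and setroubleshoot passes the hex through untouched. Decoded, the string Craig pasted reads /var/tmp/kdecache-craig/kpc/kde-icon-cache.data (deleted): an already unlinked KDE cache file under the user's /var/tmp, labelled user_tmp_t, and nowhere near the Rails checkout that the relabel advice talks about. Taken together with the unconfined_u user on the httpd_t source context, that is consistent with httpd having inherited an open descriptor from the interactive session it was restarted from, which would also fit the observation that the cron-driven log-rotation restart stays quiet while a manual restart of the service does not; that reading is the editor's, not something the thread establishes.

The Python below is an added example, not code from the thread, from setroubleshoot or from audit. It parses the two alert blocks quoted above (reconstructed here as inline strings, with the mail wrapping kept inside the hex run), splits each security context into user, role, type and range, decodes a hex-encoded target the way ausearch -i would, strips the " (deleted)" marker the kernel appends to unlinked files, and reports whether the object lies under the Rails root. The rails_root default and the field labels come from the alerts as pasted; a different setroubleshoot layout would need its own regexes.

```python
import binascii
import re

# Both alert texts are reconstructed from what Craig pasted in the thread
# above; the stray spaces inside the hex run reproduce the mail wrapping.
ALERT_SVN_NEW = """\
SELinux has denied httpd access to potentially mislabeled file(s) (./svn-new).
Source Context: system_u:system_r:httpd_t:SystemLow-SystemHigh
Target Context: user_u:object_r:user_home_t
Target Objects: ./svn-new [ dir ]
Source: httpd
Source Path: /usr/sbin/httpd
"""

ALERT_HEX = """\
SELinux is preventing the httpd from using potentially mislabeled files.
Source Context: unconfined_u:system_r:httpd_t
Target Context: unconfined_u:object_r:user_tmp_t
Target Objects: 2F7661722F746D702F6B646563616368652D63726169672F6B 70632F6B64652D69636F6E2D63616368652E64617461202864 656C6574656429
"""

_HEX_RUN = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
_CLASS_SUFFIX = re.compile(r"\s*\[\s*(\w+)\s*\]\s*$")
DELETED = " (deleted)"   # suffix the kernel appends to the path of an unlinked file


def decode_audit_name(field):
    """Turn an audit-style name field back into a path.

    The audit subsystem prints a name in double quotes when it is plain
    printable text, and as unquoted hex when it contains a space, a control
    character or a non-ASCII byte; the " (deleted)" marker alone is enough
    to force the hex form.  setroubleshoot shows that hex verbatim.  An
    unquoted, non-hex field (the "./svn-new" of the first alert) is returned
    as is; a real path that happens to be pure hex digits would be decoded,
    which is the same ambiguity ausearch -i has.
    """
    field = field.strip()
    if len(field) >= 2 and field[0] == field[-1] == '"':
        return field[1:-1]
    compact = re.sub(r"\s+", "", field)          # undo mail/forum wrapping
    if _HEX_RUN.match(compact):
        return binascii.unhexlify(compact).decode("utf-8", "surrogateescape")
    return field


def split_context(ctx):
    """Split user:role:type[:range] into a dict (the range part is optional)."""
    parts = ctx.strip().split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) == 4 else None}


def _field(text, label):
    """Value of a 'Label: value' line; anchored so 'Source' never matches 'Source Context'."""
    m = re.search(rf"^{re.escape(label)}:\s*(.+?)\s*$", text, re.M)
    if not m:
        raise ValueError(f"alert has no {label!r} line")
    return m.group(1)


def parse_alert(text, rails_root="/home/craig/svn-new"):
    """Pull contexts and the decoded target out of one setroubleshoot alert.

    rails_root defaults to the checkout discussed in the thread; pass your own.
    """
    target = _field(text, "Target Objects")
    obj_class = None
    m = _CLASS_SUFFIX.search(target)               # e.g. "./svn-new [ dir ]"
    if m:
        obj_class, target = m.group(1), target[:m.start()]
    path = decode_audit_name(target)
    deleted = path.endswith(DELETED)
    if deleted:
        path = path[:-len(DELETED)]
    root = rails_root.rstrip("/")
    return {
        "source": split_context(_field(text, "Source Context")),
        "target": split_context(_field(text, "Target Context")),
        "class": obj_class,
        "path": path,
        "deleted": deleted,
        "in_rails_root": path == root or path.startswith(root + "/"),
    }


if __name__ == "__main__":
    for alert in (ALERT_SVN_NEW, ALERT_HEX):
        r = parse_alert(alert)
        print(f"{r['source']['type']:>10} -> {r['target']['type']:<12} "
              f"{r['class'] or '?':<4} {r['path']}"
              f"{DELETED if r['deleted'] else ''}"
              f"{'' if r['in_rails_root'] else '   [outside Rails root]'}")
```

Run it as a script and the second line shows httpd_t touching a user_tmp_t object outside the Rails root, which is the check worth doing before relabelling anything: a relabel of /home/craig/svn-new cannot affect a file in /var/tmp, so the fcontext rule from Saturday was never going to silence this alert.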
 
06-16-2008, 12:29 PM
Paul Howarth

simple question with home serving ruby on rails web site

Craig White wrote:
> On Mon, 2008-06-16 at 11:39 +0100, Paul Howarth wrote:
> > Craig White wrote:
> > > On Sat, 2008-06-14 at 16:51 +0100, Paul Howarth wrote:
> > > > On Sat, 14 Jun 2008 08:05:56 -0700
> > > > Craig White <craigwhite@azapple.com> wrote:
> > >
> > > I'm a bit confused myself because in essence, httpd is just a proxy to
> > > the ruby/rails 'mongrel' which is a http server in ruby running the ruby
> > > processes and is providing dhtml on higher ports as the user.
> > >
> > > FWIW...httpd runs as user 'apache' (as usual)
> > > mongrels run as regular 'user' (me)
> > > all files and folders inside the subdirectory we are discussing...
> > > (/home/craig/svn-new) are owned by me (not root, not apache)
> >
> > The conventional unix ownership and permissions make very little
> > difference as far as SELinux is concerned, so although you need to get
> > them right, they're not going to affect the file contexts needed.
> >
> > What context is mongrels running in (try the -Z option of ps)? How does
> > that process get started (via an initscript?)?
> ----
> yes, a SysV initscript...(running 2 mongrels at present... port & pid
> #'s 3000 & 3001)
>
> # ps auxZ|grep mongrel
> unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh root 7079
> 0.0 0.0 4120 732 pts/6 S+ 05:02 0:00 grep mongrel
> root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27313 0.0 3.0 45068
> 30164 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d
> -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5
> --user craig --group craig -p 3000 -P log/mongrel.3000.pid -l
> log/mongrel.3000.log
> root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27316 0.0 2.9 45052
> 29468 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d
> -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5
> --user craig --group craig -p 3001 -P log/mongrel.3001.pid -l
> log/mongrel.3001.log
> ----

OK, so they're running as unconfined_t at the moment.

> > > I ran the commands that you suggested (ignoring the alerts raised by the
> > > first command) and then restarted httpd service and got a new alert...
> > >
> > > SELinux is preventing the httpd from using potentially mislabeled files
> > > (2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429).
> > > Detailed Description
> > > [SELinux is in permissive mode, the operation would have been denied but
> > > was permitted due to permissive mode.]
> > > SELinux has denied httpd access to potentially mislabeled file(s)
> > > (2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429).
> > >
> > > This means that SELinux will not allow httpd to use these files. It is
> > > common for users to edit files in their home directory or tmp
> > > directories and then move (mv) them to system directories. The problem
> > > is that the files end up with the wrong file context which confined
> > > applications are not allowed to access.
> > > Allowing Access
> > > If you want httpd to access this files, you need to relabel them using
> > > restorecon -v
> > > '2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429'.
> > >
> > > You might want to relabel the entire directory using restorecon -R -v
> > > '.
> > > Additional Information
> > > Source Context: unconfined_u:system_r:httpd_t
> > > Target Context: unconfined_u:object_r:user_tmp_t
> > > Target Objects:
> > > 2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429
> > >
> > > This is my new development system and I obviously will be doing svn
> > > commit/update operations in this directory and it was created by a
> > > checkout.
> > >
> > > There is a 'tmp' directory in the RAILS_ROOT directory
> > > (/home/craig/svn-new/th-db/branches/phase5) which holds...
> > > - temporary pdf files put there by ruby before 'merging' database data
> > > with pdftk
> > > - subdirectories but the only 'non-empty' subdirectory is one called
> > > 'pids' which holds the pid for the backgroundrb (a separate ruby process
> > > that runs long running processes in the background).
> > >
> > > I'm wondering if this directory shouldn't have some different
> > > contexts...
> > >
> > > My desire is to have a plan to manage selinux contexts when it comes
> > > time to merge this on my production server.
> >
> > You probably need to run the ruby process confined so that it generates
> > files that are readable by httpd. It might actually work ok running as
> > httpd_t given how closely related the processes are.
> ----
> I'm sort of unclear on what you are telling me here. What did happen
> after I made the change you suggested on Saturday is that the 4:02
> log-rotation restart of httpd stopped triggering selinux alerts but a
> full restart of httpd service does generate the latest alert.
>
> I could conceivably run the mongrels as user 'apache' except that the
> permissions on some of the folders would have to be changed because
> there are some directories that files are written into by the ruby web
> server...so I try to just run as user.


Don't change anything about the regular Unix permissions at the moment;
I guess that for a production server you'd create a separate account for
the Ruby stuff to run as.


What would be an interesting experiment would be to run the Ruby stuff
in the same SELinux context as httpd. Try changing the context type of
/usr/bin/mongrel_rails to httpd_exec_t and restart the services.


# chcon -t httpd_exec_t /usr/bin/mongrel_rails

I'm not sure whether this will make things better or worse but it should
eliminate some problems for the two httpd-like bits talking to each other.


Paul.
