Old 06-16-2008, 12:42 PM
Craig White
 
**** **** simple question with home serving ruby on rails web site

On Mon, 2008-06-16 at 13:29 +0100, Paul Howarth wrote:
> Craig White wrote:
> > On Mon, 2008-06-16 at 11:39 +0100, Paul Howarth wrote:
> >> Craig White wrote:
> >>> On Sat, 2008-06-14 at 16:51 +0100, Paul Howarth wrote:
> >>>> On Sat, 14 Jun 2008 08:05:56 -0700
> >>>> Craig White <craigwhite@azapple.com> wrote:
> >>> I'm a bit confused myself because in essence, httpd is just a proxy to
> >>> the ruby/rails 'mongrel' which is a http server in ruby running the ruby
> >>> processes and is providing dhtml on higher ports as the user.
> >>>
> >>> FWIW...httpd runs as user 'apache' (as usual)
> >>> mongrels run as regular 'user' (me)
> >>> all files and folders inside the subdirectory we are discussing...
> >>> (/home/craig/svn-new) are owned by me (not root, not apache)
> >> The conventional unix ownership and permissions make very little
> >> difference as far as SELinux is concerned, so although you need to get
> >> them right, they're not going to affect the file contexts needed.
> >>
> >> What context are the mongrels running in (try the -Z option of ps)? How does
> >> that process get started (via an initscript?)?
> > ----
> > yes, a SysV initscript...(running 2 mongrels at present... port & pid
> > #'s 3000 & 3001)
> >
> > # ps auxZ|grep mongrel
> > unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh root 7079
> > 0.0 0.0 4120 732 pts/6 S+ 05:02 0:00 grep mongrel
> > root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27313 0.0 3.0 45068
> > 30164 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d
> > -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5
> > --user craig --group craig -p 3000 -P log/mongrel.3000.pid -l
> > log/mongrel.3000.log
> > root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27316 0.0 2.9 45052
> > 29468 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d
> > -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5
> > --user craig --group craig -p 3001 -P log/mongrel.3001.pid -l
> > log/mongrel.3001.log
> > ----
>
> OK, so they're running as unconfined_t at the moment.
>
> >
> > I could conceivably run the mongrels as user 'apache' except that the
> > permissions on some of the folders would have to be changed because
> > there are some directories that files are written into by the ruby web
> > server...so I try to just run as user.
>
> Don't change anything about the regular Unix permissions at the moment;
> I guess that for a production server you'd create a separate account for
> the Ruby stuff to run as.
>
> What would be an interesting experiment would be to run the Ruby stuff
> in the same SELinux context as httpd. Try changing the context type of
> /usr/bin/mongrel_rails to httpd_exec_t and restart the services.
>
> # chcon -t httpd_exec_t /usr/bin/mongrel_rails
>
> I'm not sure whether this will make things better or worse but it should
> eliminate some problems for the two httpd-like bits talking to each other.
----
that seems to have cleared things up - I had to restart both the
mongrel_cluster service and then the httpd service - I did get an error
the first time through but subsequent restarts seem to have cleared it
up.

Thanks

Craig

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
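As an added example (not from the thread, and not Craig's or Paul's own commands), the sh script below pulls the SELinux type out of `ps -Z` lines like the ones quoted above and prints the persistent form of the relabel Paul suggested. The first sample line is constructed from the thread's `ps auxZ` output; the `httpd` line is a constructed second sample, and the pid and memory figures on it are made up.

```shell
#!/bin/sh
# Added example: inspect which SELinux domain the mongrel processes run in
# and emit a relabel of the launcher that survives a filesystem relabel.

# Constructed sample modelled on the `ps auxZ | grep mongrel` output in the
# thread (the httpd line is invented); the first whitespace-separated
# field of each line is the process context.
SAMPLE_PS='root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27313 0.0 3.0 45068 30164 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d -p 3000
system_u:system_r:httpd_t:s0 apache 1402 0.0 1.0 20000 9000 ? S Jun15 0:00 /usr/sbin/httpd'

# selinux_type LINE: print the type (third colon-separated part of the
# context) from one ps -Z line, e.g. unconfined_t or httpd_t.
selinux_type() {
    printf '%s\n' "$1" | cut -d' ' -f1 | cut -d: -f3
}

# domain_status TYPE: unconfined_t means the policy is not restricting the
# process at all, so what it can read or write says nothing about the file
# labels httpd_t will need once the whole proxy chain is confined.
domain_status() {
    case "$1" in
        unconfined_t) echo "unconfined" ;;
        httpd_t)      echo "confined (httpd domain, same rules as httpd)" ;;
        *)            echo "confined ($1)" ;;
    esac
}

# report_processes: one line per sample process, "<type>: <status>".
report_processes() {
    printf '%s\n' "$SAMPLE_PS" | while IFS= read -r line; do
        t=$(selinux_type "$line")
        printf '%s: %s\n' "$t" "$(domain_status "$t")"
    done
}

# persistent_label PATH TYPE: chcon (as used in the thread) sets the label
# only until the next relabel (restorecon or /.autorelabel); recording the
# type with semanage fcontext and applying it with restorecon keeps it.
persistent_label() {
    printf 'semanage fcontext -a -t %s "%s"\nrestorecon -v "%s"\n' "$2" "$1" "$1"
}

# Stand-alone usage: show the sample report, then the commands that make
# the httpd_exec_t label on mongrel_rails persistent.
report_processes
persistent_label /usr/bin/mongrel_rails httpd_exec_t
```

The same `selinux_type` check, run on real `ps auxZ` output after the relabel and a restart, should show the mongrel processes in `httpd_t` rather than `unconfined_t`: under the targeted policy, a process that executes a file labelled `httpd_exec_t` from the init scripts transitions into the `httpd_t` domain, which is what lets the two httpd-like pieces share one set of rules.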
 
Old 06-23-2008, 12:56 PM
Daniel J Walsh
 
**** **** simple question with home serving ruby on rails web site

Craig White wrote:
> On Mon, 2008-06-16 at 13:29 +0100, Paul Howarth wrote:
>> Craig White wrote:
>>> On Mon, 2008-06-16 at 11:39 +0100, Paul Howarth wrote:
>>>> Craig White wrote:
>>>>> On Sat, 2008-06-14 at 16:51 +0100, Paul Howarth wrote:
>>>>>> On Sat, 14 Jun 2008 08:05:56 -0700
>>>>>> Craig White <craigwhite@azapple.com> wrote:
>>>>> I'm a bit confused myself because in essence, httpd is just a proxy to
>>>>> the ruby/rails 'mongrel' which is a http server in ruby running the ruby
>>>>> processes and is providing dhtml on higher ports as the user.
>>>>>
>>>>> FWIW...httpd runs as user 'apache' (as usual)
>>>>> mongrels run as regular 'user' (me)
>>>>> all files and folders inside the subdirectory we are discussing...
>>>>> (/home/craig/svn-new) are owned by me (not root, not apache)
>>>> The conventional unix ownership and permissions make very little
>>>> difference as far as SELinux is concerned, so although you need to get
>>>> them right, they're not going to affect the file contexts needed.
>>>>
>>>> What context are the mongrels running in (try the -Z option of ps)? How does
>>>> that process get started (via an initscript?)?
>>> ----
>>> yes, a SysV initscript...(running 2 mongrels at present... port & pid
>>> #'s 3000 & 3001)
>>>
>>> # ps auxZ|grep mongrel
>>> unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh root 7079
>>> 0.0 0.0 4120 732 pts/6 S+ 05:02 0:00 grep mongrel
>>> root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27313 0.0 3.0 45068
>>> 30164 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d
>>> -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5
>>> --user craig --group craig -p 3000 -P log/mongrel.3000.pid -l
>>> log/mongrel.3000.log
>>> root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27316 0.0 2.9 45052
>>> 29468 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d
>>> -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5
>>> --user craig --group craig -p 3001 -P log/mongrel.3001.pid -l
>>> log/mongrel.3001.log
>>> ----
>> OK, so they're running as unconfined_t at the moment.
>>
>>> I could conceivably run the mongrels as user 'apache' except that the
>>> permissions on some of the folders would have to be changed because
>>> there are some directories that files are written into by the ruby web
>>> server...so I try to just run as user.
>> Don't change anything about the regular Unix permissions at the moment;
>> I guess that for a production server you'd create a separate account for
>> the Ruby stuff to run as.
>>
>> What would be an interesting experiment would be to run the Ruby stuff
>> in the same SELinux context as httpd. Try changing the context type of
>> /usr/bin/mongrel_rails to httpd_exec_t and restart the services.
>>
>> # chcon -t httpd_exec_t /usr/bin/mongrel_rails
>>
>> I'm not sure whether this will make things better or worse but it should
>> eliminate some problems for the two httpd-like bits talking to each other.
> ----
> that seems to have cleared things up - I had to restart both the
> mongrel_cluster service and then the httpd service - I did get an error
> the first time through but subsequent restarts seem to have cleared it
> up.
>
> Thanks
>
> Craig
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Is this the correct context for mongrel_rails? IE Is this basically a
http web server? How does it get started on boot?
