James B. Byrne
2014-Jun-27 15:47 UTC
[CentOS] SELinux context for web application directories
CentOS-6.5

We deploy web applications written with the Ruby on Rails framework using Capistrano (2.x). Each 'family' of web applications is 'owned' by a dedicated user id. The present httpd service is Apache 2.2.15 and we use Passenger 3.0.11. We are moving shortly to a new deployment host and at that time we will be updating to Apache 2.4.9 and Passenger 4.0.25.

Our deployment practice is to place the 'family' directory under /var/data/. This is the home directory of the application user id. We place each individual web application or component into its own directory underneath the family root. So that things look like this:

/var/data/hll_th
├── backups
│   └── pgsql
├── etc
│   └── database.yml
├── hll_th_cc_edi_get
│   ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20140519201615
│   ├── releases
│   └── shared
├── hll_th_forex_rss
│   ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20131204193652
│   ├── releases
│   └── shared
├── hll_th_hp3000_billing
│   ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20140214211431
│   ├── releases
│   └── shared
├── log
├── lost+found
└── pgpass -> .pgpass

The questions I have are: What is an appropriate SELinux context for such a directory structure given it is used by a httpd service? Is the default user home setting of system_u:object_r:home_root_t acceptable? Is system_u:object_r:httpd_sys_content_t preferable instead? Is some other SELinux context preferred for RoR web applications using Apache with mod-passenger?

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
Daniel J Walsh
2014-Jun-29 10:59 UTC
[CentOS] SELinux context for web application directories
On 06/27/2014 11:47 AM, James B. Byrne wrote:
> CentOS-6.5
>
> We deploy web applications written with the Ruby on Rails framework using
> Capistrano (2.x). Each 'family' of web applications is 'owned' by a
> dedicated user id. The present httpd service is Apache 2.2.15 and we use
> Passenger 3.0.11. We are moving shortly to a new deployment host and at that
> time we will be updating to Apache 2.4.9 and Passenger 4.0.25.
>
> Our deployment practice is to place the 'family' directory under /var/data/.
> This is the home directory of the application user id. We place each
> individual web application or component into its own directory underneath the
> family root. So that things look like this:
>
> /var/data/hll_th
> ├── backups
> │   └── pgsql
> ├── etc
> │   └── database.yml
> ├── hll_th_cc_edi_get
> │   ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20140519201615
> │   ├── releases
> │   └── shared
> ├── hll_th_forex_rss
> │   ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20131204193652
> │   ├── releases
> │   └── shared
> ├── hll_th_hp3000_billing
> │   ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20140214211431
> │   ├── releases
> │   └── shared
> ├── log
> ├── lost+found
> └── pgpass -> .pgpass
>
> The questions I have are: What is an appropriate SELinux context for such a
> directory structure given it is used by a httpd service? Is the default user
> home setting of system_u:object_r:home_root_t acceptable? Is
> system_u:object_r:httpd_sys_content_t preferable instead? Is some other
> SELinux context preferred for RoR web applications using Apache with
> mod-passenger?
>

I would think that httpd_sys_content_t and httpd_sys_rw_content_t would be appropriate. These are not real user accounts, meaning normal users do not log in to these systems.
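The following is an added example, not code from either poster, showing how the two types suggested in the reply would be recorded as persistent file-context rules for a family tree like /var/data/hll_th and then applied with restorecon. It assumes the usual Capistrano layout, where the only places the running application writes are the family's log/ directory and each application's shared/ directory (those get httpd_sys_rw_content_t; everything else, including releases/ and current, stays read-only to httpd as httpd_sys_content_t), and that semanage is available (policycoreutils-python on CentOS 6). The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): generate, apply and audit persistent
# SELinux file-context rules for a Capistrano "family" tree such as
# /var/data/hll_th. The whole tree is labelled httpd_sys_content_t (httpd may
# read, not write); only the directories the application must write to are
# labelled httpd_sys_rw_content_t.
# Assumption: the writable parts are <root>/log and each app's shared/
# directory. Adjust the patterns if your layout differs.

# Emit the commands for a family root without running them, so the plan can
# be reviewed first. Order matters: the broad read-only rule is recorded
# first and the narrower read-write rules after it, so the specific rules
# take precedence for the paths they match.
family_label_cmds() {
  root=$1
  printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$root"
  printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s/log(/.*)?"\n' "$root"
  printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s/[^/]+/shared(/.*)?"\n' "$root"
  # restorecon relabels what already exists on disk from the rules above.
  printf 'restorecon -Rv "%s"\n' "$root"
}

# Run the generated plan (needs root).
family_label_apply() {
  family_label_cmds "$1" | sh -e
}

# Audit helper: list anything under the root that carries neither httpd type,
# e.g. files moved in from a home directory that kept user_home_t.
# Uses GNU find's %Z directive (the file's security context).
family_label_audit() {
  find "$1" -printf '%Z %p\n' | grep -Ev '^[^ ]*:httpd_sys(_rw)?_content_t:'
}

# Stand-alone use: print the plan for the family root given as $1.
if [ $# -gt 0 ]; then family_label_cmds "$1"; fi
```

Two practical notes: `semanage fcontext -a` refuses to add a rule that already exists, so re-running on a host that already has the rules means switching to `-m`; and files Capistrano creates under an already-labelled directory inherit the parent directory's type, so after the initial relabel `restorecon` is mostly needed when files arrive with a foreign label (rsync or mv from a user home), which `family_label_audit` will show. Keeping releases/ and current read-only to httpd is the least-privilege point of the two-type split: a process confined to httpd's domain can write logs and shared uploads but cannot alter deployed application code.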