CentOS-6.5
We deploy web applications written with the Ruby on Rails framework using Capistrano (2.x). Each 'family' of web applications are 'owned' by a dedicated user id. The present httpd service is Apache 2.2.15 and we use Passenger 3.0.11. We are moving shortly to a new deployment host and at that time we will be updating to Apache 2.4.9 and Passenger 4..0.25.
Our deployment practice is to place the 'family' directory under /var/data/. This is the home directory of the application user id. We place each individual web application or component into its own directory underneath the family root. So that things look like this:
/var/data/hll_th ├── backups │ └── pgsql ├── etc │ └── database.yml ├── hll_th_cc_edi_get │ ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20140519201615 │ ├── releases │ └── shared ├── hll_th_forex_rss │ ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20131204193652 │ ├── releases │ └── shared ├── hll_th_hp3000_billing │ ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20140214211431 │ ├── releases │ └── shared ├── log ├── lost+found └── pgpass -> .pgpass
The questions I have are: What is an appropriate SELinux context for such a directory structure given it is used by a httpd service? Is the default user home setting of system_u:object_r:home_root_t acceptable? Is system_u:object_r:httpd_sys_content_t preferable instead? is some other SELinux context preferred for RoR web applications using Apache with mod-passenger?
On 06/27/2014 11:47 AM, James B. Byrne wrote:
CentOS-6.5
We deploy web applications written with the Ruby on Rails framework using Capistrano (2.x). Each 'family' of web applications are 'owned' by a dedicated user id. The present httpd service is Apache 2.2.15 and we use Passenger 3.0.11. We are moving shortly to a new deployment host and at that time we will be updating to Apache 2.4.9 and Passenger 4..0.25.
Our deployment practice is to place the 'family' directory under /var/data/. This is the home directory of the application user id. We place each individual web application or component into its own directory underneath the family root. So that things look like this:
/var/data/hll_th ├── backups │ └── pgsql ├── etc │ └── database.yml ├── hll_th_cc_edi_get │ ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20140519201615 │ ├── releases │ └── shared ├── hll_th_forex_rss │ ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20131204193652 │ ├── releases │ └── shared ├── hll_th_hp3000_billing │ ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20140214211431 │ ├── releases │ └── shared ├── log ├── lost+found └── pgpass -> .pgpass
The questions I have are: What is an appropriate SELinux context for such a directory structure given it is used by a httpd service? Is the default user home setting of system_u:object_r:home_root_t acceptable? Is system_u:object_r:httpd_sys_content_t preferable instead? is some other SELinux context preferred for RoR web applications using Apache with mod-passenger?
I would think that httpd_sys_content_t and httpd_sys_rw_content_t would be appropriate. These are not real user accounts, meaning normal users do not login to these systems.
-
Daniel J Walsh -
James B. Byrne