[CentOS] SELinux context for web application directories

Sun Jun 29 10:59:37 UTC 2014
Daniel J Walsh <dwalsh at redhat.com>

On 06/27/2014 11:47 AM, James B. Byrne wrote:
> CentOS-6.5
>
> We deploy web applications written with the Ruby on Rails framework using
> Capistrano (2.x).  Each 'family' of web applications is 'owned' by a
> dedicated user id.  The present httpd service is Apache 2.2.15 and we use
> Passenger 3.0.11.  We are moving shortly to a new deployment host and at that
> time we will be updating to Apache 2.4.9 and Passenger 4.0.25.
>
> Our deployment practice is to place the 'family' directory under /var/data/.
> This is the home directory of the application user id. We place each
> individual web application or component into its own directory underneath the
> family root.  So that things look like this:
>
> /var/data/hll_th
> ├── backups
> │   └── pgsql
> ├── etc
> │   └── database.yml
> ├── hll_th_cc_edi_get
> │   ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20140519201615
> │   ├── releases
> │   └── shared
> ├── hll_th_forex_rss
> │   ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20131204193652
> │   ├── releases
> │   └── shared
> ├── hll_th_hp3000_billing
> │   ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20140214211431
> │   ├── releases
> │   └── shared
> ├── log
> ├── lost+found
> └── pgpass -> .pgpass
>
> The questions I have are: What is an appropriate SELinux context for such a
> directory structure given it is used by a httpd service?  Is the default user
> home setting of system_u:object_r:home_root_t acceptable?  Is
> system_u:object_r:httpd_sys_content_t preferable instead?  Is some other
> SELinux context preferred for RoR web applications using Apache with
> mod-passenger?
>
>
I would think that httpd_sys_content_t and httpd_sys_rw_content_t would
be appropriate.
These are not real user accounts, meaning normal users do not login to
these systems.
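The following is an added example, not part of the thread and not written by either poster: a POSIX shell script that labels the family tree from the post along the lines Dan Walsh suggests, httpd_sys_content_t as the default and httpd_sys_rw_content_t only on the subtrees httpd must write to. The family root /var/data/hll_th and the directory names come from the post; which subtrees are writable is an assumption made here (the per-application shared/ and log/ directories plus the family-level log/ and backups/), so adjust the patterns to match what Passenger actually writes. The commands used (semanage fcontext from policycoreutils-python on CentOS 6, restorecon, matchpathcon) are real; the policy logic is kept in a pure shell function so it can be checked without SELinux tooling present.

```shell
#!/bin/sh
# Added example: label a Capistrano-style family directory for httpd.
# ASSUMPTION (not stated in the thread): only shared/ and log/ under each
# application, and the family-level log/ and backups/, need write access.

FAMILY_ROOT="${FAMILY_ROOT:-/var/data/hll_th}"

# Decide which SELinux type a path under the family root should carry.
# Writable subtrees get httpd_sys_rw_content_t, everything else (releases,
# current, etc/database.yml, ...) stays read-only httpd_sys_content_t.
context_for_path() {
    rel="${1#"$FAMILY_ROOT"/}"          # path relative to the family root
    first="${rel%%/*}"                  # e.g. hll_th_forex_rss, log, etc
    rest="${rel#"$first"}"; rest="${rest#/}"
    second="${rest%%/*}"                # e.g. shared, releases, current
    case "$first" in
        log|backups) printf '%s\n' httpd_sys_rw_content_t; return ;;
    esac
    case "$second" in
        shared|log)  printf '%s\n' httpd_sys_rw_content_t; return ;;
    esac
    printf '%s\n' httpd_sys_content_t
}

# Emit the persistent file-context rules that encode the same policy.
# The general rule comes first; the more specific rw rules follow so they
# take precedence, then restorecon applies the labels on disk.
print_fcontext_rules() {
    root="$FAMILY_ROOT"
    printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$root"
    printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s/log(/.*)?"\n' "$root"
    printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s/backups(/.*)?"\n' "$root"
    printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s/[^/]+/shared(/.*)?"\n' "$root"
    printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s/[^/]+/log(/.*)?"\n' "$root"
    printf 'restorecon -Rv "%s"\n' "$root"
}

# Dry run by default; "apply" executes the rules as root. Afterwards,
# verify with: matchpathcon "$FAMILY_ROOT/hll_th_forex_rss/shared"
if [ "${1:-}" = "apply" ]; then
    print_fcontext_rules | sh -e
else
    print_fcontext_rules
fi
```

If a rule already exists, semanage rejects `-a`; rerun that line with `-m` instead. After restorecon, `ls -dZ` on a release directory and on a shared/log directory should show the two different types, and any remaining denials show up with `ausearch -m AVC -ts recent`, which is the signal that a subtree was wrongly assumed to be read-only. home_root_t is the type of the /home directory itself, not of application content, so it is not the right choice for this tree.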