On 06/27/2014 11:47 AM, James B. Byrne wrote:
> CentOS-6.5
>
> We deploy web applications written with the Ruby on Rails framework using
> Capistrano (2.x). Each 'family' of web applications is 'owned' by a
> dedicated user id. The present httpd service is Apache 2.2.15 and we use
> Passenger 3.0.11. We are moving shortly to a new deployment host and at that
> time we will be updating to Apache 2.4.9 and Passenger 4.0.25.
>
> Our deployment practice is to place the 'family' directory under /var/data/.
> This is the home directory of the application user id. We place each
> individual web application or component into its own directory underneath the
> family root. So that things look like this:
>
> /var/data/hll_th
> ├── backups
> │   └── pgsql
> ├── etc
> │   └── database.yml
> ├── hll_th_cc_edi_get
> │   ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20140519201615
> │   ├── releases
> │   └── shared
> ├── hll_th_forex_rss
> │   ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20131204193652
> │   ├── releases
> │   └── shared
> ├── hll_th_hp3000_billing
> │   ├── current -> /var/data/hll_th/hll_th_forex_rss/releases/20140214211431
> │   ├── releases
> │   └── shared
> ├── log
> ├── lost+found
> └── pgpass -> .pgpass
>
> The questions I have are: What is an appropriate SELinux context for such a
> directory structure given it is used by a httpd service? Is the default user
> home setting of system_u:object_r:home_root_t acceptable? Is
> system_u:object_r:httpd_sys_content_t preferable instead? Is some other
> SELinux context preferred for RoR web applications using Apache with
> mod-passenger?

I would think that httpd_sys_content_t and httpd_sys_rw_content_t would be
appropriate. These are not real user accounts, meaning normal users do not
login to these systems.
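As an added illustration of the reply above (this is not code from either poster), the following POSIX shell script labels one Capistrano "family" root for Apache and Passenger the way the reply suggests: httpd_sys_content_t for the whole tree and httpd_sys_rw_content_t only for the directories the web server must write to. Which directories those are is an assumption about this deployment (the Capistrano defaults shared/log and shared/tmp under each application); the family root and application names are taken from the quoted tree. The functions fcontext_rules, expected_type, context_type, apply_rules and check_labels are all names introduced here. The rules are persisted with semanage fcontext rather than chcon so that a later restorecon does not undo them.

```shell
#!/bin/sh
# Added example, not code from the original thread. Labels a Capistrano family
# root (e.g. /var/data/hll_th) for Apache + Passenger with the contexts
# suggested in the reply: httpd_sys_content_t everywhere, httpd_sys_rw_content_t
# only where httpd must write. The writable subdirectories are an assumption
# about this deployment: the Capistrano defaults shared/log and shared/tmp.

WRITABLE_SUBDIRS="shared/log shared/tmp"

# Emit the semanage rules for a family root followed by its application
# directory names, e.g.:
#   fcontext_rules /var/data/hll_th hll_th_cc_edi_get hll_th_forex_rss
# The broad rule comes first and the narrower rw rules after it, so the local
# file_contexts entries are added in that order.
fcontext_rules() {
    root="$1"; shift
    printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$root"
    for app in "$@"; do
        for sub in $WRITABLE_SUBDIRS; do
            printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s/%s/%s(/.*)?"\n' \
                "$root" "$app" "$sub"
        done
    done
}

# The type a path under the family root is expected to carry; mirrors the
# rules above and is used by check_labels to audit a live tree.
expected_type() {
    case "$1" in
        */shared/log|*/shared/log/*|*/shared/tmp|*/shared/tmp/*)
            echo httpd_sys_rw_content_t ;;
        *)
            echo httpd_sys_content_t ;;
    esac
}

# Type field (third colon-separated field) of a full SELinux context such as
# system_u:object_r:httpd_sys_content_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Persist the rules and relabel the tree. Needs root and policycoreutils.
apply_rules() {
    root="$1"
    command -v semanage >/dev/null 2>&1 || { echo "semanage not found" >&2; return 1; }
    fcontext_rules "$@" | sh -e || return 1
    restorecon -Rv "$root"
}

# Compare the actual type of every path under the root with expected_type.
# Prints each mismatch and returns non-zero if any were found. stat -c %C
# prints the context of the path itself, so symlinks such as "current" are
# checked as symlinks, not followed.
check_labels() {
    mismatches=$(find "$1" -print | while IFS= read -r path; do
        actual=$(context_type "$(stat -c %C "$path")")
        want=$(expected_type "$path")
        [ "$actual" = "$want" ] || printf '%s is %s, want %s\n' "$path" "$actual" "$want"
    done)
    [ -z "$mismatches" ] && return 0
    printf '%s\n' "$mismatches"
    return 1
}

# Typical use on the deployment host, as root:
#   apply_rules /var/data/hll_th hll_th_cc_edi_get hll_th_forex_rss hll_th_hp3000_billing
#   check_labels /var/data/hll_th && echo "labels OK"
```

Two things worth checking after running it: `matchpathcon /var/data/hll_th/hll_th_forex_rss/shared/log` should now report httpd_sys_rw_content_t, confirming the narrower rule wins over the broad one, and `ls -Z /var/data/hll_th` should show httpd_sys_content_t on backups and etc as well, because the single `(/.*)?` rule covers everything under the family root. If the backups directory should not be readable by httpd, leave it out by labelling the application directories individually instead of the whole root.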