[CentOS] SELinux context for web application directories

Mon Jun 30 18:03:13 UTC 2014
James B. Byrne <byrnejb at harte-lyne.ca>

On Sun, June 29, 2014 06:59, Daniel J Walsh wrote:
> On 06/27/2014 11:47 AM, James B. Byrne wrote:
>> CentOS-6.5

>> The questions I have are: What is an appropriate SELinux context for such a
>> directory structure given it is used by a httpd service?  Is the default
>> user
>> home setting of system_u:object_r:home_root_t acceptable?  Is
>> system_u:object_r:httpd_sys_content_t preferable instead?  is some other
>> SELinux context preferred for RoR web applications using Apache with
>> mod-passenger?
> I would think that httpd_sys_content_t and httpd_sys_rw_content_t would
> be appropriate.
> These are not real user accounts, meaning normal users do not login to
> these systems.

Does it matter that the application user has to login so that the capistrano
deply receipes will run correctly?  Also this deploy makes use of rbenv which
is another user login dependent item (requires a shim in .bash_profile).  Does
that have any impact on the choice?

Finally, and only peripherally related, what are the SELinux settings, boolean
or profile, required on CentOS-6.5 to get Apache mod-passenger to run without
generating avc's?

***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3