Miroslav wrote:
m.roth@5-cent.us wrote:
Gag. I hate passenger...
This is CentOS 6.3
Does someone have a link to info on what selinux passenger context to set what files to? I see passenger set to lib_t, which I may have done a while back, but the current policy may be more picky. I've looked at the passenger_selinux manpage, and it doesn't suggest what they should be. The version of ruby my users are on is the old 1.8.7 enterprise, *not* installed from an rpm, so nothing's correct....
Following myself up, a clarification: I've seen pages that say to set all of passenger to httpd_sys_content_t; however, since there's explicitly a passenger_*_t, and I *assume* that it allows it to transition to run things like ps, and status, I'd like to set them *correctly*, rather than as httpd*, and then allow all sorts of things for httpd to do as policy.
We have passenger fixes in RHEL6.4. Basically you will need to follow http://git.fedorahosted.org/cgit/selinux-policy.git/tree/passenger.fc?h=f18-... labeling.
Thanks, Miroslav. Here's what (once I thought of it) seems like an obvious question: is there a way, in selinux, to say "I installed this stuff over here, not in the usual place (say, from a tarball instead of an rpm), but I want to label everything correctly", something like <selinuxrelabel> passenger-policy /opt/ruby/gem/etc?
mark
On 03/14/2013 15:49, m.roth@5-cent.us wrote:
Thanks, Miroslav. Here's what (once I thought of it) seems like an obvious question: is there a way, in selinux, to say "I installed this stuff over here, not in the usual place (say, from a tarball instead of an rpm), but I want to label everything correctly", something like <selinuxrelabel> passenger-policy /opt/ruby/gem/etc?
mark
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
The semanage fcontext -e option is exactly what you want. I think the exact command would be semanage fcontext -a -e <original location> <target location>.
That will say treat target on down the same way you treat the original location down.
Dave
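The equivalence approach from the reply above, wrapped in a small script (an added example, not code from the thread). The function names and the DRY_RUN switch are assumptions made here, and the thread does not give the packaged location, so the original path has to be taken from the passenger.fc in your own policy.

```shell
#!/bin/sh
# Added example: register an SELinux file-context equivalence so a
# tarball install is labelled like the packaged location, then relabel it.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 runs them (as root).

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# label_like ORIGINAL TARGET
#   ORIGINAL: path the policy already has file-context rules for
#   TARGET:   where the software was actually unpacked
label_like() {
    orig=$1
    target=$2
    # This script only accepts absolute paths without a trailing slash,
    # since the equivalence is a substitution of one path prefix for another.
    for p in "$orig" "$target"; do
        case $p in
            */) echo "drop the trailing slash: $p" >&2; return 1 ;;
            /*) ;;
            *)  echo "path must be absolute: $p" >&2; return 1 ;;
        esac
    done
    if [ "$orig" = "$target" ]; then
        echo "original and target are the same path" >&2
        return 1
    fi
    # 1. Treat TARGET on down the same way as ORIGINAL on down.
    run semanage fcontext -a -e "$orig" "$target" || return 1
    # 2. Apply the labels the policy now yields to files already on disk.
    run restorecon -R -v "$target" || return 1
    # 3. Check that the on-disk context matches the policy default.
    run matchpathcon -V "$target"
}

# Stand-alone use: sh label_like.sh ORIGINAL TARGET
if [ "$#" -eq 2 ]; then
    label_like "$1" "$2"
fi
```

Run it first with the default DRY_RUN=1 to review the three commands, then again with DRY_RUN=0 as root to apply them.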