SELinux Context For Web Application Directories


CentOS-6.5

We deploy web applications written with the Ruby on Rails framework using Capistrano (2.x). Each ‘family’ of web applications is ‘owned’ by a dedicated user id. The present httpd service is Apache 2.2.15 and we use Passenger 3.0.11. We are moving shortly to a new deployment host and at that time we will be updating to Apache 2.4.9 and Passenger 4.0.25.

Our deployment practice is to place the ‘family’ directory under /var/data/. This is the home directory of the application user id. We place each individual web application or component into its own directory underneath the family root, so that things look like this:

/var/data/hll_th
├── backups

4 thoughts on - SELinux Context For Web Application Directories

  • James B. Byrne wrote:

    using Capistrano (2.x). Each ‘family’ of web applications are ‘owned’
    by a dedicated user id. The present httpd service is Apache 2.2.15 and we use Passenger 3.0.11. We are moving shortly to a new deployment host and at that

    /var/data/. individual web application or component into its own directory underneath the

    passenger_exec_t, etc.
    <http://linuxmanpages.net/manpages/fedora17/man8/passenger_selinux.8.html>

    And if you google anything else, note: DO NOT USE CHCON; it does *NOT*
    remain following a reboot. Use semanage fcontext (and the manpage example is what I use all the time), followed by a restorecon -Rv

    mark
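As an added example (not from any poster in this thread, and not the thread's own commands), a POSIX shell script that turns mark's advice into a repeatable step: the rules are written into policy with semanage fcontext rather than chcon, then restorecon -Rv relabels the tree, and a dry-run restorecon reports any label drift after a deploy. The family root /var/data/hll_th is from the post; the per-application releases/shared layout and the writable shared/log, shared/pids and shared/system directories are assumed Capistrano 2.x defaults, and apply_rules and label_drift_free need root plus the semanage and restorecon tools.

```shell
#!/bin/sh
# Persistent SELinux labels for an application family under /var/data.
# Rules go into policy via 'semanage fcontext' so they survive a reboot or
# a full relabel; 'chcon' only rewrites the on-disk label and is undone by
# the next restorecon. Layout below is an ASSUMED Capistrano 2.x default:
#   /var/data/<family>/<app>/releases/<ts>             code, read-only for httpd
#   /var/data/<family>/<app>/shared/{log,pids,system}  written by the app

# Emit one 'semanage fcontext' rule per line for a family root.
# Everything defaults to httpd_sys_content_t; the directories the running
# application must write get httpd_sys_rw_content_t. Those rules are added
# after the general one and share its stem, so they take precedence.
fcontext_rules() {
    root=$1
    printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$root"
    for rw in shared/log shared/pids shared/system; do
        printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s/[^/]+/%s(/.*)?"\n' \
            "$root" "$rw"
    done
}

# Write the rules into policy (a rule that already exists is modified with
# -m instead of failing), then relabel the tree from policy.
apply_rules() {
    root=$1
    fcontext_rules "$root" | while read -r rule; do
        eval "$rule" 2>/dev/null || eval "$(printf '%s' "$rule" | sed 's/ -a / -m /')"
    done
    restorecon -Rv "$root"
}

# Post-deploy check: succeed only if no file under the root carries a label
# that differs from policy. Drift here usually means a chcon or a copy
# that brought a foreign label along.
label_drift_free() {
    [ -z "$(restorecon -Rnv "$1")" ]
}

# Usage: sh label-family.sh /var/data/hll_th
if [ -n "$1" ]; then
    apply_rules "$1" && label_drift_free "$1" && echo "labels match policy"
fi
```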

  • I would think that httpd_sys_content_t and httpd_sys_rw_content_t would be appropriate. These are not real user accounts, meaning normal users do not log in to these systems.

  • Does it matter that the application user has to log in so that the Capistrano deploy recipes will run correctly? Also, this deploy makes use of rbenv, which is another user-login-dependent item (it requires a shim in .bash_profile). Does that have any impact on the choice?

    Finally, and only peripherally related, what are the SELinux settings, boolean or profile, required on CentOS-6.5 to get Apache mod_passenger to run without generating AVCs?
