RedmineAndSELinuxOnCentOS » History » Version 3

Sascha Sanches, 2011-12-05 13:58

h1. Redmine, Phusion Passenger, Ruby Enterprise Edition, Apache and ... SELinux


_Disclaimer: Please make sure you understand the steps detailed below before applying them. I take no responsibility when things go wrong!! Security Enhanced Linux in particular can cause any part of the system to malfunction, so test this in an environment you can afford to reinstall, or that you are able to restore to a known-good state in another way. This has been written with CentOS 5.5 in mind; another distribution might do things differently. That being said, these instructions worked fine for me._


This guide has been tested with the following software and versions:

* "Ruby Enterprise Edition":http://www.rubyenterpriseedition.com/ _(1.8.7-2010.02, 1.8.7-2011.03)_
* "Phusion Passenger":http://www.modrails.com/ _(2.2.15)_
* "Redmine":http://www.redmine.org/ _(1.0.1 - 1.2)_
* "Apache":http://httpd.apache.org/ _(2.2)_
* "SELinux":http://www.selinuxproject.org/
* "CentOS":http://www.centos.org/ _(5.5 - 5.7)_

I will not go into installing these projects. The first three have excellent documentation on their own websites; Apache and SELinux ship with CentOS.


h3. What I wish to accomplish

Mostly, when SELinux is causing problems, the general advice is to disable it. And I know, it can be a real PITA! But it can provide lots of added security as well, so I wish to keep it running, at least in targeted mode. Some systems might have problems with a setup like this, such as servers under control of webhosting software. Please consider these things before trying this. I recommend using a test setup to start with.


h3. Assumptions

* You have at least some experience with commands such as _chown, chmod, chcon_ (change ownership, change permissions, change SELinux security label).
* The software referenced above has been installed in a pretty much default way as described on its website.
* The software runs well when SELinux is disabled or running in permissive mode.
* The same user account on the system (_apache_) is used to run Apache, Phusion Passenger, and thus Redmine. If not, adapt accordingly.
* The root user owns the website's files, and _apache_ is the group owner, meaning Apache cannot just write to any file or directory. If not, adapt accordingly.

Before executing the commands below, you will want to stop Apache, and start it again when finished.


h3. Acronyms and paths

* Ruby Enterprise Edition will be referred to as REE, and is installed in some path named ${RE}.
* Phusion Passenger will be referred to as PP, and is installed in some path named ${PP}. This will probably be some path below REE, such as ${RE}/lib/ruby/gems/1.8/gems/passenger-x.x.x.
* Redmine will be referred to as RM, and is installed in some path named ${RM}.
* The temporary directory you give Passenger through the _PassengerTempDir_ directive will be referred to as ${PP_TEMP_DIR}.
38
39
40
h3. Permissions
41
42
We are going to be dealing with two different sets of permissions here. First, there are the filesystem permissions. Files have to be readable, perhaps writable, or even executable by the webserver user. Second, there are the SELinux permissions. If filesystem permissions disallow access, then access is disallowed. If filesystem permissions allow access, then SELinux can still disallow access based upon its own set of rules.
43
44
The apache user runs with a certain security label that SELinux understands. Based upon this security label certain actions are allowed or disallowed. For example, the SELinux policy (= rules database) says that the process running with the security label _httpd_t_ (= apache) can listen on port 80. The policy also allows it to read files labeled _httpd_sys_content_t_.
45
46
We are going to make sure that the filesystem permissions as well as the SELinux permissions allow read/write/execute permissions where needed, using just existing SELinux labels, and that the two sets of permissions are in agreement with each other.
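Reading the denial records is the quickest way to tell which of the two permission layers is refusing access and which label is missing. The script below is an added example for this page, not part of the original wiki or of the attached scripts: it condenses AVC records from the audit log into one line per (source type, target type, object class) with the union of denied permissions, and maps the common cases to the labelling steps of this guide. The sample records embedded in it are constructed to look like CentOS 5 auditd output and are not captured from a real host, and the mapping in avc_hint is a heuristic limited to the labels used on this page.

```bash
#!/bin/sh
# Condense SELinux AVC denials into what matters while labelling a
# REE/Passenger/Redmine tree: which domain was refused which permission on
# which target type, and which step of this guide normally fixes it.
# Added example for this page, not part of the original wiki or of the
# attached scripts. Pure text processing, so it runs without SELinux.

# Constructed sample records in the CentOS 5 auditd format (not captured
# from a real host). Each AVC line is a denial one of the chcon steps in
# the guide is meant to prevent; the SYSCALL line shows that the filter
# ignores non-AVC records.
SAMPLE_AVC='type=AVC msg=audit(1323089001.100:101): avc:  denied  { execute } for  pid=2001 comm="httpd" name="mod_passenger.so" dev=dm-0 ino=40001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1323089002.200:102): avc:  denied  { execute } for  pid=2002 comm="httpd" name="ApplicationPoolServerExecutable" dev=dm-0 ino=40002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1323089003.300:103): avc:  denied  { write } for  pid=2003 comm="ruby" name="production.log" dev=dm-0 ino=40003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1323089004.400:104): avc:  denied  { create } for  pid=2004 comm="ruby" name="passenger.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1323089004.400:104): arch=40000003 syscall=102 success=no exit=-13 comm="ruby"
type=AVC msg=audit(1323089005.500:105): avc:  denied  { append } for  pid=2003 comm="ruby" name="production.log" dev=dm-0 ino=40003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_summary: read audit records on stdin and print, sorted, one line per
# (source type, target type, object class):
#   SRC TGT CLASS PERMS COUNT NAMES   e.g. "httpd_t usr_t file execute 2 ..."
avc_summary() {
    awk '
    function addonce(list, item) {
        if (index("," list ",", "," item ",")) return list
        return list == "" ? item : list "," item
    }
    /^type=AVC / && / denied / {
        perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = $0; sub(/.*scontext=[^:]*:[^:]*:/, "", src); sub(/:.*/, "", src)
        tgt = $0; sub(/.*tcontext=[^:]*:[^:]*:/, "", tgt); sub(/:.*/, "", tgt)
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        name = "-"
        if (match($0, /name="[^"]*"/)) name = substr($0, RSTART + 6, RLENGTH - 7)
        key = src " " tgt " " cls
        count[key]++
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) perms_of[key] = addonce(perms_of[key], p[i])
        names_of[key] = addonce(names_of[key], name)
    }
    END { for (k in count) print k, perms_of[k], count[k], names_of[k] }' | sort
}

# avc_hint TARGET_TYPE CLASS PERMS: the labelling step in this guide that
# normally removes the denial. A heuristic limited to the labels used on
# this page, not a replacement for audit2why.
avc_hint() {
    case "$1/$2/$3" in
        usr_t/file/*execute*)        echo "still usr_t: chcon -t bin_t (httpd_modules_t if it is mod_passenger.so)" ;;
        httpd_sys_content_t/file/*)  echo "read-only content: use httpd_sys_script_rw_t, or httpd_log_t for logs" ;;
        */sock_file/*|*/fifo_file/*) echo "socket or fifo: keep it under PassengerTempDir or RM/tmp labelled httpd_tmpfs_t" ;;
        *)                           echo "not covered by this guide; run audit2why on the record" ;;
    esac
}

# Stand-alone: summarise the log file given as first argument, else the sample.
if [ -n "${1:-}" ]; then
    avc_summary < "$1"
else
    printf '%s\n' "$SAMPLE_AVC" | avc_summary
fi | while read -r src tgt cls perms n names; do
    printf '%-8s %-20s %-10s %-13s x%-2s %s\n    -> %s\n' \
        "$src" "$tgt" "$cls" "$perms" "$n" "$names" "$(avc_hint "$tgt" "$cls" "$perms")"
done
```

On a live host, pass the log as the first argument (/var/log/audit/audit.log), or source the file and pipe the output of _ausearch -m avc_ into avc_summary. Grouping by type rather than by file is deliberate: one mislabelled tree produces hundreds of records, but only a handful of (domain, type, class) combinations, and each of those corresponds to exactly one chcon step on this page.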


h2. Ruby Enterprise Edition and Phusion Passenger


h3. Basic permissions

First, we will give the root user ownership and revoke all execute permissions on REE files. Then we will restore execute permissions on directories only, so they can be entered. Next we will set a default SELinux user and label, so REE can be used normally (actually, you'll need to follow the steps below as well for this to work, since at this point no binary or library is executable yet).

# Give the root user ownership:
<pre>chown -R root:root ${RE}</pre>
# Revoke all execute permissions, but allow the owner read/write, and everyone else read access:
<pre>chmod -R u=rw,g=r,o=r ${RE}</pre>
# Restore execute permissions for directories only (_note that the X in a+X here is a *capital* X: it sets the execute bit on directories and on files that are already executable for someone, and since the previous step cleared every execute bit, only directories are affected_):
<pre>chmod -R a+X ${RE}</pre>
# Set a default SELinux user and label (_chcon_ changes only the label stored with the file; a relabel or _restorecon_ resets it, see "Up until now" below):
<pre>chcon -R -u system_u -t usr_t ${RE}</pre>


h3. Libraries

Now we will restore execute permissions on REE shared libraries, and give them the SELinux label for library types. If the audit log later shows an _execmod_ denial for one of these libraries, that library needs the _textrel_shlib_t_ label instead of _lib_t_.

# Set execute permissions on all "*.so" files:
<pre>find -P ${RE} -type f -name "*.so*" -exec chmod a+x {} \;</pre>
# Set the SELinux library label on "*.so" files:
<pre>find -P ${RE} -type f -name "*.so*" -exec chcon -t lib_t {} \;</pre>
# Set execute permissions on "*.a" files:
<pre>find -P ${RE} -type f -name "*.a" -exec chmod a+x {} \;</pre>
# Set the SELinux library label on "*.a" files:
<pre>find -P ${RE} -type f -name "*.a" -exec chcon -t lib_t {} \;</pre>


h3. Binaries

Here we will restore execute permissions on REE binaries, and set their SELinux label.

# Set execute permissions on all files in _bin_ directories:
<pre>find -P ${RE} -type d -name "bin" -exec chmod -R a+x {} \;</pre>
# Set the SELinux binary label for all files in _bin_ directories:
<pre>find -P ${RE} -type d -name "bin" -exec chcon -R -t bin_t {} \;</pre>


h3. Apache module

Next we will make sure Apache can load Phusion Passenger as a module. SELinux has a label for that (_httpd_modules_t_); without it on the module file, apache will not be allowed to load it. Phusion Passenger in turn executes a file called _ApplicationPoolServerExecutable_, which must be executable as well. Since it is not in a _bin_ directory, the file has not been marked executable by the actions described above. Both files live in ${PP}/ext/apache2, the same path you use in the _LoadModule_ line of the Apache configuration.

# Enable Phusion Passenger to run the ApplicationPoolServerExecutable:
<pre>
chmod a+x ${PP}/ext/apache2/ApplicationPoolServerExecutable
chcon -t bin_t ${PP}/ext/apache2/ApplicationPoolServerExecutable
</pre>
# Enable Apache to run Phusion Passenger as a module:
<pre>
chmod a+x ${PP}/ext/apache2/mod_passenger.so
chcon -t httpd_modules_t ${PP}/ext/apache2/mod_passenger.so
</pre>


h3. More on Phusion Passenger: the temporary directory

Passenger needs a temporary directory it can write to. I suggest creating one that will only be used by PP, instead of the system default (/tmp), which, as far as I remember, does not work anyway when SELinux is enabled. See "this part":http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerTempDir of the documentation for some details.

The PP temporary directory is set by the _PassengerTempDir_ directive in Apache's configuration. Set it there, create the directory (referred to as ${PP_TEMP_DIR} here), and adjust permissions so that only the apache user can write to it and nobody else can enter it:

<pre>
chown -R apache:apache ${PP_TEMP_DIR}
chmod -R u=rwX,g=rX,o-rwx ${PP_TEMP_DIR}
chcon -R -u system_u -t httpd_tmpfs_t ${PP_TEMP_DIR}
</pre>

The _httpd_tmpfs_t_ label grants some additional rights needed by the passenger module, such as creating special files like sockets or fifos.


h3. Up until now

You can download the steps I have described up until now as a bash script file: attachment:RubyAndSELinux. Please do not just execute this file. Make sure you understand it, and change the filesystem paths near the top according to your setup.

There is also a script for making the SELinux changes persistent across a filesystem relabel: attachment:RubyAndSEmanage. Note that this does not change any filesystem permissions, nor does it apply the new contexts to the files; it only registers them with _semanage_, which is why it contains regular expressions. It includes the changes described in the Ruby Enterprise and Phusion Passenger part, except for the temporary directory. To apply the contexts to the filesystem, do a <pre>touch /.autorelabel</pre> and reboot (a full relabel), or run _restorecon_ recursively on just the paths concerned, which does not need a reboot. Again, make sure you know what you are doing! You might need to understand some regular expression syntax in order to adapt this file to your particular situation.


h2. Redmine

If you have made it this far using these instructions, then the next part will be easy to understand.

Redmine needs some directories to be writable to function. These are: ${RM}/log, ${RM}/tmp, ${RM}/files, and ${RM}/public/plugin_assets. Everything else stays read-only for the apache user, both by filesystem permissions (owned by root, group apache, no access for others, which also keeps the database password in config/database.yml away from other local users) and by SELinux label (_httpd_sys_content_t_ is readable but not writable by _httpd_t_).

First we set the basic permissions (_again, the X in ug+X is a *capital* X_):
<pre>
chown -R root:apache ${RM}
chmod -R u=rw,g=r,o-rwx ${RM}
chmod -R ug+X ${RM}
chcon -R -u system_u -t httpd_sys_content_t ${RM}
</pre>

And then we apply permissions for the individual writable directories. Each gets the label the policy intends for that kind of data: _httpd_log_t_ for logs, _httpd_tmpfs_t_ for temporary files and sockets, and _httpd_sys_script_rw_t_ for content Redmine must both read and write:
<pre>
chown -R apache:apache ${RM}/log
chcon -R -t httpd_log_t ${RM}/log

chown -R apache:apache ${RM}/tmp
chcon -R -t httpd_tmpfs_t ${RM}/tmp

chown -R apache:apache ${RM}/files
chcon -R -t httpd_sys_script_rw_t ${RM}/files

chown -R apache:apache ${RM}/public/plugin_assets
chcon -R -t httpd_sys_script_rw_t ${RM}/public/plugin_assets
</pre>

You can download the second part I have described as a bash script file as well: attachment:RedmineAndSELinux. Please do not just execute this file. Make sure you understand it, and change the filesystem paths near the top according to your setup.
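The chcon commands in the Ruby Enterprise/Passenger part and in this Redmine part set labels on the files only; a restorecon or a filesystem relabel resets them to whatever the policy's file contexts say, which is what the attached RubyAndSEmanage script addresses for the first part. The script below is an added example for this page, not the attachment and not code from Redmine, Passenger or REE: it generates the _semanage fcontext_ rules for both parts, the REE tree, the Passenger module and temporary directory, and the Redmine directories, prints them for review by default, and applies them followed by _restorecon_ when run with --apply. The four installation paths at the top are assumptions chosen to look like a typical CentOS 5 layout; override them through the environment.

```bash
#!/bin/sh
# Persistent SELinux file contexts for the labels used in this guide.
# Added example for this page; it is not the attached RubyAndSEmanage
# script and not part of Redmine, Passenger or REE. Prints the
# "semanage fcontext" commands for review; applies them only with --apply.
#
# All four paths are assumptions: override them in the environment.
RE=${RE:-/opt/ruby-enterprise-1.8.7-2011.03}               # REE prefix
PP=${PP:-$RE/lib/ruby/gems/1.8/gems/passenger-2.2.15}      # Passenger gem dir
RM=${RM:-/var/www/redmine}                                 # Redmine install
PP_TEMP_DIR=${PP_TEMP_DIR:-/var/run/passenger}             # PassengerTempDir

# re_escape PATH: turn a literal path into a file_contexts regex by
# escaping the dots; the other characters in these paths are not special.
re_escape() {
    printf '%s' "$1" | sed 's/[.]/\\./g'
}

# rule TYPE REGEX: print one semanage command (the SELinux user of a rule
# defaults to system_u, which is what the chcon -u calls above set by hand).
rule() {
    printf "semanage fcontext -a -t %s '%s'\n" "$1" "$2"
}

# fcontext_rules: the complete rule set. restorecon uses the last matching
# entry, so the general rule for a tree is emitted before the specific ones
# that override it inside that tree.
fcontext_rules() {
    re=$(re_escape "$RE"); pp=$(re_escape "$PP")
    rmd=$(re_escape "$RM"); tmp=$(re_escape "$PP_TEMP_DIR")

    # Ruby Enterprise Edition: usr_t by default, lib_t for libraries,
    # bin_t for everything in a bin directory
    rule usr_t "$re(/.*)?"
    rule lib_t "$re/.*\\.so.*"
    rule lib_t "$re/.*\\.a"
    rule bin_t "$re(/.*)?/bin(/.*)?"

    # Phusion Passenger: the helper it executes, the Apache module and
    # the directory named by PassengerTempDir
    rule bin_t           "$pp/ext/apache2/ApplicationPoolServerExecutable"
    rule httpd_modules_t "$pp/ext/apache2/mod_passenger\\.so"
    rule httpd_tmpfs_t   "$tmp(/.*)?"

    # Redmine: read-only content, plus the four writable directories
    rule httpd_sys_content_t   "$rmd(/.*)?"
    rule httpd_log_t           "$rmd/log(/.*)?"
    rule httpd_tmpfs_t         "$rmd/tmp(/.*)?"
    rule httpd_sys_script_rw_t "$rmd/files(/.*)?"
    rule httpd_sys_script_rw_t "$rmd/public/plugin_assets(/.*)?"
}

# apply_rules: register the rules and relabel the trees. Needs root and
# policycoreutils; semanage refuses a rule that already exists, so use
# "semanage fcontext -m" when changing one later.
apply_rules() {
    fcontext_rules | sh -e
    restorecon -Rv "$RE" "$RM" "$PP_TEMP_DIR"
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       fcontext_rules ;;
esac
```

Before applying, _matchpathcon_ on a few paths (the module, a library, ${RM}/files) shows what restorecon would assign once the rules are registered, and _semanage fcontext -l_ lists the local rules afterwards. Re-running with --apply after the rules exist fails with "already defined"; change a single rule with _semanage fcontext -m_ rather than re-adding it. Because the rules cover the whole trees, a later _restorecon_, the _/.autorelabel_ reboot, or a package update that triggers relabelling all end up with the same contexts as the chcon steps on this page.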


h2. Summary

* The default install of Ruby Enterprise Edition seems to have some executable permissions on *.rb files that I think should not be there. We've fixed this.
* The default SELinux label for files in the Ruby installation has been set to _usr_t_, for libraries to _lib_t_, for executables to _bin_t_, and for the Apache module (Phusion Passenger, aka mod_rails) to _httpd_modules_t_.
* Phusion Passenger has a working directory where it can store its files, uploads and sockets.
* Redmine can write to its logs, files directory, temporary directory, and plugin_assets directory.


h2. Notes

_(Note added by Alexander Kirillov.)_

_I would suggest sticking with Passenger 2.2.15. While it's possible to get 3.0.2 working, it will flood your audit log with denials._

<pre>
gem uninstall passenger
gem install passenger -v=2.2.15
passenger-install-apache2-module
</pre>