Re: Re: simple question with home serving ruby on rails web site

Craig White craigwhite at azapple.com
Mon Jun 23 13:06:42 UTC 2008


On Mon, 2008-06-23 at 08:56 -0400, Daniel J Walsh wrote:
> Craig White wrote:
> > On Mon, 2008-06-16 at 13:29 +0100, Paul Howarth wrote:
> >> Craig White wrote:
> >>> On Mon, 2008-06-16 at 11:39 +0100, Paul Howarth wrote:
> >>>> Craig White wrote:
> >>>>> On Sat, 2008-06-14 at 16:51 +0100, Paul Howarth wrote:
> >>>>>> On Sat, 14 Jun 2008 08:05:56 -0700
> >>>>>> Craig White <craigwhite at azapple.com> wrote:
> >>>>> I'm a bit confused myself because in essence, httpd is just a proxy to
> >>>>> the ruby/rails 'mongrel' which is a http server in ruby running the ruby
> >>>>> processes and is providing dhtml on higher ports as the user.
> >>>>>
> >>>>> FWIW...httpd runs as user 'apache' (as usual)
> >>>>>     mongrels run as regular 'user' (me)
> >>>>>     all files and folders inside the subdirectory we are discussing...
> >>>>>     (/home/craig/svn-new) are owned by me (not root, not apache)
> >>>> The conventional unix ownership and permissions make very little 
> >>>> difference as far as SELinux is concerned, so although you need to get 
> >>>> them right, they're not going to affect the file contexts needed.
> >>>>
> >>>> What context is mongrels running in (try the -Z option of ps)? How does 
> >>>> that process get started (via an initscript?)?
> >>> ----
> >>> yes, a SysV initscript...(running 2 mongrels at present... port & pid
> >>> #'s 3000 & 3001)
> >>>
> >>> # ps auxZ|grep mongrel
> >>> unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh root 7079
> >>> 0.0  0.0 4120 732 pts/6 S+ 05:02   0:00 grep mongrel
> >>> root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27313 0.0  3.0 45068
> >>> 30164 ?  Sl   Jun15   0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d
> >>> -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5
> >>> --user craig --group craig -p 3000 -P log/mongrel.3000.pid -l
> >>> log/mongrel.3000.log
> >>> root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27316 0.0  2.9 45052
> >>> 29468 ?  Sl   Jun15   0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d
> >>> -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5
> >>> --user craig --group craig -p 3001 -P log/mongrel.3001.pid -l
> >>> log/mongrel.3001.log
> >>> ----
> >> OK, so they're running as unconfined_t at the moment.
> >>
> >>> I could conceivably run the mongrels as user 'apache' except that the
> >>> permissions on some of the folders would have to be changed because
> >>> there are some directories that files are written into by the ruby web
> >>> server...so I try to just run as user.
> >> Don't change anything about the regular Unix permissions at the moment; 
> >> I guess that for a production server you'd create a separate account for 
> >> the Ruby stuff to run as.
> >>
> >> What would be an interesting experiment would be to run the Ruby stuff 
> >> in the same SELinux context as httpd. Try changing the context type of 
> >> /usr/bin/mongrel_rails to httpd_exec_t and restart the services.
> >>
> >> # chcon -t httpd_exec_t /usr/bin/mongrel_rails
> >>
> >> I'm not sure whether this will make things better or worse but it should 
> >> eliminate some problems for the two httpd-like bits talking to each other.
> > ----
> > that seems to have cleared things up - I had to restart both
> > mongrel_cluster service and then the httpd service - I did get an error
> > the first time through but subsequent restarts seem to have cleared it
> > up.
> > 
> > Thanks

> Is this the correct context for mongrel_rails?  IE Is this basically a
> http web server?  How does it get started on boot?
----
seems to be the correct context for mongrel_rails - the sealerts have
stopped.

Yes, mongrel_rails is essentially a ruby language web server which runs
as 'user' on a high numbered port and, as is the typical configuration, uses
apache (httpd) to proxy the connections to a number of
'mongrels' (configurable) to spread the connections since rails itself
is not thread safe.

It is started at boot by a sysv initscript.

Craig
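The check Paul asked for earlier in the thread (what domain the mongrels are actually running in, via `ps -Z`) is easy to automate so it can be re-run after every restart. The script below is an added example and is not code from the thread or from the mongrel project; it parses `ps auxZ`-style output offline from a constructed sample modelled on the lines Craig posted, pulls the SELinux type out of the context label, and reports any mongrel_rails process that is not in the domain you expect (here `httpd_t`, the domain a process enters when its executable is labelled `httpd_exec_t`). The sample lines, pids and the `SAMPLE_PS*` variable names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): parse ps -Z style output and flag
# processes that are not running in the expected SELinux domain.

# Constructed sample of `ps auxZ | grep mongrel_rails`, modelled on the
# thread: one mongrel still in unconfined_t, one already running in
# httpd_t after mongrel_rails was relabelled httpd_exec_t and restarted.
SAMPLE_PS='root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27313 0.0 3.0 45068 30164 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -p 3000
system_u:system_r:httpd_t:s0 craig 27316 0.0 2.9 45052 29468 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -p 3001'

# Constructed sample where both mongrels have been restarted correctly.
SAMPLE_PS_OK='system_u:system_r:httpd_t:s0 craig 27401 0.0 3.0 45068 30164 ? Sl Jun23 0:01 /usr/bin/ruby /usr/bin/mongrel_rails start -p 3000
system_u:system_r:httpd_t:s0 craig 27404 0.0 2.9 45052 29468 ? Sl Jun23 0:01 /usr/bin/ruby /usr/bin/mongrel_rails start -p 3001'

# Extract the type (third colon-separated field) from a context label
# such as root:unconfined_r:unconfined_t:-s0:c0.c255 -> unconfined_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print "pid type" for every line of ps -Z output ($1) whose command
# matches the pattern in $2. Columns: LABEL USER PID ... so $1 is the
# context label and $3 is the pid.
process_types() {
    printf '%s\n' "$1" | grep -- "$2" |
        awk '{ split($1, ctx, ":"); print $3, ctx[3] }'
}

# Return 0 when every process matching $2 in the ps text $1 runs in the
# domain $3; otherwise list the offenders on stderr and return 1.
check_domain() {
    ps_text=$1; pattern=$2; expected=$3
    bad=$(process_types "$ps_text" "$pattern" |
        awk -v want="$expected" '$2 != want { print }')
    if [ -n "$bad" ]; then
        printf 'processes not in %s (pid type):\n%s\n' "$expected" "$bad" >&2
        return 1
    fi
    return 0
}

# On a live box you would feed `ps auxZ` in instead of the sample:
#   check_domain "$(ps auxZ)" mongrel_rails httpd_t
check_domain "$SAMPLE_PS" mongrel_rails httpd_t ||
    echo "relabel /usr/bin/mongrel_rails and restart the mongrel_cluster service"
```

Two points worth keeping in mind when using this. First, `chcon` changes only the on-disk label, so a later `restorecon` or a full filesystem relabel will put `/usr/bin/mongrel_rails` back to its default type; to make the `httpd_exec_t` label survive that, record it with `semanage fcontext -a -t httpd_exec_t /usr/bin/mongrel_rails` and then run `restorecon -v /usr/bin/mongrel_rails`. Second, a domain transition only happens when the process is started fresh from the relabelled file, which is why the mongrels in the thread had to be restarted before `ps -Z` showed the new context; a check like the one above run after each restart confirms that nothing is still lingering in `unconfined_t`.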