http://blog.endpoint.com/2010/02/selinux-httpd-modwsgi-26-rhel-centos-5.html
"""
WSGI Socket
When running in daemon mode, httpd and the mod_wsgi daemon communicate
via a UNIX socket file. This should usually have a context of
httpd_var_run_t. The standard Red Hat SELinux policy includes an entry
for /var/run/wsgi.* to use this context, so it makes sense to put the
socket there using the WSGISocketPrefix directive within your httpd
configuration:
WSGISocketPrefix run/wsgi
(Note that run/wsgi translates to /etc/httpd/run/wsgi which is
symlinked to /var/run/wsgi.)
"""
Can someone verify that?
Graham
For those that didn't notice, this blog, though useful, is not
directly from the Red Hat folks. Also it's apparently about CentOS 5
(a clone of RH Enterprise 5); both of which are a bit behind Red Hat's
bleeding edge, aka, Fedora. So it should apply to pretty much any
"modern" Red Hat based system.
That said, there's not much there that is mod_wsgi specific, but Red
Hat has concentrated much effort on Apache httpd rules, which directly
affects mod_wsgi.
> When running in daemon mode, httpd and the mod_wsgi daemon communicate
> via a UNIX socket file. This should usually have a context of
> httpd_var_run_t. The standard Red Hat SELinux policy includes an entry
> for /var/run/wsgi.* to use this context, so it makes sense to put the
> socket there using the WSGISocketPrefix directive within your httpd
> configuration:
>
> WSGISocketPrefix run/wsgi
Yes, this is basically what I had done, and it is the minimal needed
to make mod_wsgi runnable with SELinux (there are of course other
ways, but setting the prefix to fall under /var/run/httpd is the
easiest).
Note that you don't need to enable the 'httpd_can_network_connect'
boolean as the blog mentions -- mod_wsgi will run just fine with it
disabled. However if your app needs to make network connections
elsewhere then you need to change that boolean.
> (Note that run/wsgi translates to /etc/httpd/run/wsgi which is
> symlinked to /var/run/wsgi.)
> """
Correction, the symlink goes to /var/run/httpd/wsgi
Actually you don't technically need the wsgi sub-directory. You can
set the prefix to just "run" .. aka /var/run/httpd
When set up correctly, you can use "ls -lZ" to see what the socket's
SELinux security contexts should look like. For example,
srwx------. apache root unconfined_u:object_r:httpd_var_run_t:s0
/var/run/httpd/wsgi.24668.0.1.sock=
srwx------. apache root unconfined_u:object_r:httpd_var_run_t:s0
/var/run/httpd/wsgi.24668.0.2.sock=
Most important is the file context portion, which is "httpd_var_run_t".
> Can someone verify that?
Yes, this is a correct procedure for using mod_wsgi on Red Hat systems
with SELinux enabled.
The Red Hat developers are always improving the default SELinux
profiles, and so depending on how new your distro version is, you may
find more and more fine tunability built in without having to edit or
create your own security rules directly. To find the set of SELinux
booleans (i.e., tunables) on your system, run this:
# getsebool -a | grep httpd
Of course SELinux can be much more involved. For instance if you need
to connect to MySQL databases, etc. Also we recently discovered a
strange SELinux conflict with the standard Python "ctypes" module
(imported by the "uuid" module) which causes mod_wsgi apps to crash --
because ctypes tries to create and then execute files under /tmp ...
an action which Red Hat's SELinux rules forbid for the httpd process.
--
Deron Meranda
http://deron.meranda.us/
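The "ls -lZ" check described in the post above, turned into a small script. This is an added example, not code from the thread or from mod_wsgi: it parses ls -lZ style lines, pulls out the SELinux type field of each socket's context, and reports any socket whose type is not httpd_var_run_t. The two sample lines are constructed from the format shown in the post (one correctly labelled socket, one assumed mislabelled one) so the script runs offline; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that mod_wsgi daemon
# sockets carry the httpd_var_run_t SELinux type, as the post describes.

# Print the SELinux type of one line of `ls -lZ` output.
# The context is found as the whitespace-separated field containing the
# ":object_r:" role (files always have the object_r role), so this works
# whether or not ls prints size/date columns. The type is the third
# colon-separated part: user:role:type:level.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:object_r:/) { split($i, ctx, ":"); print ctx[3]; exit }
    }'
}

# Read ls -lZ lines on stdin; print ok/BAD per line.
# Returns 0 if every socket has type httpd_var_run_t, 1 otherwise.
check_wsgi_sockets() {
    _bad=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        t=$(selinux_type_of "$line")
        if [ "$t" = "httpd_var_run_t" ]; then
            echo "ok   $line"
        else
            echo "BAD  $line   (type is '${t:-none}', expected httpd_var_run_t)"
            _bad=1
        fi
    done
    return $_bad
}

# Constructed sample input (not real ls output): the first line is labelled as
# in the post; the second is an assumed wrong label (var_run_t) for contrast.
SAMPLE='srwx------. apache root unconfined_u:object_r:httpd_var_run_t:s0 /var/run/httpd/wsgi.24668.0.1.sock=
srwx------. apache root unconfined_u:object_r:var_run_t:s0 /var/run/httpd/wsgi.24668.0.2.sock='

# Stand-alone demo; on a real host replace the printf with:
#   ls -lZ /var/run/httpd/wsgi.* | check_wsgi_sockets
printf '%s\n' "$SAMPLE" | check_wsgi_sockets || echo "at least one socket is mislabelled"
```

If a socket shows some other type, the fix suggested by the post is to move the WSGISocketPrefix under /var/run/httpd rather than relabelling the socket by hand, since the daemon recreates the socket on every httpd restart and will get its label from the policy's file-context entry for that path.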