Re: [phusion-passenger] Run passenger applications in separate selinux security domains

Hongli Lai

Sep 24, 2012, 6:21:10 PM
to phusion-...@googlegroups.com
Great work! Let's take the discussion to the issue tracker.

On Fri, Sep 21, 2012 at 6:29 PM, iandall <i...@beware.dropbear.id.au> wrote:
> Currently passenger applications run in the same selinux domain as each
> other and as the server.
>
> This causes a number of problems. For example, on a Fedora 17 system, there
> is a puppet selinux module, but it assumes puppet runs in the puppet_t
> domain. If puppet is run as a passenger application, it will be in the
> passenger_t domain. Adding all the puppet rules to the passenger module is
> sub-optimal!
>
> I have devised a way to get passenger to switch security domains for
> applications. I have tested it for conservative, smart and smartlv2 spawn
> methods. Currently only the apache module and rack applications are
> supported, but it could easily be extended. The apache specific bit is just
> handling the extra options.
>
> I have reported this as issue 798 [patch included] (BTW I can't see a way to
> change the type to "enhancement" so it shows as a "defect").
>
> It would be great if this could be adopted.
>



--
Phusion | Ruby & Rails deployment, scaling and tuning solutions

Web: http://www.phusion.nl/
E-mail: in...@phusion.nl
Chamber of commerce no: 08173483 (The Netherlands)