RedmineAndSELinuxOnCentOS » History » Version 1

Sascha Sanches, 2010-09-18 21:14
As the owner of phundamentals.com I've copied the article as-is to the installation wiki.

h1. Redmine, Phusion Passenger, Ruby Enterprise Edition, Apache and ... SELinux

_Disclaimer: Please make sure you understand the steps detailed below before applying them. I take no responsibility when things go wrong!! Especially software such as Security Enhanced Linux can cause any part of the system to malfunction. Please make sure you test this in an environment you can afford to reinstall, or that you are able to restore the system in another way to a good state. Keep in mind that this has been written with CentOS 5.5 in mind. Another distribution might do things differently. That being said, these instructions worked fine for me._

This guide has been tested with the following software and versions:

* "Ruby Enterprise Edition":http://www.rubyenterpriseedition.com/ _(1.8.7-2010.02)_
* "Phusion Passenger":http://www.modrails.com/ _(2.2.15)_
* "Redmine":http://www.redmine.org/ _(1.0.1)_
* "Apache":http://httpd.apache.org/ _(2.2)_
* "SELinux":http://www.selinuxproject.org/
* "CentOS":http://www.centos.org/ _(5.5)_

I will not go into installing these projects. The first three have excellent documentation on their own websites, and the last three come with the operating system.

h3. What I wish to accomplish

Mostly, when SELinux is causing problems, the general advice is to disable it. And I know, it can be a real PITA! But it can provide lots of added security as well, so I wish to try to keep it running, at least in targeted mode. Some systems might have problems with a setup like this, such as servers under the control of webhosting software. Please consider these things before trying this. I recommend using a test setup to start with.

h3. Assumptions

* You have at least some experience with commands such as _chown, chmod, chcon_ (change ownership, change permissions, change SELinux security label).
* The software referenced above has been installed in a pretty much default way as described on its website.
* The software runs well when SELinux is disabled or running in permissive mode.
* The same user account on the system is used to run Apache, Phusion Passenger, and thus Redmine. If not, adapt accordingly.
* The root user owns the website's files, and apache is the group owner, meaning Apache cannot just write to any file or directory. If not, adapt accordingly.

Before executing the commands below, you will want to stop Apache, and start it again when finished.

h3. Acronyms and paths

* Ruby Enterprise Edition will be referred to as RE (or REE), and is installed in some path named ${RE}.
* Phusion Passenger will be referred to as PP, and is installed in some path named ${PP}. This will probably be some path below RE, such as ${RE}/ruby/gems/1.8/gems/passenger-x.x.x.
* Redmine will be referred to as RM, and is installed in some path named ${RM}.

h3. Permissions

We are going to be dealing with two different sets of permissions here. First, there are the filesystem permissions. Files have to be readable, perhaps writable, or even executable by the webserver user. Second, there are the SELinux permissions. If the filesystem permissions disallow access, then access is disallowed. If the filesystem permissions allow access, then SELinux can still disallow it based upon its own set of rules. In other words, both sets have to allow an action for it to succeed.

The apache user runs with a certain security label that SELinux understands. Based upon this security label certain actions are allowed or disallowed. For example, the SELinux policy (= rules database) says that a process running with the security label _httpd_t_ (= apache) can listen on port 80. The policy also allows it to read files labeled _httpd_sys_content_t_.

We are going to make sure that the filesystem permissions as well as the SELinux permissions allow read/write/execute permissions where needed, using just existing SELinux labels, and that the two sets of permissions are in agreement with each other.

h2. Ruby Enterprise Edition and Phusion Passenger

h3. Basic permissions

First, we will give the root user ownership and revoke all execute permissions on REE files. Then we will restore execute permissions on directories only, so they can be entered. Next we will set a default SELinux user and label, so REE can be used normally (actually, you'll need to follow the steps below as well for this to work).

# Give the root user ownership:
<pre>chown -R root:root ${RE}</pre>
# Revoke all execute permissions, but allow the owner read/write, and everyone else read access:
<pre>chmod -R u=rw,g=r,o=r ${RE}</pre>
# Restore execute permissions for directories only (_note that the X in a+X here is a *capital* X_: it adds execute only to directories and to files that already have an execute bit, and since the previous step removed all execute bits, only directories are affected):
<pre>chmod -R a+X ${RE}</pre>
# Set a default SELinux user and label:
<pre>chcon -R -u system_u -t usr_t ${RE}</pre>

h3. Libraries

Now we will restore execute permissions on REE system libraries, and give them the SELinux label for library types.

# Set execute permissions on all "*.so" files (the pattern also matches versioned names such as "*.so.1"):
<pre>find -P ${RE} -type f -name "*.so*" -exec chmod a+x {} \;</pre>
# Set the SELinux library label on "*.so" files:
<pre>find -P ${RE} -type f -name "*.so*" -exec chcon -t lib_t {} \;</pre>
# Set execute permissions on "*.a" files:
<pre>find -P ${RE} -type f -name "*.a" -exec chmod a+x {} \;</pre>
# Set the SELinux library label on "*.a" files:
<pre>find -P ${RE} -type f -name "*.a" -exec chcon -t lib_t {} \;</pre>

h3. Binaries

Here we will restore execute permissions on REE binaries, and set their SELinux label.

# Set execute permissions on all files in _bin_ directories:
<pre>find -P ${RE} -type d -name "bin" -exec chmod -R a+x {} \;</pre>
# Set the SELinux binary label for all files in _bin_ directories:
<pre>find -P ${RE} -type d -name "bin" -exec chcon -R -t bin_t {} \;</pre>

h3. Apache module

Next we will make sure Apache can load Phusion Passenger as a module. SELinux contains a label for that (_httpd_modules_t_). Without this label on the module, Apache will not be allowed to load it. Phusion Passenger in turn executes a file called _ApplicationPoolServerExecutable_, which must be executable as well. Since it is not in a _bin_ directory, the file has not been marked executable by the actions described above.

# Enable Phusion Passenger to run the ApplicationPoolServerExecutable:
<pre>
chmod a+x ${PP}/etc/apache2/ApplicationPoolServerExecutable
chcon -t bin_t ${PP}/etc/apache2/ApplicationPoolServerExecutable
</pre>
# Enable Apache to run Phusion Passenger as a module:
<pre>
chmod a+x ${PP}/etc/apache2/mod_passenger.so
chcon -t httpd_modules_t ${PP}/etc/apache2/mod_passenger.so
</pre>

h3. More on Phusion Passenger: the temporary directory

Passenger needs a temporary directory where it can write to. I suggest creating one that will only be used by PP, instead of the system default, as I seem to remember this doesn't work anyway when SELinux is enabled. See "this part":http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerTempDir of the documentation for some details.

The PP temporary directory is set by the _PassengerTempDir_ directive in Apache's configuration. Set it there, create the directory (referred to as ${PP_TEMP_DIR} below), and adjust permissions:

<pre>
chown -R apache:apache ${PP_TEMP_DIR}
chmod -R u=rwX,g=rX,o-rwx ${PP_TEMP_DIR}
chcon -R -u system_u -t httpd_tmpfs_t ${PP_TEMP_DIR}
</pre>

The _httpd_tmpfs_t_ label grants some additional rights needed by the passenger module, such as creating special files like sockets or fifos.

h3. Up until now

You can download the steps I have described up until now as a bash script file: attachment:RubyAndSELinux. Please do not just execute this file. Make sure you understand it, and change the filesystem paths near the top according to your setup.

There is also a script for making the SELinux changes persistent across a filesystem relabel: attachment:RubyAndSEmanage. Note that this does not change any filesystem permissions, nor does it apply the policy. It covers the changes described in the Ruby Enterprise and Phusion Passenger part, except for the temporary directory. To apply the policy, do a

<pre>touch /.autorelabel</pre>

and reboot. Keep in mind that this relabels the entire filesystem on the next boot, not just the paths in the script. Again, make sure you know what you are doing! You might need to understand some regular expression syntax in order to adapt this file to your particular situation.
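The "Permissions" section above says the point of all this is that the filesystem bits and the SELinux labels end up in agreement. The script below is an added example for this wiki page (it is not one of the page's attachments, nor Passenger's or REE's own code): it encodes the label and execute-bit rules from the steps above as a function, runs a listing of files through it, and reports every file where the two disagree. The ${RE}, ${PP} and ${PP_TEMP_DIR} values and the listing itself are constructed sample data; a real run would feed it paths and types gathered with ls -Z under ${RE}.

```shell
#!/bin/sh
# Added example for this wiki page (not one of its attachments): compare a
# listing of REE/PP files against the SELinux types and execute bits the
# steps above assign, and report every disagreement. Paths and listing are
# constructed sample data.

RE="/opt/ruby-enterprise"                              # assumed ${RE}
PP="$RE/lib/ruby/gems/1.8/gems/passenger-2.2.15"       # assumed ${PP}
PP_TEMP_DIR="/var/run/passenger"                       # assumed ${PP_TEMP_DIR}

# SELinux type a path should carry, checked in the reverse order of the
# page's commands (a later chcon overrides an earlier one): the two Passenger
# files, the temp dir, anything under a "bin" directory, libraries, then usr_t.
expected_type() {
    case "$1" in
        "$PP"/etc/apache2/mod_passenger.so)                printf '%s\n' httpd_modules_t ;;
        "$PP"/etc/apache2/ApplicationPoolServerExecutable) printf '%s\n' bin_t ;;
        "$PP_TEMP_DIR"|"$PP_TEMP_DIR"/*)                   printf '%s\n' httpd_tmpfs_t ;;
        */bin|*/bin/*)                                     printf '%s\n' bin_t ;;
        *.so*|*.a)                                         printf '%s\n' lib_t ;;
        *)                                                 printf '%s\n' usr_t ;;
    esac
}

# A regular file gets an execute bit exactly when the steps above gave it a
# bin_t, lib_t or httpd_modules_t label; files left at usr_t (or living in the
# temp dir) must not be executable, as chmod -R u=rw,g=r,o=r enforced.
expected_exec() {
    case "$1" in usr_t|httpd_tmpfs_t) printf '%s\n' - ;; *) printf '%s\n' x ;; esac
}

# stdin: one "path current_type exec_flag" per line (exec_flag is x or -).
# stdout: one line per file that disagrees with the rules; status 1 if any.
audit_listing() {
    bad=0
    while read -r path cur flag; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path")
        wflag=$(expected_exec "$want")
        problems=""
        [ "$cur" = "$want" ]   || problems="type $cur should be $want"
        [ "$flag" = "$wflag" ] || problems="$problems${problems:+; }exec $flag should be $wflag"
        if [ -n "$problems" ]; then
            printf '%s: %s\n' "$path" "$problems"
            bad=1
        fi
    done
    return $bad
}

# Constructed listing: three of these eight entries disagree with the rules
# (a mislabelled static library, a stray execute bit on a .rb file, and the
# Passenger module still carrying the usr_t default).
sample_listing() {
    cat <<EOF
$RE/bin/ruby bin_t x
$RE/bin/gem bin_t x
$RE/lib/libruby.so.1.8 lib_t x
$RE/lib/libruby-static.a usr_t x
$RE/lib/ruby/1.8/net/http.rb usr_t x
$PP/etc/apache2/mod_passenger.so usr_t x
$PP/etc/apache2/ApplicationPoolServerExecutable bin_t x
$PP_TEMP_DIR/master/passenger.sock httpd_tmpfs_t -
EOF
}

# Demo on the constructed listing.
sample_listing | audit_listing || echo "disagreements found, see above"
```

Running the demo prints the three offending entries; the stray execute bit on a .rb file is exactly the kind of leftover the Summary at the bottom of this page mentions. Because expected_type() mirrors the order in which the page's chcon commands run, a file under a bin directory that happens to end in .so is expected to be bin_t, not lib_t, just as the commands leave it.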

h2. Redmine

If you have made it this far using these instructions, then the next part will be easy to understand.

Redmine needs some directories to be writable to function. These are: ${RM}/log, ${RM}/tmp, ${RM}/files, and ${RM}/public/plugin_assets.

First we set the basic permissions (_again, the X in ug+X is a *capital* X_):
<pre>
chown -R root:apache ${RM}
chmod -R u=rw,g=r,o-rwx ${RM}
chmod -R ug+X ${RM}
chcon -R -u system_u -t httpd_sys_content_t ${RM}
</pre>

And then we apply permissions for individual directories:
<pre>
chown -R apache:apache ${RM}/log
chcon -R -t httpd_log_t ${RM}/log

chown -R apache:apache ${RM}/tmp
chcon -R -t httpd_tmpfs_t ${RM}/tmp

chown -R apache:apache ${RM}/files
chcon -R -t httpd_sys_script_rw_t ${RM}/files

chown -R apache:apache ${RM}/public/plugin_assets
chcon -R -t httpd_sys_script_rw_t ${RM}/public/plugin_assets
</pre>

You can download the second part I have described as a bash script file as well: attachment:RedmineAndSELinux. Please do not just execute this file. Make sure you understand it, and change the filesystem paths near the top according to your setup.

h2. Summary

* The default install of Ruby Enterprise Edition seems to have some executable permissions on *.rb files that I think should not be there. We've fixed this.
* The default SELinux label for files in the Ruby installation has been set to _usr_t_, for libraries to _lib_t_, for executables to _bin_t_, and for the Apache module (Phusion Passenger, aka mod_rails) to _httpd_modules_t_.
* Phusion Passenger has a working directory where it can store its files, uploads and sockets.
* Redmine can write to its logs, files directory, temporary directory, and plugin_assets directory.