| author | Miroslav Grepl <mgrepl@redhat.com> | 2010-09-07 14:46:08 +0200 |
|---|---|---|
| committer | Miroslav Grepl <mgrepl@redhat.com> | 2010-09-07 14:46:08 +0200 |
| commit | 3b0077d21cfb6f284d4baa2d8fb511613229b655 (patch) | |
| tree | 4a30d42194476c3472dfd902cffe20c17b6251e5 | |
| parent | 8232f3574bdd332a5aeb046ed03642b3817591c7 (diff) | |
| download | test_policy_modules-3b0077d21cfb6f284d4baa2d8fb511613229b655.tar.gz test_policy_modules-3b0077d21cfb6f284d4baa2d8fb511613229b655.tar.xz test_policy_modules-3b0077d21cfb6f284d4baa2d8fb511613229b655.zip | |
- Add passenger.sh install script
- Rename mod_passanger.* files to appropriate name
- Fixes for passenger policy
- Add /var/run/passenger directory
| -rw-r--r-- | mod_passanger.fc | 4 | ||||
| -rw-r--r-- | mod_passanger.if | 1 | ||||
| -rw-r--r-- | mod_passanger.te | 103 | ||||
| -rw-r--r-- | passenger.fc | 7 | ||||
| -rw-r--r-- | passenger.if | 68 | ||||
| -rwxr-xr-x | passenger.sh | 17 | ||||
| -rw-r--r-- | passenger.te | 76 |
7 files changed, 168 insertions, 108 deletions
diff --git a/mod_passanger.fc b/mod_passanger.fc
deleted file mode 100644
index f925d50..0000000
--- a/mod_passanger.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-
-/usr/lib(64)?/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:httpd_passenger_exec_t,s0)
-
-/var/lib/passenger(/.*)? gen_context(system_u:object_r:httpd_passenger_var_lib_t,s0)
diff --git a/mod_passanger.if b/mod_passanger.if
deleted file mode 100644
index 3eb6a30..0000000
--- a/mod_passanger.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary></summary>
diff --git a/mod_passanger.te b/mod_passanger.te
deleted file mode 100644
index ca0d9fe..0000000
--- a/mod_passanger.te
+++ /dev/null
@@ -1,103 +0,0 @@
-
-policy_module(mod_passanger,1.0)
-
-########################################
-#
-# Declarations
-#
-
-## <desc>
-## <p>
-## Allow httpd to use mod_passenger
-## </p>
-## </desc>
-gen_tunable(httpd_use_passenger, false)
-
-type httpd_passenger_t;
-type httpd_passenger_exec_t;
-domain_type(httpd_passenger_t)
-domain_entry_file(httpd_passenger_t, httpd_passenger_exec_t)
-role system_r types httpd_passenger_t;
-
-type httpd_passenger_tmp_t;
-files_tmp_file(httpd_passenger_tmp_t)
-
-type httpd_passenger_var_lib_t;
-files_type(httpd_passenger_var_lib_t)
-
-type httpd_passenger_rw_content_t;
-files_type(httpd_passenger_rw_content_t)
-
-#permissive httpd_passenger_t;
-
-#### apache section ####
-
-require{
- type httpd_t;
- type httpd_sys_content_t;
- type httpd_log_t;
- type httpd_tmp_t;
-}
-
-
-manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-manage_fifo_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-files_tmp_filetrans(httpd_t, httpd_tmp_t, { sock_file fifo_file })
-
-optional_policy(`
- tunable_policy(`httpd_use_passenger',`
-
- # needed by /tmp/passenger/
- allow httpd_t self:capability { fowner fsetid };
-
- allow httpd_t httpd_passenger_t:process signal;
-
- domtrans_pattern(httpd_t, httpd_passenger_exec_t, httpd_passenger_t)
- allow httpd_t httpd_passenger_t:unix_stream_socket { read write shutdown };
-
- manage_dirs_pattern(httpd_passenger_t, httpd_tmp_t, httpd_tmp_t)
- manage_files_pattern(httpd_passenger_t, httpd_tmp_t, httpd_tmp_t)
- manage_fifo_files_pattern(httpd_passenger_t, httpd_tmp_t, httpd_tmp_t)
- manage_sock_files_pattern(httpd_passenger_t, httpd_tmp_t, httpd_tmp_t)
-
- read_files_pattern(httpd_t, httpd_passenger_var_lib_t, httpd_passenger_var_lib_t)
- ')
-')
-
-########################################
-#
-# Apache mod_passanger local policy
-#
-
-# /tmp/passenger/
-allow httpd_passenger_t self:capability dac_override;
-allow httpd_passenger_t self:process signal;
-
-allow httpd_passenger_t self:fifo_file rw_fifo_file_perms;
-allow httpd_passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
-allow httpd_passenger_t httpd_t:unix_stream_socket { read write };
-
-# allow passenger to read and append to apache logfiles
-allow httpd_passenger_t httpd_log_t:file { append_file_perms };
-
-read_files_pattern(httpd_passenger_t, httpd_sys_content_t, httpd_sys_content_t)
-
-rw_dirs_pattern(httpd_passenger_t, httpd_passenger_rw_content_t, httpd_passenger_rw_content_t)
-rw_files_pattern(httpd_passenger_t, httpd_passenger_rw_content_t, httpd_passenger_rw_content_t)
-
-manage_dirs_pattern(httpd_passenger_t, httpd_passenger_var_lib_t, httpd_passenger_var_lib_t)
-manage_files_pattern(httpd_passenger_t, httpd_passenger_var_lib_t, httpd_passenger_var_lib_t)
-
-kernel_read_kernel_sysctls(httpd_passenger_t)
-
-corecmd_exec_bin(httpd_passenger_t)
-
-dev_read_urand(httpd_passenger_t)
-
-files_read_etc_files(httpd_passenger_t)
-
-#auth_use_nsswitch(httpd_passenger_t)
-
-miscfiles_read_localization(httpd_passenger_t)
-
diff --git a/passenger.fc b/passenger.fc
new file mode 100644
index 0000000..895a4d9
--- /dev/null
+++ b/passenger.fc
@@ -0,0 +1,7 @@
+
+/usr/lib(64)?/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
+
+/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
+
+
+/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_state_t,s0)
diff --git a/passenger.if b/passenger.if
new file mode 100644
index 0000000..e738452
--- /dev/null
+++ b/passenger.if
@@ -0,0 +1,68 @@
+## <summary>Passenger policy</summary>
+
+######################################
+## <summary>
+## Execute passenger in the passenger domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`passenger_domtrans',`
+ gen_require(`
+ type passenger_t;
+ ')
+
+ allow $1 self:capability { fowner fsetid };
+
+ allow $1 passenger_t:process signal;
+
+ domtrans_pattern($1, passenger_exec_t, passenger_t)
+ allow $1 passenger_t:unix_stream_socket { read write shutdown };
+ allow passenger_t $1:unix_stream_socket { read write };
+')
+
+######################################
+## <summary>
+## Manage passenger state content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`passenger_manage_state_content',`
+ gen_require(`
+ type passenger_state_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, passenger_state_t, passenger_state_t)
+ manage_files_pattern($1, passenger_state_t, passenger_state_t)
+ manage_fifo_files_pattern($1, passenger_state_t, passenger_state_t)
+ manage_sock_files_pattern($1, passenger_state_t, passenger_state_t)
+')
+
+########################################
+## <summary>
+## Read passenger lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`passenger_read_lib_files',`
+ gen_require(`
+ type passenger_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+')
+
diff --git a/passenger.sh b/passenger.sh
new file mode 100755
index 0000000..a026c3c
--- /dev/null
+++ b/passenger.sh
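Review bot: `passenger_domtrans` passes `passenger_exec_t` to `domtrans_pattern` but its `gen_require` lists only `passenger_t`, so the interface carries an undeclared dependency as soon as another module calls it; add `type passenger_exec_t;` next to `type passenger_t;` in that `gen_require` block. The same interface also grants `allow $1 self:capability { fowner fsetid };` to the caller, which is not part of a domain transition, and the old `# needed by /tmp/passenger/` rationale was dropped in the rename; keep a why-comment on that line, or move the grant into its own interface so callers opt in deliberately. The `<param>` summary of `passenger_read_lib_files` reads `Domain to not audit.`, which is dontaudit-template text for an interface that allows access; it should say `Domain allowed access.` like the interface above it.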
@@ -0,0 +1,17 @@
+#!/bin/sh -e
+
+DIRNAME=`dirname $0`
+cd $DIRNAME
+USAGE="$0 [ --update ]"
+if [ `id -u` != 0 ]; then
+echo 'You must be root to run this script'
+exit 1
+fi
+
+echo "Building and Loading Policy"
+set -x
+make -f /usr/share/selinux/devel/Makefile
+/usr/sbin/semodule -i mod_passanger.pp
+
+/sbin/restorecon -F -R -v /var/lib/passenger /var/run/passenger
+/sbin/restorecon -F -R -v "/usr/lib/ruby/gems/1.8/gems/passenger-2.2.15/ext/apache2/ApplicationPoolServerExecutable"
diff --git a/passenger.te b/passenger.te
new file mode 100644
index 0000000..be9d06d
--- /dev/null
+++ b/passenger.te
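Review bot: `/usr/sbin/semodule -i mod_passanger.pp` installs a package this commit no longer produces: the only policy source left is `passenger.te`, so the refpolicy devel Makefile builds `passenger.pp` and the script fails right after `make` (with `-e` it exits before relabeling anything); change the line to `/usr/sbin/semodule -i passenger.pp`. The last `restorecon` hard-codes a single gem path (`ruby/gems/1.8/gems/passenger-2.2.15` under `/usr/lib`) while `passenger.fc` matches any passenger version and `/usr/lib64` too, so installs that differ from this one are left with the wrong label on the executable; relabeling the gems directory the `.fc` pattern covers would keep the two in step. `cd $DIRNAME` and `` `dirname $0` `` should be quoted, and `USAGE` is assigned but never used.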
@@ -0,0 +1,76 @@
+
+policy_module(mod_passanger,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type passenger_t;
+type passenger_exec_t;
+domain_type(passenger_t)
+domain_entry_file(passenger_t, passenger_exec_t)
+role system_r types passenger_t;
+
+type passenger_tmp_t;
+files_tmp_file(passenger_tmp_t)
+
+type passenger_var_lib_t;
+files_type(passenger_var_lib_t)
+
+type passenger_state_t;
+files_pid_file(passenger_state_t)
+
+type passenger_rw_content_t;
+files_type(passenger_rw_content_t)
+
+#permissive httpd_passenger_t;
+
+#### apache section ####
+
+require{
+ type httpd_t;
+}
+
+optional_policy(`
+ passenger_domtrans(httpd_t)
+ passenger_manage_state_content(httpd_t)
+ passenger_read_lib_files(httpd_t)
+')
+
+########################################
+#
+# Apache mod_passanger local policy
+#
+
+allow passenger_t self:capability dac_override;
+allow passenger_t self:process signal;
+
+allow passenger_t self:fifo_file rw_fifo_file_perms;
+allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_dirs_pattern(passenger_t, passenger_state_t, passenger_state_t)
+manage_files_pattern(passenger_t, passenger_state_t, passenger_state_t)
+manage_fifo_files_pattern(passenger_t, passenger_state_t, passenger_state_t)
+manage_sock_files_pattern(passenger_t, passenger_state_t, passenger_state_t)
+
+rw_dirs_pattern(passenger_t, passenger_rw_content_t, passenger_rw_content_t)
+rw_files_pattern(passenger_t, passenger_rw_content_t, passenger_rw_content_t)
+
+manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+
+kernel_read_kernel_sysctls(passenger_t)
+
+corecmd_exec_bin(passenger_t)
+
+dev_read_urand(passenger_t)
+
+files_read_etc_files(passenger_t)
+
+miscfiles_read_localization(passenger_t)
+
+optional_policy(`
+ apache_append_log(passenger_t)
+ apache_read_sys_content(passenger_t)
+')
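Review bot: `policy_module(mod_passanger,1.0)` keeps the old module name in a file now called `passenger.te`, so the loaded module is registered as `mod_passanger` while the package and interface file are named `passenger`; rename it to `policy_module(passenger, 1.0)`. The top-level `require{ type httpd_t; }` makes the module fail to load on a system without the apache policy, which defeats the `optional_policy` wrapper around the three `passenger_*(httpd_t)` calls; moving it into a `gen_require` inside that optional block keeps the apache coupling optional. `allow passenger_t self:capability dac_override;` lost its `# /tmp/passenger/` comment in the rename and the tmp-directory rules that comment explained are gone too, so this permission-bypass capability now has no stated justification; either restore a why-comment or confirm it is still needed now that runtime state lives under `/var/run/passenger`. Two leftovers look stale: `passenger_tmp_t` is declared but no rule references it, and `#permissive httpd_passenger_t;` names a type that no longer exists.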
