SELinux with passenger/puppet

I tried to install Passenger to serve the puppetmaster's application on my network.

The installation was easy, but running httpd under SELinux was pretty hard. I found a solution, an SELinux policy module, on this website.

I completed it with an additional rule allowing sock_file write. The result is below (file puppet_passenger.te):

module puppet_passenger 1.10;
 
require {
    type bin_t;
    type devpts_t;
    type httpd_t;
    type passenger_t;
    type passenger_tmp_t;
    type puppet_log_t;
    type puppet_var_lib_t;
    type port_t;
    type proc_net_t;
    type rpm_var_lib_t;
 
    class process { getattr siginh setexec sigchld noatsecure transition rlimitinh };
    class unix_stream_socket { getattr accept read write };
    class capability { sys_resource sys_ptrace };
    class file { entrypoint open create relabelfrom relabelto getattr setattr read write append ioctl lock rename link unlink };
    class lnk_file { getattr read };
    class udp_socket name_bind;
    class sock_file write;
    class dir { create getattr setattr add_name remove_name search open read write ioctl lock rmdir };
}
 
#============= httpd_t ==============
allow httpd_t passenger_tmp_t:sock_file write;
allow httpd_t port_t:udp_socket name_bind;
 
allow httpd_t proc_net_t:file { read getattr open };
 
allow httpd_t rpm_var_lib_t:dir { search getattr };
allow httpd_t rpm_var_lib_t:file open;
 
allow httpd_t bin_t:file entrypoint;
 
allow httpd_t passenger_t:process sigchld;
allow httpd_t passenger_t:unix_stream_socket { getattr accept read write };
 
puppet_manage_lib(httpd_t)
puppet_search_log(httpd_t)
puppet_search_pid(httpd_t)
allow httpd_t puppet_log_t:dir { setattr };
allow httpd_t puppet_log_t:file { setattr };
allow httpd_t puppet_var_lib_t:dir { create rmdir };
allow httpd_t puppet_var_lib_t:file { relabelfrom relabelto };
 
#============= passenger_t ==============
allow passenger_t devpts_t:dir search;
allow passenger_t httpd_t:process { siginh rlimitinh transition noatsecure };
allow passenger_t self:capability { sys_resource sys_ptrace };
allow passenger_t self:process setexec;
 
ps_process_pattern(passenger_t, httpd_t)
domain_read_all_domains_state(passenger_t)

And to compile it:

make -f /usr/share/selinux/devel/Makefile
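Modules built this way from audit2allow output grant exactly what the audit log asked for, which is often more than the service needs, so the module is worth a read before it is compiled and loaded. The following script is an added example, not part of the post: it parses a .te module, checks that every type used in allow rules and interface calls is declared in the require block, and lists the rules that a reviewer should justify for a web-facing domain. The module text is a condensed copy of puppet_passenger.te above (class declarations and blank lines dropped); the watch list of risky permissions is this example's own choice, not an SELinux constant.

```python
"""Static review of an SELinux type-enforcement (.te) module before loading it."""
import re

# Reviewer's watch list (an assumption of this example, not an SELinux constant):
# (object class, permission) -> why it deserves a justification.
RISKY_PERMS = {
    ("capability", "sys_ptrace"): "inspect or attach to other processes",
    ("capability", "sys_resource"): "override resource limits",
    ("file", "relabelfrom"): "change security labels of files",
    ("file", "relabelto"): "change security labels of files",
    ("file", "entrypoint"): "new executable allowed to enter the domain",
    ("process", "transition"): "domain transition",
    ("process", "setexec"): "choose the domain of the next exec",
}
RISKY_INTERFACES = {
    "domain_read_all_domains_state": "read /proc state of every domain",
}

# allow <source> <target>:<class> <perm | { perms }>;
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;", re.M)
REQUIRE_RE = re.compile(r"require\s*\{(.*?)\n\}", re.S)
TYPE_RE = re.compile(r"\btype\s+(\w+)\s*;")
IFACE_RE = re.compile(r"^\s*(\w+)\s*\(([^)]*)\)\s*$", re.M)   # refpolicy interface call

# Condensed copy of the puppet_passenger.te module from the post
# (class declarations and blank lines dropped; types and rules unchanged).
PAGE_MODULE = """\
module puppet_passenger 1.10;
require {
    type bin_t; type devpts_t; type httpd_t; type passenger_t;
    type passenger_tmp_t; type puppet_log_t; type puppet_var_lib_t;
    type port_t; type proc_net_t; type rpm_var_lib_t;
}
allow httpd_t passenger_tmp_t:sock_file write;
allow httpd_t port_t:udp_socket name_bind;
allow httpd_t proc_net_t:file { read getattr open };
allow httpd_t rpm_var_lib_t:dir { search getattr };
allow httpd_t rpm_var_lib_t:file open;
allow httpd_t bin_t:file entrypoint;
allow httpd_t passenger_t:process sigchld;
allow httpd_t passenger_t:unix_stream_socket { getattr accept read write };
puppet_manage_lib(httpd_t)
puppet_search_log(httpd_t)
puppet_search_pid(httpd_t)
allow httpd_t puppet_log_t:dir { setattr };
allow httpd_t puppet_log_t:file { setattr };
allow httpd_t puppet_var_lib_t:dir { create rmdir };
allow httpd_t puppet_var_lib_t:file { relabelfrom relabelto };
allow passenger_t devpts_t:dir search;
allow passenger_t httpd_t:process { siginh rlimitinh transition noatsecure };
allow passenger_t self:capability { sys_resource sys_ptrace };
allow passenger_t self:process setexec;
ps_process_pattern(passenger_t, httpd_t)
domain_read_all_domains_state(passenger_t)
"""


def parse_te(src):
    """Return (declared types, allow rules, interface calls) from .te source."""
    block = REQUIRE_RE.search(src)
    declared = set(TYPE_RE.findall(block.group(1))) if block else set()
    rules = [
        {"source": s, "target": t, "class": c, "perms": p.strip("{} ").split()}
        for s, t, c, p in ALLOW_RE.findall(src)
    ]
    interfaces = [
        (name, [a.strip() for a in args.split(",") if a.strip()])
        for name, args in IFACE_RE.findall(src)
    ]
    return declared, rules, interfaces


def review(src):
    """Report undeclared types and rules on the watch list."""
    declared, rules, interfaces = parse_te(src)
    undeclared, findings = set(), []
    for r in rules:
        for t in (r["source"], r["target"]):
            if t != "self" and t not in declared:
                undeclared.add(t)
        for perm in r["perms"]:
            why = RISKY_PERMS.get((r["class"], perm))
            if why:
                findings.append(f"allow {r['source']} {r['target']}:{r['class']} {perm}  # {why}")
    for name, args in interfaces:
        undeclared.update(a for a in args if a not in declared)
        if name in RISKY_INTERFACES:
            findings.append(f"{name}({', '.join(args)})  # {RISKY_INTERFACES[name]}")
    return {"rules": len(rules), "interfaces": len(interfaces),
            "undeclared": sorted(undeclared), "findings": findings}


if __name__ == "__main__":
    result = review(PAGE_MODULE)
    print(f"{result['rules']} allow rules, {result['interfaces']} interface calls")
    print("undeclared types:", result["undeclared"] or "none")
    for line in result["findings"]:
        print("  ", line)
```

Run against the module above, the script reports no undeclared types and eight entries to justify: the bin_t entrypoint for httpd_t, the relabel permissions on puppet_var_lib_t, the transition from httpd_t, passenger_t's sys_ptrace and sys_resource capabilities, setexec, and domain_read_all_domains_state. Each one may well be needed for Passenger to spawn the puppetmaster, but a reviewer should be able to tie it to a specific denial in the audit log rather than load it because audit2allow emitted it.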
