Copterfly / modwsgi

Automatically exported from code.google.com/p/modwsgi

WSGIDaemonProcess hangs when SELinux is enabled and policies are being updated #54

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Configure Apache + mod_wsgi w/ WSGIDaemonProcess
2. yum update (if it updates the selinux-policy and selinux-policy-targeted rpms)

I'm using mod_wsgi from SVN trunk under Apache httpd 2.2.6 on Fedora 8
Linux (i386). SELinux is enabled as 'enforcing' in 'targeted' mode.

Please provide any additional information below.
When SELinux targeted(?) policies are being updated,
apache+mod_wsgi-enabled web services become unavailable. Apache httpd
required a restart to be able to process mod_wsgi-geared requests. All of
Apache's other modules (services like WebDAV or static html pages) keep being
available.

If not using WSGIDaemonProcess, all things go well even during (or after)
the SELinux policies updating.

Original issue reported on code.google.com by esizi...@gmail.com on 30 Jan 2008 at 10:31

GoogleCodeExporter commented 9 years ago
It is noted in section 'Secure Variants Of UNIX' of:

  http://code.google.com/p/modwsgi/wiki/ApplicationIssues

that there may be limitations on using mod_wsgi daemon mode. In particular, that
starting them as another user may be an issue.

What is the actual mod_wsgi configuration you are using for Apache?

Original comment by Graham.Dumpleton@gmail.com on 30 Jan 2008 at 7:50

GoogleCodeExporter commented 9 years ago
WSGIDaemonProcess trac user=apache group=apache processes=2 threads=25 \
    maximum-requests=1000 python-eggs=/var/tmp/eggs python-path=/opt/trac-0.10.4
WSGIDaemonProcess trac_dev user=apache group=apache processes=1 threads=5 \
    maximum-requests=1000 python-eggs=/var/tmp/eggs python-path=/opt/trac-0.11

<VirtualHost 10.0.0.122:443>
    ServerName trac:443

    RewriteEngine On

    # forbid access to the root
    RewriteRule ^/$ - [F]

    # the default process group
    RewriteRule . - [E=trac.process_group:trac]
    RewriteCond %{REQUEST_URI} ^/((test|ttt))
    RewriteRule . - [E=trac.process_group:trac_dev]

    # check for environment existence
    RewriteCond %{REQUEST_URI} ^/([^/]+)
    RewriteCond /srv/trac/%1/conf/trac.ini !-f
    RewriteRule . - [F]

    # get trac.env_path
    RewriteCond %{REQUEST_URI} ^/([^/]+)
    RewriteRule . - [E=trac.env_path:/srv/trac/%1]

    WSGIScriptAliasMatch ^/([^/]+) /usr/lib/httpd/modules/fortess/trac.wsgi

    <Directory /usr/lib/httpd/modules/fortess>
        SSLRequireSSL
        SetEnv HTTPS yes

        Include conf.d/custom_auth
        Require valid-user

        WSGIApplicationGroup %{GLOBAL}
        WSGIProcessGroup %{ENV:trac.process_group}

        Order deny,allow
        Allow from all
    </Directory>

    CustomLog logs/trac_external_access_log common

    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/trac.crt
    SSLCertificateKeyFile /etc/pki/tls/private/trac.key

</VirtualHost>

Original comment by esizi...@gmail.com on 31 Jan 2008 at 6:35

GoogleCodeExporter commented 9 years ago
Can you explain what 'SELinux policies updating' entails? Do you know if
SELinux tries to signal managed processes in some way to get them to try and
reread policies or something?

If you know of a web site that explains what occurs at the point that policies
are updated, it might help.

Original comment by Graham.Dumpleton@gmail.com on 31 Jan 2008 at 7:24

GoogleCodeExporter commented 9 years ago
I'm sorry, Graham, but I'm not an expert (or even competent) in the SELinux
technology stack.

Original comment by esizi...@gmail.com on 12 Feb 2008 at 2:29

GoogleCodeExporter commented 9 years ago
Not able to look at this personally as don't have a SELinux environment. Will
look at it in the future if have time and can get such an environment, or if
someone knowledgeable comes along who understands SELinux.

Original comment by Graham.Dumpleton@gmail.com on 18 Feb 2008 at 9:33

GoogleCodeExporter commented 9 years ago
This is not seen as an issue in mod_wsgi but a SELinux configuration issue. The
link:

  http://www.packtpub.com/article/selinux-secured-web-hosting-python-based-web-applications

may or may not be helpful to configuring SELinux properly.

Closing this issue for now. If someone can show that there is a problem with
mod_wsgi itself rather than it being a SELinux configuration issue, then may
look at it again, but would need a lot more information and guidance.

Original comment by Graham.Dumpleton@gmail.com on 29 Oct 2008 at 11:14