Closed GoogleCodeExporter closed 9 years ago
It is noted in section 'Secure Variants Of UNIX' of:
http://code.google.com/p/modwsgi/wiki/ApplicationIssues
that there may be limitations on using mod_wsgi daemon mode. In particular, that starting them as another user may be an issue.
What is the actual mod_wsgi configuration you are using for Apache?
Original comment by Graham.Dumpleton@gmail.com
on 30 Jan 2008 at 7:50
WSGIDaemonProcess trac user=apache group=apache processes=2 threads=25 maximum-requests=1000 python-eggs=/var/tmp/eggs python-path=/opt/trac-0.10.4
WSGIDaemonProcess trac_dev user=apache group=apache processes=1 threads=5 maximum-requests=1000 python-eggs=/var/tmp/eggs python-path=/opt/trac-0.11
<VirtualHost 10.0.0.122:443>
    ServerName trac:443
    RewriteEngine On
    # forbid access to the root
    RewriteRule ^/$ - [F]
    # the default process group
    RewriteRule . - [E=trac.process_group:trac]
    RewriteCond %{REQUEST_URI} ^/((test|ttt))
    RewriteRule . - [E=trac.process_group:trac_dev]
    # check for environment existence
    RewriteCond %{REQUEST_URI} ^/([^/]+)
    RewriteCond /srv/trac/%1/conf/trac.ini !-f
    RewriteRule . - [F]
    # get trac.env_path
    RewriteCond %{REQUEST_URI} ^/([^/]+)
    RewriteRule . - [E=trac.env_path:/srv/trac/%1]
    WSGIScriptAliasMatch ^/([^/]+) /usr/lib/httpd/modules/fortess/trac.wsgi
    <Directory /usr/lib/httpd/modules/fortess>
        SSLRequireSSL
        SetEnv HTTPS yes
        Include conf.d/custom_auth
        Require valid-user
        WSGIApplicationGroup %{GLOBAL}
        WSGIProcessGroup %{ENV:trac.process_group}
        Order deny,allow
        Allow from all
    </Directory>
    CustomLog logs/trac_external_access_log common
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/trac.crt
    SSLCertificateKeyFile /etc/pki/tls/private/trac.key
</VirtualHost>
Original comment by esizi...@gmail.com
on 31 Jan 2008 at 6:35
Can you explain what 'SElinux policies updating' entails? Do you know if SELinux tries to signal managed processes in some way to get them to try and reread policies or something?
If you know of a web site that explains what occurs at the point that policies are updated, that might help.
Original comment by Graham.Dumpleton@gmail.com
on 31 Jan 2008 at 7:24
I'm sorry, Graham, but I'm not an expert (or even competent) in the SELinux technology stack.
Original comment by esizi...@gmail.com
on 12 Feb 2008 at 2:29
Not able to look at this personally as I don't have a SELinux environment. Will look at it in the future if I have time and can get such an environment, or if someone knowledgeable comes along who understands SELinux.
Original comment by Graham.Dumpleton@gmail.com
on 18 Feb 2008 at 9:33
This is not seen as an issue in mod_wsgi but a SELinux configuration issue. The link:
http://www.packtpub.com/article/selinux-secured-web-hosting-python-based-web-applications
may or may not be helpful to configuring SELinux properly.
Closing this issue for now. If someone can show that there is a problem with mod_wsgi itself rather than it being a SELinux configuration issue, then may look at it again, but would need a lot more information and guidance.
Original comment by Graham.Dumpleton@gmail.com
on 29 Oct 2008 at 11:14
Original issue reported on code.google.com by
esizi...@gmail.com
on 30 Jan 2008 at 10:31