Monday, February 08, 2010

mod_mono, CentOS 5 64 bit, and SELinux

Getting mod_mono up and running on Ubuntu 9.10 is relatively simple. Install the packages, drop in a test asmx file, browse to the URL and you are done.

apt-get install libapache2-mod-mono mono-apache-server2


My experience getting the same demo file working on CentOS 5 with SELinux enforcing was a bit more involved. First off, here's the complete simple web service. Once mod_mono is properly installed, you should be able to drop it into your document root and browse to the appropriate URL.


<%@ WebService Language="c#" Codebehind="TestService.asmx.cs" Class="WebServiceTests.TestService" %>

using System;
using System.Web.Services;
using System.Web.Services.Protocols;

namespace WebServiceTests
{
    public class TestService : System.Web.Services.WebService
    {
        // Returns the string it was given.
        [WebMethod]
        public string Echo (string a)
        {
            return a;
        }

        // Returns the sum of two integers.
        [WebMethod]
        public int Add (int a, int b)
        {
            return a + b;
        }
    }
}


On CentOS 5, install these packages:


yum install mod_mono xsp mono-web


To enable mod_mono for Apache and run the xsp demo programs, add something like the following to the tail end of your httpd.conf file. Be sure to check that the paths used here are the same on your machine. (Note that I'm using a 64 bit CentOS installation.) The AddType lines for .cs, .config and .dll route requests for source files, configuration and assemblies through mod_mono rather than letting Apache serve them as plain files.

AddType application/x-asp-net .aspx
AddType application/x-asp-net .asmx
AddType application/x-asp-net .ashx
AddType application/x-asp-net .asax
AddType application/x-asp-net .ascx
AddType application/x-asp-net .soap
AddType application/x-asp-net .rem
AddType application/x-asp-net .axd
AddType application/x-asp-net .cs
AddType application/x-asp-net .config
AddType application/x-asp-net .Config
AddType application/x-asp-net .dll
AddType application/x-asp-net .asp
DirectoryIndex index.aspx
DirectoryIndex Default.aspx
DirectoryIndex default.aspx


Alias /demo /usr/lib64/xsp/test
MonoApplications "/demo:/usr/lib64/xsp/test"
MonoServerPath /usr/bin/mod-mono-server


You are likely to run into a myriad of problems if SELinux is enabled. Start by giving httpd permission to run mono.


chcon -t httpd_sys_content_t '/usr/bin/mono'


Each time you hit your URL you will likely encounter another SELinux denial. You can repeat this process again and again until you come up with a final policy that allows Apache access to mono, its directories, and its dependencies. My final policy looked like this.


module mymono 1.0;

require {
type lib_t;
type tmp_t;
type mono_exec_t;
type httpd_t;
type httpd_sys_script_t;
class process ptrace;
class sock_file { write create };
class sem create;
class file { read execute_no_trans };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t self:sem create;

#============= httpd_t ==============
allow httpd_t lib_t:file execute_no_trans;
allow httpd_t mono_exec_t:file { read execute_no_trans };
allow httpd_t self:process ptrace;
allow httpd_t tmp_t:sock_file { write create };



Mono makes extensive use of a temp directory known as the wapi directory. You can specify your own temp directory in your httpd.conf file; otherwise the default, /tmp/.wapi, is used.

It took a while to discover that /tmp/.wapi needed different labels. The best clue I could get from the messages log was:


Feb 8 08:43:32 carbon setroubleshoot: SELinux is preventing the mono from using potentially mislabeled files (mod_mono_server_global). For complete SELinux messages. run sealert -l a00a5946-cec1-4291-a410-e74c5f96edfd


This was corrected by running...


restorecon -R -v /tmp/.wapi


...as suggested by sealert.

Just as I thought I was finished, with the mono test application finally working, I found additional denials in /var/log/audit/audit.log. This policy was the fix:


module mynotify 1.0;

require {
type httpd_t;
type inotifyfs_t;
class dir read;
}

#============= httpd_t ==============
allow httpd_t inotifyfs_t:dir read;


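The mymono and mynotify modules above are what audit2allow produces from the denials in audit.log. As an added illustration of that step (not code from the post), this script does the same reduction by hand on a constructed sample of AVC lines: it merges the denied permissions per source type, target type and object class, and writes "self" where source and target types match, so you can see which denials became which rules before building the module.

```shell
#!/bin/sh
# Added example (not from the post): a minimal audit2allow-style pass
# over AVC denials, producing the "allow" lines of a .te module like
# the mymono/mynotify modules above.

# Constructed sample of audit.log lines in the CentOS 5 format.
AVC_SAMPLE='type=AVC msg=audit(1265640212.101:101): avc:  denied  { read } for  pid=2211 comm="mono" name="inotify" scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=AVC msg=audit(1265640212.102:102): avc:  denied  { write } for  pid=2211 comm="mono" name="shared_data-carbon" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1265640212.103:103): avc:  denied  { create } for  pid=2211 comm="mono" name="shared_data-carbon" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1265640212.104:104): avc:  denied  { ptrace } for  pid=2211 comm="mono" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1265640212.104:104): arch=c000003e syscall=101 success=no exit=-13'

# Read audit lines on stdin; print one allow rule per (source, target,
# class), merging permissions. A target of the same type becomes "self".
avc_to_allow() {
    awk '
    /avc: +denied/ {
        match($0, /[{] [^}]* [}]/)
        perms = substr($0, RSTART + 2, RLENGTH - 4)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        if (tgt == src) tgt = "self"
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if ((key, p[j]) in seen) continue
            seen[key, p[j]] = 1
            rule[key] = (rule[key] == "") ? p[j] : rule[key] " " p[j]
        }
    }
    END {
        for (key in rule) {
            if (index(rule[key], " ")) printf "allow %s { %s };\n", key, rule[key]
            else printf "allow %s %s;\n", key, rule[key]
        }
    }' | sort
}

# Wrap the rules in a module with a require block, then build and load:
# checkmodule -M -m -o x.mod x.te; semodule_package -o x.pp -m x.mod; semodule -i x.pp
rules_from_sample() { printf "%s\n" "$AVC_SAMPLE" | avc_to_allow; }
```

Review each emitted rule before loading it: a denial only shows what mono tried, not whether httpd should be allowed to do it.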

Are we done yet? I sure hope so. I read elsewhere on the web that there is a plan to get the proper SELinux configuration into the mod_mono RPMs. Until that happens, I hope this info will help you get your mod_mono setup working.

Note: After rebooting, I had to relabel the wapi temp directory and the mono binary with these two commands:


restorecon -R -v /tmp/.wapi
chcon -t httpd_sys_content_t '/usr/bin/mono'


I'm currently looking for a better, permanent solution.

1 comment:

Devin Venable said...

Quick follow up: These instructions alone may not be sufficient to get mod_mono running under SELinux. See this thread for the latest:

http://go-mono.com/forums/#nabble-td18472872