Tag Archives: SELinux

Django/mod_wsgi on Fedora 12

I recently deployed a Django application with mod_wsgi on my server which runs Fedora 12. Since this required a bit more configuration than a standard Apache virtual host I thought it might be useful to document the configuration for others.


While SELinux can be a little annoying if you don’t understand how it works it is a very powerful security layer that should not be disabled. In order to get the Django/mod_wsgi application working I had to modify a couple of SELinux booleans which give Apache extra permissions.

setsebool httpd_tmp_exec on
setsebool httpd_can_network_connect on

mod_wsgi configuration

The default configuration tries to create the mod_wsgi sockets in a directory that SELinux does not allow Apache access to. You can change this by adding the following line to /etc/httpd/conf.d/wsgi.conf.

WSGISocketPrefix run/mod_wsgi

Apache virtual host configuration

Below is the Apache virtual host configuration. Note that I have chosen to use mod_wsgi’s daemon mode and processes instead of threads because some of the libraries I’m using are not thread safe.

<VirtualHost *:80>
 ServerAdmin dan@example.com
 DocumentRoot /home/vhosts/example.com/
 ServerName www.example.com

 Alias /robots.txt /home/vhosts/example.com/example/web/static/robots.txt
 Alias /favicon.ico /home/vhosts/example.com/example/web/static/favicon.ico

 # Static files.
 Alias /static /home/vhosts/example.com/example/web/static

 # Admin static files.
 Alias /media /home/vhosts/example.com/dependencies/Django-1.2.1/django/contrib/admin/media

 WSGIScriptAlias / /home/vhosts/example.com/example/web/example/django.wsgi
 WSGIDaemonProcess example.com processes=15 threads=1 display-name=%{GROUP}
 WSGIProcessGroup example.com

 ErrorLog logs/example.com-error_log
 LogFormat "%a %l \"%u\" %t %m \"%U\" \"%q\" %p %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" custom_log
 CustomLog logs/example.com-access_log combinedio