Bug 1196555
| Field | Value |
|---|---|
| Summary: | avc in mod_passenger "rm /" { getattr } |
| Product: | Red Hat Enterprise Linux 7 |
| Reporter: | Ondřej Pták <optak> |
| Component: | selinux-policy |
| Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA |
| QA Contact: | Milos Malik <mmalik> |
| Severity: | medium |
| Priority: | high |
| Version: | 7.1 |
| CC: | bgollahe, jkaluza, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, vanhoof |
| Target Milestone: | rc |
| Keywords: | ZStream |
| Target Release: | --- |
| Hardware: | All |
| OS: | Linux |
| Fixed In Version: | selinux-policy-3.13.1-47.el7 |
| Doc Type: | Bug Fix |
| Story Points: | --- |
| Clones: | 1217188 (view as bug list) |
| Last Closed: | 2015-11-19 10:28:07 UTC |
| Type: | Bug |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| Category: | --- |
| oVirt Team: | --- |
| Cloudforms Team: | --- |
| Bug Blocks: | 1208765, 1217188 |
Description

Ondřej Pták

2015-02-26 09:39:53 UTC

This is what passenger tries to do:

```
rm -rf /var/run/rh-passenger40/passenger.1.0.16997/generation-0
rm -rf /var/run/rh-passenger40/passenger.1.0.16997
```

Comment 2

Jan Kaluža

According to my tests, this is the minimal SELinux policy module needed by passenger to work in RHEL7 without AVCs:
```
module test 1.0;

require {
        type fs_t;
        type passenger_t;
        type httpd_t;
        class unix_stream_socket { read write getattr };
        class process getsession;
        class capability2 block_suspend;
        class tcp_socket accept;
        class filesystem getattr;
}

allow passenger_t self:capability2 block_suspend;
allow passenger_t self:process getsession;
allow passenger_t fs_t:filesystem getattr;
allow passenger_t self:tcp_socket accept;
allow passenger_t httpd_t:unix_stream_socket { getattr read write };
```
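As an added example (not code from the bug report or from the selinux-policy project), the script below does for denials like this one what `audit2allow` does: it parses AVC records from audit.log and emits the require block and allow rules of a minimal module such as the one above. The audit lines, the `AVC_RE` pattern and the helper names are constructed here and mirror the denials that comment 2's module covers, starting with the `rm /` filesystem getattr from the summary.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not taken from the bug report); the
# contexts, classes and permissions mirror what comment 2's module allows.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1424943593.001:101): avc:  denied  { getattr } for  pid=16997 comm="rm" name="/" dev="dm-0" ino=2 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1424943593.002:102): avc:  denied  { read write } for  pid=16997 comm="PassengerHelper" path="socket:[12345]" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1424943593.003:103): avc:  denied  { getattr } for  pid=16997 comm="PassengerHelper" path="socket:[12345]" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1424943593.004:104): avc:  denied  { block_suspend } for  pid=16997 comm="PassengerHelper" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=capability2 permissive=0
type=AVC msg=audit(1424943593.005:105): avc:  denied  { getsession } for  pid=16997 comm="PassengerHelper" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0
type=AVC msg=audit(1424943593.006:106): avc:  denied  { accept } for  pid=16997 comm="PassengerHelper" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=tcp_socket permissive=0
"""

# Contexts are user:role:type:level, so the type is the third field.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+):\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+):\S*\s+"
    r"tclass=(?P<tclass>\S+)"
)


def parse_avcs(audit_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)


def render_module(rules, name="test", version="1.0"):
    """Emit a .te module: a require block plus one allow rule per key."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    fmt = lambda p: p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt(sorted(classes[c]))};" for c in sorted(classes)]
    out += ["}", ""]
    for (src, tgt, cls) in sorted(rules):
        target = "self" if src == tgt else tgt  # same type on both sides -> self
        out.append(f"allow {src} {target}:{cls} {fmt(sorted(rules[(src, tgt, cls)]))};")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_module(parse_avcs(SAMPLE_AUDIT)))
```

A generated module grants exactly the access that was denied, so read every rule before loading it: a denial caused by a mislabelled file is fixed by relabelling, not by an allow rule.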
(In reply to Jan Kaluža from comment #2)
> According to my tests, this is the minimal SELinux policy module needed by
> passenger to work in RHEL7 without AVCs:
>
> module test 1.0;
>
> require {
>         type fs_t;
>         type passenger_t;
>         type httpd_t;
>         class unix_stream_socket { read write getattr };
>         class process getsession;
>         class capability2 block_suspend;
>         class tcp_socket accept;
>         class filesystem getattr;
> }
>
> allow passenger_t self:capability2 block_suspend;
> allow passenger_t self:process getsession;
> allow passenger_t fs_t:filesystem getattr;
> allow passenger_t self:tcp_socket accept;
> allow passenger_t httpd_t:unix_stream_socket { getattr read write };

My tests pass with this module in Enforcing mode. The test is about running passenger with mod_passenger and 3 ruby collections (ruby193, ruby200, rh-ruby22) as the interpreter.

```
commit 972c57ac37720defc8b6bd7e100ce9dcb4bb9309
Author: Lukas Vrabec <lvrabec>
Date:   Tue Sep 1 18:01:36 2015 +0200

    Allow passenger to getattr filesystem xattr

    Resolves: #1196555
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html