Bug 1378170

Summary: Passenger scripts from EPEL rpm are mislabeled
Product: [Fedora] Fedora EPEL
Reporter: Orion Poplawski <orion>
Component: passenger
Assignee: Dennis Chen <barracks510>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: epel7
CC: barracks510, dominic, lvrabec, mmalik, plautrba, pvrabec, ssekidde
Hardware: All
OS: Linux
Last Closed: 2024-07-08 22:24:50 UTC
Type: Bug
Bug Blocks: 1393066

Description Orion Poplawski 2016-09-21 17:21:20 UTC
Description of problem:

passenger-4.0.53-4.el7 from EPEL installs the passenger helper scripts to /usr/libexec/passenger:

# ls -lZ /usr/libexec/passenger/
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       PassengerHelperAgent
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       PassengerWatchdog
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       SpawnPreparer
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       TempDirToucher

But these do not get labeled as passenger_exec_t so I get:

type=AVC msg=audit(1474475501.759:1134): avc:  denied  { sys_resource } for  pid=4248 comm="PassengerWatchd" capability=24  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1474475507.804:1136): avc:  denied  { fowner } for  pid=4292 comm="chmod" capability=3  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1474475507.804:1136): avc:  denied  { fsetid } for  pid=4292 comm="chmod" capability=4  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-60.el7_2.9.noarch

Incorrect label still present with selinux-policy-3.13.1-93.el7.noarch

After changing the label I see:

type=AVC msg=audit(1474475865.558:1139): avc:  denied  { getattr } for  pid=4418 comm="ruby" path="/usr/bin/sudo" dev="vda2" ino=34460398 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1474475865.558:1140): avc:  denied  { execute } for  pid=4418 comm="ruby" name="sudo" dev="vda2" ino=34460398 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file

Not quite sure what passenger does with sudo.
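
As an added example (not code from the bug report, the passenger package or selinux-policy), a small Python parser over the `ls -lZ` listing and AVC records quoted above: it flags helper binaries whose type is not `passenger_exec_t` and groups denials by source type, target type and object class, which makes the mislabeling visible in the audit log itself (the helpers run in `httpd_t` instead of transitioning to `passenger_t`). The sample input is constructed from the lines in this report.

```python
import re
from collections import defaultdict

# Constructed sample input: the `ls -lZ` listing and AVC records quoted
# in the bug report (before and after the helper scripts were relabeled).
LS_Z = """\
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       PassengerHelperAgent
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       PassengerWatchdog
"""
AVC_BEFORE = [
    'type=AVC msg=audit(1474475501.759:1134): avc:  denied  { sys_resource } for  pid=4248 comm="PassengerWatchd" capability=24  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability',
    'type=AVC msg=audit(1474475507.804:1136): avc:  denied  { fowner } for  pid=4292 comm="chmod" capability=3  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability',
]
AVC_AFTER = [
    'type=AVC msg=audit(1474475865.558:1140): avc:  denied  { execute } for  pid=4418 comm="ruby" name="sudo" dev="vda2" ino=34460398 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def ctx_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(':')[2]

def parse_avc(line):
    """Parse one AVC record into {'perms': [...], 'pid': ..., 'scontext': ..., ...}."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(m.group('rest')))
    return rec

def mislabeled(ls_z_output, expected_type):
    """Names from `ls -lZ` whose type differs from the type the policy expects."""
    bad = []
    for line in ls_z_output.splitlines():
        fields = line.split()  # perms, owner, group, context, name
        if len(fields) >= 5 and ctx_type(fields[3]) != expected_type:
            bad.append(fields[-1])
    return bad

def summarize(lines):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        key = (ctx_type(rec['scontext']), ctx_type(rec['tcontext']), rec['tclass'])
        summary[key].update(rec['perms'])
    return dict(summary)
```

Run against the real `ls -lZ` and `ausearch -m AVC` output, a source type of `httpd_t` on a Passenger helper is the signature of this bug, while denials from `passenger_t` show what the confined domain still lacks.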

Comment 2 Milos Malik 2016-09-22 07:06:36 UTC
You're right, they are not labeled correctly:

# matchpathcon /usr/libexec/passenger/Passenger*
/usr/libexec/passenger/PassengerHelperAgent	system_u:object_r:bin_t:s0
/usr/libexec/passenger/PassengerLoggingAgent	system_u:object_r:bin_t:s0
/usr/libexec/passenger/PassengerWatchdog	system_u:object_r:bin_t:s0
#

It seems that their location has changed:

# semanage fcontext -l | grep -i passenger
/usr/share/.*/gems/.*/helper-scripts/prespawn      regular file       system_u:object_r:passenger_exec_t:s0 
/usr/lib/gems/.*/Passenger.*                       regular file       system_u:object_r:passenger_exec_t:s0 
/usr/lib/gems/.*/ApplicationPoolServerExecutable   regular file       system_u:object_r:passenger_exec_t:s0 
/usr/share/gems/.*/Passenger.*                     regular file       system_u:object_r:passenger_exec_t:s0 
/usr/share/gems/.*/ApplicationPoolServerExecutable regular file       system_u:object_r:passenger_exec_t:s0 
/var/log/passenger.*                               all files          system_u:object_r:passenger_log_t:s0 
/var/lib/passenger(/.*)?                           all files          system_u:object_r:passenger_var_lib_t:s0 
/var/run/passenger(/.*)?                           all files          system_u:object_r:passenger_var_run_t:s0 
#

To avoid the AVCs, please enable the httpd_run_stickshift boolean.

Comment 4 Lukas Vrabec 2017-03-21 16:04:25 UTC
This bugzilla was triaged as "WONTFIX" by the SELinux team, due to a third-party software component that can be fixed by the component maintainer. To take advantage of the Mandatory Access Control mechanism provided by SELinux, you (the component maintainer) can ship a custom SELinux policy as a subpackage of the affected component. As a starting point you can use the policy provided by the selinux-policy package. For more details about custom product policy, please follow the https://fedoraproject.org/wiki/SELinux/IndependentPolicy guideline.

Comment 5 Troy Dawson 2024-07-08 22:24:50 UTC
EPEL 7 entered end-of-life (EOL) status on 2024-06-30.

EPEL 7 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.