| Summary: | Passenger scripts from EPEL rpm are mislabeled | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Orion Poplawski <orion> |
| Component: | passenger | Assignee: | Dennis Chen <barracks510> |
| Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | epel7 | CC: | barracks510, dominic, lvrabec, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 1393066 | ||
You're right, they are not labeled correctly:

```
# matchpathcon /usr/libexec/passenger/Passenger*
/usr/libexec/passenger/PassengerHelperAgent system_u:object_r:bin_t:s0
/usr/libexec/passenger/PassengerLoggingAgent system_u:object_r:bin_t:s0
/usr/libexec/passenger/PassengerWatchdog system_u:object_r:bin_t:s0
#
```

It seems that their location has changed:

```
# semanage fcontext -l | grep -i passenger
/usr/share/.*/gems/.*/helper-scripts/prespawn regular file system_u:object_r:passenger_exec_t:s0
/usr/lib/gems/.*/Passenger.* regular file system_u:object_r:passenger_exec_t:s0
/usr/lib/gems/.*/ApplicationPoolServerExecutable regular file system_u:object_r:passenger_exec_t:s0
/usr/share/gems/.*/Passenger.* regular file system_u:object_r:passenger_exec_t:s0
/usr/share/gems/.*/ApplicationPoolServerExecutable regular file system_u:object_r:passenger_exec_t:s0
/var/log/passenger.* all files system_u:object_r:passenger_log_t:s0
/var/lib/passenger(/.*)? all files system_u:object_r:passenger_var_lib_t:s0
/var/run/passenger(/.*)? all files system_u:object_r:passenger_var_run_t:s0
#
```

To avoid the AVCs, please enable the httpd_run_stickshift boolean.

This bugzilla was triaged as "WONTFIX" by the SELinux team, because the issue is in a third-party software component and can be fixed by the component maintainer. To take advantage of the Mandatory Access Control mechanism provided by SELinux, you (the component maintainer) can ship a custom SELinux policy as a subpackage of the affected component. As a starting point you can use the policy provided by the selinux-policy package. For more details about custom product policy, please follow the https://fedoraproject.org/wiki/SELinux/IndependentPolicy guideline.
Description of problem: passenger-4.0.53-4.el7 from EPEL installs the passenger helper scripts to /usr/libexec/passenger:

```
# ls -lZ /usr/libexec/passenger/
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 PassengerHelperAgent
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 PassengerWatchdog
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 SpawnPreparer
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 TempDirToucher
```

But these do not get labeled as passenger_exec_t, so I get:

```
type=AVC msg=audit(1474475501.759:1134): avc: denied { sys_resource } for pid=4248 comm="PassengerWatchd" capability=24 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1474475507.804:1136): avc: denied { fowner } for pid=4292 comm="chmod" capability=3 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1474475507.804:1136): avc: denied { fsetid } for pid=4292 comm="chmod" capability=4 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
```

Version-Release number of selected component (if applicable): selinux-policy-3.13.1-60.el7_2.9.noarch

Incorrect label still present with selinux-policy-3.13.1-93.el7.noarch

After changing the label I see:

```
type=AVC msg=audit(1474475865.558:1139): avc: denied { getattr } for pid=4418 comm="ruby" path="/usr/bin/sudo" dev="vda2" ino=34460398 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1474475865.558:1140): avc: denied { execute } for pid=4418 comm="ruby" name="sudo" dev="vda2" ino=34460398 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
```

Not quite sure what passenger does with sudo.
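The mislabeling described in the report and the fcontext rules quoted in the SELinux team's reply can be checked on a host with a small script. The one below is an added example, not part of the bug report or of the passenger package; it parses `ls -lZ` output for the helper directory, flags entries whose SELinux type is not `passenger_exec_t`, and prints the local `semanage fcontext` / `restorecon` commands an admin would use. The listing it runs against is a constructed copy of the report's output, so it works without SELinux present.

```shell
#!/bin/sh
# Added example: audit the SELinux type on passenger helper scripts.
# Assumes the layout from the bug: helpers live in /usr/libexec/passenger
# and should carry passenger_exec_t (not bin_t).

EXPECTED_TYPE="passenger_exec_t"
HELPER_DIR="/usr/libexec/passenger"

# Read `ls -lZ` lines on stdin; print "path current_type" for each entry
# whose context type (third colon-separated field of column 4) is wrong.
mislabeled() {
  awk -v want="$EXPECTED_TYPE" -v dir="$HELPER_DIR" '
    NF >= 5 && $4 ~ /:/ {
      split($4, ctx, ":")
      if (ctx[3] != want) print dir "/" $5, ctx[3]
    }'
}

# Number of mislabeled entries in the listing passed as $1.
count_mislabeled() {
  printf '%s\n' "$1" | mislabeled | wc -l | tr -d ' '
}

# Local fcontext rule plus relabel; prints the commands rather than
# running them so the script is safe to execute anywhere.
fix_commands() {
  printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$EXPECTED_TYPE" "$HELPER_DIR"
  printf 'restorecon -Rv %s\n' "$HELPER_DIR"
}

# Constructed sample based on the report's `ls -lZ /usr/libexec/passenger/`;
# the third line is labeled correctly to show it is skipped.
SAMPLE='-rwxr-xr-x. root root system_u:object_r:bin_t:s0 PassengerHelperAgent
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 PassengerWatchdog'

if [ "$(count_mislabeled "$SAMPLE")" -gt 0 ]; then
  echo "Mislabeled helper scripts (path current_type):"
  printf '%s\n' "$SAMPLE" | mislabeled
  echo "Suggested fix:"
  fix_commands
fi
```

On a real host replace `SAMPLE` with `$(ls -lZ /usr/libexec/passenger/)`; a local fcontext rule added this way survives package updates until a shipped policy covers the path.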