Bug 843638

Summary: SELinux is preventing PassengerWatchdog from loading
Product: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Reporter: W Hibdon <austin.hibdon>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, mgrepl
Type: Bug
Doc Type: Bug Fix
Last Closed: 2012-08-01 18:21:54 UTC

Description W Hibdon 2012-07-26 20:22:13 UTC
[15:24] <wahibdon> so I was schooled in here a week or two ago with some useful information.  I was told to use semanage fcontext -a -t [context] [file] and restorecon [file] to make a file play nicely with selinux, specifically passenger.so.  However, I have run into another hang up as (and I have checked the permissions already) PassengerWatchdog is being denied when setenforce 1 and not with setenforce 0 and I tried the semanage.  Any thoughts?
[15:26] <wahibdon> Now, everything I have found people have just disabled selinux but I don't want to HAVE to do that.
[15:26] <grift> show the avc denials youre getting
[15:28] <wahibdon> okay, one moment.
[15:30] <wahibdon> grift: http://fpaste.org/d9DA/
[15:31] <grift> and your distro is?
[15:31] <wahibdon> 17
[15:31] <grift> hold on , ill have a look
[15:32] <grift> k try this:
[15:33] <grift> find /usr -inum 665184
[15:33] <grift> what does it return
[15:34] <grift> please show that location
[15:34] <grift> i want to know the full path
[15:34] <wahibdon> it is /usr/local/share/gems/gems/passenger-3.0.13/agents/PassengerWatchdog
[15:34] <grift> ok now do this:
[15:35] <grift> matchpathcon /usr/local/share/gems/gems/passenger-3.0.13/agents/PassengerWatchdog
[15:35] <grift> what does it return
[15:36] <wahibdon> it returns the path then system_u:object_r:usr_t:s0
[15:36] <grift> ok this is a bug in policy
[15:36] <wahibdon> is it a fixed bug?
[15:36] <grift> you can fix it by labelling it passenger_exec_t:
[15:36] <wahibdon> instead of user_t ?
[15:36] <grift> chcon -t passenger_exec_t /usr/local/share/gems/gems/passenger-3.0.13/agents/PassengerWatchdog
[15:37] <grift> do the same for:
[15:37] <grift> PassengerLoggingAgent
[15:38] <grift> apache2/PassengerHelperAgent
[15:38] <grift> ext/apache2/ApplicationPoolServerExecutable
[15:38] <grift> bugzilla.redhat.com
[15:38] <grift> the current file context spec isnt catching that location
[15:45] <wahibdon> watchdog is now crashing on startup for "some reason" exit code 1
[15:46] <grift> see avc denials
[15:47] <wahibdon> http://fpaste.org/uMOr/
[15:49] <grift> echo "avc:  denied  { sys_resource } for  pid=738 comm="PassengerWatchd" capability=24  scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:system_r:passenger_t:s0 tclass=capability" | audit2allow -M mypassenger; sudo semodule -i mypassenger.pp
[15:49] <grift> looks like passenger policy is as buggy as ever
[15:55] <wahibdon> mypassenger.te:6:ERROR 'syntax error' at token '' on line 6:
[15:55] <grift> grrr
[15:55] <wahibdon> : /usr/bin/checkmodule: errors encountered while parsing configuration
[15:55] <grift> yes there have been some stupid changes in audit2allow
[15:56] <grift> hold on
[15:56] <grift> try:
[15:56] <grift> echo "avc:  denied  { sys_resource } for  pid=738 comm="PassengerWatchd" capability=24  scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:system_r:passenger_t:s0 tclass=capability" | audit2allow -r -M mypassenger; sudo semodule -i mypassenger.pp
[16:01] <wahibdon> still failed, same error.
[16:05] <grift> mkdir ~/mypassenger; cd ~/mypassenger; echo "policy_module(mypassenger, 1.0.0) optional_policy(\` gen_require(\` type passenger_t; ') allow passenger_t self:capability sys_resource; ')" > mypassenger.te; make -f /usr/share/selinux/devel/Makefile mypassenger.pp; sudo semodule -i mypassenger.pp

that last try also did not work

Comment 1 Miroslav Grepl 2012-07-27 07:36:12 UTC
Ok, the problem is labeling. We have defined labels for the following path

/usr/lib/ruby/gems

so I am also adding support for /usr/local

What is your policy version?

I see

sesearch -A -s passenger_t -t passenger_t -c capability -p sys_resource
Found 1 semantic av rules:
   allow passenger_t passenger_t : capability { chown dac_override fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource } ;
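The hand-written module attempt in the IRC log and the labeling diagnosis in Comment 1, as an added Python example that is not part of this bug report: it parses AVC denial lines into a minimal policy_module source in the syntax the devel Makefile accepts, and refuses to generate rules for denials whose target type is a generic label such as usr_t, since those (as here) call for relabeling rather than a new allow rule. The GENERIC_TYPES set and the second sample line are assumptions constructed for this example.

```python
"""Turn AVC denial lines into a minimal SELinux local-policy module (.te) and flag
denials that point at a labeling problem rather than a missing rule."""
import re

# Constructed sample inputs: the capability denial quoted in the IRC log above
# (inner quotes restored) and a file denial in the same style against the usr_t
# label that matchpathcon reported for PassengerWatchdog.
SAMPLE_AVCS = [
    'avc:  denied  { sys_resource } for  pid=738 comm="PassengerWatchd" capability=24  '
    'scontext=unconfined_u:system_r:passenger_t:s0 '
    'tcontext=unconfined_u:system_r:passenger_t:s0 tclass=capability',
    'avc:  denied  { execute } for  pid=740 comm="httpd" '
    'path="/usr/local/share/gems/gems/passenger-3.0.13/agents/PassengerWatchdog" '
    'scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

# Assumption for this example: a denial whose target carries one of these generic
# labels usually means the file is mislabeled (compare `matchpathcon` with `ls -Z`
# and fix with semanage fcontext / restorecon), so no allow rule is generated for it.
GENERIC_TYPES = {'usr_t', 'default_t', 'file_t', 'unlabeled_t'}


def parse_avc(line):
    """Return (source_type, target_type, tclass, [perms]) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group('scon').split(':')[2]   # user:role:type:level -> type
    ttype = m.group('tcon').split(':')[2]
    return stype, ttype, m.group('tclass'), m.group('perms').split()


def build_te(name, lines, version='1.0.0'):
    """Return (te_source, warnings); permissions are merged per (source, target, class)."""
    rules, warnings = {}, []
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        if ttype in GENERIC_TYPES:
            warnings.append(f'{stype} -> {ttype}:{tclass}: likely a labeling problem, no rule emitted')
            continue
        merged = rules.setdefault((stype, ttype, tclass), [])
        merged.extend(p for p in perms if p not in merged)
    types = sorted({ty for s, t, _ in rules for ty in (s, t)})
    out = [f'policy_module({name}, {version})', '', 'gen_require(`']
    out += [f'\ttype {ty};' for ty in types] + ["')", '']
    for (stype, ttype, tclass), perms in rules.items():
        target = 'self' if stype == ttype else ttype
        plist = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        out.append(f'allow {stype} {target}:{tclass} {plist};')
    return '\n'.join(out) + '\n', warnings
```

Write the returned source to mypassenger.te and build it with `make -f /usr/share/selinux/devel/Makefile mypassenger.pp` as in the log; any warning returned means relabeling should be tried first.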

Comment 2 Fedora Update System 2012-07-27 15:34:37 UTC
selinux-policy-3.10.0-142.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-142.fc17

Comment 3 Fedora Update System 2012-07-28 01:24:24 UTC
Package selinux-policy-3.10.0-142.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-142.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-11215/selinux-policy-3.10.0-142.fc17
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2012-08-01 18:21:54 UTC
selinux-policy-3.10.0-142.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.