Bug 865082

Summary: ruby193-rubygem-passenger's rubygem_passenger selinux policy stomps on the normal passenger selinux policy
Product: OKD
Reporter: Thomas Wiest <twiest>
Component: Containers
Assignee: Rob Millner <rmillner>
Status: CLOSED CURRENTRELEASE
QA Contact: libra bugs <libra-bugs>
Severity: high
Docs Contact:
Priority: high
Version: 2.x
CC: jhou, mfisher, tdawson
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: rubygem-passenger-3.0.4-15.el6_3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-11-06 18:49:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Thomas Wiest 2012-10-10 19:11:51 UTC
Description of problem:
Both rubygem-passenger-native and ruby193-rubygem-passenger-native are trying to load a policy called rubygem-passenger.pp (listed as rubygem_passenger when doing semanage -l). This means that whichever package is installed last will have their policy loaded.

When we create new hosts in INT and PROD, some get the policy from rubygem-passenger-native and others get the policy from ruby193-rubygem-passenger-native. This is a problem as the policies aren't identical and therefore we have inconsistent fcontext and other rules.

This causes quite a few issues for us. Right now I'm having to manually sync up the policies using the manual fix described below.


Proposed fix:
ruby193-rubygem-passenger-native's selinux policy should really be named something like: 
ruby193_rubygem_passenger

This would prevent it from stomping on the other rubygem_passenger policy.


Manual fix:
1) Get them all on the rubygem_passenger 1.1 module:
   semodule -i /opt/rh/ruby193/root/usr/share/selinux/packages/ruby193-rubygem-passenger/rubygem-passenger.pp

2) Add the missing lines to the rubygem_passenger 1.1 module:
semanage fcontext -a --seuser system_u --type httpd_log_t '/var/log/passenger-analytics'
semanage fcontext -a --seuser system_u --type httpd_exec_t '/usr/lib/ruby/gems/1.8/gems/passenger-3.0.4/agents/((apache2|nginx)/)?Passenger.*'


Here are the paths to the two policy files laid down by the rpms:
/usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.pp
/opt/rh/ruby193/root/usr/share/selinux/packages/ruby193-rubygem-passenger/rubygem-passenger.pp


Version-Release number of selected component (if applicable):
rubygem-passenger-native-3.0.4-12.el6_3.x86_64
ruby193-rubygem-passenger-native-3.0.12-16.el6_3.x86_64


How reproducible:
It's random because it's based on which rpm gets installed last, but happens frequently when building new nodes. Not sure why this isn't a problem in the devenvs.


Steps to Reproduce:
1. To see the problem with the modules overriding each other, load one then the other:
2. semodule -i /opt/rh/ruby193/root/usr/share/selinux/packages/ruby193-rubygem-passenger/rubygem-passenger.pp
3. semodule -l|grep rubygem_passenger
4. Notice that rubygem_passenger 1.1 is loaded
5. semodule -i /usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.pp
6. semodule -l|grep rubygem_passenger
7. Notice that rubygem_passenger 1.0 is now loaded


Actual results:
The two policies are stomping on each other when loaded into selinux.


Expected results:
The two policies should both be able to be loaded and should coexist.
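
The collision the report describes (two RPMs shipping a policy package with the same name, so the last `semodule -i` silently replaces the other package's module) can be checked for mechanically. The following Python is an added example; it is not part of the bug report or of either passenger package. The policy file paths and the `semodule -l` lines are constructed from the values quoted in the report, and the mapping of each package to the module version it provides (1.0 for rubygem-passenger-native, 1.1 for ruby193-rubygem-passenger-native) is an assumption taken from the reproduction steps.

```python
"""Check for SELinux policy-module collisions between packages.

Added example, not code from the bug report. All inputs below are
constructed from values quoted in the report.
"""
import os
from collections import defaultdict

# Constructed: the two policy package files laid down by the RPMs.
POLICY_FILES = [
    "/usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.pp",
    "/opt/rh/ruby193/root/usr/share/selinux/packages/ruby193-rubygem-passenger/rubygem-passenger.pp",
]

# Constructed `semodule -l` output as it would look after the ruby193
# package was installed last (its module version 1.1 is what is loaded).
SEMODULE_LIST = """\
httpd\t1.0
rubygem_passenger\t1.1
"""

# Assumed: module name and version each package is expected to provide,
# taken from the reproduction steps in the report.
EXPECTED_VERSIONS = {
    "rubygem-passenger-native": ("rubygem_passenger", "1.0"),
    "ruby193-rubygem-passenger-native": ("rubygem_passenger", "1.1"),
}


def find_colliding_policy_files(paths):
    """Group .pp files by basename and return only the basenames that
    more than one package ships: the smell behind this report."""
    by_name = defaultdict(list)
    for path in paths:
        by_name[os.path.basename(path)].append(path)
    return {name: files for name, files in by_name.items() if len(files) > 1}


def parse_semodule_list(text):
    """Parse `semodule -l` output (one `name<TAB>version` per line)
    into a {module_name: version} dict; blank or short lines are skipped."""
    loaded = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            loaded[parts[0]] = parts[1]
    return loaded


def find_module_name_conflicts(expected):
    """Two packages that declare the same SELinux module name cannot both
    stay loaded; return {module_name: [package, ...]} for shared names."""
    claims = defaultdict(list)
    for pkg, (module, _version) in expected.items():
        claims[module].append(pkg)
    return {module: pkgs for module, pkgs in claims.items() if len(pkgs) > 1}


def which_package_won(loaded, expected):
    """For each package, report whether the module version currently loaded
    is the one that package provides (True) or was replaced (False)."""
    return {pkg: loaded.get(module) == version
            for pkg, (module, version) in expected.items()}


if __name__ == "__main__":
    print("colliding .pp basenames:", find_colliding_policy_files(POLICY_FILES))
    print("shared module names:", find_module_name_conflicts(EXPECTED_VERSIONS))
    loaded = parse_semodule_list(SEMODULE_LIST)
    print("package whose policy is active:", which_package_won(loaded, EXPECTED_VERSIONS))
```

On a real host the `SEMODULE_LIST` text would be replaced by the captured output of `semodule -l`; a `False` entry from `which_package_won` means that package's file contexts are not the ones in effect, which is exactly the inconsistent-fcontext situation the report describes on freshly built nodes.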

Comment 1 Rob Millner 2012-10-19 00:50:03 UTC
Was able to eliminate everything in the SELinux policies except two lines in the file policy which makes each package re-use the existing passenger module's file contexts.  They no longer conflict.

Comment 2 Rob Millner 2012-10-19 20:36:02 UTC
The updated packages have been built:

rubygem-passenger-3.0.4-15.el6_3
ruby193-rubygem-passenger-3.0.12-19.el6_3

Comment 3 Jianwei Hou 2012-10-22 05:14:16 UTC
Verified on devenv_2360(for INT and PROD, QE does not have access)
ruby193-rubygem-passenger-native-3.0.12-19.el6_3.x86_64
rubygem-passenger-native-3.0.4-15.el6_3.x86_64

Steps:
1. [root@domU-12-31-39-0F-CA-66 ~]# semodule -l|grep rubygem-passenger
ruby193-rubygem-passenger	1.3	
rubygem-passenger	1.3	
2. [root@domU-12-31-39-0F-CA-66 ~]# semodule -i /usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.pp
[root@domU-12-31-39-0F-CA-66 ~]# semodule -l|grep rubygem-passenger
ruby193-rubygem-passenger	1.3	
rubygem-passenger	1.3	
3. [root@domU-12-31-39-0F-CA-66 ~]# semodule -i /usr/share/selinux/packages/rubygem-passenger.pp
[root@domU-12-31-39-0F-CA-66 ~]# semodule -l|grep rubygem-passenger
ruby193-rubygem-passenger	1.3	
rubygem-passenger	1.3