Bug 870392

Summary: Some AVC denial about PassengerHelper's prespawn is seen in audit.log on broker
Product: OpenShift Container Platform
Component: Node
Version: 1.1.0
Status: CLOSED NEXTRELEASE
Severity: high
Priority: urgent
Reporter: Johnny Liu <jialiu>
Assignee: Brenton Leanhardt <bleanhar>
QA Contact: libra bugs <libra-bugs>
CC: bleanhar, jkeck
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-12-20 14:26:21 UTC
Bug Depends On: 886619

Description Johnny Liu 2012-10-26 11:11:01 UTC
Description of problem:
The following error message is seen in broker http log file:
Cannot execute '/usr/share/rubygems/gems/passenger-3.0.17/helper-scripts/prespawn http://127.0.0.1:8080/': Permission denied (13)

Although these errors appear, they do not seem to affect app creation. Apps can be created successfully, but these errors should be fixed.

Version-Release number of selected component (if applicable):
2012-10-25.1 puddle
selinux-policy-targeted-3.7.19-174.el6.noarch
selinux-policy-3.7.19-174.el6.noarch
mod_passenger-3.0.17-2.el6op.1.x86_64
rubygem-passenger-3.0.17-2.el6op.1.x86_64
rubygem-passenger-native-3.0.17-2.el6op.1.x86_64
rubygem-passenger-native-libs-3.0.17-2.el6op.1.x86_64
# semodule -l|grep passen
passenger	1.0.0	



How reproducible:
Always

Steps to Reproduce:
1. Setup broker node.
2. tail -f /var/www/openshift/broker/httpd/logs/*
3. service openshift-broker restart
  
Actual results:
The output of step 2:
<--snip-->
[Fri Oct 26 07:06:11 2012] [notice] caught SIGTERM, shutting down
[Fri Oct 26 07:06:12 2012] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Fri Oct 26 07:06:12 2012] [notice] Apache/2.2.15 (Unix) Phusion_Passenger/3.0.17 configured -- resuming normal operations
Cannot execute '/usr/share/rubygems/gems/passenger-3.0.17/helper-scripts/prespawn http://127.0.0.1:8080/': Permission denied (13)
Cannot execute '/usr/share/rubygems/gems/passenger-3.0.17/helper-scripts/prespawn http://127.0.0.1:8080/': Permission denied (13)

Checking /var/log/audit/audit.log, the following AVC denials were found:
<--snip-->
type=AVC msg=audit(1351263758.126:15): avc:  denied  { execute } for  pid=1718 comm="PassengerHelper" name="prespawn" dev=dm-0 ino=13616 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1351263758.131:16): avc:  denied  { execute } for  pid=1719 comm="PassengerHelper" name="prespawn" dev=dm-0 ino=13616 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file


Expected results:
No AVC denials should be seen.

Additional info:

Comment 2 Brenton Leanhardt 2012-12-12 17:03:12 UTC
I believe this has to be fixed in the selinux-policy package.

Comment 3 Brenton Leanhardt 2012-12-20 13:51:06 UTC
This bug has been fixed in the upstream selinux-policy package.  It will ship with RHEL 6.4 (shortly after our 1.1 release).

I'm going to ask for a new target milestone to be created that will sync up with our RHEL6.4 release.  At that time this bug will be moved there.

Comment 4 RHEL Program Management 2012-12-20 14:26:21 UTC
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.

Comment 5 Brenton Leanhardt 2013-02-06 20:54:56 UTC
This bug was closed in error.