Description of problem:
The openshift-broker server won't start on the latest F19 due to AVC denials. To confirm this is a SELinux issue I tried to start it under permissive mode and it works fine.

Version-Release number of selected component (if applicable):
Origin installed using the openshift-puppet module.

How reproducible:
Install OpenShift Origin on updated F19 with enabled selinux using:
$ puppet module install openshift/openshift_origin

Actual results:
[Thu Sep 05 11:23:52.887124 2013] [core:notice] [pid 2216] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[ pid=2217 thr=140690826508096 file=ext/common/AgentBase.cpp:419 time=2013-09-05 11:23:52.890 ]: *** ERROR: Unexpected end-of-file encountered
     in 'void Passenger::VariantMap::readFrom(int)' (VariantMap.h:140)
     in 'Passenger::VariantMap Passenger::initializeAgent(int, char**, const char*)' (AgentBase.cpp:355)
[Thu Sep 05 11:23:52.899706 2013] [passenger:error] [pid 2216] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog: it seems to have crashed during startup for an unknown reason, with exit code 1
[ pid=2220 thr=140649429509952 file=ext/common/AgentBase.cpp:419 time=2013-09-05 11:23:52.910 ]: *** ERROR: Unexpected end-of-file encountered
     in 'void Passenger::VariantMap::readFrom(int)' (VariantMap.h:140)
     in 'Passenger::VariantMap Passenger::initializeAgent(int, char**, const char*)' (AgentBase.cpp:355)
[Thu Sep 05 11:23:52.919720 2013] [passenger:error] [pid 2219] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog: it seems to have crashed during startup for an unknown reason, with exit code 1

When starting in permissive mode I got these denials:
type=SERVICE_STOP msg=audit(1378380755.753:283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="openshift-broker" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1378380755.803:284): avc: denied { getattr } for pid=4253 comm="ruby-mri" path="socket:[34280]" dev="sockfs" ino=34280 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1378380755.803:284): arch=c000003e syscall=5 success=yes exit=0 a0=1 a1=7fff14621e20 a2=7fff14621e20 a3=7fff14621bd0 items=0 ppid=4251 pid=4253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1378380755.806:285): avc: denied { write } for pid=4247 comm="httpd" name="socket" dev="tmpfs" ino=34367 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:passenger_tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1378380755.806:285): arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=7fff990e31e0 a2=6e a3=69746172656e6567 items=0 ppid=1 pid=4247 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1378380755.808:286): avc: denied { ioctl } for pid=4253 comm="ruby-mri" path="socket:[34280]" dev="sockfs" ino=34280 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1378380755.808:286): arch=c000003e syscall=16 success=no exit=-25 a0=1 a1=5401 a2=7fff14621c70 a3=19661f8 items=0 ppid=4251 pid=4253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)
type=SERVICE_START msg=audit(1378380755.868:287): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="openshift-broker" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1378380758.036:288): avc: denied { name_connect } for pid=4288 comm="ruby-mri" dest=8080 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1378380758.036:288): arch=c000003e syscall=42 success=yes exit=0 a0=7 a1=cdaa30 a2=10 a3=7fff5322bfd0 items=0 ppid=4251 pid=4288 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1378380760.489:289): avc: denied { append } for pid=4295 comm="ruby-mri" name="development.log" dev="vda" ino=137112 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1378380760.489:289): avc: denied { open } for pid=4295 comm="ruby-mri" path="/var/log/openshift/broker/development.log" dev="vda" ino=137112 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1378380760.489:289): arch=c000003e syscall=2 success=yes exit=3 a0=37e5ee0 a1=80441 a2=1b6 a3=3 items=0 ppid=4272 pid=4295 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1378380760.489:290): avc: denied { getattr } for pid=4295 comm="ruby-mri" path="/var/log/openshift/broker/development.log" dev="vda" ino=137112 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1378380760.489:290): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff328fbe50 a2=7fff328fbe50 a3=3 items=0 ppid=4272 pid=4295 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1378380760.489:291): avc: denied { ioctl } for pid=4295 comm="ruby-mri" path="/var/log/openshift/broker/development.log" dev="vda" ino=137112 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1378380760.489:291): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fff328fbea0 a3=3 items=0 ppid=4272 pid=4295 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1378380760.579:292): avc: denied { getattr } for pid=4295 comm="ruby-mri" path="/var/log/openshift/broker/user_action.log" dev="vda" ino=137114 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1378380760.579:292): arch=c000003e syscall=4 success=yes exit=0 a0=37a8900 a1=7fff328fa820 a2=7fff328fa820 a3=7f9aee3a6ab0 items=0 ppid=4272 pid=4295 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1378380760.580:293): avc: denied { append } for pid=4295 comm="ruby-mri" name="user_action.log" dev="vda" ino=137114 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1378380760.580:293): avc: denied { open } for pid=4295 comm="ruby-mri" path="/var/log/openshift/broker/user_action.log" dev="vda" ino=137114 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1378380760.580:293): arch=c000003e syscall=2 success=yes exit=10 a0=37a8900 a1=80401 a2=1b6 a3=2 items=0 ppid=4272 pid=4295 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1378380760.580:294): avc: denied { ioctl } for pid=4295 comm="ruby-mri" path="/var/log/openshift/broker/user_action.log" dev="vda" ino=137114 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1378380760.580:294): arch=c000003e syscall=16 success=no exit=-25 a0=a a1=5401 a2=7fff328fa520 a3=2 items=0 ppid=4272 pid=4295 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1378380761.618:295): avc: denied { name_connect } for pid=4295 comm="ruby-mri" dest=27017 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:mongod_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1378380761.618:295): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=4b77cc0 a2=10 a3=7fff328f4600 items=0 ppid=4272 pid=4295 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)

Expected results:
[Thu Sep 05 11:32:35.780632 2013] [core:notice] [pid 4247] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Sep 05 11:32:35.874130 2013] [mpm_prefork:notice] [pid 4266] AH00163: Apache/2.4.6 (Fedora) Phusion_Passenger/3.0.21 configured -- resuming normal operations
[Thu Sep 05 11:32:35.874167 2013] [core:notice] [pid 4266] AH00094: Command line: '/usr/sbin/httpd -C Include /var/www/openshift/broker/httpd/broker.conf -f /var/www/openshift/broker/httpd/httpd.conf'

Additional info:

This seems to be fixed automagically ;-) Closing this one.
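
Added example, not part of the original report or of any OpenShift or SELinux tooling: a small Python triage script that groups AVC denials like the ones in this report by source type, target type and object class, so the log-file, socket and port denials can be reviewed as separate questions. The records are copied from the report; the function and variable names are illustrative, and the one SYSCALL record is abridged.

```python
import re
from collections import defaultdict

# Records copied from the report above; the SYSCALL record is abridged and left
# on the same line as its AVC record, as happens in a flattened paste.
SAMPLE = '''\
type=AVC msg=audit(1378380755.806:285): avc: denied { write } for pid=4247 comm="httpd" name="socket" dev="tmpfs" ino=34367 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:passenger_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1378380758.036:288): avc: denied { name_connect } for pid=4288 comm="ruby-mri" dest=8080 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1378380758.036:288): arch=c000003e syscall=42 success=yes exit=0 comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0
type=AVC msg=audit(1378380760.489:289): avc: denied { append } for pid=4295 comm="ruby-mri" name="development.log" dev="vda" ino=137112 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1378380760.489:289): avc: denied { open } for pid=4295 comm="ruby-mri" path="/var/log/openshift/broker/development.log" dev="vda" ino=137112 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1378380761.618:295): avc: denied { name_connect } for pid=4295 comm="ruby-mri" dest=27017 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:mongod_port_t:s0 tclass=tcp_socket
'''

# Zero-width split point at every record header, so run-together records separate.
RECORD_START = re.compile(r'(?=type=[A-Z_]+ msg=audit\()')
AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(record):
    """Return one denial as a dict, or None for non-AVC or malformed records."""
    m = AVC.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
    try:
        # A context is user:role:type:level; the type is what policy rules name.
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    obj = fields.get('path') or fields.get('name') or fields.get('dest')
    return {'key': (source, target, tclass), 'perms': m.group(1).split(), 'object': obj}

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {'perms': set(), 'objects': set()})
    for record in RECORD_START.split(text):
        denial = parse_avc(record)
        if denial:
            groups[denial['key']]['perms'].update(denial['perms'])
            if denial['object']:
                groups[denial['key']]['objects'].add(denial['object'])
    return {k: {p: sorted(v[p]) for p in v} for k, v in groups.items()}

if __name__ == '__main__':
    for (src, tgt, cls), g in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(g['perms'])} }}  objects: {', '.join(g['objects'])}")
```
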