Bug 1029132 - Phusion Passenger watchdog start from apache blocked
Summary: Phusion Passenger watchdog start from apache blocked
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-11-11 17:50 UTC by Johan Cwiklinski
Modified: 2014-09-09 22:24 UTC (History)

Fixed In Version: selinux-policy-3.12.1-183.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-09 22:24:36 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
module that solves the issue (256 bytes, text/plain)
2013-11-11 17:50 UTC, Johan Cwiklinski

Description Johan Cwiklinski 2013-11-11 17:50:55 UTC
Created attachment 822508 [details]
module that solves the issue

Description of problem:
Trying to restart httpd after mod_passenger installation gives the following output in the httpd error log:
Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog: it seems to have crashed during startup for an unknown reason, with exit code 1

Running "setenforce Permissive" and restarting httpd solves the problem.


Version-Release number of selected component (if applicable):
mod_passenger-4.0.18-3.fc20.x86_64
selinux-policy-targeted-3.12.1-90.fc20.noarch


How reproducible:
Always


Steps to Reproduce:
1. yum install mod_passenger
2. systemctl restart httpd.service && tailf /var/log/httpd/error_log
3. look at the error message

Actual results:
Error starting passenger


Expected results:
Passenger starts as expected :)


Additional info:
grift on the #fedora-selinux IRC channel wrote an SELinux module solving the problem (see attachment)

Comment 1 Daniel Walsh 2013-11-11 21:04:14 UTC
f5cca08f7e8c19e424c2d240fa3325d7f1cf1f47 fixes the passenger_stream_connect interface which should fix this problem.

Comment 2 Fedora Update System 2013-11-27 08:16:02 UTC
selinux-policy-3.12.1-105.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-105.fc20

Comment 3 Fedora Update System 2013-11-27 16:14:23 UTC
Package selinux-policy-3.12.1-105.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-105.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-22285/selinux-policy-3.12.1-105.fc20
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2013-12-14 02:54:19 UTC
selinux-policy-3.12.1-105.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Steevithak 2014-05-21 18:58:18 UTC
I'm experiencing this bug on Fedora 20. Apache was installed and working normally. I did a yum install of mod_passenger, then restarted apache. Error log says:

[Wed May 21 18:24:51.323889 2014] [passenger:error] [pid 24765] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog: it seems to have crashed during startup for an unknown reason, with exit code 1

Could this be a regression in the selinux rules?

Comment 6 Daniel Walsh 2014-05-25 10:30:31 UTC
Could you attach the AVC messages you are seeing?

Comment 7 Jim Dines 2014-08-05 16:58:15 UTC
Hi.  I'm new to the Fedora Bugzilla and processes, but I'm confused.  This is showing as CLOSED ERRATA, even though the problem still exists and the last comment prior to asking for more information suggests it is back again.

Indeed, I am experiencing this same problem.  If I setenforce 0 everything works, and if I setenforce 1 I get the error, but no message from AVC :-(

I'd be glad to help hunt the problem down if you just let me know how to proceed.

Comment 8 Daniel Walsh 2014-08-06 15:59:59 UTC
Could you try turning off dontaudit rules

semodule -DB

And gather the AVCs related to passenger_t.

semodule -B

Will turn back on dontaudit rules.

Comment 9 Jim Dines 2014-08-06 20:35:47 UTC
Actually, I realized I had to create a link because there was no buildout/agents directory and the locations were wrong with regard to /usr/share and /usr/lib64, so basically there is no sense in trying to troubleshoot this issue.  There should be a general bug that mod_passenger and the passenger gem are foobared completely.

Anything we do here will just be hacking together a workaround and leaving the real problem intact. :-(

Comment 10 Jim Dines 2014-08-10 13:43:15 UTC
OK.  Now that I have learned a little about SELinux and got things working, I understand, at least to some degree, what is going on here, and I believe that this is indeed a regression.

I first used audit2allow to create:

[root@fireball Redmine]# cat Redmine.local.te

module Redmine.local 1.0;

require {
        type passenger_t;
        type httpd_t;
        class process getsession;
        class unix_stream_socket getattr;
        class capability2 block_suspend;
}

#============= passenger_t ==============
allow passenger_t httpd_t:unix_stream_socket getattr;
allow passenger_t self:capability2 block_suspend;
allow passenger_t self:process getsession;

... and everything worked except the 'systemctl restart httpd.service', which would fail with:

Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog: it seems to have crashed during startup for an unknown reason, with exit code 1

... then I did the semodule -DB and did another restart and got:
[root@fireball Redmine]# cat Passenger.local.pol.te

module Passenger.local.pol 1.0;

require {
        type init_t;
        type passenger_t;
        type httpd_t;
        class process { siginh getsession noatsecure rlimitinh };
        class unix_stream_socket { read write getattr };
        class capability2 block_suspend;
}

#============= httpd_t ==============
allow httpd_t passenger_t:process { siginh rlimitinh noatsecure };

#============= passenger_t ==============

#!!!! This avc is allowed in the current policy
allow passenger_t httpd_t:unix_stream_socket getattr;
allow passenger_t httpd_t:unix_stream_socket { read write };
allow passenger_t init_t:unix_stream_socket { read write };

#!!!! This avc is allowed in the current policy
allow passenger_t self:capability2 block_suspend;

#!!!! This avc is allowed in the current policy
allow passenger_t self:process getsession;


... so for some reason the denial that generates the 'allow httpd_t passenger_t:process { siginh rlimitinh noatsecure };' isn't being reported by the AVC unless dontaudit rules are disabled :-(

Also, it seems like the allows that appear in both should also always be needed for Passenger, but maybe I'm mistaken on that.

This *is* an issue regardless of the issue related to Passenger looking for PassengerWatchd, etc. in the wrong place, if I am not mistaken.  (I symlinked buildout/agents and chcon'ed everything so that it will find them where it is looking for them and not generate AVC denials before doing all of this.)

Please reopen this issue based on the above information unless you see an error in my approach or analysis.

Comment 11 Daniel Walsh 2014-08-12 12:44:28 UTC
Are you sure you need these 

allow httpd_t passenger_t:process { siginh rlimitinh noatsecure };

access?

To make this work?

Comment 12 Jim Dines 2014-08-12 14:27:14 UTC
I'm not, but my system sure seems to be :-)

I just went back, removed all my local policies, cleared the audit log and started from scratch.

What is most interesting to me is that the AVC doesn't report that all the following rules are needed until you disable the dontaudit rules and rebuild with 'semodule -DB'.

As an SELinux guru you probably understand it, but it confused me :-(

Here is the log of my actions after I rebooted with a clean audit.log and httpd.service disabled at boot time.

Sorry for the long log, but I don't see a way to attach a file anywhere in this bugzilla :-(

[root@fireball ~]# systemctl start httpd.service         
[root@fireball ~]# grep denied /var/log/audit/audit.log 
[root@fireball ~]# tail /etc/httpd/logs/error_log
[Tue Aug 12 10:06:37.549634 2014] [:warn] [pid 2411] ModSecurity: Loaded APR do not match with compiled!
[Tue Aug 12 10:06:37.549670 2014] [:notice] [pid 2411] ModSecurity: PCRE compiled version="8.33 "; loaded version="8.33 2013-05-28"
[Tue Aug 12 10:06:37.549707 2014] [:notice] [pid 2411] ModSecurity: LUA compiled version="Lua 5.2"
[Tue Aug 12 10:06:37.549740 2014] [:notice] [pid 2411] ModSecurity: LIBXML compiled version="2.9.1"
[Tue Aug 12 10:06:37.854006 2014] [auth_digest:notice] [pid 2411] AH01757: generating secret for digest authentication ...
[Tue Aug 12 10:06:37.855894 2014] [lbmethod_heartbeat:notice] [pid 2411] AH02282: No slotmem from mod_heartmonitor
You're not supposed to start this program from the command line. It's used internally by Phusion Passenger.
[Tue Aug 12 10:06:38.234228 2014] [passenger:error] [pid 2411] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog: it seems to have crashed during startup for an unknown reason, with exit code 1
[Tue Aug 12 10:06:38.258001 2014] [mpm_prefork:notice] [pid 2411] AH00163: Apache/2.4.10 (Fedora) OpenSSL/1.0.1e-fips mod_nss/2.4.6 NSS/3.15.3 Basic ECC PHP/5.5.15 mod_wsgi/3.5 Python/2.7.5 Phusion_Passenger/4.0.18 mod_gnutls/0.5.10 mod_fcgid/2.3.9 mod_perl/2.0.9-dev Perl/v5.18.2 configured -- resuming normal operations
[Tue Aug 12 10:06:38.258091 2014] [core:notice] [pid 2411] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[root@fireball ~]# semodule -DB
[root@fireball ~]# systemctl restart httpd.service       
[root@fireball ~]# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1407852495.081:388): avc:  denied  { write } for  pid=2454 comm="/usr/sbin/httpd" name="source" dev="dm-0" ino=526342 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1407852495.082:389): avc:  denied  { write } for  pid=2454 comm="/usr/sbin/httpd" name="ca-trust-source" dev="dm-0" ino=526355 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1407852495.097:390): avc:  denied  { write } for  pid=2456 comm="nss_pcache" name="source" dev="dm-0" ino=526342 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1407852495.101:391): avc:  denied  { write } for  pid=2456 comm="nss_pcache" name="ca-trust-source" dev="dm-0" ino=526355 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1407852495.144:392): avc:  denied  { rlimitinh } for  pid=2458 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1407852495.144:392): avc:  denied  { siginh } for  pid=2458 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1407852495.144:392): avc:  denied  { noatsecure } for  pid=2458 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1407852495.537:393): avc:  denied  { read write } for  pid=2463 comm="PassengerWatchd" path="socket:[28961]" dev="sockfs" ino=28961 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1407852495.537:393): avc:  denied  { read write } for  pid=2463 comm="PassengerWatchd" path="socket:[28996]" dev="sockfs" ino=28996 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1407852495.537:393): avc:  denied  { rlimitinh } for  pid=2463 comm="PassengerWatchd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0
type=AVC msg=audit(1407852495.537:393): avc:  denied  { siginh } for  pid=2463 comm="PassengerWatchd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0
type=AVC msg=audit(1407852495.537:393): avc:  denied  { noatsecure } for  pid=2463 comm="PassengerWatchd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0
type=AVC msg=audit(1407852495.804:394): avc:  denied  { read write } for  pid=2467 comm="PassengerWatchd" path="socket:[28961]" dev="sockfs" ino=28961 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1407852495.804:394): avc:  denied  { read write } for  pid=2467 comm="PassengerWatchd" path="socket:[30724]" dev="sockfs" ino=30724 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1407852495.804:394): avc:  denied  { rlimitinh } for  pid=2467 comm="PassengerWatchd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0
type=AVC msg=audit(1407852495.804:394): avc:  denied  { siginh } for  pid=2467 comm="PassengerWatchd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0
type=AVC msg=audit(1407852495.804:394): avc:  denied  { noatsecure } for  pid=2467 comm="PassengerWatchd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0
type=AVC msg=audit(1407852495.809:395): avc:  denied  { write } for  pid=2466 comm="crlhelper" name="source" dev="dm-0" ino=526342 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1407852495.810:396): avc:  denied  { write } for  pid=2466 comm="crlhelper" name="ca-trust-source" dev="dm-0" ino=526355 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1407852496.026:398): avc:  denied  { write } for  pid=2458 comm="setroubleshootd" name=".dbenv.lock" dev="dm-0" ino=2359306 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file permissive=0
[root@fireball ~]# tail /etc/httpd/logs/error_log      
[Tue Aug 12 10:08:15.553373 2014] [:warn] [pid 2454] ModSecurity: Loaded APR do not match with compiled!
[Tue Aug 12 10:08:15.553388 2014] [:notice] [pid 2454] ModSecurity: PCRE compiled version="8.33 "; loaded version="8.33 2013-05-28"
[Tue Aug 12 10:08:15.553401 2014] [:notice] [pid 2454] ModSecurity: LUA compiled version="Lua 5.2"
[Tue Aug 12 10:08:15.553414 2014] [:notice] [pid 2454] ModSecurity: LIBXML compiled version="2.9.1"
[Tue Aug 12 10:08:15.762982 2014] [auth_digest:notice] [pid 2454] AH01757: generating secret for digest authentication ...
[Tue Aug 12 10:08:15.764624 2014] [lbmethod_heartbeat:notice] [pid 2454] AH02282: No slotmem from mod_heartmonitor
You're not supposed to start this program from the command line. It's used internally by Phusion Passenger.
[Tue Aug 12 10:08:15.819921 2014] [passenger:error] [pid 2454] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog: it seems to have crashed during startup for an unknown reason, with exit code 1
[Tue Aug 12 10:08:15.838170 2014] [mpm_prefork:notice] [pid 2454] AH00163: Apache/2.4.10 (Fedora) OpenSSL/1.0.1e-fips mod_nss/2.4.6 NSS/3.15.3 Basic ECC PHP/5.5.15 mod_wsgi/3.5 Python/2.7.5 Phusion_Passenger/4.0.18 mod_gnutls/0.5.10 mod_fcgid/2.3.9 mod_perl/2.0.9-dev Perl/v5.18.2 configured -- resuming normal operations
[Tue Aug 12 10:08:15.838252 2014] [core:notice] [pid 2454] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[root@fireball ~]# grep denied /var/log/audit/audit.log | audit2allow -m SELinux/LocalPolicies/Passenger.local
error: module names must begin with a letter, optionally followed by letters, numbers, "-", "_", "."
[root@fireball ~]# cd SELinux/LocalPolicies/
[root@fireball LocalPolicies]# grep denied /var/log/audit/audit.log | audit2allow -m Passenger.local                      

module Passenger.local 1.0;

require {
        type rpm_var_lib_t;
        type init_t;
        type httpd_t;
        type system_dbusd_t;
        type passenger_t;
        type setroubleshootd_t;
        type cert_t;
        class process { siginh noatsecure rlimitinh };
        class unix_stream_socket { read write };
        class file write;
        class dir write;
}

#============= httpd_t ==============
allow httpd_t cert_t:dir write;
allow httpd_t passenger_t:process { siginh rlimitinh noatsecure };

#============= passenger_t ==============
allow passenger_t httpd_t:unix_stream_socket { read write };
allow passenger_t init_t:unix_stream_socket { read write };

#============= setroubleshootd_t ==============
allow setroubleshootd_t rpm_var_lib_t:file write;

#============= system_dbusd_t ==============
allow system_dbusd_t setroubleshootd_t:process { siginh rlimitinh noatsecure };
[root@fireball LocalPolicies]# ls
Redmine
[root@fireball LocalPolicies]# grep denied /var/log/audit/audit.log | audit2allow -M Passenger.local
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i Passenger.local.pp

[root@fireball LocalPolicies]# semodule -i Passenger.local.pp
[root@fireball LocalPolicies]# systemctl restart httpd.service
[root@fireball LocalPolicies]# tail /etc/httpd/logs/error_log
[Tue Aug 12 10:13:51.521967 2014] [:notice] [pid 2536] ModSecurity: LUA compiled version="Lua 5.2"
[Tue Aug 12 10:13:51.521987 2014] [:notice] [pid 2536] ModSecurity: LIBXML compiled version="2.9.1"
[Tue Aug 12 10:13:51.762930 2014] [auth_digest:notice] [pid 2536] AH01757: generating secret for digest authentication ...
[Tue Aug 12 10:13:51.764544 2014] [lbmethod_heartbeat:notice] [pid 2536] AH02282: No slotmem from mod_heartmonitor
[ 2014-08-12 10:13:51.8095 2567/7f6395a87780 agents/Watchdog/Main.cpp:450 ]: Options: { 'analytics_log_user' => 'nobody', 'default_group' => 'nobody', 'default_python' => 'python', 'default_ruby' => '/usr/bin/ruby', 'default_user' => 'nobody', 'log_level' => '0', 'max_instances_per_app' => '0', 'max_pool_size' => '6', 'passenger_root' => '/usr/share/gems/gems/passenger-4.0.18', 'pool_idle_time' => '300', 'temp_dir' => '/tmp', 'union_station_gateway_address' => 'gateway.unionstationapp.com', 'union_station_gateway_port' => '443', 'user_switching' => 'true', 'web_server_pid' => '2536', 'web_server_type' => 'apache', 'web_server_worker_gid' => '48', 'web_server_worker_uid' => '48' }
[ 2014-08-12 10:13:51.8193 2570/7f7d8def4780 agents/HelperAgent/Main.cpp:602 ]: PassengerHelperAgent online, listening at unix:/tmp/passenger.1.0.2536/generation-1/request
[ 2014-08-12 10:13:51.8261 2575/7fc20e224880 agents/LoggingAgent/Main.cpp:318 ]: PassengerLoggingAgent online, listening at unix:/tmp/passenger.1.0.2536/generation-1/logging
[ 2014-08-12 10:13:51.8265 2567/7f6395a87780 agents/Watchdog/Main.cpp:631 ]: All Phusion Passenger agents started!
[Tue Aug 12 10:13:51.842674 2014] [mpm_prefork:notice] [pid 2536] AH00163: Apache/2.4.10 (Fedora) OpenSSL/1.0.1e-fips mod_nss/2.4.6 NSS/3.15.3 Basic ECC PHP/5.5.15 mod_wsgi/3.5 Python/2.7.5 Phusion_Passenger/4.0.18 mod_gnutls/0.5.10 mod_fcgid/2.3.9 mod_perl/2.0.9-dev Perl/v5.18.2 configured -- resuming normal operations
[Tue Aug 12 10:13:51.842744 2014] [core:notice] [pid 2536] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
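The following is an added example, not code from anyone in this bug or from the selinux-policy or Passenger projects. It does in plain Python what the two steps in this thread did by hand: the request in Comment 8 to gather the AVC denials that involve passenger_t, and the audit2allow run above that turns those denials into allow rules. The parser reads audit.log AVC records, filters them to a type of interest (passenger_t here) and merges the denials into audit2allow-style rules, so one can see the rule set before deciding which of its lines are genuinely required. The sample lines are constructed after the excerpts quoted in this bug, not a live capture; note that the process permissions (siginh, rlimitinh, noatsecure) appear in such a log only after dontaudit rules have been disabled with semodule -DB, exactly as Comments 10 and 12 observed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the audit.log excerpts quoted in this bug
# (same field layout; not a capture from a live system). The USER_AVC record
# is included to show that non-AVC records are skipped by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1407852495.537:393): avc:  denied  { read write } for  pid=2463 comm="PassengerWatchd" path="socket:[28961]" dev="sockfs" ino=28961 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1407852495.537:393): avc:  denied  { read write } for  pid=2463 comm="PassengerWatchd" path="socket:[28996]" dev="sockfs" ino=28996 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1407852495.537:393): avc:  denied  { rlimitinh } for  pid=2463 comm="PassengerWatchd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0
type=AVC msg=audit(1407852495.537:393): avc:  denied  { siginh } for  pid=2463 comm="PassengerWatchd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0
type=AVC msg=audit(1407852495.809:395): avc:  denied  { write } for  pid=2466 comm="crlhelper" name="source" dev="dm-0" ino=526342 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=USER_AVC msg=audit(1407852496.000:397): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: unrelated'
"""

# One kernel AVC denial record: timestamp, serial, the permission set in
# braces, then the free-form key=value fields.
AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (comm, path, name, ...).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field of a security context: user:role:type[:range]."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one audit.log line; return a dict, or None if it is not an AVC denial."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if 'scontext' not in fields or 'tcontext' not in fields or 'tclass' not in fields:
        return None
    return {
        'serial': int(m.group('serial')),
        'perms': frozenset(m.group('perms').split()),
        'comm': fields.get('comm'),
        'source': type_of(fields['scontext']),
        'target': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
    }


def denials(log_text, involving=None):
    """All AVC denials in the log; if `involving` is given, keep only those
    where that type is the source or the target (Comment 8's request)."""
    found = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        if involving is not None and involving not in (d['source'], d['target']):
            continue
        found.append(d)
    return found


def allow_rules(denial_list):
    """Merge denials into audit2allow-style allow rules, one per
    (source, target, class), using `self` when source and target coincide."""
    merged = defaultdict(set)
    for d in denial_list:
        target = 'self' if d['source'] == d['target'] else d['target']
        merged[(d['source'], target, d['tclass'])] |= d['perms']
    rules = []
    for (src, tgt, cls) in sorted(merged):
        perms = sorted(merged[(src, tgt, cls)])
        perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules


if __name__ == '__main__':
    for rule in allow_rules(denials(SAMPLE_AUDIT_LOG, involving='passenger_t')):
        print(rule)
```

Run against a real file with `denials(open('/var/log/audit/audit.log').read(), 'passenger_t')`. The output is the candidate rule set only; as Comment 14 points out, a rule generated this way should be reviewed one line at a time rather than loaded wholesale, since each `allow` widens what the confined domain may do.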

Comment 13 Jim Dines 2014-08-12 16:31:56 UTC
Some more info in which the plot thickens :-(

After doing 'semodule -B' and then rebooting, the AVC denies getattr on unix_stream_socket, which it didn't deny with dontaudit rules disabled, but Passenger still starts :

[root@fireball ~]# systemctl start httpd.service    
[root@fireball ~]# grep denied  /var/log/audit/audit.log
type=AVC msg=audit(1407859925.800:419): avc:  denied  { getattr } for  pid=3003 comm="PassengerWatchd" path="socket:[36145]" dev="sockfs" ino=36145 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1407859927.395:420): avc:  denied  { getattr } for  pid=3031 comm="PassengerWatchd" path="socket:[36914]" dev="sockfs" ino=36914 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket permissive=0
[root@fireball ~]# tail /etc/httpd/logs/error_log            
[Tue Aug 12 12:12:06.124956 2014] [:notice] [pid 2998] ModSecurity: LUA compiled version="Lua 5.2"
[Tue Aug 12 12:12:06.124968 2014] [:notice] [pid 2998] ModSecurity: LIBXML compiled version="2.9.1"
[Tue Aug 12 12:12:06.372492 2014] [auth_digest:notice] [pid 2998] AH01757: generating secret for digest authentication ...
[Tue Aug 12 12:12:06.374418 2014] [lbmethod_heartbeat:notice] [pid 2998] AH02282: No slotmem from mod_heartmonitor
[ 2014-08-12 12:12:07.3962 3031/7fef8c1c9780 agents/Watchdog/Main.cpp:450 ]: Options: { 'analytics_log_user' => 'nobody', 'default_group' => 'nobody', 'default_python' => 'python', 'default_ruby' => '/usr/bin/ruby', 'default_user' => 'nobody', 'log_level' => '0', 'max_instances_per_app' => '0', 'max_pool_size' => '6', 'passenger_root' => '/usr/share/gems/gems/passenger-4.0.18', 'pool_idle_time' => '300', 'temp_dir' => '/tmp', 'union_station_gateway_address' => 'gateway.unionstationapp.com', 'union_station_gateway_port' => '443', 'user_switching' => 'true', 'web_server_pid' => '2998', 'web_server_type' => 'apache', 'web_server_worker_gid' => '48', 'web_server_worker_uid' => '48' }
[ 2014-08-12 12:12:07.4079 3034/7f05dbd94780 agents/HelperAgent/Main.cpp:602 ]: PassengerHelperAgent online, listening at unix:/tmp/passenger.1.0.2998/generation-1/request
[ 2014-08-12 12:12:07.4143 3039/7f368cf2f880 agents/LoggingAgent/Main.cpp:318 ]: PassengerLoggingAgent online, listening at unix:/tmp/passenger.1.0.2998/generation-1/logging
[ 2014-08-12 12:12:07.4233 3031/7fef8c1c9780 agents/Watchdog/Main.cpp:631 ]: All Phusion Passenger agents started!
[Tue Aug 12 12:12:07.430460 2014] [mpm_prefork:notice] [pid 2998] AH00163: Apache/2.4.10 (Fedora) OpenSSL/1.0.1e-fips mod_nss/2.4.6 NSS/3.15.3 Basic ECC PHP/5.5.15 mod_wsgi/3.5 Python/2.7.5 Phusion_Passenger/4.0.18 mod_gnutls/0.5.10 mod_fcgid/2.3.9 mod_perl/2.0.9-dev Perl/v5.18.2 configured -- resuming normal operations
[Tue Aug 12 12:12:07.430548 2014] [core:notice] [pid 2998] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

Comment 14 Daniel Walsh 2014-08-16 10:41:32 UTC
What I was actually looking for was which of these permissions is required.  I doubt all of them.  We are blocking passenger based on one or two actions, where apache has to leak some priv into passenger.

Which of the following is actually needed to get passenger to work?

allow httpd_t passenger_t:process { siginh rlimitinh noatsecure };

#============= passenger_t ==============
allow passenger_t httpd_t:unix_stream_socket { read write };
allow passenger_t init_t:unix_stream_socket { read write };

Comment 15 Jim Dines 2014-08-16 15:42:28 UTC
I don't understand the question.  Apache will start but Passenger won't.  There will be NO MESSAGE in the audits as to why.  Then one disables the dontaudit rules and rebuilds with 'semodule -DB', at which point the AVC reports that it needs additional allow rules.  I have provided ALL logs.

The only way to troubleshoot this issue is to do a fresh install, add mod_passenger and configure it, and then dig in.  I don't purport to be an SELinux expert, but I DO purport to know how to read the apache logs.  I DO know that it doesn't work as the rules are configured right now without these allows.  If it shouldn't need some of them, then that is an SELinux config issue.  Until this gets straightened out they should be allowed, since as it stands now everyone who tries to install mod_passenger and use it with apache is going to get nowhere.  I'm all for locking things down tightly, but that's locking things down just a little TOO tightly :-)

Good luck guys!

Comment 16 František Dvořák 2014-08-16 22:46:51 UTC
It looks like the answer is this line:

  allow passenger_t httpd_t:unix_stream_socket { read write };

I think this line is not needed in EPEL 6, but it is needed (and not audited) on Fedora 20.

Comment 17 Miroslav Grepl 2014-09-03 13:08:12 UTC
Yes, we need to have 

 allow passenger_t httpd_t:unix_stream_socket { read write };

Comment 18 Miroslav Grepl 2014-09-03 13:45:41 UTC
commit fd027c0c212efc9d821606c87dfa0c191dd0890f
Author: Miroslav Grepl <mgrepl>
Date:   Wed Sep 3 15:44:28 2014 +0200

    Allow passenger to read/write apache stream socket.

Comment 19 Fedora Update System 2014-09-04 11:34:17 UTC
selinux-policy-3.12.1-183.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-183.fc20

Comment 20 Fedora Update System 2014-09-09 22:24:36 UTC
selinux-policy-3.12.1-183.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

