Description of problem:
I'm trying to create a Puppetmaster using Apache and mod_passenger, although I don't think the fact that the application is Puppet matters at this point. I'm using the Puppetlabs Puppet packages, standard EL6 Apache and the EPEL mod_passenger packages. I'm using the default /etc/httpd/conf.d/passenger.conf, which sets:

  PassengerRoot /usr/share/rubygems/gems/passenger-3.0.21
  PassengerRuby /usr/bin/ruby

Apache starts, but as soon as I start an agent run against the Puppetmaster, the agent stops with an HTTP 500 error and the following is logged in /var/log/audit/audit.log:

  type=AVC msg=audit(1389349283.934:224): avc: denied { write } for pid=19148 comm="httpd" name="socket" dev=dm-0 ino=270945 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:passenger_tmp_t:s0 tclass=sock_file
  type=SYSCALL msg=audit(1389349283.934:224): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7fff65052d50 a2=6e a3=746172656e65672f items=0 ppid=19127 pid=19148 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=19 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

The socket in question is under /tmp/passenger*/, which seems to be the default without me setting PassengerTempDir to anything. Disabling SELinux stops the error.

Version-Release number of selected component (if applicable):
mod_passenger-3.0.21-5.el6.x86_64
selinux-policy-3.7.19-231.el6.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Install mod_passenger and a suitable application
2. Try to access the application
3. Error

Actual results:

Expected results:

Additional info:
Created attachment 851804
the generated puppet_passenger.pp file

  semodule -i puppet_passenger.pp

Should make puppet/passenger work.
mod_passenger-3.0.21-11.el6.x86_64 from testing (mod_passenger-3.0.21-5.el6.x86_64 does work properly, see bug https://bugzilla.redhat.com/show_bug.cgi?id=999384)
selinux-policy-3.7.19-231.el6.noarch

==== The puppet_passenger.te file

module puppet_passenger 1.0;

require {
	type user_tmp_t;
	type locale_t;
	type passenger_t;
	type ifconfig_exec_t;
	type passenger_tmp_t;
	type sysfs_t;
	type postfix_pickup_t;
	type puppet_var_lib_t;
	type sysctl_net_t;
	type httpd_t;
	type proc_net_t;
	class sock_file write;
	class tcp_socket listen;
	class dir { search create rmdir };
	class file { relabelfrom getattr read relabelto open execute execute_no_trans };
}

#============= httpd_t ==============
allow httpd_t passenger_tmp_t:sock_file write;

#============= passenger_t ==============
allow passenger_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
allow passenger_t locale_t:file getattr;
allow passenger_t proc_net_t:file { read getattr open };
allow passenger_t puppet_var_lib_t:dir { create rmdir };
allow passenger_t puppet_var_lib_t:file { relabelfrom relabelto };
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow passenger_t self:tcp_socket listen;
allow passenger_t sysctl_net_t:dir search;
allow passenger_t sysfs_t:dir search;
allow passenger_t sysfs_t:file { read open };
allow passenger_t user_tmp_t:file { read getattr open };
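To show how the AVC record in the description maps onto the audit2allow output above, here is an added Python example (not from this bug or any attachment) that parses AVC denials from audit.log text and folds them into allow rules keyed by source type, target type and object class. The first sample record is the one from the description; the second (a passenger_t read of /proc/net) is constructed for the example.

```python
import re
from collections import defaultdict

# Sample audit.log excerpt: the httpd_t denial from the bug description,
# its SYSCALL companion record, and one constructed passenger_t denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1389349283.934:224): avc: denied { write } for pid=19148 comm="httpd" name="socket" dev=dm-0 ino=270945 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:passenger_tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1389349283.934:224): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389349290.001:230): avc: denied { read open } for pid=19150 comm="ruby" path="/proc/net/dev" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
"""

# Only AVC records carry the permission set and the two contexts we need.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def domain_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def parse_avc_denials(log_text):
    """Yield (source_type, target_type, class, perms) for each AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types are skipped
        yield (domain_type(m["scontext"]), domain_type(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))


def allow_rules(log_text):
    """Merge denials into one allow rule per (source, target, class) triple."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avc_denials(log_text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

The first rule it emits is exactly the httpd_t line in the generated module; whether to grant it or instead move the socket out of passenger_tmp_t (the PassengerTempDir approach) is the policy decision this bug is about.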
Created attachment 851816
audit.log entries used with audit2allow
I have this same problem trying to run a generic hello world application under mod_passenger-3.0.21-11.el6.x86_64 on RHEL6. I believe the root of the problem is that mod_passenger fails to set PassengerTempDir to a value that makes the selinux policy (3.7.19-231.el6_5.3) happy. Adding the following line to the IfModule section of /etc/httpd/conf.d/passenger.conf fixes the problem:

  PassengerTempDir /var/run/rubygem-passenger

I think this line should be added to this file in the mod_passenger RPM.
This message is a reminder that EPEL 6 is nearing its end of life. Fedora will stop maintaining and issuing updates for EPEL 6 on 2020-11-30. It is our policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of 'el6'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later EPEL version. Thank you for reporting this issue and we are sorry that we were not able to fix it before EPEL 6 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.
This message is a reminder that EPEL 6 is nearing its end of life. Fedora will stop maintaining and issuing updates for EPEL 6 on 2020-11-30. It is policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of 'el6'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later EPEL version. Thank you for reporting this issue and we are sorry that we were not able to fix it before EPEL 6 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version, you are encouraged to change the 'version' to a later version before this bug is closed as described in the policy above.
EPEL el6 changed to end-of-life (EOL) status on 2020-11-30. EPEL el6 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of EPEL please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.