RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1071145 - httpd from httpd24 SCL can't run mod_passenger from ruby193 SCL
Summary: httpd from httpd24 SCL can't run mod_passenger from ruby193 SCL
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.6
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-02-28 07:08 UTC by Jan Kaluža
Modified: 2014-10-14 08:00 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.7.19-238.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-14 08:00:18 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1568 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2014-10-14 01:27:37 UTC

Description Jan Kaluža 2014-02-28 07:08:00 UTC 
As summary describes, httpd24 (mod_passenger module) is not able to execute /opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog. There are more binaries in the same directory which has to be executed by httpd: PassengerHelperAgent  PassengerLoggingAgent  PassengerWatchdog  SpawnPreparer.

type=AVC msg=audit(1393563324.393:1404): avc:  denied  { execute_no_trans } for  pid=6710 comm="httpd" path="/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog"
 dev=dm-0 ino=15018 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1393563324.393:1404): arch=c000003e syscall=59 success=no exit=-13 a0=7f19351f4d28 a1=7fff10393bb0 a2=7fff10396c18 a3=8 items=0 ppid=6709 pid=6710 auid=0 uid=0 gid=0 eui
d=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=218 comm="httpd" exe="/opt/rh/httpd24/root/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1393563324.595:1405): avc:  denied  { execute_no_trans } for  pid=6717 comm="httpd" path="/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog"
 dev=dm-0 ino=15018 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1393563324.595:1405): arch=c000003e syscall=59 success=no exit=-13 a0=7f19351f5118 a1=7fff10393bb0 a2=7fff10396c18 a3=8 items=0 ppid=6712 pid=6717 auid=0 uid=0 gid=0 eui
d=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=218 comm="httpd" exe="/opt/rh/httpd24/root/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
Comment 2 Milos Malik 2014-02-28 10:23:36 UTC 
The problem is that PassengerWatchdog file (which belongs to an SCL package) is not labeled correctly on your machine.

Some of your SCL packages should set up an equivalence between / and /opt/rh/ruby193/root (most likely via semanage in an RPM scriptlet). When the equivalence is not set, the files are labeled differently as you can see below:

# matchpathcon /usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog
/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog	system_u:object_r:passenger_exec_t:s0
# matchpathcon /opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog	system_u:object_r:lib_t:s0
#

Sofar it seems that selinux-policy component cannot be blamed.
Comment 3 Jan Kaluža 2014-02-28 11:43:21 UTC 
Thanks, I have fixed this partly. Now I have following problem:

type=AVC msg=audit(1393578063.240:1499): avc:  denied  { write } for  pid=10691 comm="httpd" name="request" dev=dm-0 ino=71692 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:o
bject_r:passenger_tmp_t:s0 tclass=sock_file
Comment 4 Miroslav Grepl 2014-02-28 11:57:42 UTC 
We allow it in Fedora. We will need to update the policy in RHEL6.
Comment 5 Lukas Vrabec 2014-06-25 16:35:14 UTC 
patch sent.
Comment 8 errata-xmlrpc 2014-10-14 08:00:18 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html
Note You need to log in before you can comment on or make changes to this bug.