Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1071145 - httpd from httpd24 SCL can't run mod_passenger from ruby193 SCL
httpd from httpd24 SCL can't run mod_passenger from ruby193 SCL
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.6
All Linux
unspecified Severity unspecified
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2014-02-28 02:08 EST by Jan Kaluža
Modified: 2014-10-14 04:00 EDT (History)
3 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-238.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-14 04:00:18 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1568 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2014-10-13 21:27:37 EDT

  None (edit)
Description Jan Kaluža 2014-02-28 02:08:00 EST 
As summary describes, httpd24 (mod_passenger module) is not able to execute /opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog. There are more binaries in the same directory which has to be executed by httpd: PassengerHelperAgent  PassengerLoggingAgent  PassengerWatchdog  SpawnPreparer.

type=AVC msg=audit(1393563324.393:1404): avc:  denied  { execute_no_trans } for  pid=6710 comm="httpd" path="/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog"
 dev=dm-0 ino=15018 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1393563324.393:1404): arch=c000003e syscall=59 success=no exit=-13 a0=7f19351f4d28 a1=7fff10393bb0 a2=7fff10396c18 a3=8 items=0 ppid=6709 pid=6710 auid=0 uid=0 gid=0 eui
d=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=218 comm="httpd" exe="/opt/rh/httpd24/root/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1393563324.595:1405): avc:  denied  { execute_no_trans } for  pid=6717 comm="httpd" path="/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog"
 dev=dm-0 ino=15018 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1393563324.595:1405): arch=c000003e syscall=59 success=no exit=-13 a0=7f19351f5118 a1=7fff10393bb0 a2=7fff10396c18 a3=8 items=0 ppid=6712 pid=6717 auid=0 uid=0 gid=0 eui
d=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=218 comm="httpd" exe="/opt/rh/httpd24/root/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
Comment 2 Milos Malik 2014-02-28 05:23:36 EST 
The problem is that PassengerWatchdog file (which belongs to an SCL package) is not labeled correctly on your machine.

Some of your SCL packages should set up an equivalence between / and /opt/rh/ruby193/root (most likely via semanage in an RPM scriptlet). When the equivalence is not set, the files are labeled differently as you can see below:

# matchpathcon /usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog
/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog	system_u:object_r:passenger_exec_t:s0
# matchpathcon /opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog	system_u:object_r:lib_t:s0
#

Sofar it seems that selinux-policy component cannot be blamed.
Comment 3 Jan Kaluža 2014-02-28 06:43:21 EST 
Thanks, I have fixed this partly. Now I have following problem:

type=AVC msg=audit(1393578063.240:1499): avc:  denied  { write } for  pid=10691 comm="httpd" name="request" dev=dm-0 ino=71692 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:o
bject_r:passenger_tmp_t:s0 tclass=sock_file
Comment 4 Miroslav Grepl 2014-02-28 06:57:42 EST 
We allow it in Fedora. We will need to update the policy in RHEL6.
Comment 5 Lukas Vrabec 2014-06-25 12:35:14 EDT 
patch sent.
Comment 8 errata-xmlrpc 2014-10-14 04:00:18 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.