Red Hat Bugzilla – Bug 1071145
httpd from httpd24 SCL can't run mod_passenger from ruby193 SCL
Last modified: 2014-10-14 04:00:18 EDT
As the summary describes, httpd24 (mod_passenger module) is not able to execute /opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog. There are more binaries in the same directory which have to be executed by httpd: PassengerHelperAgent PassengerLoggingAgent PassengerWatchdog SpawnPreparer.

type=AVC msg=audit(1393563324.393:1404): avc: denied { execute_no_trans } for pid=6710 comm="httpd" path="/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog" dev=dm-0 ino=15018 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1393563324.393:1404): arch=c000003e syscall=59 success=no exit=-13 a0=7f19351f4d28 a1=7fff10393bb0 a2=7fff10396c18 a3=8 items=0 ppid=6709 pid=6710 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=218 comm="httpd" exe="/opt/rh/httpd24/root/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1393563324.595:1405): avc: denied { execute_no_trans } for pid=6717 comm="httpd" path="/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog" dev=dm-0 ino=15018 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1393563324.595:1405): arch=c000003e syscall=59 success=no exit=-13 a0=7f19351f5118 a1=7fff10393bb0 a2=7fff10396c18 a3=8 items=0 ppid=6712 pid=6717 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=218 comm="httpd" exe="/opt/rh/httpd24/root/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
The problem is that the PassengerWatchdog file (which belongs to an SCL package) is not labeled correctly on your machine. Some of your SCL packages should set up an equivalence between / and /opt/rh/ruby193/root (most likely via semanage in an RPM scriptlet). When the equivalence is not set, the files are labeled differently, as you can see below:

# matchpathcon /usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog
/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog	system_u:object_r:passenger_exec_t:s0
# matchpathcon /opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog	system_u:object_r:lib_t:s0

So far it seems that the selinux-policy component cannot be blamed.
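The comment above explains why the same file gets passenger_exec_t under / but lib_t under /opt/rh/ruby193/root: without an fcontext equivalence, the SCL path is matched against the file-context table as-is. The following Python is an added illustration, not code from the bug or from Red Hat; it uses a constructed, deliberately tiny file-context table and a simplified "longest matching regex wins" rule (libselinux's real specificity ordering is more involved) to show how an equivalence entry changes the label lookup.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed, simplified file-context table (NOT the real RHEL policy):
# (regex, SELinux type). The real file_contexts file has thousands of entries.
FILE_CONTEXTS: List[Tuple[str, str]] = [
    (r"/.*", "default_t"),
    (r"/usr/lib(64)?(/.*)?", "lib_t"),
    (r"/opt/(.*/)?lib(64)?(/.*)?", "lib_t"),
    (r"/usr/lib(64)?/gems/exts/passenger[^/]*/agents(/.*)?", "passenger_exec_t"),
]

# Equivalence rules: {prefix: replacement}. The standard command form
#   semanage fcontext -a -e / /opt/rh/ruby193/root
# (assumed here; the bug does not quote the exact scriptlet) adds this entry.
SCL_EQUIVALENCE: Dict[str, str] = {"/opt/rh/ruby193/root": "/"}


def apply_equivalence(path: str, equiv: Dict[str, str]) -> str:
    """Rewrite PATH the way an fcontext equivalence does before label lookup."""
    for prefix, target in equiv.items():
        if path == prefix or path.startswith(prefix + "/"):
            rest = path[len(prefix):]
            return (target.rstrip("/") + rest) or "/"
    return path


def match_type(path: str,
               contexts: List[Tuple[str, str]] = FILE_CONTEXTS,
               equiv: Optional[Dict[str, str]] = None) -> str:
    """Return the type assigned to PATH by the most specific matching rule.

    Simplification (assumption): among rules that fully match, the longest
    regex wins. Without an equivalence the SCL path only hits the generic
    /opt/... lib_t rule; with it, the lookup path becomes /usr/lib64/... and
    the passenger_exec_t rule applies.
    """
    lookup = apply_equivalence(path, equiv or {})
    best: Optional[Tuple[int, str]] = None
    for pattern, setype in contexts:
        if re.fullmatch(pattern, lookup) and (best is None or len(pattern) > best[0]):
            best = (len(pattern), setype)
    return best[1] if best else "unlabeled_t"


WATCHDOG = "/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog"

if __name__ == "__main__":
    print("no equivalence:  ", match_type(WATCHDOG))
    print("with equivalence:", match_type(WATCHDOG, equiv=SCL_EQUIVALENCE))
```

On a real system the equivalence only takes effect for files that are relabeled afterwards, so a packaging scriptlet that adds it must also run restorecon -R over the SCL root, and matchpathcon is the right tool to confirm the expected label before relabeling.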
Thanks, I have fixed this partly. Now I have the following problem:

type=AVC msg=audit(1393578063.240:1499): avc: denied { write } for pid=10691 comm="httpd" name="request" dev=dm-0 ino=71692 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:passenger_tmp_t:s0 tclass=sock_file
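Both denials in this bug (the execute_no_trans on a lib_t file in the description, and the write to a passenger_tmp_t socket above) are diagnosed by reading the same few AVC fields: the permission, the source and target types, and the object class. The Python below is an added example, not from the bug or from Red Hat, that parses those records and separates a labeling problem (an executable carrying a non-exec type, fixable with restorecon) from a genuine policy gap (which needs a policy update, as the maintainers conclude here). The sample audit text is constructed from the records quoted in this bug; the SYSCALL line is shortened to its key fields.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the AVC records quoted in this bug, one audit record per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1393563324.393:1404): avc: denied { execute_no_trans } for pid=6710 comm="httpd" path="/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog" dev=dm-0 ino=15018 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1393563324.393:1404): arch=c000003e syscall=59 success=no exit=-13 ppid=6709 pid=6710 comm="httpd" exe="/opt/rh/httpd24/root/usr/sbin/httpd"
type=AVC msg=audit(1393578063.240:1499): avc: denied { write } for pid=10691 comm="httpd" name="request" dev=dm-0 ino=71692 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:passenger_tmp_t:s0 tclass=sock_file
"""

# key=value pairs; values are either double-quoted or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# "avc: denied { perm1 perm2 }" header of an AVC record.
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


def parse_avc(line: str) -> Optional[Dict]:
    """Parse one audit line; return a record for AVC lines, None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    # SELinux context is user:role:type:level; index 2 is the type.
    return {
        "event": fields.get("msg", ""),
        "decision": m.group(1),
        "perms": m.group(2).split(),
        "pid": int(fields.get("pid", "0")),
        "comm": fields.get("comm", ""),
        "target": fields.get("path") or fields.get("name", ""),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass", ""),
    }


def denials(audit_text: str) -> List[Dict]:
    """All denied AVC records in AUDIT_TEXT, in order."""
    recs = (parse_avc(line) for line in audit_text.splitlines())
    return [r for r in recs if r is not None and r["decision"] == "denied"]


def explain(rec: Dict) -> str:
    """Heuristic triage (assumption: a domain executing a file that is not an
    *_exec_t type is usually a labeling error, everything else a policy gap)."""
    execute = {"execute", "execute_no_trans"} & set(rec["perms"])
    if rec["tclass"] == "file" and execute and not rec["ttype"].endswith("_exec_t"):
        return (f"{rec['stype']} executed {rec['target']} labeled {rec['ttype']}: "
                "likely a file labeling problem; compare matchpathcon with ls -Z "
                "and run restorecon")
    return (f"{rec['stype']} denied {' '.join(rec['perms'])} on {rec['tclass']} "
            f"{rec['target']} ({rec['ttype']}): label looks intentional, "
            "policy needs an allow rule")


if __name__ == "__main__":
    for rec in denials(SAMPLE_AUDIT):
        print(rec["event"], explain(rec))
```

The two classes of explanation match the two replies in this bug: the first denial went away once the file was relabeled, while the second needed a policy change in RHEL 6.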
We allow it in Fedora. We will need to update the policy in RHEL6.
patch sent.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1568.html