Description of problem:
passenger-4.0.53-4.el7 from EPEL installs the passenger helper scripts to /usr/libexec/passenger:

    # ls -lZ /usr/libexec/passenger/
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0 PassengerHelperAgent
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0 PassengerLoggingAgent
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0 PassengerWatchdog
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0 SpawnPreparer
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0 TempDirToucher

But these do not get labeled as passenger_exec_t, so I get:

    type=AVC msg=audit(1474475501.759:1134): avc: denied { sys_resource } for pid=4248 comm="PassengerWatchd" capability=24 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
    type=AVC msg=audit(1474475507.804:1136): avc: denied { fowner } for pid=4292 comm="chmod" capability=3 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
    type=AVC msg=audit(1474475507.804:1136): avc: denied { fsetid } for pid=4292 comm="chmod" capability=4 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-60.el7_2.9.noarch

Incorrect label still present with selinux-policy-3.13.1-93.el7.noarch

After changing the label I see:

    type=AVC msg=audit(1474475865.558:1139): avc: denied { getattr } for pid=4418 comm="ruby" path="/usr/bin/sudo" dev="vda2" ino=34460398 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
    type=AVC msg=audit(1474475865.558:1140): avc: denied { execute } for pid=4418 comm="ruby" name="sudo" dev="vda2" ino=34460398 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file

Not quite sure what passenger does with sudo.
You're right, they are not labeled correctly:

    # matchpathcon /usr/libexec/passenger/Passenger*
    /usr/libexec/passenger/PassengerHelperAgent     system_u:object_r:bin_t:s0
    /usr/libexec/passenger/PassengerLoggingAgent    system_u:object_r:bin_t:s0
    /usr/libexec/passenger/PassengerWatchdog        system_u:object_r:bin_t:s0
    #

It seems that their location has changed:

    # semanage fcontext -l | grep -i passenger
    /usr/share/.*/gems/.*/helper-scripts/prespawn          regular file    system_u:object_r:passenger_exec_t:s0
    /usr/lib/gems/.*/Passenger.*                           regular file    system_u:object_r:passenger_exec_t:s0
    /usr/lib/gems/.*/ApplicationPoolServerExecutable       regular file    system_u:object_r:passenger_exec_t:s0
    /usr/share/gems/.*/Passenger.*                         regular file    system_u:object_r:passenger_exec_t:s0
    /usr/share/gems/.*/ApplicationPoolServerExecutable     regular file    system_u:object_r:passenger_exec_t:s0
    /var/log/passenger.*                                   all files       system_u:object_r:passenger_log_t:s0
    /var/lib/passenger(/.*)?                               all files       system_u:object_r:passenger_var_lib_t:s0
    /var/run/passenger(/.*)?                               all files       system_u:object_r:passenger_var_run_t:s0
    #

To avoid the AVCs, please enable the httpd_run_stickshift boolean.
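As an added example (not written by either participant in this bug), the following POSIX shell script triages the AVC records quoted above into the two situations the thread describes: helpers that ran as httpd_t because their files were labeled bin_t (no domain transition to passenger_exec_t/passenger_t), and denials from passenger_t itself after relabeling, for which the comment above points at the httpd_run_stickshift boolean. The records are constructed copies of the ones in the report; the semanage/restorecon/setsebool commands are standard policycoreutils usage and are printed, not executed.

```shell
#!/bin/sh
# Triage of the AVC records in this report, with the fix each one points at.
# The three records below are constructed copies of the ones quoted in the report.
REC_WATCHDOG='type=AVC msg=audit(1474475501.759:1134): avc: denied { sys_resource } for pid=4248 comm="PassengerWatchd" capability=24 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability'
REC_CHMOD='type=AVC msg=audit(1474475507.804:1136): avc: denied { fowner } for pid=4292 comm="chmod" capability=3 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability'
REC_SUDO='type=AVC msg=audit(1474475865.558:1140): avc: denied { execute } for pid=4418 comm="ruby" name="sudo" dev="vda2" ino=34460398 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file'

# avc_field RECORD KEY: value of KEY=... (quoted or bare) in an audit record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}
# avc_perm RECORD: the permission named inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { *\([^ }]*\) *}.*/\1/p'
}
# avc_type CONTEXT: the type field of user:role:type:level.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}
# avc_triage RECORD: which situation from the report a record belongs to.
#   mislabel   - process stayed in httpd_t: the helper file was bin_t, so no
#                transition to passenger_t happened (first set of AVCs)
#   stickshift - passenger_t itself was denied; the comment above recommends
#                the httpd_run_stickshift boolean (second set, after relabel)
avc_triage() {
    stype=$(avc_type "$(avc_field "$1" scontext)")
    ttype=$(avc_type "$(avc_field "$1" tcontext)")
    case "$stype:$ttype" in
        httpd_t:httpd_t) echo mislabel ;;
        passenger_t:*)   echo stickshift ;;
        *)               echo other ;;
    esac
}
# fix_for CATEGORY: the commands an admin would run (printed, not executed).
fix_for() {
    case "$1" in
        mislabel)   printf '%s\n' 'semanage fcontext -a -t passenger_exec_t "/usr/libexec/passenger(/.*)?"' \
                                  'restorecon -Rv /usr/libexec/passenger' ;;
        stickshift) printf '%s\n' 'setsebool -P httpd_run_stickshift on' ;;
        *)          printf '%s\n' 'no fix known from this report' ;;
    esac
}
# Report: one line per record, then the fix for each category seen in the report.
for rec in "$REC_WATCHDOG" "$REC_CHMOD" "$REC_SUDO"; do
    printf '%-10s comm=%-16s denied=%s\n' "$(avc_triage "$rec")" "$(avc_field "$rec" comm)" "$(avc_perm "$rec")"
done
for kind in mislabel stickshift; do
    echo "# fix for $kind:"; fix_for "$kind"
done
```

Check the result of the relabel with matchpathcon as in the comment above; the scontext of any remaining denials should then read passenger_t rather than httpd_t.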
This bugzilla was triaged as "WONTFIX" by the SELinux team, because it concerns a third-party software component that can be fixed by the component maintainer. To take advantage of the Mandatory Access Control mechanism provided by SELinux, you (the component maintainer) can ship a custom SELinux policy as a subpackage of the affected component. As a starting point you can use the policy provided by the selinux-policy package. For more details about custom product policy, please follow the https://fedoraproject.org/wiki/SELinux/IndependentPolicy guideline.