Bug 730837 - SELinux prevents puppet running as Passenger webapp
Summary: SELinux prevents puppet running as Passenger webapp
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-08-15 21:39 UTC by Orion Poplawski
Modified: 2011-12-06 10:13 UTC (History)

Fixed In Version: selinux-policy-3.7.19-112.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:13:09 UTC
Target Upstream Version:
Embargoed:


Attachments
httpd_t denials running passenger (1.11 MB, text/x-log), 2011-08-15 21:39 UTC, Orion Poplawski
denials running puppet under passenger (4.81 KB, text/plain), 2011-09-07 17:32 UTC, Orion Poplawski
denials running puppet under passenger (6.30 KB, text/plain), 2011-09-22 17:02 UTC, Orion Poplawski
denials running puppet under passenger (9.81 KB, text/plain), 2011-11-21 21:00 UTC, Orion Poplawski
ps -feZ (77.10 KB, text/plain), 2011-11-22 16:25 UTC, Orion Poplawski


Links
Red Hat Product Errata RHBA-2011:1511 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2011-12-06 00:39:17 UTC

Description Orion Poplawski 2011-08-15 21:39:24 UTC
Created attachment 518348
httpd_t denials running passenger

Description of problem:

It's common to run the puppet server as a Passenger web application for scaling purposes.  However, the current policy prevents this.  This looks like a pretty tricky problem, as it otherwise is simply a configuration of the standard httpd process.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-106.el6.noarch

Comment 2 Daniel Walsh 2011-08-16 12:50:50 UTC
Orion is there a script that httpd executes to start ruby?  Or does it execute ruby directly?

Comment 3 Orion Poplawski 2011-08-16 15:00:38 UTC
It's a rack/passenger based app:

LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8
PassengerRuby /usr/bin/ruby

<VirtualHost *:8140>
...
        DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
        RackBaseURI /
        <Directory /usr/share/puppet/rack/puppetmasterd/>

httpd spawns off:

root      8393     1  0 Aug15 ?        00:00:02 /usr/sbin/httpd
root      8395  8393  0 Aug15 ?        00:00:00 PassengerWatchdog
root      8398  8395  0 Aug15 ?        00:01:28 PassengerHelperAgent
root      8400  8398  0 Aug15 ?        00:00:47 Passenger spawn server

Which apparently has started:

unconfined_u:system_r:httpd_t:s0 puppet   25277     1  0 07:39 ?        00:00:13 Rack: /usr/share/puppet/rack/puppetmasterd

which is a ruby process.  So I'm guessing it is starting ruby directly with an argument pointing it to a directory containing the web app to serve.  It's this process that is serving the puppet files:

type=AVC msg=audit(1313506521.745:62657): avc:  denied  { write } for  pid=25277 comm="ruby" name="andrew.cora.nwra.com.yaml" dev=dm-4 ino=655824 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file

Comment 4 Miroslav Grepl 2011-08-19 18:34:54 UTC
passenger shouldn't be running in the httpd domain. How are the passenger agents labeled?


# ls -lZ /usr/lib/ruby/gems/1.8/passenger-.3.0.8/agents

Comment 5 Orion Poplawski 2011-08-19 18:50:17 UTC
# ls -lZ /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/agents
drwxr-xr-x. root root unconfined_u:object_r:lib_t:s0   apache2
-rwxr-xr-x. root root unconfined_u:object_r:lib_t:s0   PassengerLoggingAgent
-rwxr-xr-x. root root unconfined_u:object_r:lib_t:s0   PassengerWatchdog
# restorecon -r -v /usr/lib/ruby/
restorecon reset /usr/lib/ruby/gems/1.8/gems/rake-0.9.2/bin context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/rake-0.9.2/bin/rake context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/bin context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/bin/passenger-config context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/bin/passenger context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/bin/passenger-status context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/bin/passenger-make-enterprisey context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/bin/passenger-memory-stats context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/bin/passenger-install-nginx-module context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/bin/passenger-install-apache2-module context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/agents/apache2/PassengerHelperAgent context unconfined_u:object_r:lib_t:s0->system_u:object_r:passenger_exec_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/agents/PassengerLoggingAgent context unconfined_u:object_r:lib_t:s0->system_u:object_r:passenger_exec_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/agents/PassengerWatchdog context unconfined_u:object_r:lib_t:s0->system_u:object_r:passenger_exec_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/helper-scripts context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/helper-scripts/prespawn context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/helper-scripts/passenger-spawn-server context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
# ps -feZ | grep -Fi pass
unconfined_u:system_r:passenger_t:s0 root 20167 20165  0 12:46 ?       00:00:00 PassengerWatchdog
unconfined_u:system_r:passenger_t:s0 root 20170 20167  0 12:46 ?       00:00:00 PassengerHelperAgent
unconfined_u:system_r:passenger_t:s0 root 20172 20170  1 12:46 ?       00:00:00 Passenger spawn server
unconfined_u:system_r:passenger_t:s0 nobody 20175 20167  0 12:46 ?     00:00:00 PassengerLoggingAgent


Still get some denials though:
type=AVC msg=audit(1313779737.516:108290): avc:  denied  { write } for  pid=20183 comm="httpd" name="ruby.xPKq5mGg6wTGqD4U2UO0waCletpkXzHjq8PPT6T279HnPjaTNfTIRUu" dev=tmpfs ino=242803 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1313779738.846:108294): avc:  denied  { getattr } for  pid=20318 comm="ruby" path="/var/lib/puppet/yaml/node/orca.cora.nwra.com.yaml" dev=dm-4 ino=655842 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1313779738.847:108295): avc:  denied  { read } for  pid=20318 comm="ruby" name="orca.cora.nwra.com.yaml" dev=dm-4 ino=655842 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1313779738.847:108295): avc:  denied  { open } for  pid=20318 comm="ruby" name="orca.cora.nwra.com.yaml" dev=dm-4 ino=655842 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1313779738.847:108296): avc:  denied  { lock } for  pid=20318 comm="ruby" path="/var/lib/puppet/yaml/node/orca.cora.nwra.com.yaml" dev=dm-4 ino=655842 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1313779738.867:108297): avc:  denied  { write } for  pid=20318 comm="ruby" name="orca.cora.nwra.com.yaml" dev=dm-4 ino=655842 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1313779739.042:108298): avc:  denied  { sendto } for  pid=20318 comm="ruby" path="/dev/log" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1313779741.363:108299): avc:  denied  { lock } for  pid=20318 comm="ruby" path="/var/lib/puppet/yaml/node/draco.cora.nwra.com.yaml" dev=dm-4 ino=655832 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1313779741.376:108300): avc:  denied  { write } for  pid=20318 comm="ruby" name="draco.cora.nwra.com.yaml" dev=dm-4 ino=655832 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1313779750.215:108312): avc:  denied  { write } for  pid=20377 comm="PassengerHelper" name="socket.20170.38116192" dev=tmpfs ino=238056 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1313779750.221:108313): avc:  denied  { write } for  pid=20379 comm="ruby" name="backends" dev=tmpfs ino=238025 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1313779750.221:108313): avc:  denied  { add_name } for  pid=20379 comm="ruby" name="ruby.AMF7eLiulPuSnotcRyUOlWwlLlCVaAItHONAaxyPKI0cz10nr5GEwhf" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1313779750.221:108313): avc:  denied  { create } for  pid=20379 comm="ruby" name="ruby.AMF7eLiulPuSnotcRyUOlWwlLlCVaAItHONAaxyPKI0cz10nr5GEwhf" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1313779750.221:108314): avc:  denied  { setattr } for  pid=20379 comm="ruby" name="ruby.AMF7eLiulPuSnotcRyUOlWwlLlCVaAItHONAaxyPKI0cz10nr5GEwhf" dev=tmpfs ino=248295 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file

Comment 6 Miroslav Grepl 2011-08-22 10:51:06 UTC
I am adding fixes which Dan added to Fedora.

Comment 7 Miroslav Grepl 2011-08-22 10:52:44 UTC
Also, could you use the

/var/run/passenger

directory instead of the /tmp directory?

Comment 8 Orion Poplawski 2011-08-22 14:15:13 UTC
Thanks.  I have no idea how to use /var/run/passenger instead of /tmp though.

Comment 9 Orion Poplawski 2011-08-23 17:28:24 UTC
Okay, set PassengerTempDir in the puppetmaster.conf apache config file.

Comment 10 Miroslav Grepl 2011-08-24 15:32:02 UTC
Fixed in selinux-policy-3.7.19-108.el6

Comment 11 Orion Poplawski 2011-08-30 16:13:50 UTC
The puppet certs are kept in /var/lib/puppet/ssl/certs/ and need to be read by httpd via the puppetmaster.conf file:

        SSLCertificateFile      /var/lib/puppet/ssl/certs/saga.cora.nwra.com.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/saga.cora.nwra.com.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem

However this is denied, along with binding to the puppet port.

type=AVC msg=audit(1314720716.796:861667): avc:  denied  { search } for  pid=23939 comm="httpd" name="puppet" dev=dm-4 ino=524342 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1314720716.796:861667): avc:  denied  { getattr } for  pid=23939 comm="httpd" path="/var/lib/puppet/ssl/certs/saga.cora.nwra.com.pem" dev=dm-4 ino=655781 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1314720716.898:861668): avc:  denied  { name_bind } for  pid=23939 comm="httpd" src=8140 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1314720717.243:861669): avc:  denied  { sys_resource } for  pid=23940 comm="PassengerWatchd" capability=24  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1314720717.664:861670): avc:  denied  { getattr } for  pid=23939 comm="httpd" path="/var/lib/puppet/ssl/certs/saga.cora.nwra.com.pem" dev=dm-4 ino=655781 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1314720717.664:861671): avc:  denied  { read } for  pid=23939 comm="httpd" name="saga.cora.nwra.com.pem" dev=dm-4 ino=655781 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1314720717.664:861671): avc:  denied  { open } for  pid=23939 comm="httpd" name="saga.cora.nwra.com.pem" dev=dm-4 ino=655781 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
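
The denials in comments 5 and 11 are diagnosed above by reading raw audit lines by eye and noting which domain each process ran in. As an added example that is not part of the bug report, this Python helper parses AVC records, groups the denied permissions by source type, target type and object class, and flags processes whose comm ran in a domain other than the one expected (Passenger agents in httpd_t rather than passenger_t). The sample records are copied from the comments above; the EXPECTED_DOMAIN table is an assumption drawn from the thread's discussion, not from the policy itself.

```python
"""Summarize SELinux AVC denials from audit.log-style records.

Added example, not code from the bug report: groups denied permissions by
(source type, target type, object class) and flags processes that were
denied while running in an unexpected domain, such as Passenger agents in
httpd_t instead of passenger_t.
"""
import re
from collections import defaultdict

# key=value tokens; values are quoted (comm="ruby") or bare (pid=20318).
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# The denied permission set, e.g. 'avc:  denied  { read open }'.
_PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}')

# Expected domain per process (an assumption drawn from the thread: the
# Passenger agents belong in passenger_t, not the web server's httpd_t).
# The kernel truncates comm to 15 characters, hence the cut-off names.
EXPECTED_DOMAIN = {
    'PassengerWatchd': 'passenger_t',
    'PassengerHelper': 'passenger_t',
    'PassengerLoggin': 'passenger_t',
}

# Sample records copied from comments 5 and 11 of this report.
SAMPLE_DENIALS = [
    'type=AVC msg=audit(1313779737.516:108290): avc:  denied  { write } for  pid=20183 comm="httpd" name="ruby.xPKq5mGg6wTGqD4U2UO0waCletpkXzHjq8PPT6T279HnPjaTNfTIRUu" dev=tmpfs ino=242803 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1313779738.846:108294): avc:  denied  { getattr } for  pid=20318 comm="ruby" path="/var/lib/puppet/yaml/node/orca.cora.nwra.com.yaml" dev=dm-4 ino=655842 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1313779738.847:108295): avc:  denied  { read } for  pid=20318 comm="ruby" name="orca.cora.nwra.com.yaml" dev=dm-4 ino=655842 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1313779738.867:108297): avc:  denied  { write } for  pid=20318 comm="ruby" name="orca.cora.nwra.com.yaml" dev=dm-4 ino=655842 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1313779739.042:108298): avc:  denied  { sendto } for  pid=20318 comm="ruby" path="/dev/log" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket',
    'type=AVC msg=audit(1313779750.215:108312): avc:  denied  { write } for  pid=20377 comm="PassengerHelper" name="socket.20170.38116192" dev=tmpfs ino=238056 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1314720716.898:861668): avc:  denied  { name_bind } for  pid=23939 comm="httpd" src=8140 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1314720717.243:861669): avc:  denied  { sys_resource } for  pid=23940 comm="PassengerWatchd" capability=24  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability',
]


def parse_avc(line):
    """Parse one audit line into a dict (with a 'perms' set); None if not an AVC denial."""
    m = _PERMS_RE.search(line)
    if m is None:
        return None
    rec = {'perms': set(m.group(1).split())}
    for key, raw, quoted in _KV_RE.findall(line):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(':')[2]


def summarize(lines):
    """Map (source type, target type, class) -> sorted list of denied permissions."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or 'scontext' not in rec or 'tcontext' not in rec:
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        grouped[key] |= rec['perms']
    return {key: sorted(perms) for key, perms in grouped.items()}


def misplaced_processes(lines):
    """Map (comm, pid) -> actual domain for denials raised outside the expected domain.

    Such a denial points at a labeling/transition problem (e.g. restorecon on the
    agent binaries), not at a permission that httpd_t should be granted.
    """
    misplaced = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.get('comm') not in EXPECTED_DOMAIN:
            continue
        actual = type_of(rec['scontext'])
        if actual != EXPECTED_DOMAIN[rec['comm']]:
            misplaced[(rec['comm'], rec['pid'])] = actual
    return misplaced


def report(lines):
    """Render both analyses as text, one finding per line."""
    out = []
    for (src, tgt, cls), perms in sorted(summarize(lines).items()):
        out.append(f'{src} -> {tgt} ({cls}): {" ".join(perms)}')
    for (comm, pid), domain in sorted(misplaced_processes(lines).items()):
        out.append(f'WRONG DOMAIN: {comm} pid {pid} ran as {domain}, '
                   f'expected {EXPECTED_DOMAIN[comm]}')
    return out


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_DENIALS)))
```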

Comment 13 Miroslav Grepl 2011-09-05 07:55:25 UTC
Orion, 
what does

# ps -efZ |grep passenger

Comment 14 Orion Poplawski 2011-09-06 16:24:02 UTC
# ps -efZ | grep -Fi passenger
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 14393 3083  1 10:22 pts/0 00:00:00 grep -Fi passenger
system_u:system_r:httpd_t:s0    root     18141 10488  0 Sep04 ?        00:00:00 PassengerWatchdog
system_u:system_r:httpd_t:s0    root     18149 18141  0 Sep04 ?        00:05:21 PassengerHelperAgent
system_u:system_r:httpd_t:s0    root     18165 18149  0 Sep04 ?        00:01:18 Passenger spawn server                                                                                                                                       
system_u:system_r:httpd_t:s0    nobody   18168 18141  0 Sep04 ?        00:00:00 PassengerLoggingAgent

[root@saga tmp]# restorecon -r -v /usr/lib/ruby/gems/1.8/gems
[root@saga tmp]#

Comment 15 Miroslav Grepl 2011-09-07 12:17:38 UTC
Strange, could you add the labels of these agents?

ls -Z PATHTO/PassengerWatchdog

...

Comment 16 Orion Poplawski 2011-09-07 14:34:41 UTC
ls -lZ /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/agents
drwxr-xr-x. root root system_u:object_r:bin_t:s0       apache2
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       PassengerWatchdog

Comment 17 Miroslav Grepl 2011-09-07 15:16:52 UTC
I have found a bug.

Please execute 

# chcon -t passenger_exec_t PATHTO/PassengerWatchdog PATHTO/PassengerLoggingAgent PATHTO/apache2/PassengerHelperAgent

Comment 18 Orion Poplawski 2011-09-07 17:32:03 UTC
Created attachment 521953
denials running puppet under passenger

Well, that does change things.  But it still looks like the main httpd process loads the certificates.

Comment 19 Orion Poplawski 2011-09-15 16:09:14 UTC
Also, the rack puppetmasterd process is still running in httpd_t:

# ps -Zfe | grep 10976
system_u:system_r:httpd_t:s0    puppet   10976     1  0 07:39 ?        00:00:31 Rack: /usr/share/puppet/rack/puppetmasterd

Comment 21 Orion Poplawski 2011-09-22 17:02:43 UTC
Created attachment 524454
denials running puppet under passenger

Still not working for me under enforcing.  Here are updated denials running in permissive mode with selinux-policy-3.7.19-113.el6.noarch.  Still seeing:

unconfined_u:system_r:httpd_t:s0 puppet  32313     1  2 10:58 ?        00:00:00 Rack: /usr/share/puppet/rack/puppetmasterd

Comment 22 Miroslav Grepl 2011-09-22 18:12:57 UTC
Orion, 
we don't have the httpd_passenger_helper_t type in RHEL6. You are using a policy which I created for passenger3, but RHEL6 has only the passenger_t domain type for passenger services.

Also, is puppet really executed by httpd, or is it executed by passenger, which is wrongly running in the httpd domain?

I would like to see your labels for all passenger agents.

Comment 23 Orion Poplawski 2011-09-22 19:34:52 UTC
# restorecon -r -v /usr/lib/ruby/gems/1.8/gems
# ls -lZ /usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/*
-rwxrwxr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerLoggingAgent
-rwxrwxr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerWatchdog

/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/apache2:
-rwxrwxr-x. root root system_u:object_r:httpd_passenger_helper_exec_t:s0 PassengerHelperAgent
# ps -feZ | grep -Fi pass
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 17623 459  0 13:30 pts/1 00:00:00 grep -Fi pass
unconfined_u:system_r:httpd_t:s0 root    32692 32690  0 11:01 ?        00:00:00 PassengerWatchdog
unconfined_u:system_r:httpd_passenger_helper_t:s0 root 32695 32692  0 11:01 ? 00:00:16 PassengerHelperAgent
unconfined_u:system_r:httpd_t:s0 root    32697 32695  0 11:01 ?        00:00:05 Passenger spawn server                                                                                                                                       
unconfined_u:system_r:httpd_t:s0 nobody  32700 32692  0 11:01 ?        00:00:00 PassengerLoggingAgent
# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
# ps -feZ | grep -Fi pass
unconfined_u:system_r:passenger_t:s0 root 17729 17727  0 13:31 ?       00:00:00 PassengerWatchdog
unconfined_u:system_r:passenger_t:s0 root 17732 17729  0 13:31 ?       00:00:00 PassengerHelperAgent
unconfined_u:system_r:httpd_t:s0 root    17734 17732  0 13:31 ?        00:00:00 Passenger spawn server                                                                                                                                       
unconfined_u:system_r:passenger_t:s0 nobody 17737 17729  0 13:31 ?     00:00:00 PassengerLoggingAgent

I didn't know what label the PassengerHelperAgent file should have.  Still not able to run in enforcing mode.

Comment 24 Miroslav Grepl 2011-09-23 05:45:22 UTC
On my RHEL6 machine with the latest policy:

#matchpathcon /usr/lib/ruby/gems/1.8/passenger-3.0.9/agents/apache2/PassengerHelperAgent
/usr/lib/ruby/gems/1.8/passenger-3.0.9/agents/apache2/PassengerHelperAgent	system_u:object_r:passenger_exec_t:s0

#matchpathcon /usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerWatchdog
/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerWatchdog	system_u:object_r:passenger_exec_t:s0

#matchpathcon /usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerLoggingAgent
/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerLoggingAgent	system_u:object_r:passenger_exec_t:s0


What does 

# rpm -q selinux-policy

Comment 25 Brett Lentz 2011-09-23 14:19:25 UTC
I'm also working on getting puppetmasterd working under passenger on el6, with selinux enforcing.

With this policy version:

[root@ip-10-32-35-198 ~]# rpm -q selinux-policy
selinux-policy-3.7.19-113.el6.noarch

I'm now getting this message when a client connects to retrieve its catalog:

type=AVC msg=audit(1316786783.223:879448): avc:  denied  { write } for  pid=14981 comm="ruby" name="ip-10-32-35-198.ec2.internal.yaml" dev=xvda1 ino=276598 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1316786800.149:879681): avc:  denied  { write } for  pid=14981 comm="ruby" name="ip-10-32-35-198.ec2.internal.yaml" dev=xvda1 ino=276598 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file


The puppetmasterd process needs to be able to write to /var/lib/puppet/yaml.

Here's my current labelling: 

[root@ip-10-32-35-198 ~]# ls -Z /var/lib/puppet/
drwxr-x---. puppet puppet system_u:object_r:puppet_var_lib_t:s0 bucket
-rw-r--r--. root   root   system_u:object_r:puppet_var_lib_t:s0 classes.txt
drwxr-x---. root   root   system_u:object_r:puppet_var_lib_t:s0 clientbucket
drwxr-x---. root   root   system_u:object_r:puppet_var_lib_t:s0 client_yaml
drwxr-xr-x. root   root   system_u:object_r:puppet_var_lib_t:s0 facts
drwxrwxr-x. root   root   system_u:object_r:puppet_var_lib_t:s0 lib
drwxr-x---. puppet puppet system_u:object_r:puppet_var_lib_t:s0 reports
drwxr-xr-x. puppet puppet system_u:object_r:puppet_var_lib_t:s0 rrd
drwxrwx--x. puppet root   system_u:object_r:puppet_var_lib_t:s0 ssl
drwxr-xr-t. root   root   system_u:object_r:puppet_var_lib_t:s0 state
drwxr-x---. puppet puppet system_u:object_r:puppet_var_lib_t:s0 yaml

[root@ip-10-32-35-198 ~]# ps auxZ | grep -e http -e puppet
system_u:system_r:httpd_t:s0    root       979  0.0  0.0 206536  6044 ?        Ss   10:13   0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0    root       981  0.0  0.0 213664  1824 ?        Ssl  10:13   0:00 PassengerWatchdog
system_u:system_r:httpd_t:s0    root       987  0.0  0.0 290092  2108 ?        Sl   10:13   0:00 PassengerHelperAgent
system_u:system_r:httpd_t:s0    root       990  0.0  0.1  52928  9384 ?        Sl   10:13   0:00 Passenger spawn server                                                                                                                                       
system_u:system_r:httpd_t:s0    nobody     993  0.0  0.0 147788  3736 ?        Sl   10:13   0:00 PassengerLoggingAgent
system_u:system_r:httpd_t:s0    apache    1004  0.0  0.0 206536  3392 ?        S    10:13   0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0    apache    1005  0.0  0.0 206536  3392 ?        S    10:13   0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0    apache    1006  0.0  0.0 206536  3392 ?        S    10:13   0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0    apache    1008  0.0  0.0 206536  3396 ?        S    10:13   0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0    apache    1009  0.0  0.0 206536  3392 ?        S    10:13   0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0    apache    1010  0.0  0.0 206536  3392 ?        S    10:13   0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0    apache    1011  0.0  0.0 206536  3392 ?        S    10:13   0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0    apache    1012  0.0  0.0 206536  3392 ?        S    10:13   0:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1085 0.0  0.0 103224 896 pts/0 S+ 10:17   0:00 grep -e http -e puppet

Comment 26 Orion Poplawski 2011-09-23 15:01:16 UTC
(In reply to comment #24)
> on my RHEL6 machine with the latest policy
> 
> #matchpathcon
> /usr/lib/ruby/gems/1.8/passenger-3.0.9/agents/apache2/PassengerHelperAgent
> /usr/lib/ruby/gems/1.8/passenger-3.0.9/agents/apache2/PassengerHelperAgent
> system_u:object_r:passenger_exec_t:s0

Different path on my machine:
# matchpathcon /usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerWatchdog
/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerWatchdog    system_u:object_r:httpd_exec_t:s0

From mod_passenger-3.0.9-1.el6.x86_64 from http://passenger.stealthymonkeys.com/rhel/6

> #matchpathcon
> /usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerWatchdog
> /usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerWatchdog
> system_u:object_r:passenger_exec_t:s0

/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerWatchdog    system_u:object_r:httpd_exec_t:s0

> #matchpathcon
> /usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerLoggingAgent
> /usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerLoggingAgent
> system_u:object_r:passenger_exec_t:s0

/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerLoggingAgent        system_u:object_r:httpd_exec_t:s0

> # rpm -q selinux-policy
selinux-policy-3.7.19-113.el6.noarch

Comment 27 Orion Poplawski 2011-09-23 15:02:57 UTC
semodule -l shows:
passanger       1.0.0
rubygem_passenger       1.5
puppet  1.0.0

Should that be "passenger" instead of "passanger"?

Comment 28 Miroslav Grepl 2011-09-29 10:58:40 UTC
Well, I guess the problem is "rubygem_passenger"  module. I would like to know what this module contains.

They need to add labeling for passenger apps.

> Should that be "passenger" instead of "passanger"?
I am fixing this.

Comment 29 Orion Poplawski 2011-09-29 14:59:16 UTC
# rpm -ql mod_passenger
/etc/httpd/conf.d/passenger.conf
/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/apache2
/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/apache2/PassengerHelperAgent
/usr/lib64/httpd/modules/mod_passenger.so
/usr/share/doc/mod_passenger-3.0.9
/usr/share/doc/mod_passenger-3.0.9/Users guide Apache.html
/usr/share/doc/mod_passenger-3.0.9/Users guide Apache.txt

Support link for it is here: https://github.com/erikogan/passenger/issues

Looks like there is an issue open there for SELinux issues.

Comment 30 Miroslav Grepl 2011-09-29 15:02:38 UTC
What does

grep -r ruby /etc/selinux/targeted/contexts/files/

Comment 31 Orion Poplawski 2011-09-29 15:06:05 UTC
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?system_u:object_r:bin_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/ruby/gems/.*/agents(/.*)?   system_u:object_r:bin_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog  --      system_u:object_r:passenger_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent      --      system_u:object_r:passenger_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent       --      system_u:object_r:passenger_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable       --      system_u:object_r:passenger_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/Passenger.*       system_u:object_r:httpd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/(apache2|nginx)/PassengerHelperAgent      system_u:object_r:httpd_passenger_helper_exec_t:s0

Comment 32 Miroslav Grepl 2011-09-29 15:17:06 UTC
Please execute

# semodule -d rubygem_passenger  
# restorecon -R -v /usr/lib/ruby/gems

Comment 33 Orion Poplawski 2011-09-29 16:05:49 UTC
Ah, gotcha, selinux module.  That's coming from:

# rpm -qf /usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.pp
rubygem-passenger-native-3.0.9-1.el6.x86_64

which also comes from the stealthymonkeys passenger repo.

# rpm -ql rubygem-passenger-native
/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerLoggingAgent
/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerWatchdog
/usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.pp
/var/log/passenger-analytics
/var/run/passenger

Comment 34 Orion Poplawski 2011-11-21 18:58:53 UTC
So, where do we stand on this?

Comment 35 Miroslav Grepl 2011-11-21 19:07:45 UTC
Does it work without rubygem-passenger.pp module for you?

Comment 36 Orion Poplawski 2011-11-21 21:00:56 UTC
Created attachment 534857
denials running puppet under passenger

No, still lots of denials.

# semodule -l | grep pass
passenger       1.0.0
rubygem_passenger       1.5     Disabled

selinux-policy-3.7.19-130.el6.noarch

unconfined_u:system_r:passenger_t:s0 root 6645  6643  0 13:20 ?        00:00:00 PassengerWatchdog
unconfined_u:system_r:passenger_t:s0 root 6648  6645  0 13:20 ?        00:00:09 PassengerHelperAgent
unconfined_u:system_r:httpd_t:s0 root     6650  6648  0 13:20 ?        00:00:02 Passenger spawn server                                       
unconfined_u:system_r:passenger_t:s0 nobody 6653 6645  0 13:20 ?       00:00:00 PassengerLoggingAgent
unconfined_u:system_r:httpd_t:s0 puppet   6698     1  0 13:21 ?        00:00:13 Rack: /usr/share/puppet/rack/puppetmasterd            
unconfined_u:system_r:httpd_t:s0 puppet   7529     1  0 13:23 ?        00:00:03 Rack: /usr/share/puppet/rack/puppetmasterd

Comment 37 Miroslav Grepl 2011-11-22 10:45:40 UTC
Could you add this output for me, using

# ps -efZ


Thank you.

Comment 38 Orion Poplawski 2011-11-22 16:25:55 UTC
Created attachment 535103
ps -feZ

Comment 40 errata-xmlrpc 2011-12-06 10:13:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

