Bug 730837 - SELinux prevents puppet running as Passenger webapp
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2011-08-15 17:39 EDT by Orion Poplawski
Modified: 2011-12-06 05:13 EST (History)
Fixed In Version: selinux-policy-3.7.19-112.el6
Doc Type: Bug Fix
Last Closed: 2011-12-06 05:13:09 EST


Attachments:
httpd_t denials running passenger (1.11 MB, text/x-log) - 2011-08-15 17:39 EDT, Orion Poplawski
denials running puppet under passenger (4.81 KB, text/plain) - 2011-09-07 13:32 EDT, Orion Poplawski
denials running puppet under passenger (6.30 KB, text/plain) - 2011-09-22 13:02 EDT, Orion Poplawski
denials running puppet under passenger (9.81 KB, text/plain) - 2011-11-21 16:00 EST, Orion Poplawski
ps -feZ (77.10 KB, text/plain) - 2011-11-22 11:25 EST, Orion Poplawski
Description Orion Poplawski 2011-08-15 17:39:24 EDT
Created attachment 518348 [details]
httpd_t denials running passenger

Description of problem:

It's common to run the puppet server as a Passenger web application for scaling purposes.  However, the current policy prevents this.  This looks like a pretty tricky problem as it otherwise is simply a configuration of the standard httpd process.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-106.el6.noarch
Comment 2 Daniel Walsh 2011-08-16 08:50:50 EDT
Orion is there a script that httpd executes to start ruby?  Or does it execute ruby directly?
Comment 3 Orion Poplawski 2011-08-16 11:00:38 EDT
It's a rack/passenger based app:

LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8
PassengerRuby /usr/bin/ruby

<VirtualHost *:8140>
...
        DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
        RackBaseURI /
        <Directory /usr/share//puppet/rack/puppetmasterd/>

httpd spawns off:

root      8393     1  0 Aug15 ?        00:00:02 /usr/sbin/httpd
root      8395  8393  0 Aug15 ?        00:00:00 PassengerWatchdog
root      8398  8395  0 Aug15 ?        00:01:28 PassengerHelperAgent
root      8400  8398  0 Aug15 ?        00:00:47 Passenger spawn server

Which apparently has started:

unconfined_u:system_r:httpd_t:s0 puppet   25277     1  0 07:39 ?        00:00:13 Rack: /usr/share/puppet/rack/puppetmasterd

which is a ruby process.  So I'm guessing it is starting ruby directly with an argument pointing it to a directory containing the web app to serve.  It's this process that is serving the puppet files:

type=AVC msg=audit(1313506521.745:62657): avc:  denied  { write } for  pid=25277 comm="ruby" name="andrew.cora.nwra.com.yaml" dev=dm-4 ino=655824 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
Comment 4 Miroslav Grepl 2011-08-19 14:34:54 EDT
passenger shouldn't be running in the httpd domain. How are the passenger agents labeled?


# ls -lZ /usr/lib/ruby/gems/1.8/passenger-.3.0.8/agents
Comment 5 Orion Poplawski 2011-08-19 14:50:17 EDT
# ls -lZ /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/agents
drwxr-xr-x. root root unconfined_u:object_r:lib_t:s0   apache2
-rwxr-xr-x. root root unconfined_u:object_r:lib_t:s0   PassengerLoggingAgent
-rwxr-xr-x. root root unconfined_u:object_r:lib_t:s0   PassengerWatchdog
# restorecon -r -v /usr/lib/ruby/
restorecon reset /usr/lib/ruby/gems/1.8/gems/rake-0.9.2/bin context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/rake-0.9.2/bin/rake context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/bin context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/bin/passenger-config context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/bin/passenger context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/bin/passenger-status context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/bin/passenger-make-enterprisey context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/bin/passenger-memory-stats context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/bin/passenger-install-nginx-module context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/bin/passenger-install-apache2-module context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/agents/apache2/PassengerHelperAgent context unconfined_u:object_r:lib_t:s0->system_u:object_r:passenger_exec_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/agents/PassengerLoggingAgent context unconfined_u:object_r:lib_t:s0->system_u:object_r:passenger_exec_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/agents/PassengerWatchdog context unconfined_u:object_r:lib_t:s0->system_u:object_r:passenger_exec_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/helper-scripts context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/helper-scripts/prespawn context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/helper-scripts/passenger-spawn-server context unconfined_u:object_r:lib_t:s0->system_u:object_r:bin_t:s0
# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
# ps -feZ | grep -Fi pass
unconfined_u:system_r:passenger_t:s0 root 20167 20165  0 12:46 ?       00:00:00 PassengerWatchdog
unconfined_u:system_r:passenger_t:s0 root 20170 20167  0 12:46 ?       00:00:00 PassengerHelperAgent
unconfined_u:system_r:passenger_t:s0 root 20172 20170  1 12:46 ?       00:00:00 Passenger spawn server
unconfined_u:system_r:passenger_t:s0 nobody 20175 20167  0 12:46 ?     00:00:00 PassengerLoggingAgent


Still get some denials though:
type=AVC msg=audit(1313779737.516:108290): avc:  denied  { write } for  pid=20183 comm="httpd" name="ruby.xPKq5mGg6wTGqD4U2UO0waCletpkXzHjq8PPT6T279HnPjaTNfTIRUu" dev=tmpfs ino=242803 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1313779738.846:108294): avc:  denied  { getattr } for  pid=20318 comm="ruby" path="/var/lib/puppet/yaml/node/orca.cora.nwra.com.yaml" dev=dm-4 ino=655842 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1313779738.847:108295): avc:  denied  { read } for  pid=20318 comm="ruby" name="orca.cora.nwra.com.yaml" dev=dm-4 ino=655842 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1313779738.847:108295): avc:  denied  { open } for  pid=20318 comm="ruby" name="orca.cora.nwra.com.yaml" dev=dm-4 ino=655842 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1313779738.847:108296): avc:  denied  { lock } for  pid=20318 comm="ruby" path="/var/lib/puppet/yaml/node/orca.cora.nwra.com.yaml" dev=dm-4 ino=655842 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1313779738.867:108297): avc:  denied  { write } for  pid=20318 comm="ruby" name="orca.cora.nwra.com.yaml" dev=dm-4 ino=655842 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1313779739.042:108298): avc:  denied  { sendto } for  pid=20318 comm="ruby" path="/dev/log" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1313779741.363:108299): avc:  denied  { lock } for  pid=20318 comm="ruby" path="/var/lib/puppet/yaml/node/draco.cora.nwra.com.yaml" dev=dm-4 ino=655832 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1313779741.376:108300): avc:  denied  { write } for  pid=20318 comm="ruby" name="draco.cora.nwra.com.yaml" dev=dm-4 ino=655832 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1313779750.215:108312): avc:  denied  { write } for  pid=20377 comm="PassengerHelper" name="socket.20170.38116192" dev=tmpfs ino=238056 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1313779750.221:108313): avc:  denied  { write } for  pid=20379 comm="ruby" name="backends" dev=tmpfs ino=238025 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1313779750.221:108313): avc:  denied  { add_name } for  pid=20379 comm="ruby" name="ruby.AMF7eLiulPuSnotcRyUOlWwlLlCVaAItHONAaxyPKI0cz10nr5GEwhf" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1313779750.221:108313): avc:  denied  { create } for  pid=20379 comm="ruby" name="ruby.AMF7eLiulPuSnotcRyUOlWwlLlCVaAItHONAaxyPKI0cz10nr5GEwhf" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1313779750.221:108314): avc:  denied  { setattr } for  pid=20379 comm="ruby" name="ruby.AMF7eLiulPuSnotcRyUOlWwlLlCVaAItHONAaxyPKI0cz10nr5GEwhf" dev=tmpfs ino=248295 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
Comment 6 Miroslav Grepl 2011-08-22 06:51:06 EDT
I am adding fixes which Dan added to Fedora.
Comment 7 Miroslav Grepl 2011-08-22 06:52:44 EDT
Also, could you use the /var/run/passenger directory instead of the /tmp directory?
Comment 8 Orion Poplawski 2011-08-22 10:15:13 EDT
Thanks.  I have no idea how to use /var/run/passenger instead of /tmp though.
Comment 9 Orion Poplawski 2011-08-23 13:28:24 EDT
Okay, set PassengerTempDir in the puppetmaster.conf apache config file.
Comment 10 Miroslav Grepl 2011-08-24 11:32:02 EDT
Fixed in selinux-policy-3.7.19-108.el6
Comment 11 Orion Poplawski 2011-08-30 12:13:50 EDT
The puppet certs are kept in /var/lib/puppet/ssl/certs/ and need to be read by httpd via the puppetmaster.conf file:

        SSLCertificateFile      /var/lib/puppet/ssl/certs/saga.cora.nwra.com.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/saga.cora.nwra.com.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem

However this is denied, along with binding to the puppet port.

type=AVC msg=audit(1314720716.796:861667): avc:  denied  { search } for  pid=23939 comm="httpd" name="puppet" dev=dm-4 ino=524342 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1314720716.796:861667): avc:  denied  { getattr } for  pid=23939 comm="httpd" path="/var/lib/puppet/ssl/certs/saga.cora.nwra.com.pem" dev=dm-4 ino=655781 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1314720716.898:861668): avc:  denied  { name_bind } for  pid=23939 comm="httpd" src=8140 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1314720717.243:861669): avc:  denied  { sys_resource } for  pid=23940 comm="PassengerWatchd" capability=24  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1314720717.664:861670): avc:  denied  { getattr } for  pid=23939 comm="httpd" path="/var/lib/puppet/ssl/certs/saga.cora.nwra.com.pem" dev=dm-4 ino=655781 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1314720717.664:861671): avc:  denied  { read } for  pid=23939 comm="httpd" name="saga.cora.nwra.com.pem" dev=dm-4 ino=655781 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1314720717.664:861671): avc:  denied  { open } for  pid=23939 comm="httpd" name="saga.cora.nwra.com.pem" dev=dm-4 ino=655781 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
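To triage a denial dump like the ones in comments 5 and 11 (the attached logs are much longer), here is an added example; it is not code from this report. It parses AVC lines into (source domain, target type, object class) buckets with the union of denied permissions, and separately flags Passenger agents or the Rack ruby app whose denials show them confined outside passenger_t, which is the recurring finding in this thread. The sample lines are copied from the comments above; the trailing SYSCALL line is constructed to show that non-AVC records are skipped.

```python
"""Triage a batch of SELinux AVC denials.

Added example, not code from this bug report. SAMPLE is copied from the
denials posted in comments 3, 5 and 11; the final SYSCALL line is constructed
to show that non-AVC records are ignored.
"""
import re
from collections import defaultdict

# key=value fields; values are either double-quoted (comm="ruby") or bare (pid=25277)
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the permission set sits between braces: avc:  denied  { read open } for ...
_PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')

SAMPLE = [
    'type=AVC msg=audit(1313506521.745:62657): avc:  denied  { write } for  pid=25277 comm="ruby" name="andrew.cora.nwra.com.yaml" dev=dm-4 ino=655824 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1313779738.847:108295): avc:  denied  { read } for  pid=20318 comm="ruby" name="orca.cora.nwra.com.yaml" dev=dm-4 ino=655842 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1313779738.847:108295): avc:  denied  { open } for  pid=20318 comm="ruby" name="orca.cora.nwra.com.yaml" dev=dm-4 ino=655842 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1313779739.042:108298): avc:  denied  { sendto } for  pid=20318 comm="ruby" path="/dev/log" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket',
    'type=AVC msg=audit(1313779750.215:108312): avc:  denied  { write } for  pid=20377 comm="PassengerHelper" name="socket.20170.38116192" dev=tmpfs ino=238056 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1314720716.898:861668): avc:  denied  { name_bind } for  pid=23939 comm="httpd" src=8140 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1314720717.243:861669): avc:  denied  { sys_resource } for  pid=23940 comm="PassengerWatchd" capability=24  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability',
    # constructed non-AVC record: must be skipped by the parser
    'type=SYSCALL msg=audit(1314720717.243:861669): arch=c000003e syscall=2 success=yes',
]


def parse_avc(line):
    """Return one denial as a dict, or None when the line is not an AVC record."""
    m = _PERMS_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    rec["perms"] = set(m.group(1).split())
    # "unconfined_u:system_r:httpd_t:s0" -> "httpd_t": the type is field 3 of a context
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(lines):
    """Fold denials into {(source domain, target type, class): set of permissions}."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            summary[(rec["sdomain"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def misdomained(lines, expected="passenger_t"):
    """Denials from Passenger agents or the Rack ruby app running outside `expected`.

    The kernel truncates comm to 15 characters (PassengerWatchd, PassengerHelper),
    hence the prefix test. Returns [(pid, comm, domain), ...] in input order.
    """
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        comm = rec.get("comm", "")
        if (comm == "ruby" or comm.startswith("Passenger")) and rec["sdomain"] != expected:
            hits.append((rec["pid"], comm, rec["sdomain"]))
    return hits


if __name__ == "__main__":
    for (sdom, ttype, tclass), perms in sorted(summarize(SAMPLE).items()):
        print(f"{sdom:14} -> {ttype:20} {tclass:18} {' '.join(sorted(perms))}")
    for pid, comm, dom in misdomained(SAMPLE):
        print(f"pid {pid} ({comm}) is confined as {dom}, expected passenger_t")
```

`summarize` and `misdomained` accept any iterable of lines, so an open file of raw audit records can be passed in place of SAMPLE. The bucketed view is what you would compare against the policy before deciding whether a denial needs a labeling fix (the file is in the wrong type), a domain fix (the process is in the wrong domain, as with the agents here), or a new allow rule.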
Comment 13 Miroslav Grepl 2011-09-05 03:55:25 EDT
Orion, 
what does

# ps -efZ |grep passenger
Comment 14 Orion Poplawski 2011-09-06 12:24:02 EDT
# ps -efZ | grep -Fi passenger
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 14393 3083  1 10:22 pts/0 00:00:00 grep -Fi passenger
system_u:system_r:httpd_t:s0    root     18141 10488  0 Sep04 ?        00:00:00 PassengerWatchdog
system_u:system_r:httpd_t:s0    root     18149 18141  0 Sep04 ?        00:05:21 PassengerHelperAgent
system_u:system_r:httpd_t:s0    root     18165 18149  0 Sep04 ?        00:01:18 Passenger spawn server
system_u:system_r:httpd_t:s0    nobody   18168 18141  0 Sep04 ?        00:00:00 PassengerLoggingAgent

[root@saga tmp]# restorecon -r -v /usr/lib/ruby/gems/1.8/gems
[root@saga tmp]#
Comment 15 Miroslav Grepl 2011-09-07 08:17:38 EDT
Strange, could you add the labels of these agents?

ls -Z PATHTO/PassengerWatchdog

..
..
..
Comment 16 Orion Poplawski 2011-09-07 10:34:41 EDT
ls -lZ /usr/lib/ruby/gems/1.8/gems/passenger-3.0.8/agents
drwxr-xr-x. root root system_u:object_r:bin_t:s0       apache2
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       PassengerWatchdog
Comment 17 Miroslav Grepl 2011-09-07 11:16:52 EDT
I have found a bug.

Please execute 

# chcon -t passenger_exec_t PATHTO/PassengerWatchdog PATHTO/PassengerLoggingAgent PATHTO/apache2/PassengerHelperAgent
Comment 18 Orion Poplawski 2011-09-07 13:32:03 EDT
Created attachment 521953 [details]
denials running puppet under passenger

Well, that does change things.  But it still looks like the main httpd process loads the certificates.
Comment 19 Orion Poplawski 2011-09-15 12:09:14 EDT
Also, the rack puppetmasterd process is still running in httpd_t:

# ps -Zfe | grep 10976
system_u:system_r:httpd_t:s0    puppet   10976     1  0 07:39 ?        00:00:31 Rack: /usr/share/puppet/rack/puppetmasterd
Comment 21 Orion Poplawski 2011-09-22 13:02:43 EDT
Created attachment 524454 [details]
denials running puppet under passenger

Still not working for me under enforcing.  Here are updated denials running in permissive mode with selinux-policy-3.7.19-113.el6.noarch.  Still seeing:

unconfined_u:system_r:httpd_t:s0 puppet  32313     1  2 10:58 ?        00:00:00 Rack: /usr/share/puppet/rack/puppetmasterd
Comment 22 Miroslav Grepl 2011-09-22 14:12:57 EDT
Orion, 
we don't have the httpd_passenger_helper_t type in RHEL6. You are using a policy which I created for passenger3, but RHEL6 has only the passenger_t domain type for passenger services.

Also, is puppet really executed by httpd, or is it executed by passenger, which is wrongly running in the httpd domain?

I would like to see your labels for all passenger agents.
Comment 23 Orion Poplawski 2011-09-22 15:34:52 EDT
# restorecon -r -v /usr/lib/ruby/gems/1.8/gems
# ls -lZ /usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/*
-rwxrwxr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerLoggingAgent
-rwxrwxr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerWatchdog

/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/apache2:
-rwxrwxr-x. root root system_u:object_r:httpd_passenger_helper_exec_t:s0 PassengerHelperAgent
# ps -feZ | grep -Fi pass
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 17623 459  0 13:30 pts/1 00:00:00 grep -Fi pass
unconfined_u:system_r:httpd_t:s0 root    32692 32690  0 11:01 ?        00:00:00 PassengerWatchdog
unconfined_u:system_r:httpd_passenger_helper_t:s0 root 32695 32692  0 11:01 ? 00:00:16 PassengerHelperAgent
unconfined_u:system_r:httpd_t:s0 root    32697 32695  0 11:01 ?        00:00:05 Passenger spawn server
unconfined_u:system_r:httpd_t:s0 nobody  32700 32692  0 11:01 ?        00:00:00 PassengerLoggingAgent
# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
# ps -feZ | grep -Fi pass
unconfined_u:system_r:passenger_t:s0 root 17729 17727  0 13:31 ?       00:00:00 PassengerWatchdog
unconfined_u:system_r:passenger_t:s0 root 17732 17729  0 13:31 ?       00:00:00 PassengerHelperAgent
unconfined_u:system_r:httpd_t:s0 root    17734 17732  0 13:31 ?        00:00:00 Passenger spawn server
unconfined_u:system_r:passenger_t:s0 nobody 17737 17729  0 13:31 ?     00:00:00 PassengerLoggingAgent

I didn't know what label the PassengerHelperAgent file should have.  Still not able to run in enforcing mode.
Comment 24 Miroslav Grepl 2011-09-23 01:45:22 EDT
On my RHEL6 machine with the latest policy:

#matchpathcon /usr/lib/ruby/gems/1.8/passenger-3.0.9/agents/apache2/PassengerHelperAgent
/usr/lib/ruby/gems/1.8/passenger-3.0.9/agents/apache2/PassengerHelperAgent	system_u:object_r:passenger_exec_t:s0

#matchpathcon /usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerWatchdog
/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerWatchdog	system_u:object_r:passenger_exec_t:s0

#matchpathcon /usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerLoggingAgent
/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerLoggingAgent	system_u:object_r:passenger_exec_t:s0


What does 

# rpm -q selinux-policy
Comment 25 Brett Lentz 2011-09-23 10:19:25 EDT
I'm also working on getting puppetmasterd working under passenger on el6, with selinux enforcing.

With this policy version:

[root@ip-10-32-35-198 ~]# rpm -q selinux-policy
selinux-policy-3.7.19-113.el6.noarch

I'm now getting this message when a client connects to retrieve its catalog:

type=AVC msg=audit(1316786783.223:879448): avc:  denied  { write } for  pid=14981 comm="ruby" name="ip-10-32-35-198.ec2.internal.yaml" dev=xvda1 ino=276598 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1316786800.149:879681): avc:  denied  { write } for  pid=14981 comm="ruby" name="ip-10-32-35-198.ec2.internal.yaml" dev=xvda1 ino=276598 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file


The puppetmasterd process needs to be able to write to /var/lib/puppet/yaml.

Here's my current labelling: 

[root@ip-10-32-35-198 ~]# ls -Z /var/lib/puppet/
drwxr-x---. puppet puppet system_u:object_r:puppet_var_lib_t:s0 bucket
-rw-r--r--. root   root   system_u:object_r:puppet_var_lib_t:s0 classes.txt
drwxr-x---. root   root   system_u:object_r:puppet_var_lib_t:s0 clientbucket
drwxr-x---. root   root   system_u:object_r:puppet_var_lib_t:s0 client_yaml
drwxr-xr-x. root   root   system_u:object_r:puppet_var_lib_t:s0 facts
drwxrwxr-x. root   root   system_u:object_r:puppet_var_lib_t:s0 lib
drwxr-x---. puppet puppet system_u:object_r:puppet_var_lib_t:s0 reports
drwxr-xr-x. puppet puppet system_u:object_r:puppet_var_lib_t:s0 rrd
drwxrwx--x. puppet root   system_u:object_r:puppet_var_lib_t:s0 ssl
drwxr-xr-t. root   root   system_u:object_r:puppet_var_lib_t:s0 state
drwxr-x---. puppet puppet system_u:object_r:puppet_var_lib_t:s0 yaml

[root@ip-10-32-35-198 ~]# ps auxZ | grep -e http -e puppet
system_u:system_r:httpd_t:s0    root       979  0.0  0.0 206536  6044 ?        Ss   10:13   0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0    root       981  0.0  0.0 213664  1824 ?        Ssl  10:13   0:00 PassengerWatchdog
system_u:system_r:httpd_t:s0    root       987  0.0  0.0 290092  2108 ?        Sl   10:13   0:00 PassengerHelperAgent
system_u:system_r:httpd_t:s0    root       990  0.0  0.1  52928  9384 ?        Sl   10:13   0:00 Passenger spawn server
system_u:system_r:httpd_t:s0    nobody     993  0.0  0.0 147788  3736 ?        Sl   10:13   0:00 PassengerLoggingAgent
system_u:system_r:httpd_t:s0    apache    1004  0.0  0.0 206536  3392 ?        S    10:13   0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0    apache    1005  0.0  0.0 206536  3392 ?        S    10:13   0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0    apache    1006  0.0  0.0 206536  3392 ?        S    10:13   0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0    apache    1008  0.0  0.0 206536  3396 ?        S    10:13   0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0    apache    1009  0.0  0.0 206536  3392 ?        S    10:13   0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0    apache    1010  0.0  0.0 206536  3392 ?        S    10:13   0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0    apache    1011  0.0  0.0 206536  3392 ?        S    10:13   0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0    apache    1012  0.0  0.0 206536  3392 ?        S    10:13   0:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1085 0.0  0.0 103224 896 pts/0 S+ 10:17   0:00 grep -e http -e puppet
Comment 26 Orion Poplawski 2011-09-23 11:01:16 EDT
(In reply to comment #24)
> on my RHEL6 machine with the latest policy
> 
> #matchpathcon
> /usr/lib/ruby/gems/1.8/passenger-3.0.9/agents/apache2/PassengerHelperAgent
> /usr/lib/ruby/gems/1.8/passenger-3.0.9/agents/apache2/PassengerHelperAgent
> system_u:object_r:passenger_exec_t:s0

Different path on my machine:
# matchpathcon /usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerWatchdog
/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerWatchdog    system_u:object_r:httpd_exec_t:s0

From mod_passenger-3.0.9-1.el6.x86_64 from http://passenger.stealthymonkeys.com/rhel/6

> #matchpathcon
> /usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerWatchdog
> /usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerWatchdog
> system_u:object_r:passenger_exec_t:s0

/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerWatchdog    system_u:object_r:httpd_exec_t:s0

> #matchpathcon
> /usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerLoggingAgent
> /usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerLoggingAgent
> system_u:object_r:passenger_exec_t:s0

/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerLoggingAgent        system_u:object_r:httpd_exec_t:s0

> # rpm -q selinux-policy
selinux-policy-3.7.19-113.el6.noarch
Comment 27 Orion Poplawski 2011-09-23 11:02:57 EDT
semodule -l shows:
passanger       1.0.0
rubygem_passenger       1.5
puppet  1.0.0

Should that be "passenger" instead of "passanger"?
Comment 28 Miroslav Grepl 2011-09-29 06:58:40 EDT
Well, I guess the problem is the "rubygem_passenger" module. I would like to know what this module contains.

They need to add labeling for passenger apps.

> Should that be "passenger" instead of "passanger"?
I am fixing this.
Comment 29 Orion Poplawski 2011-09-29 10:59:16 EDT
# rpm -ql mod_passenger
/etc/httpd/conf.d/passenger.conf
/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/apache2
/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/apache2/PassengerHelperAgent
/usr/lib64/httpd/modules/mod_passenger.so
/usr/share/doc/mod_passenger-3.0.9
/usr/share/doc/mod_passenger-3.0.9/Users guide Apache.html
/usr/share/doc/mod_passenger-3.0.9/Users guide Apache.txt

Support link for it is here: https://github.com/erikogan/passenger/issues

Looks like there is an issue open there for SELinux issues.
Comment 30 Miroslav Grepl 2011-09-29 11:02:38 EDT
What does

grep -r ruby /etc/selinux/targeted/contexts/files/
Comment 31 Orion Poplawski 2011-09-29 11:06:05 EDT
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?system_u:object_r:bin_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/ruby/gems/.*/agents(/.*)?   system_u:object_r:bin_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog  --      system_u:object_r:passenger_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent      --      system_u:object_r:passenger_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent       --      system_u:object_r:passenger_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable       --      system_u:object_r:passenger_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/Passenger.*       system_u:object_r:httpd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/(apache2|nginx)/PassengerHelperAgent      system_u:object_r:httpd_passenger_helper_exec_t:s0
Comment 32 Miroslav Grepl 2011-09-29 11:17:06 EDT
Please execute

# semodule -d rubygem_passenger  
# restorecon -R -v /usr/lib/ruby/gems
Comment 33 Orion Poplawski 2011-09-29 12:05:49 EDT
Ah, gotcha, selinux module.  That's coming from:

# rpm -qf /usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.pp
rubygem-passenger-native-3.0.9-1.el6.x86_64

which also comes from the stealthmonkey passenger repo.

# rpm -ql rubygem-passenger-native
/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerLoggingAgent
/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerWatchdog
/usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.pp
/var/log/passenger-analytics
/var/run/passenger
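The file_contexts listing in comment 31 and the rpm -qf in comment 33 show two policy modules claiming the same agent binaries: the base policy's passenger_exec_t entries and the rubygem_passenger module's httpd_exec_t / httpd_passenger_helper_exec_t entries. Here is an added example, not the reporter's or selinux-policy's code, that lists every spec competing for a given path. The entries are those from comment 31, re-spaced into the regex / file-type / context layout of file_contexts, and the agent paths are the ones from comments 23 and 29. Which competing spec wins is libselinux's decision (matchpathcon reports it); the script only surfaces the competition so you can tell which module supplies the odd entry before disabling it as comment 32 suggests.

```python
"""List file_contexts specs that compete for the same path.

Added example, not code from this bug report or from selinux-policy.
FILE_CONTEXTS holds the entries comment 31 shows, re-spaced into the
"regex [filetype] context" form used by file_contexts. Precedence between
matching specs is not decided here; ask matchpathcon for that.
"""
import re

FILE_CONTEXTS = """
/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?  system_u:object_r:bin_t:s0
/usr/lib/ruby/gems/.*/agents(/.*)?  system_u:object_r:bin_t:s0
/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog  --  system_u:object_r:passenger_exec_t:s0
/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent  --  system_u:object_r:passenger_exec_t:s0
/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent  --  system_u:object_r:passenger_exec_t:s0
/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable  --  system_u:object_r:passenger_exec_t:s0
/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/Passenger.*  system_u:object_r:httpd_exec_t:s0
/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/(apache2|nginx)/PassengerHelperAgent  system_u:object_r:httpd_passenger_helper_exec_t:s0
"""

# paths of the agents named in comments 23 and 29, plus one helper script as a
# control that only the base policy's bin_t entry should match
AGENTS = [
    "/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerWatchdog",
    "/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/PassengerLoggingAgent",
    "/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/agents/apache2/PassengerHelperAgent",
    "/usr/lib/ruby/gems/1.8/gems/passenger-3.0.9/helper-scripts/prespawn",
]


def parse_file_contexts(text):
    """Return [(compiled regex, file type or None, SELinux type)] in file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, ctx = parts
        elif len(parts) == 2:
            (regex, ctx), ftype = parts, None
        else:
            raise ValueError("unparseable spec: " + line)
        # file_contexts regexes are implicitly anchored at both ends; fullmatch below
        specs.append((re.compile(regex), ftype, ctx.split(":")[2]))
    return specs


def matching_types(path, specs, is_regular_file=True):
    """Every (pattern, type) whose regex fully matches `path` and whose
    file-type qualifier ('--' = regular file, '-d' = directory, ...) fits."""
    hits = []
    for rx, ftype, stype in specs:
        if ftype == "--" and not is_regular_file:
            continue
        if ftype not in (None, "--") and is_regular_file:
            continue
        if rx.fullmatch(path):
            hits.append((rx.pattern, stype))
    return hits


def conflicts(paths, specs):
    """Paths claimed by more than one distinct type, with the competing specs."""
    out = {}
    for p in paths:
        hits = matching_types(p, specs)
        if len({t for _, t in hits}) > 1:
            out[p] = hits
    return out


SPECS = parse_file_contexts(FILE_CONTEXTS)

if __name__ == "__main__":
    for path, hits in conflicts(AGENTS, SPECS).items():
        print(path)
        for pattern, stype in hits:
            print(f"    {stype:32} <- {pattern}")
```

The base policy's generic `agents(/.*)?` entry competes with its own specific `passenger_exec_t` entries too, and on a clean RHEL6 box the specific one wins (comment 24). The entries that make the agents end up as httpd_exec_t are the version-pinned ones at the bottom, which is exactly the pattern a third-party module leaves behind; once the module is disabled, rerun restorecon and matchpathcon to confirm passenger_exec_t.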
Comment 34 Orion Poplawski 2011-11-21 13:58:53 EST
So, where do we stand on this?
Comment 35 Miroslav Grepl 2011-11-21 14:07:45 EST
Does it work without rubygem-passenger.pp module for you?
Comment 36 Orion Poplawski 2011-11-21 16:00:56 EST
Created attachment 534857 [details]
denials running puppet under passenger

No, still lots of denials.

# semodule -l | grep pass
passenger       1.0.0
rubygem_passenger       1.5     Disabled

selinux-policy-3.7.19-130.el6.noarch

unconfined_u:system_r:passenger_t:s0 root 6645  6643  0 13:20 ?        00:00:00 PassengerWatchdog
unconfined_u:system_r:passenger_t:s0 root 6648  6645  0 13:20 ?        00:00:09 PassengerHelperAgent
unconfined_u:system_r:httpd_t:s0 root     6650  6648  0 13:20 ?        00:00:02 Passenger spawn server
unconfined_u:system_r:passenger_t:s0 nobody 6653 6645  0 13:20 ?       00:00:00 PassengerLoggingAgent
unconfined_u:system_r:httpd_t:s0 puppet   6698     1  0 13:21 ?        00:00:13 Rack: /usr/share/puppet/rack/puppetmasterd
unconfined_u:system_r:httpd_t:s0 puppet   7529     1  0 13:23 ?        00:00:03 Rack: /usr/share/puppet/rack/puppetmasterd
Comment 37 Miroslav Grepl 2011-11-22 05:45:40 EST
Could you add this output for me, using

# ps -efZ


Thank you.
Comment 38 Orion Poplawski 2011-11-22 11:25:55 EST
Created attachment 535103 [details]
ps -feZ
Comment 40 errata-xmlrpc 2011-12-06 05:13:09 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
