[15:24] <wahibdon> so I was schooled in here a week or two ago with some useful information. I was told to use semanage fcontext -a -t [context] [file] and restorecon [file] to make a file play nicely with selinux, specifically passenger.so. However, I have run into another hang-up as (and I have checked the permissions already) PassengerWatchdog is being denied with setenforce 1 and not with setenforce 0, and I tried the semanage. Any thoughts?
[15:26] <wahibdon> Now, everything I have found, people have just disabled selinux, but I don't want to HAVE to do that.
[15:26] <grift> show the avc denials you're getting
[15:28] <wahibdon> okay, one moment.
[15:30] <wahibdon> grift: http://fpaste.org/d9DA/
[15:31] <grift> and your distro is?
[15:31] <wahibdon> 17
[15:31] <grift> hold on, I'll have a look
[15:32] <grift> ok, try this:
[15:33] <grift> find /usr -inum 665184
[15:33] <grift> what does it return
[15:34] <grift> please show that location
[15:34] <grift> i want to know the full path
[15:34] <wahibdon> it is /usr/local/share/gems/gems/passenger-3.0.13/agents/PassengerWatchdog
[15:34] <grift> ok, now do this:
[15:35] <grift> matchpathcon /usr/local/share/gems/gems/passenger-3.0.13/agents/PassengerWatchdog
[15:35] <grift> what does it return
[15:36] <wahibdon> it returns the path, then system_u:object_r:usr_t:s0
[15:36] <grift> ok, this is a bug in policy
[15:36] <wahibdon> is it a fixed bug?
[15:36] <grift> you can fix it by labelling it passenger_exec_t:
[15:36] <wahibdon> instead of usr_t?
[15:36] <grift> chcon -t passenger_exec_t /usr/local/share/gems/gems/passenger-3.0.13/agents/PassengerWatchdog
[15:37] <grift> do the same for:
[15:37] <grift> PassengerLoggingAgent
[15:38] <grift> apache2/PassengerHelperAgent
[15:38] <grift> ext/apache2/ApplicationPoolServerExecutable
[15:38] <grift> bugzilla.redhat.com
[15:38] <grift> the current file context spec isn't catching that location
[15:45] <wahibdon> watchdog is now crashing on startup for "some reason", exit code 1
[15:46] <grift> see avc denials
[15:47] <wahibdon> http://fpaste.org/uMOr/
[15:49] <grift> echo "avc: denied { sys_resource } for pid=738 comm="PassengerWatchd" capability=24 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:system_r:passenger_t:s0 tclass=capability" | audit2allow -M mypassenger; sudo semodule -i mypassenger.pp
[15:49] <grift> looks like passenger policy is as buggy as ever
[15:55] <wahibdon> mypassenger.te:6:ERROR 'syntax error' at token '' on line 6:
[15:55] <grift> grrr
[15:55] <wahibdon> : /usr/bin/checkmodule: errors encountered while parsing configuration
[15:55] <grift> yes, there have been some stupid changes in audit2allow
[15:56] <grift> hold on
[15:56] <grift> try:
[15:56] <grift> echo "avc: denied { sys_resource } for pid=738 comm="PassengerWatchd" capability=24 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:system_r:passenger_t:s0 tclass=capability" | audit2allow -r -M mypassenger; sudo semodule -i mypassenger.pp
[16:01] <wahibdon> still failed, same error.
[16:05] <grift> mkdir ~/mypassenger; cd ~/mypassenger; echo "policy_module(mypassenger, 1.0.0) optional_policy(\` gen_require(\` type passenger_t; ') allow passenger_t self:capability sys_resource; ')" > mypassenger.te; make -f /usr/share/selinux/devel/Makefile mypassenger.pp; sudo semodule -i mypassenger.pp
<wahibdon> that last try also did not work
OK, the problem is labeling. We have defined labels for the following path, /usr/lib/ruby/gems, so I am also adding support for /usr/local. What is your policy version? I see:

sesearch -A -s passenger_t -t passenger_t -c capability -p sys_resource
Found 1 semantic av rules:
   allow passenger_t passenger_t : capability { chown dac_override fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource } ;
selinux-policy-3.10.0-142.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-142.fc17
Package selinux-policy-3.10.0-142.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-142.fc17'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-11215/selinux-policy-3.10.0-142.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-142.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
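The thread above goes through the two usual moves when a confined daemon is denied: first check the label of the executable (matchpathcon/chcon), then, if an AVC denial remains, decide whether a local policy module is warranted. The bug comment's sesearch output shows why the second step deserves a check before building anything: the loaded policy already allowed passenger_t the sys_resource capability, so a local allow rule would not have addressed the real problem, which was the file context for /usr/local. The following Python is an added example written for this page (it is not code from the bug report, from audit2allow or from the Fedora policy), using the AVC line and the sesearch rule quoted above as constructed sample input. It parses a denial, checks it against an allow rule in sesearch's output format, and renders the minimal .te module in the require/allow form that checkmodule accepts, which is the form the hand-typed one-liner in the chat was trying to produce. The module name mypassenger and version 1.0.0 are taken from the chat; everything else is this example's own.

```python
import re

# Constructed sample input: the AVC denial pasted in the IRC discussion above.
AVC_LINE = (
    'avc: denied { sys_resource } for pid=738 comm="PassengerWatchd" capability=24 '
    'scontext=unconfined_u:system_r:passenger_t:s0 '
    'tcontext=unconfined_u:system_r:passenger_t:s0 tclass=capability'
)

# Constructed sample input: the allow rule quoted from sesearch in the bug comment.
SESEARCH_RULE = (
    'allow passenger_t passenger_t : capability { chown dac_override fowner fsetid '
    'kill setgid setuid sys_ptrace sys_nice sys_resource } ;'
)

# "avc: denied { perm perm } ... scontext=... tcontext=... tclass=..."
_AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# "allow stype ttype : tclass { perm perm } ;"  or  "allow stype ttype : tclass perm ;"
_RULE_RE = re.compile(
    r'allow\s+(?P<stype>\S+)\s+(?P<ttype>\S+)\s*:\s*(?P<tclass>\S+)\s*'
    r'(?:\{\s*(?P<perms>[^}]+?)\s*\}|(?P<perm>[A-Za-z_]+))\s*;'
)


def _type_of(context):
    # A security context is user:role:type[:level]; the type is the third field.
    return context.split(':')[2]


def parse_avc(line):
    """Reduce an AVC denial to the fields an allow rule is keyed on."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial: %r' % line)
    return {
        'stype': _type_of(m.group('scontext')),
        'ttype': _type_of(m.group('tcontext')),
        'tclass': m.group('tclass'),
        'perms': sorted(m.group('perms').split()),
    }


def parse_rule(line):
    """Parse one allow rule in the format sesearch prints."""
    m = _RULE_RE.search(line)
    if not m:
        raise ValueError('not an allow rule: %r' % line)
    perms = m.group('perms').split() if m.group('perms') else [m.group('perm')]
    return {
        'stype': m.group('stype'),
        'ttype': m.group('ttype'),
        'tclass': m.group('tclass'),
        'perms': sorted(perms),
    }


def rule_covers(rule, denial):
    """True if the rule already grants every permission the denial asked for."""
    return (rule['stype'] == denial['stype']
            and rule['ttype'] == denial['ttype']
            and rule['tclass'] == denial['tclass']
            and set(denial['perms']) <= set(rule['perms']))


def render_te(module, version, denials):
    """Emit a minimal loadable-module source (.te) for the given denials."""
    types = sorted({d['stype'] for d in denials} | {d['ttype'] for d in denials})
    out = ['policy_module(%s, %s)' % (module, version), '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['}', '']
    for d in denials:
        # A rule whose target is its own domain is conventionally written with "self".
        target = 'self' if d['ttype'] == d['stype'] else d['ttype']
        out.append('allow %s %s:%s { %s };' % (d['stype'], target, d['tclass'], ' '.join(d['perms'])))
    return '\n'.join(out) + '\n'


def module_needed(avc_line, rule_lines):
    """Return the .te text only if no quoted rule already allows the denial, else None."""
    denial = parse_avc(avc_line)
    if any(rule_covers(parse_rule(r), denial) for r in rule_lines):
        return None
    return render_te('mypassenger', '1.0.0', [denial])


if __name__ == '__main__':
    # Against the rule from the bug comment, no module is needed: look at labeling instead.
    print(module_needed(AVC_LINE, [SESEARCH_RULE]))
    # Against an empty policy view, this is the module the chat was trying to hand-write.
    print(module_needed(AVC_LINE, []))
```

Feed real input with `ausearch -m avc -ts recent` for the denials and `sesearch -A -s <domain> -c <class>` for the rules; the point of the check is that a denial which the policy already allows means the process is not running in the domain you think it is, which is a labeling question, not a missing-rule question.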