Bug 843638 - SELinux is preventing PassengerWatchdog from loading
Summary: SELinux is preventing PassengerWatchdog from loading
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-07-26 20:22 UTC by W Hibdon
Modified: 2012-08-01 18:21 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-08-01 18:21:54 UTC
Type: Bug
Embargoed:



Description W Hibdon 2012-07-26 20:22:13 UTC
[15:24] <wahibdon> so I was schooled in here a week or two ago with some useful information.  I was told to use semanage fcontext -a -t [context] [file] and restorecon [file] to make a file play nicely with selinux, specifically passenger.so.  However, I have run into another hang up as (and I have checked the permissions already) PassengerWatchdog is being denied when setenforce 1 and not with setenforce 0 and I tried the semanage.  Any thoughts?
[15:26] <wahibdon> Now, everything I have found people have just disabled selinux but I don't want to HAVE to do that.
[15:26] <grift> show the avc denials youre getting
[15:28] <wahibdon> okay, one moment.
[15:30] <wahibdon> grift: http://fpaste.org/d9DA/
[15:31] <grift> and your distro is?
[15:31] <wahibdon> 17
[15:31] <grift> hold on , ill have a look
[15:32] <grift> k try this:
[15:33] <grift> find /usr -inum 665184
[15:33] <grift> what does it return
[15:34] <grift> please show that location
[15:34] <grift> i want to know the full path
[15:34] <wahibdon> it is /usr/local/share/gems/gems/passenger-3.0.13/agents/PassengerWatchdog
[15:34] <grift> ok now do this:
[15:35] <grift> matchpathcon /usr/local/share/gems/gems/passenger-3.0.13/agents/PassengerWatchdog
[15:35] <grift> what does it return
[15:36] <wahibdon> it returns the path then system_u:object_r:usr_t:s0
[15:36] <grift> ok this is a bug in policy
[15:36] <wahibdon> is it a fixed bug?
[15:36] <grift> you can fix it by labelling it passenger_exec_t:
[15:36] <wahibdon> instead of user_t ?
[15:36] <grift> chcon -t passenger_exec_t /usr/local/share/gems/gems/passenger-3.0.13/agents/PassengerWatchdog
[15:37] <grift> do the same for:
[15:37] <grift> PassengerLoggingAgent
[15:38] <grift> apache2/PassengerHelperAgent
[15:38] <grift> ext/apache2/ApplicationPoolServerExecutable
[15:38] <grift> bugzilla.redhat.com
[15:38] <grift> the current file context spec isnt catching that location
[15:45] <wahibdon> watchdog is now crashing on startup for "some reason" exit code 1
[15:46] <grift> see avc denials
[15:47] <wahibdon> http://fpaste.org/uMOr/
[15:49] <grift> echo "avc:  denied  { sys_resource } for  pid=738 comm="PassengerWatchd" capability=24  scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:system_r:passenger_t:s0 tclass=capability" | audit2allow -M mypassenger; sudo semodule -i mypassenger.pp
[15:49] <grift> looks like passenger policy is as buggy as ever
[15:55] <wahibdon> mypassenger.te:6:ERROR 'syntax error' at token '' on line 6:
[15:55] <grift> grrr
[15:55] <wahibdon> : /usr/bin/checkmodule: errors encountered while parsing configuration
[15:55] <grift> yes there have been some stupid changes in audit2allow
[15:56] <grift> hold on
[15:56] <grift> try:
[15:56] <grift> echo "avc:  denied  { sys_resource } for  pid=738 comm="PassengerWatchd" capability=24  scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:system_r:passenger_t:s0 tclass=capability" | audit2allow -r -M mypassenger; sudo semodule -i mypassenger.pp
[16:01] <wahibdon> still failed, same error.
[16:05] <grift> mkdir ~/mypassenger; cd ~/mypassenger; echo "policy_module(mypassenger, 1.0.0) optional_policy(\` gen_require(\` type passenger_t; ') allow passenger_t self:capability sys_reqource; ')" > mypassenger.te; make -f /usr/share/selinux/devel/Makefile mypassenger.pp; sudo semodule -i mypassenger.pp

that last try also did not work
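The chat above tries three things by hand: relabeling the agent binaries with chcon, turning the sys_resource denial into a local module with audit2allow, and writing the .te source as a one-line echo (which cannot build as typed, since it spells the permission "sys_reqource"). The script below is an added example, not part of the bug report and not code from the Fedora selinux-policy or Passenger projects. It parses an AVC line into the allow rule and a .te source that the reference-policy devel Makefile accepts, prints the persistent semanage/restorecon commands for the /usr/local gem tree (a one-off chcon is lost on relabel), and checks sesearch output for a permission before any policy is written, which is the check Comment 1 below makes. The AVC line and sesearch output are copied from this report; the file-context regex and the passenger_exec_t target type are assumptions taken from grift's advice in the chat. Nothing in it runs semodule or semanage; label_passenger_agents only prints the commands.

```shell
#!/bin/sh
# Added example (not from the bug report): AVC denial -> allow rule -> .te
# source, plus persistent file-context commands and a sesearch pre-check.
# Assumes the AVC and sesearch formats quoted in the report.

# Sample inputs copied from the report (the fpaste AVC line and Comment 1).
SAMPLE_AVC='avc:  denied  { sys_resource } for  pid=738 comm="PassengerWatchd" capability=24  scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:system_r:passenger_t:s0 tclass=capability'

SAMPLE_SESEARCH='Found 1 semantic av rules:
   allow passenger_t passenger_t : capability { chown dac_override fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource } ;'

# Type field of a context string user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_rule LINE -> "allow SRC TGT:CLASS PERMS;" for one denial line.
# Source == target becomes "self", the way audit2allow prints it.
avc_to_rule() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*{ *\([^}]*[^ }]\) *}.*/\1/p')
    src=$(ctx_type "$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')")
    tgt=$(ctx_type "$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')")
    cls=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ "$src" = "$tgt" ] && tgt=self
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# gen_te MODNAME RULE... -> complete module source on stdout.  Every type the
# rules mention is declared inside gen_require() so the module builds against
# the base policy with: make -f /usr/share/selinux/devel/Makefile MODNAME.pp
gen_te() {
    name=$1; shift
    printf 'policy_module(%s, 1.0.0)\n\n' "$name"
    printf 'gen_require(`\n'
    printf '%s\n' "$@" \
        | awk '{ print $2; split($3, t, ":"); if (t[1] != "self") print t[1] }' \
        | sort -u \
        | while read -r type; do printf '\ttype %s;\n' "$type"; done
    printf "')\n\n"
    printf '%s\n' "$@"
}

# Assumed regex for the gem tree in this report, in the form semanage fcontext
# takes; the version component is left open so gem upgrades stay labeled.
PASSENGER_FC_REGEX='/usr/local/share/gems/gems/passenger-[^/]*/agents(/.*)?'

# label_passenger_agents -> prints the commands that make the label survive a
# relabel (chcon does not).  Pipe the output into sh as root to apply it.
label_passenger_agents() {
    printf "semanage fcontext -a -t passenger_exec_t '%s'\n" "$PASSENGER_FC_REGEX"
    printf 'restorecon -Rv /usr/local/share/gems/gems\n'
}

# perm_granted SESEARCH_OUTPUT PERM -> exit 0 if an allow rule in the output
# already lists PERM, in which case no local module is needed.
perm_granted() {
    printf '%s\n' "$1" | grep '^ *allow ' \
        | sed -n 's/.*{ *\([^}]*\)}.*/\1/p' | tr ' ' '\n' | grep -qx "$2"
}

# Demo run on the sample inputs.
avc_to_rule "$SAMPLE_AVC"
gen_te mypassenger "$(avc_to_rule "$SAMPLE_AVC")"
label_passenger_agents
if perm_granted "$SAMPLE_SESEARCH" sys_resource; then
    echo "sys_resource is already allowed for passenger_t in this policy"
fi
```

To use it on a live denial, feed the `avc:` line from /var/log/audit/audit.log to avc_to_rule, write gen_te's output to mypassenger.te, build it with the devel Makefile and load it with semodule -i, exactly the sequence attempted in the chat; run perm_granted against real sesearch output first, because if the rule already exists (as Comment 1 shows for the updated policy) the denial points at a labeling problem rather than a missing rule.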

Comment 1 Miroslav Grepl 2012-07-27 07:36:12 UTC
Ok the problem is labeling. We have defined labels for the following path

/usr/lib/ruby/gems

so I am also adding support for /usr/local

What is your policy version?

I see

sesearch -A -s passenger_t -t passenger_t -c capability -p sys_resource
Found 1 semantic av rules:
   allow passenger_t passenger_t : capability { chown dac_override fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource } ;

Comment 2 Fedora Update System 2012-07-27 15:34:37 UTC
selinux-policy-3.10.0-142.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-142.fc17

Comment 3 Fedora Update System 2012-07-28 01:24:24 UTC
Package selinux-policy-3.10.0-142.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-142.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-11215/selinux-policy-3.10.0-142.fc17
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2012-08-01 18:21:54 UTC
selinux-policy-3.10.0-142.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

