864546 – SELinux prevents puppet master from running as passenger web app

Bug 864546 - SELinux prevents puppet master from running as passenger web app

Summary: SELinux prevents puppet master from running as passenger web app

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.3
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:	848939
Blocks:
TreeView+	depends on / blocked

Reported:	2012-10-09 14:46 UTC by Orion Poplawski
Modified:	2013-02-21 08:31 UTC (History)
CC List:	7 users (show)
Fixed In Version:	selinux-policy-3.7.19-168.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:	848939
Environment:
Last Closed:	2013-02-21 08:31:07 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:0314	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2013-02-20 20:35:01 UTC

Description Orion Poplawski 2012-10-09 14:46:22 UTC

+++ This bug was initially created as a clone of Bug #848939 +++

Created attachment 605025 [details]
avc denials in permissive mode

Description of problem:

I'm migrating my puppet master from EL6 to Fedora 17 and using the passenger package under review (https://bugzilla.redhat.com/show_bug.cgi?id=470696) to run it as a passenger/rack application.  Some work on this was done previously for EL6 (https://bugzilla.redhat.com/show_bug.cgi?id=730837) but it was never complete.

The passenger package ships a rubygem_passenger selinux module:
------
policy_module(rubygem-passenger, 1.1)

require {
  type httpd_t, httpd_tmp_t;
  class capability sys_ptrace;
};


# This should use interface macros
allow httpd_t httpd_tmp_t:sock_file { create write unlink getattr setattr };
allow httpd_t self:capability { fowner sys_resource fsetid };

# These allow the watchdog to run ps, but also any other httpd_t
# process, too (CGI scripts run in httpd_sys_script_t, but PHP,
# mod_perl, etc run in httpd_t)
bool httpd_use_ps true;

if (httpd_use_ps) {
domain_ptrace_all_domains(httpd_t)
domain_dontaudit_search_all_domains_state(httpd_t)
}

#Used by Watchdog
allow httpd_t self:capability sys_ptrace;
-----

Don't know what effect that is having.


Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-145.fc17.noarch

--- Additional comment from mgrepl@redhat.com on 2012-08-20 05:23:11 EDT ---

What does

# ps -efZ |grep httpd

--- Additional comment from orion@cora.nwra.com on 2012-08-20 11:06:48 EDT ---

system_u:system_r:httpd_t:s0    root     16180 17487  0 Aug19 ?        00:00:00 PassengerWatchdog
system_u:system_r:httpd_t:s0    root     16184 16180  0 Aug19 ?        00:00:00 PassengerHelperAgent
system_u:system_r:httpd_t:s0    root     16187 16184  0 Aug19 ?        00:00:00 Passenger spawn server                                                                                                                                 
system_u:system_r:httpd_t:s0    nobody   16190 16180  0 Aug19 ?        00:00:00 PassengerLoggingAgent
system_u:system_r:httpd_t:s0    apache   16220 17487  0 Aug19 ?        00:00:00 /usr/sbin/httpd -k start

--- Additional comment from mgrepl@redhat.com on 2012-08-21 03:38:04 EDT ---

Which is wrong. Could you paste paths to PassengerWatchdog, PassengerHelperAgent, PassengerLoggingAgent with labels.

# ls -lZ PATHTO/PassengerWatchdog
# ls -lZ PATHTO/PassengerHelperAgent
# ls -lZ PATHTO/PassengerLoggingAgent

--- Additional comment from orion@cora.nwra.com on 2012-08-21 18:53:49 EDT ---

[root@gepetto puppet]# ls -lZ /usr/share/gems/gems/passenger-3.0.14/agents/
drwxr-xr-x. root root system_u:object_r:bin_t:s0       apache2
-rwxrwxr-x. root root system_u:object_r:httpd_exec_t:s0 PassengerLoggingAgent
-rwxrwxr-x. root root system_u:object_r:httpd_exec_t:s0 PassengerWatchdog
[root@gepetto puppet]# ls -lZ /usr/share/gems/gems/passenger-3.0.14/agents/apache2/
-rwxrwxr-x. root root system_u:object_r:httpd_exec_t:s0 PassengerHelperAgent

/usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.fc contains:

/usr/share/gems/gems/passenger-3.0.14/agents/PassengerWatchdog gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/share/gems/gems/passenger-3.0.14/agents/PassengerLoggingAgent gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/share/gems/gems/passenger-3.0.14/agents/apache2/PassengerHelperAgent gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/share/gems/gems/passenger-3.0.14/ gen_context(system_u:object_r:bin_t,s0)
/usr/share/gems/gems/passenger-3.0.14/agents gen_context(system_u:object_r:bin_t,s0)
/usr/share/gems/gems/passenger-3.0.14/agents/apache2 gen_context(system_u:object_r:bin_t,s0)
/usr/share/gems/gems/passenger-3.0.14/helper-scripts/prespawn gen_context(system_u:object_r:bin_t,s0)
/usr/share/gems/gems/passenger-3.0.14/helper-scripts/passenger-spawn-server.spawnip gen_context(system_u:object_r:bin_t,s0)
/usr/share/gems/gems/passenger-3.0.14/helper-scripts/passenger-spawn-server gen_context(system_u:object_r:bin_t,s0)

I take it it shouldn't ship that?   You might want to comment in the review, it would be helpful.

--- Additional comment from mgrepl@redhat.com on 2012-08-22 04:30:08 EDT ---

Yes, you got it. This is a problem. Could you try to disable this rubygem-passenger module?

# semodule -d rubygem-passenger
# restorecon -R -v /usr/share/gems

and restart all passenger services.

--- Additional comment from orion@cora.nwra.com on 2012-08-22 11:27:42 EDT ---

That reset the labels to usr_t, but now I get:

type=AVC msg=audit(1345649166.602:76): avc:  denied  { execute } for  pid=1333 comm="httpd" name="PassengerWatchdog" dev="vda2" ino=8646 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1345649166.602:76): avc:  denied  { execute_no_trans } for  pid=1333 comm="httpd" path="/usr/share/gems/gems/passenger-3.0.14/agents/PassengerWatchdog" dev="vda2" ino=8646 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1345649166.694:77): avc:  denied  { sys_resource } for  pid=1333 comm="PassengerWatchd" capability=24  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1345649174.040:79): avc:  denied  { fowner } for  pid=1381 comm="chmod" capability=3  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1345649174.040:79): avc:  denied  { fsetid } for  pid=1381 comm="chmod" capability=4  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1345649194.019:80): avc:  denied  { search } for  pid=1389 comm="ruby" name="puppet" dev="vda2" ino=392393 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1345649194.019:80): avc:  denied  { getattr } for  pid=1389 comm="ruby" path="/etc/puppet/modules" dev="vda2" ino=393326 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1345649194.019:81): avc:  denied  { read } for  pid=1389 comm="ruby" name="modules" dev="vda2" ino=393326 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1345649194.019:81): avc:  denied  { open } for  pid=1389 comm="ruby" path="/etc/puppet/modules" dev="vda2" ino=393326 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir

--- Additional comment from mgrepl@redhat.com on 2012-08-23 02:04:57 EDT ---

Ok, I see the labeling bug in F17.

execute

# chcon -t passenger_exec_t /usr/share/gems/gems/passenger-3.0.14/agents/PassengerWatchdog  /usr/share/gems/gems/passenger-3.0.14/agents/apache2/PassengerHelperAgent /usr/share/gems/gems/passenger-3.0.14/agents/PassengerLoggingAgent

--- Additional comment from orion@cora.nwra.com on 2012-08-23 13:43:41 EDT ---

Created attachment 606667 [details]
avc denials in permissive mode

Not sufficient.  I got:

[ pid=3098 thr=140138351482688 file=ext/common/AgentBase.cpp:419 time=2012-08-23 11:34:51.747 ]: *** ERROR: Unexpected end-of-file encountered
     in 'void Passenger::VariantMap::readFrom(int)' (VariantMap.h:140)
     in 'Passenger::VariantMap Passenger::initializeAgent(int, char**, const char*)' (AgentBase.cpp:355)

[Thu Aug 23 11:34:51 2012] [error] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog: it seems to have crashed during startup for an unknown reason, with exit code 1

but no denials in audit.log.  Switched to permissive and it works and I see the attached denials

This may be further complicated because I moved the puppet rack config from /usr/share/puppet/rack to /var/lib/puppet/rack in the apache config, so from usr_t to puppet_var_lib_t.

--- Additional comment from mgrepl@redhat.com on 2012-08-24 04:47:42 EDT ---

I am adding fixes for passenger policy to F18 and will backport passenger policy to F17.

--- Additional comment from orion@cora.nwra.com on 2012-08-24 09:58:05 EDT ---

Note that the final install location for the agents is not yet set.  Hopefully today though we'll get it.  They don't belong in /usr/share though since they are binaries.

--- Additional comment from orion@cora.nwra.com on 2012-08-29 12:13:32 EDT ---

New install path will be in %{_libdir}:

/usr/lib64/gems/exts/passenger-3.0.14/agents/:
drwxr-xr-x. root root system_u:object_r:lib_t:s0       apache2
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerWatchdog
/usr/lib64/gems/exts/passenger-3.0.14/agents/apache2:
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerHelperAgent

--- Additional comment from mgrepl@redhat.com on 2012-09-03 02:39:56 EDT ---

Thanks. Added.

--- Additional comment from updates@fedoraproject.org on 2012-09-17 08:12:28 EDT ---

selinux-policy-3.10.0-149.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-149.fc17

--- Additional comment from updates@fedoraproject.org on 2012-09-18 22:54:10 EDT ---

Package selinux-policy-3.10.0-149.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-149.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14301/selinux-policy-3.10.0-149.fc17
then log in and leave karma (feedback).

--- Additional comment from orion@cora.nwra.com on 2012-09-19 16:37:18 EDT ---

The new paths don't have the proper contexts with this change:

selinux-policy-3.10.0-149.fc17.noarch
[root@gepetto ~]# ls -lZR /usr/lib64/gems/exts/passenger-3.0.14/agents/
/usr/lib64/gems/exts/passenger-3.0.14/agents/:
drwxr-xr-x. root root system_u:object_r:lib_t:s0       apache2
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerWatchdog

/usr/lib64/gems/exts/passenger-3.0.14/agents/apache2:
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerHelperAgent

So this update doesn't fix this bug.

--- Additional comment from misc@zarb.org on 2012-09-19 17:08:08 EDT ---

The bug also exist on F18. Testing openshift, i have noticed a high cpu usage due to the number of avc triggered by passenger ( since it run ps to check the process, see ./ext/common/Utils/ProcessMetricsCollector.h function ProcessMetricsCollector::collect ).

And same issue of label :
# ls -lZ /usr/lib/gems/exts/passenger-3.0.17/agents
drwxr-xr-x. root root system_u:object_r:lib_t:s0       apache2
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerWatchdog
# rpm -q selinux-policy
selinux-policy-3.11.1-21.fc18.noarch

--- Additional comment from dwalsh@redhat.com on 2012-09-19 20:43:37 EDT ---

I just added the following labeling to F18.

/usr/share/gems/.*/Passenger.*	-- 	gen_context(system_u:object_r:passenger_exec_t,s0)
/usr/lib/gems/.*/Passenger.*	-- 	gen_context(system_u:object_r:passenger_exec_t,s0)

Could you try this label for your machine.


semanage fcontext -a -t passenger_exec_t -f -- '/usr/share/gems/.*/Passenger.*'

--- Additional comment from mgrepl@redhat.com on 2012-09-20 09:18:06 EDT ---

Added also labeling for ApplicationPoolServerExecutable

--- Additional comment from orion@cora.nwra.com on 2012-09-20 11:07:22 EDT ---

That labelling gets the agents.  I have no idea what ApplicationPoolServerExecutable refers to.

In permissive mode I see:

type=AVC msg=audit(1348153395.886:44666): avc:  denied  { getattr } for  pid=32415 comm="ruby" path="socket:[5796223]" dev="sockfs" ino=5796223 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1348153395.889:44667): avc:  denied  { ioctl } for  pid=32415 comm="ruby" path="socket:[5796223]" dev="sockfs" ino=5796223 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1348153396.159:44668): avc:  denied  { write } for  pid=32409 comm="httpd" name="socket" dev="tmpfs" ino=5797081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:passenger_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1348153434.513:44670): avc:  denied  { listen } for  pid=32517 comm="ruby" laddr=127.0.0.1 lport=48117 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=tcp_socket
type=AVC msg=audit(1348153436.846:44671): avc:  denied  { execute } for  pid=32715 comm="ruby" name="ifconfig" dev="vda2" ino=261296 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1348153436.846:44671): avc:  denied  { read open } for  pid=32715 comm="ruby" path="/usr/sbin/ifconfig" dev="vda2" ino=261296 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1348153436.846:44671): avc:  denied  { execute_no_trans } for  pid=32715 comm="ruby" path="/usr/sbin/ifconfig" dev="vda2" ino=261296 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1348153436.849:44672): avc:  denied  { read } for  pid=32715 comm="ifconfig" name="unix" dev="proc" ino=4026531999 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1348153436.849:44673): avc:  denied  { search } for  pid=32715 comm="ifconfig" name="net" dev="proc" ino=9067 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1348153436.850:44674): avc:  denied  { open } for  pid=32715 comm="ifconfig" path="/proc/32715/net/dev" dev="proc" ino=4026531972 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1348153436.850:44675): avc:  denied  { getattr } for  pid=32715 comm="ifconfig" path="/proc/32715/net/dev" dev="proc" ino=4026531972 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1348153447.092:44678): avc:  denied  { create } for  pid=32517 comm="ruby" name="201209201504.yaml20120920-32517-125jb7a.lock" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1348153447.116:44679): avc:  denied  { rmdir } for  pid=32517 comm="ruby" name="201209201504.yaml20120920-32517-125jb7a.lock" dev="vda2" ino=146896 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1348153447.233:44680): avc:  denied  { write } for  pid=32445 comm="httpd" name="ruby.TgTGzwVFCSt9ptj29VZSFz5LJDWhpaZIw08mfdJDoCzDABxghVlyMHo" dev="tmpfs" ino=5797297 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:passenger_tmp_t:s0 tclass=sock_file

--- Additional comment from updates@fedoraproject.org on 2012-09-21 19:58:21 EDT ---

selinux-policy-3.10.0-149.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 2 Miroslav Grepl 2012-10-09 19:11:10 UTC

passenger policy has been backported to RHEL6.4

Comment 6 Steve Snodgrass 2012-10-26 02:22:44 UTC

Is there somewhere I can download a beta/test policy for RHEL6.3?  I'm using the mod_passenger package from EPEL and running into problems before I even try puppet.  Passenger won't start because the agents aren't labeled:

[Thu Oct 25 22:07:05 2012] [error] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog (/usr/lib64/gems/exts/passenger-3.0.17/agents/PassengerWatchdog): Permission denied (13)

[root@bootstrap httpd]# ls -Z /usr/lib64/gems/exts/passenger-3.0.17/agents/
drwxr-xr-x. root root system_u:object_r:lib_t:s0       apache2
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerWatchdog

Running restorecon doesn't change anything under selinux-policy-3.7.19-155.el6_3.4.

Thanks!

Comment 7 Miroslav Grepl 2012-10-26 11:03:32 UTC

You can download it from

http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

Comment 9 errata-xmlrpc 2013-02-21 08:31:07 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html

Note You need to log in before you can comment on or make changes to this bug.