+++ This bug was initially created as a clone of Bug #848939 +++

Created attachment 605025: avc denials in permissive mode

Description of problem:

I'm migrating my puppet master from EL6 to Fedora 17 and using the passenger package under review (https://bugzilla.redhat.com/show_bug.cgi?id=470696) to run it as a passenger/rack application. Some work on this was done previously for EL6 (https://bugzilla.redhat.com/show_bug.cgi?id=730837) but it was never complete.

The passenger package ships a rubygem_passenger selinux module:

------
policy_module(rubygem-passenger, 1.1)

require {
    type httpd_t, httpd_tmp_t;
    class capability sys_ptrace;
};

# This should use interface macros
allow httpd_t httpd_tmp_t:sock_file { create write unlink getattr setattr };
allow httpd_t self:capability { fowner sys_resource fsetid };

# These allow the watchdog to run ps, but also any other httpd_t
# process, too (CGI scripts run in httpd_sys_script_t, but PHP,
# mod_perl, etc run in httpd_t)
bool httpd_use_ps true;
if (httpd_use_ps) {
    domain_ptrace_all_domains(httpd_t)
    domain_dontaudit_search_all_domains_state(httpd_t)
}

#Used by Watchdog
allow httpd_t self:capability sys_ptrace;
-----

Don't know what effect that is having.

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-145.fc17.noarch

--- Additional comment from mgrepl@redhat.com on 2012-08-20 05:23:11 EDT ---

What does

# ps -efZ |grep httpd

--- Additional comment from orion@cora.nwra.com on 2012-08-20 11:06:48 EDT ---

system_u:system_r:httpd_t:s0    root     16180 17487  0 Aug19 ?        00:00:00 PassengerWatchdog
system_u:system_r:httpd_t:s0    root     16184 16180  0 Aug19 ?        00:00:00 PassengerHelperAgent
system_u:system_r:httpd_t:s0    root     16187 16184  0 Aug19 ?        00:00:00 Passenger spawn server
system_u:system_r:httpd_t:s0    nobody   16190 16180  0 Aug19 ?        00:00:00 PassengerLoggingAgent
system_u:system_r:httpd_t:s0    apache   16220 17487  0 Aug19 ?        00:00:00 /usr/sbin/httpd -k start

--- Additional comment from mgrepl@redhat.com on 2012-08-21 03:38:04 EDT ---

Which is wrong. Could you paste paths to PassengerWatchdog, PassengerHelperAgent, PassengerLoggingAgent with labels.

# ls -lZ PATHTO/PassengerWatchdog
# ls -lZ PATHTO/PassengerHelperAgent
# ls -lZ PATHTO/PassengerLoggingAgent

--- Additional comment from orion@cora.nwra.com on 2012-08-21 18:53:49 EDT ---

[root@gepetto puppet]# ls -lZ /usr/share/gems/gems/passenger-3.0.14/agents/
drwxr-xr-x. root root system_u:object_r:bin_t:s0        apache2
-rwxrwxr-x. root root system_u:object_r:httpd_exec_t:s0 PassengerLoggingAgent
-rwxrwxr-x. root root system_u:object_r:httpd_exec_t:s0 PassengerWatchdog
[root@gepetto puppet]# ls -lZ /usr/share/gems/gems/passenger-3.0.14/agents/apache2/
-rwxrwxr-x. root root system_u:object_r:httpd_exec_t:s0 PassengerHelperAgent

/usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.fc contains:

/usr/share/gems/gems/passenger-3.0.14/agents/PassengerWatchdog gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/share/gems/gems/passenger-3.0.14/agents/PassengerLoggingAgent gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/share/gems/gems/passenger-3.0.14/agents/apache2/PassengerHelperAgent gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/share/gems/gems/passenger-3.0.14/ gen_context(system_u:object_r:bin_t,s0)
/usr/share/gems/gems/passenger-3.0.14/agents gen_context(system_u:object_r:bin_t,s0)
/usr/share/gems/gems/passenger-3.0.14/agents/apache2 gen_context(system_u:object_r:bin_t,s0)
/usr/share/gems/gems/passenger-3.0.14/helper-scripts/prespawn gen_context(system_u:object_r:bin_t,s0)
/usr/share/gems/gems/passenger-3.0.14/helper-scripts/passenger-spawn-server.spawnip gen_context(system_u:object_r:bin_t,s0)
/usr/share/gems/gems/passenger-3.0.14/helper-scripts/passenger-spawn-server gen_context(system_u:object_r:bin_t,s0)

I take it it shouldn't ship that? You might want to comment in the review, it would be helpful.
--- Additional comment from mgrepl@redhat.com on 2012-08-22 04:30:08 EDT ---

Yes, you got it. This is a problem. Could you try to disable this rubygem-passenger module?

# semodule -d rubygem-passenger
# restorecon -R -v /usr/share/gems

and restart all passenger services.

--- Additional comment from orion@cora.nwra.com on 2012-08-22 11:27:42 EDT ---

That reset the labels to usr_t, but now I get:

type=AVC msg=audit(1345649166.602:76): avc: denied { execute } for pid=1333 comm="httpd" name="PassengerWatchdog" dev="vda2" ino=8646 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1345649166.602:76): avc: denied { execute_no_trans } for pid=1333 comm="httpd" path="/usr/share/gems/gems/passenger-3.0.14/agents/PassengerWatchdog" dev="vda2" ino=8646 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1345649166.694:77): avc: denied { sys_resource } for pid=1333 comm="PassengerWatchd" capability=24 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1345649174.040:79): avc: denied { fowner } for pid=1381 comm="chmod" capability=3 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1345649174.040:79): avc: denied { fsetid } for pid=1381 comm="chmod" capability=4 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1345649194.019:80): avc: denied { search } for pid=1389 comm="ruby" name="puppet" dev="vda2" ino=392393 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1345649194.019:80): avc: denied { getattr } for pid=1389 comm="ruby" path="/etc/puppet/modules" dev="vda2" ino=393326 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1345649194.019:81): avc: denied { read } for pid=1389 comm="ruby" name="modules" dev="vda2" ino=393326 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1345649194.019:81): avc: denied { open } for pid=1389 comm="ruby" path="/etc/puppet/modules" dev="vda2" ino=393326 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir

--- Additional comment from mgrepl@redhat.com on 2012-08-23 02:04:57 EDT ---

Ok, I see the labeling bug in F17. Execute

# chcon -t passenger_exec_t /usr/share/gems/gems/passenger-3.0.14/agents/PassengerWatchdog /usr/share/gems/gems/passenger-3.0.14/agents/apache2/PassengerHelperAgent /usr/share/gems/gems/passenger-3.0.14/agents/PassengerLoggingAgent

--- Additional comment from orion@cora.nwra.com on 2012-08-23 13:43:41 EDT ---

Created attachment 606667: avc denials in permissive mode

Not sufficient. I got:

[ pid=3098 thr=140138351482688 file=ext/common/AgentBase.cpp:419 time=2012-08-23 11:34:51.747 ]: *** ERROR: Unexpected end-of-file encountered in 'void Passenger::VariantMap::readFrom(int)' (VariantMap.h:140) in 'Passenger::VariantMap Passenger::initializeAgent(int, char**, const char*)' (AgentBase.cpp:355)
[Thu Aug 23 11:34:51 2012] [error] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog: it seems to have crashed during startup for an unknown reason, with exit code 1

but no denials in audit.log. Switched to permissive and it works and I see the attached denials.

This may be further complicated because I moved the puppet rack config from /usr/share/puppet/rack to /var/lib/puppet/rack in the apache config, so from usr_t to puppet_var_lib_t.

--- Additional comment from mgrepl@redhat.com on 2012-08-24 04:47:42 EDT ---

I am adding fixes for passenger policy to F18 and will backport passenger policy to F17.
--- Additional comment from orion@cora.nwra.com on 2012-08-24 09:58:05 EDT ---

Note that the final install location for the agents is not yet set. Hopefully today though we'll get it. They don't belong in /usr/share though since they are binaries.

--- Additional comment from orion@cora.nwra.com on 2012-08-29 12:13:32 EDT ---

New install path will be in %{_libdir}:

/usr/lib64/gems/exts/passenger-3.0.14/agents/:
drwxr-xr-x. root root system_u:object_r:lib_t:s0 apache2
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerWatchdog

/usr/lib64/gems/exts/passenger-3.0.14/agents/apache2:
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerHelperAgent

--- Additional comment from mgrepl@redhat.com on 2012-09-03 02:39:56 EDT ---

Thanks. Added.

--- Additional comment from updates@fedoraproject.org on 2012-09-17 08:12:28 EDT ---

selinux-policy-3.10.0-149.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-149.fc17

--- Additional comment from updates@fedoraproject.org on 2012-09-18 22:54:10 EDT ---

Package selinux-policy-3.10.0-149.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-149.fc17'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14301/selinux-policy-3.10.0-149.fc17
then log in and leave karma (feedback).

--- Additional comment from orion@cora.nwra.com on 2012-09-19 16:37:18 EDT ---

The new paths don't have the proper contexts with this change: selinux-policy-3.10.0-149.fc17.noarch

[root@gepetto ~]# ls -lZR /usr/lib64/gems/exts/passenger-3.0.14/agents/
/usr/lib64/gems/exts/passenger-3.0.14/agents/:
drwxr-xr-x. root root system_u:object_r:lib_t:s0 apache2
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerWatchdog

/usr/lib64/gems/exts/passenger-3.0.14/agents/apache2:
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerHelperAgent

So this update doesn't fix this bug.

--- Additional comment from misc@zarb.org on 2012-09-19 17:08:08 EDT ---

The bug also exists on F18. Testing openshift, I have noticed a high cpu usage due to the number of avc triggered by passenger (since it runs ps to check the process, see ./ext/common/Utils/ProcessMetricsCollector.h function ProcessMetricsCollector::collect). And same issue of label:

# ls -lZ /usr/lib/gems/exts/passenger-3.0.17/agents
drwxr-xr-x. root root system_u:object_r:lib_t:s0 apache2
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerWatchdog
# rpm -q selinux-policy
selinux-policy-3.11.1-21.fc18.noarch

--- Additional comment from dwalsh@redhat.com on 2012-09-19 20:43:37 EDT ---

I just added the following labeling to F18.

/usr/share/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)
/usr/lib/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)

Could you try this label for your machine.

semanage fcontext -a -t passenger_exec_t -f -- '/usr/share/gems/.*/Passenger.*'

--- Additional comment from mgrepl@redhat.com on 2012-09-20 09:18:06 EDT ---

Added also labeling for ApplicationPoolServerExecutable

--- Additional comment from orion@cora.nwra.com on 2012-09-20 11:07:22 EDT ---

That labelling gets the agents. I have no idea what ApplicationPoolServerExecutable refers to.
In permissive mode I see:

type=AVC msg=audit(1348153395.886:44666): avc: denied { getattr } for pid=32415 comm="ruby" path="socket:[5796223]" dev="sockfs" ino=5796223 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1348153395.889:44667): avc: denied { ioctl } for pid=32415 comm="ruby" path="socket:[5796223]" dev="sockfs" ino=5796223 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1348153396.159:44668): avc: denied { write } for pid=32409 comm="httpd" name="socket" dev="tmpfs" ino=5797081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:passenger_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1348153434.513:44670): avc: denied { listen } for pid=32517 comm="ruby" laddr=127.0.0.1 lport=48117 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=tcp_socket
type=AVC msg=audit(1348153436.846:44671): avc: denied { execute } for pid=32715 comm="ruby" name="ifconfig" dev="vda2" ino=261296 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1348153436.846:44671): avc: denied { read open } for pid=32715 comm="ruby" path="/usr/sbin/ifconfig" dev="vda2" ino=261296 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1348153436.846:44671): avc: denied { execute_no_trans } for pid=32715 comm="ruby" path="/usr/sbin/ifconfig" dev="vda2" ino=261296 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1348153436.849:44672): avc: denied { read } for pid=32715 comm="ifconfig" name="unix" dev="proc" ino=4026531999 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1348153436.849:44673): avc: denied { search } for pid=32715 comm="ifconfig" name="net" dev="proc" ino=9067 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1348153436.850:44674): avc: denied { open } for pid=32715 comm="ifconfig" path="/proc/32715/net/dev" dev="proc" ino=4026531972 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1348153436.850:44675): avc: denied { getattr } for pid=32715 comm="ifconfig" path="/proc/32715/net/dev" dev="proc" ino=4026531972 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1348153447.092:44678): avc: denied { create } for pid=32517 comm="ruby" name="201209201504.yaml20120920-32517-125jb7a.lock" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1348153447.116:44679): avc: denied { rmdir } for pid=32517 comm="ruby" name="201209201504.yaml20120920-32517-125jb7a.lock" dev="vda2" ino=146896 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1348153447.233:44680): avc: denied { write } for pid=32445 comm="httpd" name="ruby.TgTGzwVFCSt9ptj29VZSFz5LJDWhpaZIw08mfdJDoCzDABxghVlyMHo" dev="tmpfs" ino=5797297 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:passenger_tmp_t:s0 tclass=sock_file

--- Additional comment from updates@fedoraproject.org on 2012-09-21 19:58:21 EDT ---

selinux-policy-3.10.0-149.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
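A small triage helper, added here as an example and not part of this bug report or of the passenger or selinux-policy packages: it parses AVC records like the ones pasted in this thread, groups the denied permissions by (source type, target type, class) the way audit2allow would, and separately flags execute denials whose target carries a generic label such as usr_t or lib_t, which is the labeling bug chased above rather than a missing allow rule. The sample records are copied from the denials quoted in this bug; the GENERIC_TYPES set is my own assumption about which labels should never be on an agent binary.

```python
import re
from collections import defaultdict

# Constructed sample input: four records copied from the denials quoted in
# this bug report (a mislabeled agent in usr_t, a capability, and ifconfig).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1345649166.602:76): avc: denied { execute } for pid=1333 comm="httpd" name="PassengerWatchdog" dev="vda2" ino=8646 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1345649166.602:76): avc: denied { execute_no_trans } for pid=1333 comm="httpd" path="/usr/share/gems/gems/passenger-3.0.14/agents/PassengerWatchdog" dev="vda2" ino=8646 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1345649166.694:77): avc: denied { sys_resource } for pid=1333 comm="PassengerWatchd" capability=24 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1348153436.846:44671): avc: denied { read open } for pid=32715 comm="ruby" path="/usr/sbin/ifconfig" dev="vda2" ino=261296 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed set of generic file types that a binary a confined domain must
# execute should never carry: an execute denial against one of them points
# at a labeling bug (the case in this thread), not at a missing allow rule.
GENERIC_TYPES = {"usr_t", "lib_t", "bin_t"}

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": set(m.group("perms").split()),
        "stype": f["scontext"].split(":")[2],   # user:role:TYPE:level
        "ttype": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
        "target": f.get("path") or f.get("name", ""),
    }

def parse_audit(text):
    return [r for r in map(parse_avc, text.splitlines()) if r]

def summarize(records):
    """Group denied permissions by (source type, target type, object class)."""
    perms = defaultdict(set)
    for r in records:
        perms[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return {k: sorted(v) for k, v in perms.items()}

def find_mislabeled_execs(records):
    """Files a domain tried to execute that still carry a generic type."""
    return sorted({r["target"] for r in records
                   if r["tclass"] == "file" and r["ttype"] in GENERIC_TYPES
                   and r["perms"] & {"execute", "execute_no_trans"}})
```

Feed it `ausearch -m avc` output instead of the sample; anything it lists under find_mislabeled_execs is a restorecon/semanage fcontext fix, not an audit2allow one.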
passenger policy has been backported to RHEL6.4
Is there somewhere I can download a beta/test policy for RHEL6.3? I'm using the mod_passenger package from EPEL and running into problems before I even try puppet. Passenger won't start because the agents aren't labeled:

[Thu Oct 25 22:07:05 2012] [error] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog (/usr/lib64/gems/exts/passenger-3.0.17/agents/PassengerWatchdog): Permission denied (13)

[root@bootstrap httpd]# ls -Z /usr/lib64/gems/exts/passenger-3.0.17/agents/
drwxr-xr-x. root root system_u:object_r:lib_t:s0 apache2
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerWatchdog

Running restorecon doesn't change anything under selinux-policy-3.7.19-155.el6_3.4. Thanks!
You can download it from http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html