Bug 864546 - SELinux prevents puppet master from running as passenger web app
Summary: SELinux prevents puppet master from running as passenger web app
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 848939
Blocks:
Reported: 2012-10-09 14:46 UTC by Orion Poplawski
Modified: 2013-02-21 08:31 UTC
CC: 7 users

Fixed In Version: selinux-policy-3.7.19-168.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 848939
Environment:
Last Closed: 2013-02-21 08:31:07 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHBA-2013:0314 (private: 0, priority: normal, status: SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2013-02-20 20:35:01 UTC

Description Orion Poplawski 2012-10-09 14:46:22 UTC
+++ This bug was initially created as a clone of Bug #848939 +++

Created attachment 605025 [details]
avc denials in permissive mode

Description of problem:

I'm migrating my puppet master from EL6 to Fedora 17 and using the passenger package under review (https://bugzilla.redhat.com/show_bug.cgi?id=470696) to run it as a passenger/rack application.  Some work on this was done previously for EL6 (https://bugzilla.redhat.com/show_bug.cgi?id=730837) but it was never complete.

The passenger package ships a rubygem_passenger selinux module:
------
policy_module(rubygem-passenger, 1.1)

require {
  type httpd_t, httpd_tmp_t;
  class capability sys_ptrace;
};


# This should use interface macros
allow httpd_t httpd_tmp_t:sock_file { create write unlink getattr setattr };
allow httpd_t self:capability { fowner sys_resource fsetid };

# These allow the watchdog to run ps, but also any other httpd_t
# process, too (CGI scripts run in httpd_sys_script_t, but PHP,
# mod_perl, etc run in httpd_t)
bool httpd_use_ps true;

if (httpd_use_ps) {
domain_ptrace_all_domains(httpd_t)
domain_dontaudit_search_all_domains_state(httpd_t)
}

#Used by Watchdog
allow httpd_t self:capability sys_ptrace;
-----

Don't know what effect that is having.


Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-145.fc17.noarch

--- Additional comment from mgrepl on 2012-08-20 05:23:11 EDT ---

What does

# ps -efZ |grep httpd

--- Additional comment from orion.com on 2012-08-20 11:06:48 EDT ---

system_u:system_r:httpd_t:s0    root     16180 17487  0 Aug19 ?        00:00:00 PassengerWatchdog
system_u:system_r:httpd_t:s0    root     16184 16180  0 Aug19 ?        00:00:00 PassengerHelperAgent
system_u:system_r:httpd_t:s0    root     16187 16184  0 Aug19 ?        00:00:00 Passenger spawn server
system_u:system_r:httpd_t:s0    nobody   16190 16180  0 Aug19 ?        00:00:00 PassengerLoggingAgent
system_u:system_r:httpd_t:s0    apache   16220 17487  0 Aug19 ?        00:00:00 /usr/sbin/httpd -k start

--- Additional comment from mgrepl on 2012-08-21 03:38:04 EDT ---

Which is wrong. Could you paste the paths to PassengerWatchdog, PassengerHelperAgent and PassengerLoggingAgent with labels?

# ls -lZ PATHTO/PassengerWatchdog
# ls -lZ PATHTO/PassengerHelperAgent
# ls -lZ PATHTO/PassengerLoggingAgent

--- Additional comment from orion.com on 2012-08-21 18:53:49 EDT ---

[root@gepetto puppet]# ls -lZ /usr/share/gems/gems/passenger-3.0.14/agents/
drwxr-xr-x. root root system_u:object_r:bin_t:s0       apache2
-rwxrwxr-x. root root system_u:object_r:httpd_exec_t:s0 PassengerLoggingAgent
-rwxrwxr-x. root root system_u:object_r:httpd_exec_t:s0 PassengerWatchdog
[root@gepetto puppet]# ls -lZ /usr/share/gems/gems/passenger-3.0.14/agents/apache2/
-rwxrwxr-x. root root system_u:object_r:httpd_exec_t:s0 PassengerHelperAgent

/usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.fc contains:

/usr/share/gems/gems/passenger-3.0.14/agents/PassengerWatchdog gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/share/gems/gems/passenger-3.0.14/agents/PassengerLoggingAgent gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/share/gems/gems/passenger-3.0.14/agents/apache2/PassengerHelperAgent gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/share/gems/gems/passenger-3.0.14/ gen_context(system_u:object_r:bin_t,s0)
/usr/share/gems/gems/passenger-3.0.14/agents gen_context(system_u:object_r:bin_t,s0)
/usr/share/gems/gems/passenger-3.0.14/agents/apache2 gen_context(system_u:object_r:bin_t,s0)
/usr/share/gems/gems/passenger-3.0.14/helper-scripts/prespawn gen_context(system_u:object_r:bin_t,s0)
/usr/share/gems/gems/passenger-3.0.14/helper-scripts/passenger-spawn-server.spawnip gen_context(system_u:object_r:bin_t,s0)
/usr/share/gems/gems/passenger-3.0.14/helper-scripts/passenger-spawn-server gen_context(system_u:object_r:bin_t,s0)

I take it it shouldn't ship that? You might want to comment in the review; it would be helpful.

--- Additional comment from mgrepl on 2012-08-22 04:30:08 EDT ---

Yes, you got it. This is a problem. Could you try to disable this rubygem-passenger module?

# semodule -d rubygem-passenger
# restorecon -R -v /usr/share/gems

and restart all passenger services.

--- Additional comment from orion.com on 2012-08-22 11:27:42 EDT ---

That reset the labels to usr_t, but now I get:

type=AVC msg=audit(1345649166.602:76): avc:  denied  { execute } for  pid=1333 comm="httpd" name="PassengerWatchdog" dev="vda2" ino=8646 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1345649166.602:76): avc:  denied  { execute_no_trans } for  pid=1333 comm="httpd" path="/usr/share/gems/gems/passenger-3.0.14/agents/PassengerWatchdog" dev="vda2" ino=8646 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1345649166.694:77): avc:  denied  { sys_resource } for  pid=1333 comm="PassengerWatchd" capability=24  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1345649174.040:79): avc:  denied  { fowner } for  pid=1381 comm="chmod" capability=3  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1345649174.040:79): avc:  denied  { fsetid } for  pid=1381 comm="chmod" capability=4  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1345649194.019:80): avc:  denied  { search } for  pid=1389 comm="ruby" name="puppet" dev="vda2" ino=392393 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1345649194.019:80): avc:  denied  { getattr } for  pid=1389 comm="ruby" path="/etc/puppet/modules" dev="vda2" ino=393326 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1345649194.019:81): avc:  denied  { read } for  pid=1389 comm="ruby" name="modules" dev="vda2" ino=393326 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1345649194.019:81): avc:  denied  { open } for  pid=1389 comm="ruby" path="/etc/puppet/modules" dev="vda2" ino=393326 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir

--- Additional comment from mgrepl on 2012-08-23 02:04:57 EDT ---

Ok, I see the labeling bug in F17.

execute

# chcon -t passenger_exec_t /usr/share/gems/gems/passenger-3.0.14/agents/PassengerWatchdog  /usr/share/gems/gems/passenger-3.0.14/agents/apache2/PassengerHelperAgent /usr/share/gems/gems/passenger-3.0.14/agents/PassengerLoggingAgent

--- Additional comment from orion.com on 2012-08-23 13:43:41 EDT ---

Created attachment 606667 [details]
avc denials in permissive mode

Not sufficient.  I got:

[ pid=3098 thr=140138351482688 file=ext/common/AgentBase.cpp:419 time=2012-08-23 11:34:51.747 ]: *** ERROR: Unexpected end-of-file encountered
     in 'void Passenger::VariantMap::readFrom(int)' (VariantMap.h:140)
     in 'Passenger::VariantMap Passenger::initializeAgent(int, char**, const char*)' (AgentBase.cpp:355)

[Thu Aug 23 11:34:51 2012] [error] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog: it seems to have crashed during startup for an unknown reason, with exit code 1

but no denials in audit.log. Switched to permissive and it works, and I see the attached denials.

This may be further complicated because I moved the puppet rack config from /usr/share/puppet/rack to /var/lib/puppet/rack in the apache config, so from usr_t to puppet_var_lib_t.

--- Additional comment from mgrepl on 2012-08-24 04:47:42 EDT ---

I am adding fixes for passenger policy to F18 and will backport passenger policy to F17.

--- Additional comment from orion.com on 2012-08-24 09:58:05 EDT ---

Note that the final install location for the agents is not yet set.  Hopefully today though we'll get it.  They don't belong in /usr/share though since they are binaries.

--- Additional comment from orion.com on 2012-08-29 12:13:32 EDT ---

New install path will be in %{_libdir}:

/usr/lib64/gems/exts/passenger-3.0.14/agents/:
drwxr-xr-x. root root system_u:object_r:lib_t:s0       apache2
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerWatchdog
/usr/lib64/gems/exts/passenger-3.0.14/agents/apache2:
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerHelperAgent

--- Additional comment from mgrepl on 2012-09-03 02:39:56 EDT ---

Thanks. Added.

--- Additional comment from updates on 2012-09-17 08:12:28 EDT ---

selinux-policy-3.10.0-149.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-149.fc17

--- Additional comment from updates on 2012-09-18 22:54:10 EDT ---

Package selinux-policy-3.10.0-149.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-149.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14301/selinux-policy-3.10.0-149.fc17
then log in and leave karma (feedback).

--- Additional comment from orion.com on 2012-09-19 16:37:18 EDT ---

The new paths don't have the proper contexts with this change:

selinux-policy-3.10.0-149.fc17.noarch
[root@gepetto ~]# ls -lZR /usr/lib64/gems/exts/passenger-3.0.14/agents/
/usr/lib64/gems/exts/passenger-3.0.14/agents/:
drwxr-xr-x. root root system_u:object_r:lib_t:s0       apache2
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerWatchdog

/usr/lib64/gems/exts/passenger-3.0.14/agents/apache2:
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerHelperAgent

So this update doesn't fix this bug.

--- Additional comment from misc on 2012-09-19 17:08:08 EDT ---

The bug also exists on F18. Testing OpenShift, I have noticed high CPU usage due to the number of AVCs triggered by passenger (since it runs ps to check the process, see ./ext/common/Utils/ProcessMetricsCollector.h, function ProcessMetricsCollector::collect).

And the same label issue:
# ls -lZ /usr/lib/gems/exts/passenger-3.0.17/agents
drwxr-xr-x. root root system_u:object_r:lib_t:s0       apache2
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerWatchdog
# rpm -q selinux-policy
selinux-policy-3.11.1-21.fc18.noarch

--- Additional comment from dwalsh on 2012-09-19 20:43:37 EDT ---

I just added the following labeling to F18.

/usr/share/gems/.*/Passenger.*	-- 	gen_context(system_u:object_r:passenger_exec_t,s0)
/usr/lib/gems/.*/Passenger.*	-- 	gen_context(system_u:object_r:passenger_exec_t,s0)

Could you try this label for your machine?


semanage fcontext -a -t passenger_exec_t -f -- '/usr/share/gems/.*/Passenger.*'

--- Additional comment from mgrepl on 2012-09-20 09:18:06 EDT ---

Added also labeling for ApplicationPoolServerExecutable

--- Additional comment from orion.com on 2012-09-20 11:07:22 EDT ---

That labelling gets the agents.  I have no idea what ApplicationPoolServerExecutable refers to.

In permissive mode I see:

type=AVC msg=audit(1348153395.886:44666): avc:  denied  { getattr } for  pid=32415 comm="ruby" path="socket:[5796223]" dev="sockfs" ino=5796223 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1348153395.889:44667): avc:  denied  { ioctl } for  pid=32415 comm="ruby" path="socket:[5796223]" dev="sockfs" ino=5796223 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1348153396.159:44668): avc:  denied  { write } for  pid=32409 comm="httpd" name="socket" dev="tmpfs" ino=5797081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:passenger_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1348153434.513:44670): avc:  denied  { listen } for  pid=32517 comm="ruby" laddr=127.0.0.1 lport=48117 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=tcp_socket
type=AVC msg=audit(1348153436.846:44671): avc:  denied  { execute } for  pid=32715 comm="ruby" name="ifconfig" dev="vda2" ino=261296 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1348153436.846:44671): avc:  denied  { read open } for  pid=32715 comm="ruby" path="/usr/sbin/ifconfig" dev="vda2" ino=261296 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1348153436.846:44671): avc:  denied  { execute_no_trans } for  pid=32715 comm="ruby" path="/usr/sbin/ifconfig" dev="vda2" ino=261296 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1348153436.849:44672): avc:  denied  { read } for  pid=32715 comm="ifconfig" name="unix" dev="proc" ino=4026531999 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1348153436.849:44673): avc:  denied  { search } for  pid=32715 comm="ifconfig" name="net" dev="proc" ino=9067 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1348153436.850:44674): avc:  denied  { open } for  pid=32715 comm="ifconfig" path="/proc/32715/net/dev" dev="proc" ino=4026531972 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1348153436.850:44675): avc:  denied  { getattr } for  pid=32715 comm="ifconfig" path="/proc/32715/net/dev" dev="proc" ino=4026531972 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1348153447.092:44678): avc:  denied  { create } for  pid=32517 comm="ruby" name="201209201504.yaml20120920-32517-125jb7a.lock" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1348153447.116:44679): avc:  denied  { rmdir } for  pid=32517 comm="ruby" name="201209201504.yaml20120920-32517-125jb7a.lock" dev="vda2" ino=146896 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1348153447.233:44680): avc:  denied  { write } for  pid=32445 comm="httpd" name="ruby.TgTGzwVFCSt9ptj29VZSFz5LJDWhpaZIw08mfdJDoCzDABxghVlyMHo" dev="tmpfs" ino=5797297 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:passenger_tmp_t:s0 tclass=sock_file

--- Additional comment from updates on 2012-09-21 19:58:21 EDT ---

selinux-policy-3.10.0-149.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
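
The denial lists above are the raw material for every decision in this bug: which file types the agents need, which domain they should run in, and whether a denial points at a missing rule or at a mislabeled file. The following is an added example (not part of this bug report and not code from the selinux-policy or passenger projects) that parses audit-style AVC records the way a triage script or audit2allow would, groups them by source type, target type and object class, and separately flags execute denials, since a confined domain trying to run a binary (here passenger_t spawning ifconfig) is the kind of denial a defender wants to see on its own rather than buried in a list. The sample records are constructed from lines quoted in this bug, abridged; the rule strings it prints are hypotheses to review against the intended policy, not rules to load blindly. In particular, the usr_t and lib_t denials earlier in this thread were resolved by fixing file labels, and an allow rule for httpd_t would have been the wrong fix.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the denials quoted in this bug, plus one
# non-AVC record to show that other audit record types are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1348153395.886:44666): avc:  denied  { getattr } for  pid=32415 comm="ruby" path="socket:[5796223]" dev="sockfs" ino=5796223 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1348153396.159:44668): avc:  denied  { write } for  pid=32409 comm="httpd" name="socket" dev="tmpfs" ino=5797081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:passenger_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1348153436.846:44671): avc:  denied  { read open } for  pid=32715 comm="ruby" path="/usr/sbin/ifconfig" dev="vda2" ino=261296 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1348153436.846:44671): avc:  denied  { execute_no_trans } for  pid=32715 comm="ruby" path="/usr/sbin/ifconfig" dev="vda2" ino=261296 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1348153447.233:44680): avc:  denied  { write } for  pid=32445 comm="httpd" name="ruby.socket" dev="tmpfs" ino=5797297 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:passenger_tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1348153447.233:44680): arch=c000003e syscall=42 success=yes exit=0
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+(?P<result>denied|granted)\s+"
    r"\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type component (third field) of an SELinux context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, else None."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        # Files carry path=; sockets and directory entries often only name=.
        "target": fields.get("path") or fields.get("name"),
    }


def parse_audit(text):
    """Parse a whole audit.log excerpt, keeping only AVC records."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def summarize(records):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for r in records:
        if r["result"] != "denied":
            continue
        key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])
        grouped[key].update(r["perms"])
    return {k: sorted(v) for k, v in grouped.items()}


def as_te_rules(summary):
    """Render the summary as candidate TE rules (to be reviewed, not loaded)."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(summary.items())]


def exec_denials(records):
    """List (source type, comm, binary) for denied execute attempts on files."""
    out = []
    for r in records:
        if r["tclass"] == "file" and {"execute", "execute_no_trans"} & set(r["perms"]):
            item = (type_of(r["scontext"]), r["comm"], r["target"])
            if item not in out:
                out.append(item)
    return out


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for rule in as_te_rules(summarize(recs)):
        print(rule)
    print("execute attempts:", exec_denials(recs))
```

Run it against a real audit.log excerpt by reading the file into parse_audit; the grouping mirrors what `audit2allow` prints, and the execute list is the part worth reading first, because each entry names a program a confined domain tried to launch and so identifies exactly which interface (or which label fix) the policy needs.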

Comment 2 Miroslav Grepl 2012-10-09 19:11:10 UTC
passenger policy has been backported to RHEL6.4

Comment 6 Steve Snodgrass 2012-10-26 02:22:44 UTC
Is there somewhere I can download a beta/test policy for RHEL6.3?  I'm using the mod_passenger package from EPEL and running into problems before I even try puppet.  Passenger won't start because the agents aren't labeled:

[Thu Oct 25 22:07:05 2012] [error] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog (/usr/lib64/gems/exts/passenger-3.0.17/agents/PassengerWatchdog): Permission denied (13)

[root@bootstrap httpd]# ls -Z /usr/lib64/gems/exts/passenger-3.0.17/agents/
drwxr-xr-x. root root system_u:object_r:lib_t:s0       apache2
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerWatchdog

Running restorecon doesn't change anything under selinux-policy-3.7.19-155.el6_3.4.

Thanks!
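
The listing above shows the same symptom as the F18 reports earlier in this bug: the agents carry lib_t, so httpd_t cannot execute them and no domain transition to passenger_t happens. Whether restorecon will fix that depends entirely on whether some file-context spec matches the path. The following is an added example (not from this bug, and not the selinux-policy package's own file_contexts or matching code) that models that check in Python: a small spec table, a parser for `ls -lZR`-style output, and a function that reports which files would be relabeled, which is what `restorecon -n -v` tells you on a real host. The two Passenger specs are the ones quoted in this bug; the catch-all `/usr/lib(64)?/.*` entry is an assumption standing in for the distribution's generic rule that yields lib_t, and the `lib(64)?` Passenger spec at the end is my illustration of the gap, not an entry from the shipped policy. The listings are constructed from the ones quoted in this bug.

```python
import re

# Constructed file-context table: (regex, file type filter, context).
# File type "--" = regular file, "-d" = directory, None = any type.
# The first entry is an ASSUMED catch-all standing in for the generic
# /usr/lib rule; the two Passenger entries are quoted from this bug.
SPECS = [
    ("/usr/lib(64)?/.*", None, "system_u:object_r:lib_t:s0"),
    ("/usr/share/gems/.*/Passenger.*", "--", "system_u:object_r:passenger_exec_t:s0"),
    ("/usr/lib/gems/.*/Passenger.*", "--", "system_u:object_r:passenger_exec_t:s0"),
]

# Hypothetical extra spec (not from the shipped policy) that also covers
# the 64-bit gem path seen in the RHEL6 listing.
EXTENDED_SPECS = SPECS + [
    ("/usr/lib(64)?/gems/.*/Passenger.*", "--", "system_u:object_r:passenger_exec_t:s0"),
]

# Constructed from the listings quoted in this bug.
RHEL6_LISTING = """\
/usr/lib64/gems/exts/passenger-3.0.17/agents/:
drwxr-xr-x. root root system_u:object_r:lib_t:s0       apache2
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerWatchdog
"""
F18_LISTING = """\
/usr/lib/gems/exts/passenger-3.0.17/agents/:
drwxr-xr-x. root root system_u:object_r:lib_t:s0       apache2
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       PassengerWatchdog
"""


def expected_context(path, is_dir, specs=SPECS):
    """Context a spec table assigns to path, or None if nothing matches.

    Regexes are anchored at both ends, as in file_contexts, and the last
    matching entry wins, which is the effective behaviour over a sorted
    file_contexts file (simplified model)."""
    ftype = "-d" if is_dir else "--"
    match = None
    for regex, want_type, ctx in specs:
        if want_type not in (None, ftype):
            continue
        if re.fullmatch(regex, path):
            match = ctx
    return match


def parse_ls_z(listing):
    """Parse `ls -lZR` output into (absolute path, is_dir, context) tuples."""
    entries, cwd = [], None
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):          # directory header line
            cwd = line[:-1].rstrip("/")
            continue
        mode, _user, _group, ctx, name = line.split()
        entries.append((cwd + "/" + name, mode.startswith("d"), ctx))
    return entries


def find_mislabeled(listing, specs=SPECS):
    """Files whose on-disk label differs from the spec table's answer."""
    out = []
    for path, is_dir, actual in parse_ls_z(listing):
        want = expected_context(path, is_dir, specs)
        if want is not None and want != actual:
            out.append((path, actual, want))
    return out


if __name__ == "__main__":
    print("F18 path, shipped specs:", find_mislabeled(F18_LISTING))
    print("RHEL6 lib64 path, shipped specs:", find_mislabeled(RHEL6_LISTING))
    print("RHEL6 lib64 path, extended specs:",
          find_mislabeled(RHEL6_LISTING, EXTENDED_SPECS))
```

The point the model makes explicit is that a restorecon that "doesn't change anything" is not a malfunction: with only the `/usr/lib/gems/...` spec, nothing matches `/usr/lib64/gems/...`, so the catch-all lib_t is the correct answer as far as the policy knows, and the fix has to be a spec covering the path (the `semanage fcontext -a -t passenger_exec_t` form quoted earlier in this bug, or the updated policy package) followed by `restorecon -R -v` on the directory.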

Comment 7 Miroslav Grepl 2012-10-26 11:03:32 UTC
You can download it from

http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

Comment 9 errata-xmlrpc 2013-02-21 08:31:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html

