Bug 865082 - ruby193-rubygem-passenger's rubygem_passenger selinux policy stomps on the normal passenger selinux policy
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OKD
Classification: Red Hat
Component: Containers
Version: 2.x
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Rob Millner
QA Contact: libra bugs
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-10-10 19:11 UTC by Thomas Wiest
Modified: 2015-05-14 23:00 UTC

Fixed In Version: rubygem-passenger-3.0.4-15.el6_3
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-11-06 18:49:13 UTC
Target Upstream Version:
Embargoed:



Description Thomas Wiest 2012-10-10 19:11:51 UTC
Description of problem:
Both rubygem-passenger-native and ruby193-rubygem-passenger-native are trying to load a policy called rubygem-passenger.pp (listed as rubygem_passenger when doing semanage -l). This means that whichever package is installed last will have their policy loaded.

When we create new hosts in INT and PROD, some get the policy from rubygem-passenger-native and others get the policy from ruby193-rubygem-passenger-native. This is a problem as the policies aren't identical and therefore we have inconsistent fcontext and other rules.

This causes quite a few issues for us. Right now I'm having to manually sync up the policies using the manual fix described below.


Proposed fix:
ruby193-rubygem-passenger-native's selinux policy should really be named something like: 
ruby193_rubygem_passenger

This would prevent it from stomping on the other rubygem_passenger policy.


Manual fix:
1) Get them all on the rubygem_passenger 1.1 module:
   semodule -i /opt/rh/ruby193/root/usr/share/selinux/packages/ruby193-rubygem-passenger/rubygem-passenger.pp

2) Add the missing lines to the rubygem_passenger 1.1 module:
semanage fcontext -a --seuser system_u --type httpd_log_t '/var/log/passenger-analytics'
semanage fcontext -a --seuser system_u --type httpd_exec_t '/usr/lib/ruby/gems/1.8/gems/passenger-3.0.4/agents/((apache2|nginx)/)?Passenger.*'


Here are the paths to the two policy files laid down by the rpms:
/usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.pp
/opt/rh/ruby193/root/usr/share/selinux/packages/ruby193-rubygem-passenger/rubygem-passenger.pp


Version-Release number of selected component (if applicable):
rubygem-passenger-native-3.0.4-12.el6_3.x86_64
ruby193-rubygem-passenger-native-3.0.12-16.el6_3.x86_64


How reproducible:
It's random because it's based on which rpm gets installed last, but happens frequently when building new nodes. Not sure why this isn't a problem in the devenvs.


Steps to Reproduce:
1. To see the problem with the modules overriding each other, load one then the other:
2. semodule -i /opt/rh/ruby193/root/usr/share/selinux/packages/ruby193-rubygem-passenger/rubygem-passenger.pp
3. semodule -l|grep rubygem_passenger
4. Notice that rubygem_passenger 1.1 is loaded
5. semodule -i /usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.pp
6. semodule -l|grep rubygem_passenger
7. Notice that rubygem_passenger 1.0 is now loaded


Actual results:
The two policies are stomping on each other when loaded into selinux.


Expected results:
The two policies should both be able to be loaded and should coexist.

Comment 1 Rob Millner 2012-10-19 00:50:03 UTC
Was able to eliminate everything in the SELinux policies except two lines in the file policy which makes each package re-use the existing passenger module's file contexts.  They no longer conflict.

Comment 2 Rob Millner 2012-10-19 20:36:02 UTC
The updated packages have been built:

rubygem-passenger-3.0.4-15.el6_3
ruby193-rubygem-passenger-3.0.12-19.el6_3

Comment 3 Jianwei Hou 2012-10-22 05:14:16 UTC
Verified on devenv_2360(for INT and PROD, QE does not have access)
ruby193-rubygem-passenger-native-3.0.12-19.el6_3.x86_64
rubygem-passenger-native-3.0.4-15.el6_3.x86_64

Steps:
1. [root@domU-12-31-39-0F-CA-66 ~]# semodule -l|grep rubygem-passenger
ruby193-rubygem-passenger	1.3	
rubygem-passenger	1.3	
2. [root@domU-12-31-39-0F-CA-66 ~]# semodule -i /usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.pp
[root@domU-12-31-39-0F-CA-66 ~]# semodule -l|grep rubygem-passenger
ruby193-rubygem-passenger	1.3	
rubygem-passenger	1.3	
3. [root@domU-12-31-39-0F-CA-66 ~]# semodule -i /usr/share/selinux/packages/rubygem-passenger.pp
[root@domU-12-31-39-0F-CA-66 ~]# semodule -l|grep rubygem-passenger
ruby193-rubygem-passenger	1.3	
rubygem-passenger	1.3

