Description of problem:

Both rubygem-passenger-native and ruby193-rubygem-passenger-native are trying to load a policy called rubygem-passenger.pp (listed as rubygem_passenger when doing semanage -l). This means that whichever package is installed last will have their policy loaded.

When we create new hosts in INT and PROD, some get the policy from rubygem-passenger-native and others get the policy from ruby193-rubygem-passenger-native. This is a problem as the policies aren't identical and therefore we have inconsistent fcontext and other rules. This causes quite a few issues for us. Right now I'm having to manually sync up the policies using the manual fix described below.

Proposed fix:

ruby193-rubygem-passenger-native's selinux policy should really be named something like:

ruby193_rubygem_passenger

This would prevent it from stomping on the other rubygem_passenger policy.

Manual fix:

1) Get them all on the rubygem_passenger 1.1 module:

semodule -i /opt/rh/ruby193/root/usr/share/selinux/packages/ruby193-rubygem-passenger/rubygem-passenger.pp

2) Add the missing lines to the rubygem_passenger 1.1 module:

semanage fcontext -a --seuser system_u --type httpd_log_t '/var/log/passenger-analytics'
semanage fcontext -a --seuser system_u --type httpd_exec_t '/usr/lib/ruby/gems/1.8/gems/passenger-3.0.4/agents/((apache2|nginx)/)?Passenger.*'

Here are the paths to the two policy files laid down by the rpms:

/usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.pp
/opt/rh/ruby193/root/usr/share/selinux/packages/ruby193-rubygem-passenger/rubygem-passenger.pp

Version-Release number of selected component (if applicable):

rubygem-passenger-native-3.0.4-12.el6_3.x86_64
ruby193-rubygem-passenger-native-3.0.12-16.el6_3.x86_64

How reproducible:

It's random because it's based on which rpm gets installed last, but happens frequently when building new nodes. Not sure why this isn't a problem in the devenvs.

Steps to Reproduce:

1. To see the problem with the modules overriding each other, load one then the other:
2. semodule -i /opt/rh/ruby193/root/usr/share/selinux/packages/ruby193-rubygem-passenger/rubygem-passenger.pp
3. semodule -l|grep rubygem_passenger
4. Notice that rubygem_passenger 1.1 is loaded
5. semodule -i /usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.pp
6. semodule -l|grep rubygem_passenger
7. Notice that rubygem_passenger 1.0 is now loaded

Actual results:

The two policies are stomping on each other when loaded into selinux.

Expected results:

The two policies should both be able to be loaded and should coexist.
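
A fleet-side check for the inconsistency described in the report above, as an added example that is not part of the original bug or of either package: it reads `<host> <module> <version>` records and lists every module that is loaded at different versions on different hosts. The record format (each host's `semodule -l` output prefixed with a host name), the function names, and the sample host names and records are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: report SELinux modules whose loaded version differs
# between hosts, which is the symptom of two packages installing a
# module under the same name.

# Constructed sample inventory; host names are placeholders.
sample_inventory() {
cat <<'EOF'
node1 rubygem_passenger 1.1
node2 rubygem_passenger 1.0
node3 rubygem_passenger 1.1
node1 abrt 1.2.0
node2 abrt 1.2.0
node3 abrt 1.2.0
EOF
}

# Reads "<host> <module> <version>" records on stdin.
# Prints "<module> <version>=<host,...> <version>=<host,...>" for each
# module seen with more than one version; prints nothing if consistent.
module_drift() {
    LC_ALL=C sort -k2,2 -k3,3 -k1,1 | awk '
        NF < 3 { next }                      # skip blank or malformed records
        {
            key = $2 SUBSEP $3               # module + version
            if (key in hosts) {
                hosts[key] = hosts[key] "," $1
            } else {
                hosts[key] = $1
                nver[$2]++                   # distinct versions per module
                order[++n] = key             # keep sorted order for output
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                split(order[i], p, SUBSEP)
                if (nver[p[1]] < 2) continue # same version everywhere
                line[p[1]] = line[p[1]] " " p[2] "=" hosts[order[i]]
                if (!(p[1] in seen)) { seen[p[1]] = 1; mods[++m] = p[1] }
            }
            for (j = 1; j <= m; j++) print mods[j] line[mods[j]]
        }'
}

# Demonstration on the constructed sample.
sample_inventory | module_drift
```

An empty result means every host has the same version of every module; any output line names a module to investigate with `semodule -l` on the listed hosts.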

Was able to eliminate everything in the SELinux policies except two lines in the file policy which make each package re-use the existing passenger module's file contexts. They no longer conflict.

The updated packages have been built:

rubygem-passenger-3.0.4-15.el6_3
ruby193-rubygem-passenger-3.0.12-19.el6_3

Verified on devenv_2360 (for INT and PROD, QE does not have access)

ruby193-rubygem-passenger-native-3.0.12-19.el6_3.x86_64
rubygem-passenger-native-3.0.4-15.el6_3.x86_64

Steps:

1.
[root@domU-12-31-39-0F-CA-66 ~]# semodule -l|grep rubygem-passenger
ruby193-rubygem-passenger 1.3
rubygem-passenger 1.3

2.
[root@domU-12-31-39-0F-CA-66 ~]# semodule -i /usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.pp
[root@domU-12-31-39-0F-CA-66 ~]# semodule -l|grep rubygem-passenger
ruby193-rubygem-passenger 1.3
rubygem-passenger 1.3

3.
[root@domU-12-31-39-0F-CA-66 ~]# semodule -i /usr/share/selinux/packages/rubygem-passenger.pp
[root@domU-12-31-39-0F-CA-66 ~]# semodule -l|grep rubygem-passenger
ruby193-rubygem-passenger 1.3
rubygem-passenger 1.3