Bug 865082 - ruby193-rubygem-passenger's rubygem_passenger selinux policy stomps on the normal passenger selinux policy
Product: OpenShift Origin
Classification: Red Hat
Component: Containers
Priority: high
Severity: high
Assigned To: Rob Millner
libra bugs
Reported: 2012-10-10 15:11 EDT by Thomas Wiest
Modified: 2015-05-14 19:00 EDT
Fixed In Version: rubygem-passenger-3.0.4-15.el6_3
Doc Type: Bug Fix
Last Closed: 2012-11-06 13:49:13 EST
Type: Bug
Description Thomas Wiest 2012-10-10 15:11:51 EDT
Description of problem:
Both rubygem-passenger-native and ruby193-rubygem-passenger-native are trying to load a policy called rubygem-passenger.pp (listed as rubygem_passenger when doing semanage -l). This means that whichever package is installed last will have their policy loaded.

When we create new hosts in INT and PROD, some get the policy from rubygem-passenger-native and others get the policy from ruby193-rubygem-passenger-native. This is a problem as the policies aren't identical and therefore we have inconsistent fcontext and other rules.

This causes quite a few issues for us. Right now I'm having to manually sync up the policies using the manual fix described below.

Proposed fix:
ruby193-rubygem-passenger-native's selinux policy should really be named something like: 

This would prevent it from stomping on the other rubygem_passenger policy.

Manual fix:
1) Get them all on the rubygem_passenger 1.1 module:
   semodule -i /opt/rh/ruby193/root/usr/share/selinux/packages/ruby193-rubygem-passenger/rubygem-passenger.pp

2) Add the missing lines to the rubygem_passenger 1.1 module:
semanage fcontext -a --seuser system_u --type httpd_log_t '/var/log/passenger-analytics'
semanage fcontext -a --seuser system_u --type httpd_exec_t '/usr/lib/ruby/gems/1.8/gems/passenger-3.0.4/agents/((apache2|nginx)/)?Passenger.*'

Here are the paths to the two policy files laid down by the rpms:

Version-Release number of selected component (if applicable):

How reproducible:
It's random because it's based on which rpm gets installed last, but happens frequently when building new nodes. Not sure why this isn't a problem in the devenvs.

Steps to Reproduce:
1. To see the problem with the modules overriding each other, load one then the other:
2. semodule -i /opt/rh/ruby193/root/usr/share/selinux/packages/ruby193-rubygem-passenger/rubygem-passenger.pp
3. semodule -l|grep rubygem_passenger
4. Notice that rubygem_passenger 1.1 is loaded
5. semodule -i /usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.pp
6. semodule -l|grep rubygem_passenger
7. Notice that rubygem_passenger 1.0 is now loaded

Actual results:
The two policies are stomping on each other when loaded into selinux.

Expected results:
The two policies should both be able to be loaded and should coexist.
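The "Manual fix" above only restores the two fcontext rules by hand; an added example (not part of the bug report or either package) is a small POSIX sh check that reads `semanage fcontext -l` output on stdin and reports whether those two rules are present, so a node that received the wrong module can be spotted before Passenger breaks. The listing format and the function name `check_fcontexts` are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the bug report: checks whether the two fcontext
# rules the reporter had to re-add after the rubygem_passenger 1.1 module
# displaced the 1.0 module are present. Reads `semanage fcontext -l` output
# on stdin so it can be run against a live listing or a saved one.

# The two rules from the "Manual fix" section, as "<path> <type>", one per line.
EXPECTED_RULES='/var/log/passenger-analytics httpd_log_t
/usr/lib/ruby/gems/1.8/gems/passenger-3.0.4/agents/((apache2|nginx)/)?Passenger.* httpd_exec_t'

# check_fcontexts: prints "MISSING <path> <type>" for every expected rule that
# is absent from the listing on stdin. Exit status 0 if all are present, 1 if not.
check_fcontexts() {
    listing=$(cat)
    missing=0
    # read -r does no globbing, so the regex metacharacters in the path stay literal.
    while IFS=' ' read -r path type; do
        [ -n "$path" ] || continue
        # A rule matches when a listing line starts with the exact path spec,
        # followed by whitespace, and its context carries the expected type.
        if ! printf '%s\n' "$listing" | awk -v p="$path" -v t=":$type:" '
            index($0, p) == 1 &&
            substr($0, length(p) + 1, 1) ~ /[ \t]/ &&
            index($0, t) > 0 { found = 1 }
            END { exit !found }'; then
            echo "MISSING $path $type"
            missing=$((missing + 1))
        fi
    done <<EOF
$EXPECTED_RULES
EOF
    [ "$missing" -eq 0 ]
}

# Usage on a node (as root): semanage fcontext -l | check_fcontexts
```

A non-zero exit with MISSING lines means the node is carrying the incomplete module and needs the two `semanage fcontext -a` commands from the manual fix.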
Comment 1 Rob Millner 2012-10-18 20:50:03 EDT
Was able to eliminate everything in the SELinux policies except two lines in the file policy which make each package re-use the existing passenger module's file contexts. They no longer conflict.
Comment 2 Rob Millner 2012-10-19 16:36:02 EDT
The updated packages have been built:

Comment 3 Jianwei Hou 2012-10-22 01:14:16 EDT
Verified on devenv_2360 (for INT and PROD, QE does not have access)

1. [root@domU-12-31-39-0F-CA-66 ~]# semodule -l|grep rubygem-passenger
ruby193-rubygem-passenger	1.3	
rubygem-passenger	1.3	
2. [root@domU-12-31-39-0F-CA-66 ~]# semodule -i /usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.pp
[root@domU-12-31-39-0F-CA-66 ~]# semodule -l|grep rubygem-passenger
ruby193-rubygem-passenger	1.3	
rubygem-passenger	1.3	
3. [root@domU-12-31-39-0F-CA-66 ~]# semodule -i /usr/share/selinux/packages/rubygem-passenger.pp
[root@domU-12-31-39-0F-CA-66 ~]# semodule -l|grep rubygem-passenger
ruby193-rubygem-passenger	1.3	
rubygem-passenger	1.3
