Description of problem: The following error message is seen in broker http log file: Cannot execute '/usr/share/rubygems/gems/passenger-3.0.17/helper-scripts/prespawn http://127.0.0.1:8080/': Permission denied (13) Though these error was existing, it seem like does not affect to create app. App can be created successfully, but these error should be fixed. Version-Release number of selected component (if applicable): 2012-10-25.1 puddle selinux-policy-targeted-3.7.19-174.el6.noarch selinux-policy-3.7.19-174.el6.noarch mod_passenger-3.0.17-2.el6op.1.x86_64 rubygem-passenger-3.0.17-2.el6op.1.x86_64 rubygem-passenger-native-3.0.17-2.el6op.1.x86_64 rubygem-passenger-native-libs-3.0.17-2.el6op.1.x86_64 # semodule -l|grep passen passenger 1.0.0 How reproducible: Always Steps to Reproduce: 1. Setup broker node. 2. tail -f /var/www/openshift/broker/httpd/logs/* 3. service openshift-broker restart Actual results: The output of step 2: <--snip--> [Fri Oct 26 07:06:11 2012] [notice] caught SIGTERM, shutting down [Fri Oct 26 07:06:12 2012] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0 [Fri Oct 26 07:06:12 2012] [notice] Apache/2.2.15 (Unix) Phusion_Passenger/3.0.17 configured -- resuming normal operations Cannot execute '/usr/share/rubygems/gems/passenger-3.0.17/helper-scripts/prespawn http://127.0.0.1:8080/': Permission denied (13) Cannot execute '/usr/share/rubygems/gems/passenger-3.0.17/helper-scripts/prespawn http://127.0.0.1:8080/': Permission denied (13) Check the /var/log/audit/audit.log, found the following AVC denial: <--snip--> type=AVC msg=audit(1351263758.126:15): avc: denied { execute } for pid=1718 comm="PassengerHelper" name="prespawn" dev=dm-0 ino=13616 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file type=AVC msg=audit(1351263758.131:16): avc: denied { execute } for pid=1719 comm="PassengerHelper" name="prespawn" dev=dm-0 ino=13616 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file Expected results: There should no AVC denial is seen. Additional info:
I believe this has to be fixed in the selinux-policy package.
This bug has been fixed in the upstream selinux-policy package. It will ship with RHEL 6.4 (shortly after our 1.1 release). I'm going to ask for a new target milestone to be created that will sync up with our RHEL6.4 release. At that time this bug will be moved there.
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.
This bug was closed in error.