Bug 870392 - Some AVC denial about PassengerHelper's prespawn is seen in audit.log on broker
Status: CLOSED NEXTRELEASE
Product: OpenShift Container Platform
Classification: Red Hat
Component: Pod
1.1.0
Unspecified Unspecified
urgent Severity high
Assigned To: Brenton Leanhardt
libra bugs
: Triaged
Depends On: 886619
Reported: 2012-10-26 07:11 EDT by Johnny Liu
Modified: 2017-03-08 12 EST
Doc Type: Bug Fix
Last Closed: 2012-12-20 09:26:21 EST
Type: Bug
Description Johnny Liu 2012-10-26 07:11:01 EDT
Description of problem:
The following error message is seen in broker http log file:
Cannot execute '/usr/share/rubygems/gems/passenger-3.0.17/helper-scripts/prespawn http://127.0.0.1:8080/': Permission denied (13)

Though this error occurs, it does not seem to affect app creation. Apps can be created successfully, but this error should be fixed.

Version-Release number of selected component (if applicable):
2012-10-25.1 puddle
selinux-policy-targeted-3.7.19-174.el6.noarch
selinux-policy-3.7.19-174.el6.noarch
mod_passenger-3.0.17-2.el6op.1.x86_64
rubygem-passenger-3.0.17-2.el6op.1.x86_64
rubygem-passenger-native-3.0.17-2.el6op.1.x86_64
rubygem-passenger-native-libs-3.0.17-2.el6op.1.x86_64
# semodule -l|grep passen
passenger	1.0.0	



How reproducible:
Always

Steps to Reproduce:
1. Setup broker node.
2. tail -f /var/www/openshift/broker/httpd/logs/*
3. service openshift-broker restart
  
Actual results:
The output of step 2:
<--snip-->
[Fri Oct 26 07:06:11 2012] [notice] caught SIGTERM, shutting down
[Fri Oct 26 07:06:12 2012] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Fri Oct 26 07:06:12 2012] [notice] Apache/2.2.15 (Unix) Phusion_Passenger/3.0.17 configured -- resuming normal operations
Cannot execute '/usr/share/rubygems/gems/passenger-3.0.17/helper-scripts/prespawn http://127.0.0.1:8080/': Permission denied (13)
Cannot execute '/usr/share/rubygems/gems/passenger-3.0.17/helper-scripts/prespawn http://127.0.0.1:8080/': Permission denied (13)

Checking /var/log/audit/audit.log, I found the following AVC denials:
<--snip-->
type=AVC msg=audit(1351263758.126:15): avc:  denied  { execute } for  pid=1718 comm="PassengerHelper" name="prespawn" dev=dm-0 ino=13616 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1351263758.131:16): avc:  denied  { execute } for  pid=1719 comm="PassengerHelper" name="prespawn" dev=dm-0 ino=13616 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file


Expected results:
No AVC denial should be seen.

Additional info:
Comment 2 Brenton Leanhardt 2012-12-12 12:03:12 EST
I believe this has to be fixed in the selinux-policy package.
Comment 3 Brenton Leanhardt 2012-12-20 08:51:06 EST
This bug has been fixed in the upstream selinux-policy package.  It will ship with RHEL 6.4 (shortly after our 1.1 release).

I'm going to ask for a new target milestone to be created that will sync up with our RHEL6.4 release.  At that time this bug will be moved there.
Comment 4 RHEL Product and Program Management 2012-12-20 09:26:21 EST
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.
Comment 5 Brenton Leanhardt 2013-02-06 15:54:56 EST
This bug was closed in error.
