Bug 870392 - Some AVC denial about PassengerHelper's prespawn is seen in audit.log on broker
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 1.1.0
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: ---
Assignee: Brenton Leanhardt
QA Contact: libra bugs
URL:
Whiteboard:
Depends On: 886619
Blocks:
Reported: 2012-10-26 11:11 UTC by Johnny Liu
Modified: 2017-03-08 17:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-20 14:26:21 UTC
Target Upstream Version:
Embargoed:



Description Johnny Liu 2012-10-26 11:11:01 UTC
Description of problem:
The following error message is seen in the broker http log file:
Cannot execute '/usr/share/rubygems/gems/passenger-3.0.17/helper-scripts/prespawn http://127.0.0.1:8080/': Permission denied (13)

Though these errors exist, they do not seem to affect app creation. An app can be created successfully, but these errors should be fixed.

Version-Release number of selected component (if applicable):
2012-10-25.1 puddle
selinux-policy-targeted-3.7.19-174.el6.noarch
selinux-policy-3.7.19-174.el6.noarch
mod_passenger-3.0.17-2.el6op.1.x86_64
rubygem-passenger-3.0.17-2.el6op.1.x86_64
rubygem-passenger-native-3.0.17-2.el6op.1.x86_64
rubygem-passenger-native-libs-3.0.17-2.el6op.1.x86_64
# semodule -l|grep passen
passenger	1.0.0	



How reproducible:
Always

Steps to Reproduce:
1. Setup broker node.
2. tail -f /var/www/openshift/broker/httpd/logs/*
3. service openshift-broker restart
  
Actual results:
The output of step 2:
<--snip-->
[Fri Oct 26 07:06:11 2012] [notice] caught SIGTERM, shutting down
[Fri Oct 26 07:06:12 2012] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Fri Oct 26 07:06:12 2012] [notice] Apache/2.2.15 (Unix) Phusion_Passenger/3.0.17 configured -- resuming normal operations
Cannot execute '/usr/share/rubygems/gems/passenger-3.0.17/helper-scripts/prespawn http://127.0.0.1:8080/': Permission denied (13)
Cannot execute '/usr/share/rubygems/gems/passenger-3.0.17/helper-scripts/prespawn http://127.0.0.1:8080/': Permission denied (13)

Checking /var/log/audit/audit.log, I found the following AVC denials:
<--snip-->
type=AVC msg=audit(1351263758.126:15): avc:  denied  { execute } for  pid=1718 comm="PassengerHelper" name="prespawn" dev=dm-0 ino=13616 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1351263758.131:16): avc:  denied  { execute } for  pid=1719 comm="PassengerHelper" name="prespawn" dev=dm-0 ino=13616 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file


Expected results:
No AVC denial should be seen.

Additional info:

Comment 2 Brenton Leanhardt 2012-12-12 17:03:12 UTC
I believe this has to be fixed in the selinux-policy package.

Comment 3 Brenton Leanhardt 2012-12-20 13:51:06 UTC
This bug has been fixed in the upstream selinux-policy package.  It will ship with RHEL 6.4 (shortly after our 1.1 release).

I'm going to ask for a new target milestone to be created that will sync up with our RHEL6.4 release.  At that time this bug will be moved there.

Comment 4 RHEL Program Management 2012-12-20 14:26:21 UTC
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.

Comment 5 Brenton Leanhardt 2013-02-06 20:54:56 UTC
This bug was closed in error.
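
A triage parser for the AVC records quoted in the description, added here as an example; it is not part of the original report or of any Red Hat tooling. The function names `parse_avc` and `summarize` are hypothetical, and the sample input is the two audit.log lines from the report. It groups denials by source type, target type, object class and permission, which shows at a glance that `httpd_t` is being refused `execute` on a file labeled with the generic `usr_t` type.

```python
import re
from collections import Counter

# The two AVC records quoted in the bug description, embedded so this runs offline.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1351263758.126:15): avc:  denied  { execute } for  pid=1718 comm="PassengerHelper" name="prespawn" dev=dm-0 ino=13616 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1351263758.131:16): avc:  denied  { execute } for  pid=1719 comm="PassengerHelper" name="prespawn" dev=dm-0 ino=13616 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit.log line; return a dict, or None if it is not an AVC denial."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {key: value.strip('"') for key, value in KV_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated or malformed record
    rec["perms"] = m.group("perms").split()
    rec["timestamp"] = float(m.group("ts"))
    rec["serial"] = int(m.group("serial"))
    # A context is user:role:type:level. The level can contain colons
    # (MLS ranges such as s0:c1,c2), so split at most three times.
    for key in ("scontext", "tcontext"):
        parts = rec[key].split(":", 3)
        if len(parts) < 3:
            return None
        rec[key + "_type"] = parts[2]
    return rec


def summarize(log_text):
    """Count denials per (source type, target type, class, permission, comm, name)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["scontext_type"], rec["tcontext_type"], rec["tclass"],
                    perm, rec.get("comm"), rec.get("name"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT_LOG).items():
        print(n, key)
```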

