[CentOS] Puppet + Passenger SELinux issues

15 Jun 2012


      I recently setup my Puppetmaster server to run through Passenger via Apache
instead of on the default webrick web server.  SELinux made that not work
and I've found some documentation on making rules to allow it however mine
won't load.  This is the policy I found via this website,
http://sandcat.nl/~stijn/2012/01/20/selinux-passenger-and-puppet-oh-my/comme...
.
module puppet_passenger 1.7;
require {
    type bin_t;
    type devpts_t;
    type httpd_t;
    type passenger_t;
    type port_t;
    type proc_net_t;
class process { getattr siginh setexec sigchld noatsecure transition
rlimitinh };
    class unix_stream_socket { getattr accept read write };
    class capability { sys_resource sys_ptrace };
    class file { entrypoint open create relabelfrom relabelto getattr
setattr read write append ioctl lock rename link unlink };
    class lnk_file { getattr read };
    class udp_socket name_bind;
    class dir { getattr setattr add_name remove_name search open read write
ioctl lock };
}
#============= httpd_t ==============
allow httpd_t port_t:udp_socket name_bind;
allow httpd_t proc_net_t:file { read getattr open };
allow httpd_t bin_t:file entrypoint;
allow httpd_t passenger_t:process sigchld;
allow httpd_t passenger_t:unix_stream_socket { getattr accept read write };
optional_policy(`
        puppet_manage_lib(httpd_t)
        puppet_search_log(httpd_t)
        puppet_search_pid(httpd_t)
        allow httpd_t puppet_var_lib_t:file { relabelfrom relabelto };
')
#============= passenger_t ==============
allow passenger_t devpts_t:dir search;
allow passenger_t httpd_t:process { siginh rlimitinh transition noatsecure
};
allow passenger_t self:capability { sys_resource sys_ptrace };
allow passenger_t self:process setexec;
ps_process_pattern(passenger_t, httpd_t)
domain_read_all_domains_state(passenger_t)
Using the SELinux Make file works but when I try to add the new policy via
"semodule -i puppet_passenger.pp" I get the following
# semodule -i puppet_passenger.pp
libsepol.print_missing_requirements: puppet_passenger's global requirements
were not met: type/attribute passenger_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
semodule:  Failed!
The blog I got the policy from mentioned disabling the rubygem_passenger
policy, is that where passenger_t is defined?  I've looked at the source of
selinux-policy and see the required type of passenger_t is working so
unsure why it doesn't work in my policy.
The policy from audit2allow generates this when using "grep -e
'httpd|passenger'" but it seems like too much allowance
module passenger 1.0;
require {
        type unconfined_t;
        type semanage_t;
        type init_t;
        type system_cronjob_t;
        type mysqld_t;
        type syslogd_t;
        type apmd_t;
        type initrc_t;
        type postfix_local_t;
        type puppet_etc_t;
        type setfiles_t;
        type rpm_t;
        type unlabeled_t;
        type var_run_t;
        type kernel_t;
        type puppet_var_run_t;
        type puppet_var_lib_t;
        type auditd_t;
        type httpd_t;
        type rpm_var_lib_t;
        type postfix_cleanup_t;
        type postfix_master_t;
        type inetd_t;
        type udev_t;
        type mysqld_safe_t;
        type postfix_pickup_t;
        type sshd_t;
        type crond_t;
        type getty_t;
        type postfix_qmgr_t;
        type ntpd_t;
        class sock_file { write unlink open };
        class capability { sys_resource sys_ptrace };
        class process setexec;
        class dir { write getattr read create search add_name };
        class file { execute read create execute_no_trans write open append
};
}
#============= httpd_t ==============
allow httpd_t apmd_t:dir { getattr search };
allow httpd_t apmd_t:file { read open };
allow httpd_t auditd_t:dir { getattr search };
allow httpd_t auditd_t:file { read open };
allow httpd_t crond_t:dir { getattr search };
allow httpd_t crond_t:file { read open };
allow httpd_t getty_t:dir { getattr search };
allow httpd_t getty_t:file { read open };
allow httpd_t inetd_t:dir { getattr search };
allow httpd_t inetd_t:file { read open };
allow httpd_t init_t:dir { getattr search };
allow httpd_t init_t:file { read open };
allow httpd_t initrc_t:dir { getattr search };
allow httpd_t initrc_t:file { read open };
allow httpd_t kernel_t:dir { getattr search };
allow httpd_t kernel_t:file { read open };
allow httpd_t mysqld_safe_t:dir { getattr search };
allow httpd_t mysqld_safe_t:file { read open };
allow httpd_t mysqld_t:dir { getattr search };
allow httpd_t mysqld_t:file { read open };
allow httpd_t ntpd_t:dir { getattr search };
allow httpd_t ntpd_t:file { read open };
allow httpd_t postfix_cleanup_t:dir { getattr search };
allow httpd_t postfix_cleanup_t:file { read open };
allow httpd_t postfix_local_t:dir { getattr search };
allow httpd_t postfix_local_t:file { read open };
allow httpd_t postfix_master_t:dir { getattr search };
allow httpd_t postfix_master_t:file { read open };
allow httpd_t postfix_pickup_t:dir { getattr search };
allow httpd_t postfix_pickup_t:file { read open };
allow httpd_t postfix_qmgr_t:dir { getattr search };
allow httpd_t postfix_qmgr_t:file { read open };
allow httpd_t puppet_etc_t:file { execute execute_no_trans };
#!!!! The source type 'httpd_t' can write to a 'dir' of the following types:
# squirrelmail_spool_t, dirsrv_config_t, httpd_tmp_t, httpd_cache_t,
httpd_tmpfs_t, dirsrvadmin_tmp_t, httpd_squirrelmail_t, dirsrv_var_log_t,
zarafa_var_lib_t, dirsrv_var_run_t, httpd_var_run_t, dirsrvadmin_config_t,
httpd_dirsrvadmin_rw_content_t, httpd_prewikka_rw_content_t,
httpd_w3c_validator_rw_content_t, httpd_awstats_rw_content_t,
httpd_user_rw_content_t, httpdcontent, httpd_cobbler_rw_content_t,
httpd_munin_rw_content_t, httpd_bugzilla_rw_content_t,
httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_sys_rw_content_t,
httpd_sys_rw_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_rw_content_t, httpd_mediawiki_rw_content_t,
httpd_apcupsd_cgi_rw_content_t, httpd_squid_rw_content_t,
httpd_smokeping_cgi_rw_content_t
allow httpd_t puppet_var_lib_t:dir { read write create add_name };
allow httpd_t puppet_var_lib_t:file { write create append };
allow httpd_t puppet_var_run_t:dir { search getattr };
allow httpd_t rpm_t:dir { getattr search };
allow httpd_t rpm_t:file { read open };
allow httpd_t rpm_var_lib_t:dir { search getattr };
allow httpd_t rpm_var_lib_t:file open;
#!!!! This avc can be allowed using the boolean 'httpd_setrlimit'
allow httpd_t self:capability sys_resource;
allow httpd_t self:capability sys_ptrace;
allow httpd_t self:process setexec;
allow httpd_t semanage_t:dir { getattr search };
allow httpd_t semanage_t:file { read open };
allow httpd_t setfiles_t:dir { getattr search };
allow httpd_t setfiles_t:file { read open };
allow httpd_t sshd_t:dir { getattr search };
allow httpd_t sshd_t:file { read open };
allow httpd_t syslogd_t:dir { getattr search };
allow httpd_t syslogd_t:file { read open };
allow httpd_t system_cronjob_t:dir { getattr search };
allow httpd_t system_cronjob_t:file { read open };
allow httpd_t udev_t:dir { getattr search };
allow httpd_t udev_t:file { read open };
allow httpd_t unconfined_t:dir { getattr search };
allow httpd_t unconfined_t:file { read open };
allow httpd_t unlabeled_t:file { read execute open execute_no_trans };
#!!!! The source type 'httpd_t' can write to a 'file' of the following
types:
# squirrelmail_spool_t, httpd_lock_t, dirsrv_config_t, httpd_tmp_t,
httpd_cache_t, httpd_tmpfs_t, dirsrvadmin_tmp_t, httpd_squirrelmail_t,
dirsrv_var_log_t, zarafa_var_lib_t, dirsrv_var_run_t, httpd_var_lib_t,
httpd_var_run_t, dirsrvadmin_config_t, httpd_dirsrvadmin_rw_content_t,
httpd_prewikka_rw_content_t, root_t, httpd_w3c_validator_rw_content_t,
httpd_awstats_rw_content_t, httpd_user_rw_content_t, httpdcontent,
httpd_cobbler_rw_content_t, httpd_munin_rw_content_t,
httpd_bugzilla_rw_content_t, httpd_cvs_rw_content_t,
httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_sys_rw_content_t,
httpd_nagios_rw_content_t, httpd_nutups_cgi_rw_content_t,
httpd_mediawiki_rw_content_t, httpd_apcupsd_cgi_rw_content_t,
httpd_squid_rw_content_t, httpd_smokeping_cgi_rw_content_t
allow httpd_t var_run_t:file { write open };
#!!!! The source type 'httpd_t' can write to a 'sock_file' of the following
types:
# httpd_tmp_t, httpd_tmpfs_t, dirsrv_var_run_t, httpd_var_run_t
allow httpd_t var_run_t:sock_file { write unlink open };
Here's my version of selinux-policy
selinux-policy.noarch
                 3.7.19-126.el6_2.10
selinux-policy-targeted.noarch
              3.7.19-126.el6_2.10
Any advice or pointers of how to get puppetmasterd to run through passenger
WITH SELinux would be great.
Thanks
- Trey

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

[CentOS] Puppet + Passenger SELinux issues