[CentOS] apache, passenger, and selinux

Thu Nov 29 17:47:48 UTC 2012
Daniel J Walsh <dwalsh at redhat.com>

On 11/28/2012 04:22 PM, m.roth at 5-cent.us wrote:
> Daniel J Walsh wrote:
>> On 11/28/2012 03:18 PM, m.roth at 5-cent.us wrote:
>>> I seem to have quieted some, but I'm still getting noise from selinux. 
>>> Here's one that really puzzles me: my users have a ruby app with 
>>> passenger running. However, one of the sealerts gives me: sealert -l 
>>> 5a02b0a1-8512-4f71-b1c8-70a40b090a9d SELinux is preventing /bin/chmod 
>>> from using the fowner capability.
>>> 
>>> *****  Plugin catchall_boolean (89.3 confidence) suggests 
>>> *******************
>>> 
>>> If you want to allow Apache to run in stickshift mode, not transition
>>> to passenger Then you must tell SELinux about this by enabling the 
>>> 'httpd_run_stickshift' boolean.You can read 'httpd_selinux' man page
>>> for more details. Do setsebool -P httpd_run_stickshift 1 <...>
>>> 
>>> Is there a boolean I'm missing, or are they doing something wrong?
>>> Clues for the poor appreciated.
>>> 
>> Have you turned on this boolean?  And did it quiet the AVCs?
> 
> I have not. The reason I'm asking is that I was thinking that it *did* want
> to transition to passenger, and was hoping for a clue as to why it was
> doing this, rather than make the transition. I've asked the lead developer,
> who had no clue.
> 
> The original lead developer left early this year, IIRC.
> 
> mark
> 
I am not sure.  Of course, are the passenger programs properly labeled as
passenger_exec_t?