Daniel J Walsh wrote:
> On 11/28/2012 04:22 PM, m.roth at 5-cent.us wrote:
>> Daniel J Walsh wrote:
>>> On 11/28/2012 03:18 PM, m.roth at 5-cent.us wrote:
>>>> I seem to have quieted some, but I'm still getting noise from selinux.
>>>> Here's one that really puzzles me: my users have a ruby app with
>>>> passenger running. However, one of the sealerts gives me:
>>>>
>>>>   sealert -l 5a02b0a1-8512-4f71-b1c8-70a40b090a9d
>>>>   SELinux is preventing /bin/chmod from using the fowner capability.
>>>>
>>>>   ***** Plugin catchall_boolean (89.3 confidence) suggests *******************
>>>>
>>>>   If you want to allow Apache to run in stickshift mode, not transition
>>>>   to passenger Then you must tell SELinux about this by enabling the
>>>>   'httpd_run_stickshift' boolean. You can read 'httpd_selinux' man page
>>>>   for more details.
>>>>   Do
>>>>   setsebool -P httpd_run_stickshift 1
>>>>   <...>
>>>>
>>>> Is there a boolean I'm missing, or are they doing something wrong?
>>>> Clues for the poor appreciated.
>>>>
>>> Have you turned on this boolean? And did it quiet the AVCs?
>>
>> I have not. The reason I'm asking is that I was thinking that it *did*
>> want to transition to passenger, and was hoping for a clue as to why it was
>> doing this, rather than make the transition. I've asked the lead
>> developer, who had no clue.
>>
>> The original lead developer left early this year, IIRC.
>>
> I am not sure. Of course, are the passenger programs properly labeled as
> passenger_exec_t?

I just tried. I'm on CentOS 6.3, and get

  semanage fcontext -a -t passenger_exec_t "/opt/ruby/lib/ruby/gems/1.8/gems/passenger-3.0.15/bin/*"
  libsepol.context_from_record: type passenger_exec_t is not defined (No such file or directory).
  libsepol.context_from_record: could not create context structure (Invalid argument).
  libsemanage.validate_handler: invalid context system_u:object_r:passenger_exec_t:s0 specified for /opt/ruby/lib/ruby/gems/1.8/gems/passenger-3.0.15/bin/* [all files] (Invalid argument).
  libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
  /usr/sbin/semanage: Could not commit semanage transaction

     mark
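The semanage failure above is the loaded policy telling you that passenger_exec_t does not exist on this box, so labeling files with it can never work. The script below is an added example, not something posted in the thread: it checks whether the policy defines the type (and whether a passenger module is loaded at all) before calling semanage, then relabels and shows the resulting contexts. It assumes setools (seinfo) and policycoreutils (semanage, restorecon, getsebool, semodule) are installed, uses the Passenger bin directory from the thread, and uses the usual "(/.*)?" regex form for the file-context pattern; whether a given selinux-policy build ships a passenger module is not stated in the thread and is left for the check to answer.

```shell
#!/bin/bash
# Added example, not from the mailing-list thread.
# Label Passenger's binaries passenger_exec_t, but only after confirming the
# loaded policy actually defines that type. Otherwise semanage fails the way
# the thread shows ("type passenger_exec_t is not defined").

# Assumption: directory taken from the thread; adjust for your Passenger gem.
PASSENGER_BIN="/opt/ruby/lib/ruby/gems/1.8/gems/passenger-3.0.15/bin"
TYPE="passenger_exec_t"

# Pure helper: succeed if the exact name "$1" appears, one per line, on stdin.
# Kept free of SELinux calls so it can be exercised on any machine.
type_in_list() {
    grep -qx -- "$1"
}

# Does the loaded policy define type "$1"? seinfo prints matching type names
# indented (setools 3 and 4 differ only in a header line), so trim and match.
type_defined() {
    seinfo -t "$1" 2>/dev/null | sed 's/^[[:space:]]*//' | type_in_list "$1"
}

# Is a policy module named "$1" loaded? semodule -l prints "name version".
module_loaded() {
    semodule -l 2>/dev/null | awk '{print $1}' | type_in_list "$1"
}

# Add the file context and apply it. Refuses to proceed when the type is
# missing, instead of leaving a half-committed semanage transaction.
label_passenger() {
    if ! type_defined "$TYPE"; then
        echo "policy does not define $TYPE on this host" >&2
        if module_loaded passenger; then
            echo "a 'passenger' module is loaded but lacks $TYPE; check its version" >&2
        else
            echo "no 'passenger' module loaded; update selinux-policy-targeted or build one" >&2
        fi
        return 1
    fi
    semanage fcontext -a -t "$TYPE" "${PASSENGER_BIN}(/.*)?" || return 1
    restorecon -Rv "$PASSENGER_BIN"
    ls -Z "$PASSENGER_BIN"
}

# Show the boolean sealert proposed, so the decision to flip it is deliberate.
show_stickshift() {
    getsebool httpd_run_stickshift
}

# Live steps run only when invoked as "./script run", so the helpers can be
# sourced and tested without touching the policy store.
if [ "${1:-}" = "run" ]; then
    label_passenger && show_stickshift
fi
```

Run it as root with the argument "run". If it reports that the type is undefined, no amount of semanage will help; the fix is a policy that defines passenger_exec_t, not a boolean.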