[CentOS] apache, passenger, and selinux

Thu Nov 29 21:11:25 UTC 2012
m.roth at 5-cent.us <m.roth at 5-cent.us>

Miroslav Grepl wrote:
> On 11/29/2012 08:00 PM, m.roth at 5-cent.us wrote:
>> Daniel J Walsh wrote:
>>> On 11/28/2012 04:22 PM, m.roth at 5-cent.us wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 11/28/2012 03:18 PM, m.roth at 5-cent.us wrote:
>>>>>> I seem to have quieted some, but I'm still getting noise from
>>>>>> selinux. Here's one that really puzzles me: my users have a ruby
app with
>>>>>> passenger running. However, one of the sealerts gives me: sealert -l
>>>>>> 5a02b0a1-8512-4f71-b1c8-70a40b090a9d SELinux is preventing
>>>>>> /bin/chmod from using the fowner capability.
>>>>>>
>>>>>> *****  Plugin catchall_boolean (89.3 confidence) suggests
>>>>>> *******************
>>>>>>
>>>>>> If you want to allow Apache to run in stickshift mode, not
>>>>>> transition
>>>>>> to passenger Then you must tell SELinux about this by enabling the
>>>>>> 'httpd_run_stickshift' boolean.You can read 'httpd_selinux' man page
>>>>>> for more details. Do setsebool -P httpd_run_stickshift 1 <...>
>>>>>>
>>>>>> Is there a boolean I'm missing, or are they doing something wrong?
>>>>>> Clues for the poor appreciated.
>>>>>>
>>>>> Have you turned on this boolean?  And did it quiet the AVC's.
>>>> I have not. The reason I'm asking is that I was thinking that it *did*
>>>> want to transition to passenger, and was hoping for a clue as to why
>>>> it was doing this, rather than make the transition. I've asked the lead
>>>> developer, who had no clue.
>>>>
>>>> The original lead developer left early this year, IIRC.
>>>>
>>> I am not sure.  Of course are the passenger programs properly labeled
>>> as
>>> passenger_exec_t?
>> I just tried. I'm on CentOS 6.3, and get
>> semanage fcontext -a -t passenger_exec_t
>> "/opt/ruby/lib/ruby/gems/1.8/gems/passenger-3.0.15/bin/*"
>> libsepol.context_from_record: type passenger_exec_t is not defined (No
>> such file or directory).
>> libsepol.context_from_record: could not create context structure
>> (Invalid
>> argument).
>> libsemanage.validate_handler: invalid context
>> system_u:object_r:passenger_exec_t:s0 specified for
>> /opt/ruby/lib/ruby/gems/1.8/gems/passenger-3.0.15/bin/* [all files]
>> (Invalid argument).
>> libsemanage.dbase_llist_iterate: could not iterate over records (Invalid
>> argument).
>> /usr/sbin/semanage: Could not commit semanage transaction
>>
> What does
>
> # rpm -q selinux-policy

selinux-policy-3.7.19-155.el6_3.8.noarch
>
> # seinfo -t |grep passenger
>
Nothing.

      mark