[katello-devel] help wanted with mod_passenger
Miroslav Suchý
msuchy at redhat.com
Mon Nov 12 12:36:48 UTC 2012
On 11/09/2012 03:14 PM, Jim Jagielski wrote:
> OpenShift uses SELinux extensively...
May I ask how you solved this on RHEL6?
type=AVC msg=audit(1352711492.217:511): avc: denied { execute_no_trans } for pid=10086 comm="httpd" path="/usr/lib64/gems/exts/passenger-3.0.17/agents/PassengerWatchdog" dev=dm-0 ino=1993512 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1352711492.436:512): avc: denied { execute_no_trans } for pid=10090 comm="httpd" path="/usr/lib64/gems/exts/passenger-3.0.17/agents/PassengerWatchdog" dev=dm-0 ino=1993512 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
I find that this is discussed in:
https://bugzilla.redhat.com/show_bug.cgi?id=848939
But there is no solution for RHEL6.
So I tried to add to katello.fc:
/usr/lib64/gems/exts/passenger-.*/agents/PassengerLoggingAgent          gen_context(system_u:object_r:passenger_exec_t,s0)
/usr/lib64/gems/exts/passenger-.*/agents/PassengerWatchdog              gen_context(system_u:object_r:passenger_exec_t,s0)
/usr/lib64/gems/exts/passenger-.*/agents/apache2/PassengerHelperAgent   gen_context(system_u:object_r:passenger_exec_t,s0)
but it then led to adding more rights to passenger_t like:
...
mount_exec(passenger_t)
mta_read_sendmail_bin(passenger_t)
netutils_exec_ping(passenger_t)
netutils_exec_traceroute(passenger_t)
plymouthd_exec_plymouth(passenger_t)
rpm_exec(passenger_t)
su_exec(passenger_t)
...
and end up with:
allow httpd_t passenger_tmp_t:dir { write add_name };
allow httpd_t passenger_tmp_t:file { write create open setattr };
allow httpd_t passenger_tmp_t:sock_file write;
Which is too much for me.
So how do you address mod_passenger with SELinux on RHEL6?
BTW I have selinux-policy-3.7.19-155.el6_3.6.noarch.
--
Miroslav Suchy
Red Hat Systems Management Engineering
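The two AVC records above are wrapped across several lines by the mail client, and the interesting question for a policy author is not "which allow rule silences this?" but "what type pair and permission is being denied, and is the target file labelled with a generic type such as lib_t?". The following is an added example, not code from the e-mail or from the Katello project: a small parser that rejoins wrapped audit records, extracts the AVC fields, groups denials by (source type, target type, class, permission), and applies one heuristic that points at a file-context fix when an execute permission is denied on a generically labelled file. The sample input is the e-mail's two records copied verbatim; the set of "generic" file types is an assumption chosen for illustration.

```python
import re
from collections import Counter

# Sample input: the two AVC records quoted in the e-mail, kept in the wrapped
# form the mail client produced (constructed test data for this example).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1352711492.217:511): avc: denied {
execute_no_trans } for pid=10086 comm="httpd"
path="/usr/lib64/gems/exts/passenger-3.0.17/agents/PassengerWatchdog"
dev=dm-0 ino=1993512 scontext=unconfined_u:system_r:httpd_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1352711492.436:512): avc: denied {
execute_no_trans } for pid=10090 comm="httpd"
path="/usr/lib64/gems/exts/passenger-3.0.17/agents/PassengerWatchdog"
dev=dm-0 ino=1993512 scontext=unconfined_u:system_r:httpd_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file
"""

# Header of an AVC record: timestamp, serial, result and the permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs after "for"; values may be quoted (comm, path) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed list of generic file types: an execute denial on one of these usually
# means the binary lacks its own exec/entrypoint type.
GENERIC_FILE_TYPES = {"lib_t", "usr_t", "bin_t", "etc_t", "var_t", "var_lib_t", "default_t"}


def rejoin_records(text):
    """Undo line wrapping: a line that does not start with 'type=' continues the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # Pull the type field (third component) out of user:role:type:level contexts.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) > 2 else rec[ctx]
    return rec


def parse_audit_log(text):
    """Rejoin wrapped lines and parse every AVC record found."""
    return [r for r in (parse_avc(l) for l in rejoin_records(text)) if r]


def summarize(records):
    """Count denials per (source type, target type, class, permission): the
    granularity at which an allow rule or a relabel decision is made."""
    counts = Counter()
    for r in records:
        if r["result"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(r["scontext_type"], r["tcontext_type"], r.get("tclass"), perm)] += 1
    return counts


def diagnose(rec):
    """Heuristic triage: execute denied on a generically labelled file points at a
    missing file context (give the binary an exec type), not at widening the domain."""
    if rec["result"] != "denied" or rec.get("tclass") != "file":
        return "not a file denial"
    if {"execute", "execute_no_trans"} & set(rec["perms"]) and rec["tcontext_type"] in GENERIC_FILE_TYPES:
        return ("relabel: %s is labelled %s; assign it an exec type via a file context "
                "instead of allowing %s to execute generic files"
                % (rec.get("path", "?"), rec["tcontext_type"], rec["scontext_type"]))
    return "review: %s -> %s:%s %s" % (rec["scontext_type"], rec["tcontext_type"],
                                        rec.get("tclass"), " ".join(rec["perms"]))


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT)
    for key, n in summarize(recs).items():
        print("%d x %s -> %s:%s %s" % ((n,) + key))
    for r in recs:
        print(diagnose(r))
```

Run against the e-mail's records this reports one group, `2 x httpd_t -> lib_t:file execute_no_trans`, and recommends relabelling PassengerWatchdog, which is the direction the katello.fc entries above take. Feeding it a larger `ausearch -m avc` dump shows at a glance how many distinct type pairs a policy module would have to cover, which is the quickest way to see when a permissive-domain or relabel fix is cheaper than a pile of allow rules.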