Bug #17093
closed
Passenger not transitioning to passenger_t with upstream packages
Description
After installing theforeman and foreman-selinux, using foreman-selinux-relabel and foreman-selinux-enable, foreman crashes upon accessing the interface. When looking at the logs, errors like these will pop up:
Message from application: Permission denied @ rb_sysopen - /usr/share/foreman/tmp/cache/websockets_ssl_key20161024-6460-1hg9wr (Errno::EACCES)
This indicates that the correct selinux permissions haven't been granted to the tmp directory for the httpd-context, despite using the tools provided. I also tried a complete relabel with $> touch /.autorelabel;reboot but without any success.
I modified the policy and will be adding a PR soon, because it seems to be working.
Updated by Dominic Cleal over 7 years ago
- Project changed from Foreman to SELinux
- Category changed from 56 to General Foreman
- Status changed from New to Need more information
> This indicates that the correct selinux permissions haven't been granted to the tmp directory for the httpd-context
The application should be running in the passenger_t context, not httpd_t. This indicates something in the Passenger configuration isn't right, and it's not transitioning to the right process context.
A full ls -laZ of all *passenger* packages may help, as would the exact Passenger package list (and OS). Please also include logs of AVCs when filing bugs against the SELinux policy.
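A triage check for the point made in this comment, as an added example that is not part of the original ticket: it parses AVC denial records and reports which process domain each came from, so denials raised by the application while it is still in httpd_t stand out. The log lines are constructed, `example_tmp_t` is a placeholder type, and the `ruby` process name is an assumption.

```python
import re
from collections import Counter

# Constructed sample records (not taken from the ticket's attachment).
# "example_tmp_t" is a placeholder target type, not a real policy type.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1477300000.101:901): avc:  denied  { open } for  pid=6460 comm="ruby" path="/usr/share/foreman/tmp/cache/example" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:example_tmp_t:s0 tclass=file
type=AVC msg=audit(1477300000.202:902): avc:  denied  { write } for  pid=6460 comm="ruby" name="cache" dev="dm-0" ino=1000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:example_tmp_t:s0 tclass=dir
type=AVC msg=audit(1477300001.303:903): avc:  denied  { read } for  pid=7001 comm="ruby" name="x" dev="dm-0" ino=1002 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:example_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1477300001.303:903): arch=c000003e syscall=2 success=no exit=-13 comm="ruby"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_denials(text):
    """Return one dict per AVC denial record; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if not m:
            continue
        # An SELinux context is user:role:type[:level]; the type is the domain.
        parts = m["scontext"].split(":")
        denials.append({
            "comm": m["comm"],
            "perms": m["perms"].split(),
            "domain": parts[2] if len(parts) > 2 else m["scontext"],
            "tcontext": m["tcontext"],
            "tclass": m["tclass"],
        })
    return denials

def by_domain(denials):
    """Count denials per (process name, source domain)."""
    return Counter((d["comm"], d["domain"]) for d in denials)

def not_transitioned(denials, comm="ruby", expected="passenger_t"):
    """Denials from the application process outside its expected domain."""
    return [d for d in denials if d["comm"] == comm and d["domain"] != expected]

if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    for (comm, domain), n in sorted(by_domain(found).items()):
        print(f"{n:3d} denial(s) from comm={comm} domain={domain}")
    print(f"{len(not_transitioned(found))} denial(s) outside passenger_t")
```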
Updated by Thomas Büter over 7 years ago
- File foreman_audit.log foreman_audit.log added
Updated by Thomas Büter over 7 years ago
Operating system:
Red Hat Enterprise Linux - 7.2 (Maipo)
Passenger installed packages:
mod_passenger.x86_64 5.0.30-8.el7 @passenger
passenger.x86_64 5.0.30-8.el7 @passenger
passenger-devel.x86_64 5.0.30-8.el7 @passenger
Where would I find the passenger-packages though? I'm not super familiar with it, to be honest. I know where the gem is located, but I'm unsure what you mean with passenger packages.
Updated by Dominic Cleal over 7 years ago
- Subject changed from Foreman Interface crashing with selinux enabled to Passenger not transitioning to passenger_t with upstream packages
- Status changed from Need more information to New
> mod_passenger.x86_64 5.0.30-8.el7 @passenger
These packages haven't been tested with Foreman; it's likely they're missing some labelling to correctly transition from httpd_t into passenger_t. The only ones we've tested with are EPEL7 and our own packages. I'd suggest downgrading to those if you can. I'll leave the ticket open to add support for those.
Updated by Thomas Büter over 7 years ago
I can confirm that downgrading to the packages from epel to 4.0.53-4.el7 worked. Thanks for your help!
Updated by Dominic Cleal over 7 years ago
- Status changed from Resolved to New
It's worth leaving this open to fix support for these packages; the issue in the title is still valid.
Updated by Lukas Zapletal almost 4 years ago
- Status changed from New to Rejected
I am doing a cleanup of old SELinux bug reports. We are removing the puppetmaster policy based on passenger_t; most of these bugs were related to that.