Bug #17093
closed
Passenger not transitioning to passenger_t with upstream packages
Added by Thomas Büter over 7 years ago.
Updated about 4 years ago.
Description
After installing theforeman and foreman-selinux, using foreman-selinux-relabel and foreman-selinux-enable, foreman crashes upon accessing the interface. When looking at the logs, errors like these will pop up:
Message from application: Permission denied @ rb_sysopen - /usr/share/foreman/tmp/cache/websockets_ssl_key20161024-6460-1hg9wr (Errno::EACCES)
This indicates that the correct selinux permissions haven't been granted to the tmp directory for the httpd-context, despite using the tools provided. I also tried a complete relabel with
$> touch /.autorelabel;reboot
but without any success.
I modified the policy and will be adding a PR soon, because it seems to be working.
- Project changed from Foreman to SELinux
- Category changed from 56 to General Foreman
- Status changed from New to Need more information
This indicates that the correct selinux permissions haven't been granted to the tmp directory for the httpd-context
The application should be running in the passenger_t context, not httpd_t. This indicates something in the Passenger configuration isn't right, and it's not transitioning to the right process context.
A full ls -laZ of all *passenger* packages may help, as would the exact Passenger package list (and OS). Please also include logs of AVCs when filing bugs against the SELinux policy.
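The following added example (not part of the ticket or of the foreman-selinux tooling) shows one way to check which SELinux domain Passenger processes run in and to condense AVC denials for a bug report. The function names and the sample `ps` and audit lines are constructed for illustration; on a real host the input would come from `ps -eo label,pid,args` and the audit log.

```shell
#!/usr/bin/env bash
# Added example; sample data below is constructed, not taken from the ticket.
# SAMPLE_PS mimics `ps -eo label,pid,args`; SAMPLE_AVC mimics audit.log records.
SAMPLE_PS='system_u:system_r:httpd_t:s0 6401 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 6455 Passenger core
system_u:system_r:httpd_t:s0 6460 Passenger RubyApp: /usr/share/foreman
system_u:system_r:sshd_t:s0-s0:c0.c1023 1023 /usr/sbin/sshd -D'
SAMPLE_AVC='type=AVC msg=audit(1477300000.101:510): avc:  denied  { write } for  pid=6460 comm="ruby" name="cache" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1477300000.102:511): avc:  denied  { write } for  pid=6460 comm="ruby" name="cache" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=SYSCALL msg=audit(1477300000.102:511): arch=c000003e syscall=2 success=no'

# Print "PID DOMAIN COMMAND" for each Passenger process not in passenger_t.
# Returns 1 if any such process is found, 0 otherwise.
check_passenger_domains() {
  awk '
    {
      split($1, ctx, ":")                 # user:role:type:level
      cmd = $0
      sub(/^[^ ]+ +[^ ]+ +/, "", cmd)     # drop the label and PID columns
      if (cmd ~ /[Pp]assenger/ && ctx[3] != "passenger_t") {
        print $2, ctx[3], cmd
        bad = 1
      }
    }
    END { exit bad + 0 }'
}

# Collapse AVC denials into "COUNT SOURCE_DOMAIN -> TARGET_TYPE CLASS { PERMS }".
summarize_avcs() {
  awk '
    /avc: +denied/ {
      perms = $0
      sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
        if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      seen[src " -> " tgt " " cls " { " perms " }"]++
    }
    END { for (k in seen) print seen[k], k }' | sort
}

printf '%s\n' "$SAMPLE_PS" | check_passenger_domains ||
  echo "Passenger processes are still in the web server domain"
printf '%s\n' "$SAMPLE_AVC" | summarize_avcs
```

A source domain of httpd_t in the summary, as in the constructed sample, points at a missing domain transition rather than a missing file label.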
Operating system:
Red Hat Enterprise Linux - 7.2 (Maipo)
Passenger installed packages:
mod_passenger.x86_64 5.0.30-8.el7 @passenger
passenger.x86_64 5.0.30-8.el7 @passenger
passenger-devel.x86_64 5.0.30-8.el7 @passenger
Where would I find the passenger-packages though? I'm not super familiar with it, to be honest. I know where the gem is located, but I'm unsure what you mean by passenger packages.
- Subject changed from Foreman Interface crashing with selinux enabled to Passenger not transitioning to passenger_t with upstream packages
- Status changed from Need more information to New
mod_passenger.x86_64 5.0.30-8.el7 @passenger
These packages haven't been tested with Foreman; it's likely they're missing some labelling to correctly transition from httpd_t into passenger_t. The only ones we've tested with are EPEL7 and our own packages. I'd suggest downgrading to those if you can. I'll leave the ticket open to add support for those.
I can confirm that downgrading to the packages from epel to 4.0.53-4.el7 worked. Thanks for your help!
- Status changed from New to Resolved
- Status changed from Resolved to New
It's worth leaving this open to fix support for these packages; the issue in the title is still valid.
- Status changed from New to Rejected
I am doing a cleanup of old SELinux bug reports. We are removing puppetmaster policy based on passenger_t; most of these bugs were related to that.