I just realised that the server is using a Ruby Enterprise Edition installation, which means that the Ruby installation was downloaded as a .tar file and installed using an install script to the path /opt/ruby-enterprise-1.8.7-2010.02/
Thus everything in my $RUBY_HOME/bin is labelled system_u:object_r:bin_t:s0
This includes $RUBY_HOME/bin/passenger. That explains why httpd is not running in the passenger domain.
Should I attempt to relabel these files myself?
This still doesn't explain the /proc access.
I've attempted to look up the name of the process ID in the AVC denial messages, but that process doesn't seem to show up using `ps -ef` or when looking for it in htop. It must be exiting quickly.
On Tue, Dec 28, 2010 at 12:45 PM, Dominick Grift domg472@gmail.com wrote:
On 12/28/2010 08:34 PM, Frank Licea wrote:
Daniel:
I'm using Fedora 14.
To answer Dominik's questions:
- Why is passenger running in the httpd domain? I don't know. I've only followed the passenger installation instructions at http://mifo.sk/posts/passenger-selinux-for-fedora/ minus step 5 since Fedora 14 is supposed to have passenger policies installed? Should httpd be in a special passenger domain?
I think Fedora 14 has a special passenger policy installed, but it looks like it's not working on your system (note looks) since it seems to still run in the httpd_t domain.
- is passenger running some webapp that for some reason needs to read the state file in /proc of some process that runs in the unconfined_t domain?
No I don't think so. At least I haven't written any code where I use anything in /proc. I suppose it is possible that a GEM library may be trying to.
Why would it? Can you reproduce this issue? Does it only happen if you restart httpd manually? I guess it does..
- does this issue cause any loss of functionality in enforcing mode? I haven't checked yet. I will let you know soon.
See if it works when ignoring this.
- are you sure passenger and/or the passenger webapp is configured correctly? I have as far as following the instructions in the blog post above. I wonder if there is any relabelling I have to do?
I think this issue happens when the httpd server gets restarted manually (service httpd restart/stop/start etc) not sure though.
can you ls -alZ /path/to/passenger executable file?
It should be labelled type: passenger_exec_t
httpd should domain transition to the passenger_t domain when it runs the passenger executable file (files with type passenger_exec_t)
Seems that doesn't happen, but even if it did, passenger still wouldn't be able to read unconfined_t state files in /proc (not sure why it would need to either).
2010/12/28 Daniel J Walsh dwalsh@redhat.com
On 12/26/2010 05:25 PM, Jorge Fábregas wrote:
On Sunday, December 26, 2010 05:25:22 pm Dominick Grift wrote:
is trying to read the state files in /proc for some unconfined_t process
Never thought of /proc. That explains why I found it weird to see a file labeled as unconfined_t.
Frank: disregard my previous suggestion >:)
-- Jorge -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
What OS/Version are you seeing this in?
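Added example, not from anyone on this thread: a small POSIX sh helper for the check Dominick asks for (`ls -alZ` on the passenger executable, expecting type passenger_exec_t) and for Frank's question of whether to relabel. It parses the security context out of an `ls -Z` line, compares the type field, and on a mismatch prints the persistent fix (a `semanage fcontext` rule plus `restorecon`) instead of a one-off `chcon`, so the label survives a future relabel. The sample lines are constructed; the /opt path is the one from the thread, the /usr/bin path is an assumed correctly labelled install for contrast, and the assumption that a tarball installed under /opt does not match the policy's default file-context patterns is mine.

```shell
#!/bin/sh
# Added example, not part of the thread. Checks whether an executable carries
# the SELinux type the policy expects (the thread names passenger_exec_t for
# the passenger binary) and, on a mismatch, prints the persistent relabel
# commands. A security context is user:role:type:level, e.g. the
# system_u:object_r:bin_t:s0 seen on the /opt install in the thread.

# The third colon-separated field of a security context is the type.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Pull the security context out of one `ls -Z` output line: it is the
# whitespace-separated field that contains at least three colons.
label_from_ls_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { print $i; exit }
    }'
}

# check_label EXPECTED_TYPE CONTEXT PATH
# Returns 0 when the type matches; otherwise 1, after printing the commands
# that make EXPECTED_TYPE the default for PATH and apply it.
check_label() {
    expected="$1"; context="$2"; path="$3"
    actual=$(selinux_type "$context")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $path has type $actual"
        return 0
    fi
    echo "MISMATCH: $path has type $actual, expected $expected"
    echo "  semanage fcontext -a -t $expected '$path'"
    echo "  restorecon -v '$path'"
    return 1
}

# check_ls_line EXPECTED_TYPE "<one ls -Z line>"
# The last field of an `ls -Z` line is the path.
check_ls_line() {
    line="$2"
    path=${line##* }
    check_label "$1" "$(label_from_ls_line "$line")" "$path"
}

# Constructed sample lines in `ls -Z` format. The /opt path is the thread's
# tarball install (assumed not to match the policy's default file contexts);
# the /usr/bin one is an assumed correctly labelled install for contrast.
SAMPLE_LINES='-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /opt/ruby-enterprise-1.8.7-2010.02/bin/passenger
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 /usr/bin/passenger'

# Demo over the constructed lines. On a live host, feed real output instead:
#   ls -Z "$RUBY_HOME/bin/passenger" | while read -r l; do check_ls_line passenger_exec_t "$l"; done
printf '%s\n' "$SAMPLE_LINES" | while read -r l; do
    check_ls_line passenger_exec_t "$l" || true
done
```

Relabelling the executable only matters if the policy actually contains a transition from httpd_t on passenger_exec_t; after running the printed commands, confirm the result with `ls -Z` on the file and `ps -eZ` on the running processes. The /proc AVC denial is a separate question and is not addressed by relabelling.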