Foreman » SELinux

As reported here:

type=AVC msg=audit(1411818342.258:1286): avc: denied { getattr } for pid=5360 comm="ruby" path="/usr/bin/ssh" dev=dm-0 ino=403231 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=AVC msg=audit(1411818342.266:1287): avc: denied { getcap } for pid=8868 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process
type=AVC msg=audit(1411818342.266:1288): avc: denied { setcap } for pid=8868 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process
type=AVC msg=audit(1411818342.266:1289): avc: denied { execute } for pid=8868 comm="ruby" name="ssh" dev=dm-0 ino=403231 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=AVC msg=audit(1411818342.266:1289): avc: denied { read open } for pid=8868 comm="ruby" name="ssh" dev=dm-0 ino=403231 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=AVC msg=audit(1411818342.266:1289): avc: denied { execute_no_trans } for pid=8868 comm="ruby" path="/usr/bin/ssh" dev=dm-0 ino=403231 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=AVC msg=audit(1411818376.883:1290): avc: denied { name_bind } for pid=5382 comm="ruby" src=12276 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

I think we need to define our own ssh domain from policy/modules/services/ssh.if: ssh_basic_client_template and backport this for RHEL6 where there is no such an interface (I suppose).