
Bug #6013

Updated by Dominic Cleal almost 10 years ago

foreman-selinux-1.6.0-0.develop.201405301314git8ad6a63.el7.noarch 
 redhat-release-server-7.0-0.5.el7.x86_64 
 selinux-policy-3.12.1-153.el7.noarch 
 selinux-policy-targeted-3.12.1-153.el7.noarch 

 This denial (rm running as passenger_t, refused getattr on the root filesystem, exit=-13) seems to block Passenger from starting at all: 

 <pre> 
 type=AVC msg=audit(1401722952.037:191): avc:    denied    { getattr } for    pid=6721 comm="rm" name="/" dev="vda1" ino=128 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem 
 type=SYSCALL msg=audit(1401722952.037:191): arch=c000003e syscall=138 success=no exit=-13 a0=5 a1=7fff87ae31d0 a2=78e730 a3=7fff87ae2f80 items=0 ppid=6390 pid=6721 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rm" exe="/usr/bin/rm" subj=system_u:system_r:passenger_t:s0 key=(null) 
 </pre> 

 <pre> 
 # Policy fragment for the AVC above: "rm" running in passenger_t was denied
 # getattr on tclass=filesystem with tcontext fs_t (name="/", dev="vda1"), and
 # the paired SYSCALL record shows the call failing with exit=-13.
 require { 
	 type passenger_t; 
 } 

 #============= passenger_t ============== 
 # Interface form of the rule. The macro-free variant given next in this report
 # (allow passenger_t fs_t:filesystem getattr) shows the single permission it
 # is expected to cover -- confirm against the installed selinux-policy
 # interface definition before shipping.
 fs_getattr_xattr_fs(passenger_t) 
 </pre> 

 Or, written without the policy macro: 

 <pre> 
 # Macro-free form of the fix for the first denial. Scope is one permission
 # (getattr) on one class (filesystem) for one target type (fs_t).
 require { 
	 type passenger_t; 
	 type fs_t; 
	 class filesystem getattr; 
 } 

 #============= passenger_t ============== 
 # The denied call was syscall=138 on arch=c000003e (fstatfs on x86_64), i.e. a
 # filesystem metadata query. The rule grants no file read or write access.
 allow passenger_t fs_t:filesystem getattr; 
 </pre> 

 <pre> 
 type=AVC msg=audit(1401722832.531:183): avc:    denied    { block_suspend } for    pid=6402 comm="PassengerHelper" capability=36    scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=capability2 
 type=SYSCALL msg=audit(1401722832.531:183): arch=c000003e syscall=233 success=yes exit=0 a0=9 a1=2 a2=100000014 a3=1701950 items=0 ppid=6390 pid=6402 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="PassengerHelper" exe="/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerHelperAgent" subj=system_u:system_r:passenger_t:s0 key=(null) 
 type=AVC msg=audit(1401722832.531:183): avc:    denied    { block_suspend } for    pid=6402 comm="PassengerHelper" capability=36    scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=capability2 
 type=SYSCALL msg=audit(1401722832.531:183): arch=c000003e syscall=233 success=yes exit=0 a0=9 a1=2 a2=100000014 a3=1701950 items=0 ppid=6390 pid=6402 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="PassengerHelper" exe="/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerHelperAgent" subj=system_u:system_r:passenger_t:s0 key=(null) 
 </pre> 

 <pre> 
 # Policy fragment for the block_suspend AVC above (capability=36,
 # tclass=capability2, comm="PassengerHelper").
 require { 
	 type passenger_t; 
	 class capability2 block_suspend; 
 } 

 #============= passenger_t ============== 
 # The paired SYSCALL record reports success=yes exit=0 (syscall=233, epoll_ctl
 # on x86_64), so this denial was logged but did not fail the call.
 # NOTE(review): if the aim is only to quiet the audit log, a dontaudit rule
 # (dontaudit passenger_t self:capability2 block_suspend;) would avoid granting
 # the capability. Use allow only if Passenger is confirmed to need it.
 allow passenger_t self:capability2 block_suspend; 
 </pre>
