+++ This bug was initially created as a clone of Bug #848939 +++
Created attachment 605025 [details]
avc denials in permissive mode
Description of problem:
I'm migrating my puppet master from EL6 to Fedora 17 and using the passenger package under review (https://bugzilla.redhat.com/show_bug.cgi?id=470696) to run it as a passenger/rack application. Some work on this was done previously for EL6 (https://bugzilla.redhat.com/show_bug.cgi?id=730837) but it was never complete.
The passenger package ships a rubygem_passenger selinux module:
------
policy_module(rubygem-passenger, 1.1)

require {
    type httpd_t, httpd_tmp_t;
    class capability sys_ptrace;
};

# This should use interface macros
allow httpd_t httpd_tmp_t:sock_file { create write unlink getattr setattr };
allow httpd_t self:capability { fowner sys_resource fsetid };

# These allow the watchdog to run ps, but also any other httpd_t
# process, too (CGI scripts run in httpd_sys_script_t, but PHP,
# mod_perl, etc run in httpd_t)
bool httpd_use_ps true;
if (httpd_use_ps) {
    domain_ptrace_all_domains(httpd_t)
    domain_dontaudit_search_all_domains_state(httpd_t)
}

# Used by Watchdog
allow httpd_t self:capability sys_ptrace;
------
Don't know what effect that is having.
Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-145.fc17.noarch
--- Additional comment from mgrepl@redhat.com on 2012-08-20 05:23:11 EDT ---
What does the following show?
# ps -efZ |grep httpd
--- Additional comment from orion@cora.nwra.com on 2012-08-20 11:06:48 EDT ---
system_u:system_r:httpd_t:s0 root 16180 17487 0 Aug19 ? 00:00:00 PassengerWatchdog
system_u:system_r:httpd_t:s0 root 16184 16180 0 Aug19 ? 00:00:00 PassengerHelperAgent
system_u:system_r:httpd_t:s0 root 16187 16184 0 Aug19 ? 00:00:00 Passenger spawn server
system_u:system_r:httpd_t:s0 nobody 16190 16180 0 Aug19 ? 00:00:00 PassengerLoggingAgent
system_u:system_r:httpd_t:s0 apache 16220 17487 0 Aug19 ? 00:00:00 /usr/sbin/httpd -k start
--- Additional comment from mgrepl@redhat.com on 2012-08-21 03:38:04 EDT ---
Which is wrong. Could you paste the paths to PassengerWatchdog, PassengerHelperAgent and PassengerLoggingAgent with labels?
# ls -lZ PATHTO/PassengerWatchdog
# ls -lZ PATHTO/PassengerHelperAgent
# ls -lZ PATHTO/PassengerLoggingAgent
--- Additional comment from orion@cora.nwra.com on 2012-08-21 18:53:49 EDT ---
[root@gepetto puppet]# ls -lZ /usr/share/gems/gems/passenger-3.0.14/agents/
drwxr-xr-x. root root system_u:object_r:bin_t:s0 apache2
-rwxrwxr-x. root root system_u:object_r:httpd_exec_t:s0 PassengerLoggingAgent
-rwxrwxr-x. root root system_u:object_r:httpd_exec_t:s0 PassengerWatchdog
[root@gepetto puppet]# ls -lZ /usr/share/gems/gems/passenger-3.0.14/agents/apache2/
-rwxrwxr-x. root root system_u:object_r:httpd_exec_t:s0 PassengerHelperAgent
/usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.fc contains:
/usr/share/gems/gems/passenger-3.0.14/agents/PassengerWatchdog gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/share/gems/gems/passenger-3.0.14/agents/PassengerLoggingAgent gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/share/gems/gems/passenger-3.0.14/agents/apache2/PassengerHelperAgent gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/share/gems/gems/passenger-3.0.14/ gen_context(system_u:object_r:bin_t,s0)
/usr/share/gems/gems/passenger-3.0.14/agents gen_context(system_u:object_r:bin_t,s0)
/usr/share/gems/gems/passenger-3.0.14/agents/apache2 gen_context(system_u:object_r:bin_t,s0)
/usr/share/gems/gems/passenger-3.0.14/helper-scripts/prespawn gen_context(system_u:object_r:bin_t,s0)
/usr/share/gems/gems/passenger-3.0.14/helper-scripts/passenger-spawn-server.spawnip gen_context(system_u:object_r:bin_t,s0)
/usr/share/gems/gems/passenger-3.0.14/helper-scripts/passenger-spawn-server gen_context(system_u:object_r:bin_t,s0)
I take it it shouldn't ship that? You might want to comment in the review; it would be helpful.
--- Additional comment from mgrepl@redhat.com on 2012-08-22 04:30:08 EDT ---
Yes, you got it. This is a problem. Could you try to disable this rubygem-passenger module?
# semodule -d rubygem-passenger
# restorecon -R -v /usr/share/gems
and restart all passenger services.
--- Additional comment from orion@cora.nwra.com on 2012-08-22 11:27:42 EDT ---
That reset the labels to usr_t, but now I get:
type=AVC msg=audit(1345649166.602:76): avc: denied { execute } for pid=1333 comm="httpd" name="PassengerWatchdog" dev="vda2" ino=8646 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1345649166.602:76): avc: denied { execute_no_trans } for pid=1333 comm="httpd" path="/usr/share/gems/gems/passenger-3.0.14/agents/PassengerWatchdog" dev="vda2" ino=8646 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1345649166.694:77): avc: denied { sys_resource } for pid=1333 comm="PassengerWatchd" capability=24 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1345649174.040:79): avc: denied { fowner } for pid=1381 comm="chmod" capability=3 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1345649174.040:79): avc: denied { fsetid } for pid=1381 comm="chmod" capability=4 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1345649194.019:80): avc: denied { search } for pid=1389 comm="ruby" name="puppet" dev="vda2" ino=392393 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1345649194.019:80): avc: denied { getattr } for pid=1389 comm="ruby" path="/etc/puppet/modules" dev="vda2" ino=393326 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1345649194.019:81): avc: denied { read } for pid=1389 comm="ruby" name="modules" dev="vda2" ino=393326 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1345649194.019:81): avc: denied { open } for pid=1389 comm="ruby" path="/etc/puppet/modules" dev="vda2" ino=393326 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
--- Additional comment from mgrepl@redhat.com on 2012-08-23 02:04:57 EDT ---
Ok, I see the labeling bug in F17.
Execute:
# chcon -t passenger_exec_t /usr/share/gems/gems/passenger-3.0.14/agents/PassengerWatchdog /usr/share/gems/gems/passenger-3.0.14/agents/apache2/PassengerHelperAgent /usr/share/gems/gems/passenger-3.0.14/agents/PassengerLoggingAgent
--- Additional comment from orion@cora.nwra.com on 2012-08-23 13:43:41 EDT ---
Created attachment 606667 [details]
avc denials in permissive mode
Not sufficient. I got:
[ pid=3098 thr=140138351482688 file=ext/common/AgentBase.cpp:419 time=2012-08-23 11:34:51.747 ]: *** ERROR: Unexpected end-of-file encountered
in 'void Passenger::VariantMap::readFrom(int)' (VariantMap.h:140)
in 'Passenger::VariantMap Passenger::initializeAgent(int, char**, const char*)' (AgentBase.cpp:355)
[Thu Aug 23 11:34:51 2012] [error] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog: it seems to have crashed during startup for an unknown reason, with exit code 1
but no denials in audit.log. Switched to permissive and it works, and I see the attached denials.
This may be further complicated because I moved the puppet rack config from /usr/share/puppet/rack to /var/lib/puppet/rack in the apache config, so from usr_t to puppet_var_lib_t.
--- Additional comment from mgrepl@redhat.com on 2012-08-24 04:47:42 EDT ---
I am adding fixes for passenger policy to F18 and will backport passenger policy to F17.
--- Additional comment from orion@cora.nwra.com on 2012-08-24 09:58:05 EDT ---
Note that the final install location for the agents is not yet set. Hopefully today though we'll get it. They don't belong in /usr/share though since they are binaries.
--- Additional comment from orion@cora.nwra.com on 2012-08-29 12:13:32 EDT ---
New install path will be in %{_libdir}:
/usr/lib64/gems/exts/passenger-3.0.14/agents/:
drwxr-xr-x. root root system_u:object_r:lib_t:s0 apache2
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerWatchdog
/usr/lib64/gems/exts/passenger-3.0.14/agents/apache2:
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerHelperAgent
--- Additional comment from mgrepl@redhat.com on 2012-09-03 02:39:56 EDT ---
Thanks. Added.
--- Additional comment from updates@fedoraproject.org on 2012-09-17 08:12:28 EDT ---
selinux-policy-3.10.0-149.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-149.fc17
--- Additional comment from updates@fedoraproject.org on 2012-09-18 22:54:10 EDT ---
Package selinux-policy-3.10.0-149.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-149.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14301/selinux-policy-3.10.0-149.fc17
then log in and leave karma (feedback).
--- Additional comment from orion@cora.nwra.com on 2012-09-19 16:37:18 EDT ---
The new paths don't have the proper contexts with this change:
selinux-policy-3.10.0-149.fc17.noarch
[root@gepetto ~]# ls -lZR /usr/lib64/gems/exts/passenger-3.0.14/agents/
/usr/lib64/gems/exts/passenger-3.0.14/agents/:
drwxr-xr-x. root root system_u:object_r:lib_t:s0 apache2
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerWatchdog
/usr/lib64/gems/exts/passenger-3.0.14/agents/apache2:
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerHelperAgent
So this update doesn't fix this bug.
--- Additional comment from misc@zarb.org on 2012-09-19 17:08:08 EDT ---
The bug also exists on F18. Testing OpenShift, I have noticed high CPU usage due to the number of AVCs triggered by passenger (since it runs ps to check the processes, see ./ext/common/Utils/ProcessMetricsCollector.h, function ProcessMetricsCollector::collect).
And the same label issue:
# ls -lZ /usr/lib/gems/exts/passenger-3.0.17/agents
drwxr-xr-x. root root system_u:object_r:lib_t:s0 apache2
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerWatchdog
# rpm -q selinux-policy
selinux-policy-3.11.1-21.fc18.noarch
--- Additional comment from dwalsh@redhat.com on 2012-09-19 20:43:37 EDT ---
I just added the following labeling to F18.
/usr/share/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)
/usr/lib/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)
Could you try this label for your machine.
semanage fcontext -a -t passenger_exec_t -f -- '/usr/share/gems/.*/Passenger.*'
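The two regexes above are worth checking against the paths pasted earlier in this bug before relabeling: the F17 machine keeps the agents under /usr/lib64/gems while the rule says /usr/lib/gems, the `--` file type must leave the apache2 directory alone, and `Passenger.*` is case sensitive so the lowercase helper scripts stay unlabeled. The toy matcher below is an added example written for this page; it is not code from the bug, from selinux-policy or from rubygem-passenger. It assumes that file_contexts regexes are anchored at both ends, that `--` restricts an entry to regular files and `-d` to directories, and that the host applies the /usr/lib64 -> /usr/lib path equivalence that Fedora ships in file_contexts.subs_dist (that equivalence is why a /usr/lib/gems rule reaches the x86_64 path). The table is hand-ordered from least to most specific with the last match winning; real libselinux sorts file_contexts by specificity itself.

```shell
#!/bin/sh
# Added example, not from this bug or from the selinux-policy / rubygem-passenger
# packages: a toy file_contexts matcher to check, offline, which of the paths
# pasted in the bug a labeling regex such as
#   /usr/lib/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)
# will cover once restorecon runs.
#
# Assumptions (not stated in the bug): regexes are anchored at both ends, the
# "--" file type restricts an entry to regular files ("-d" to directories), and
# the host applies the /usr/lib64 -> /usr/lib equivalence from Fedora's
# file_contexts.subs_dist. The table is hand-ordered least to most specific and
# the last match wins; real libselinux sorts file_contexts by specificity.

# Columns: regex  file-type ('*' = any)  type
FC_TABLE='/usr/share(/.*)?                *   usr_t
/usr/lib(/.*)?                  *   lib_t
/usr/share/gems/.*/Passenger.*  --  passenger_exec_t
/usr/lib/gems/.*/Passenger.*    --  passenger_exec_t'

# apply_subs PATH: rewrite a /usr/lib64 prefix to /usr/lib, as the subs file does
apply_subs() {
    case "$1" in
        /usr/lib64|/usr/lib64/*) printf '%s\n' "/usr/lib${1#/usr/lib64}" ;;
        *)                       printf '%s\n' "$1" ;;
    esac
}

# fc_lookup PATH FTYPE: FTYPE is f (regular file) or d (directory).
# Prints the type the table assigns, or <<none>> when no entry matches.
fc_lookup() {
    path=$(apply_subs "$1")
    ftype=$2
    label='<<none>>'
    while read -r re fct lbl; do
        [ -n "$re" ] || continue
        case "$fct" in
            '*')  ;;                               # any file type
            '--') [ "$ftype" = f ] || continue ;;  # regular files only
            '-d') [ "$ftype" = d ] || continue ;;  # directories only
        esac
        # file_contexts regexes are implicitly anchored: ^regex$
        if printf '%s\n' "$path" | grep -Eq "^(${re})\$"; then
            label=$lbl
        fi
    done <<EOF
$FC_TABLE
EOF
    printf '%s\n' "$label"
}

# Paths taken from this bug: the agents should become passenger_exec_t, the
# apache2 directory must stay lib_t, and the lowercase helper script is not caught.
for p in \
    /usr/lib64/gems/exts/passenger-3.0.14/agents/PassengerWatchdog:f \
    /usr/lib64/gems/exts/passenger-3.0.14/agents/apache2/PassengerHelperAgent:f \
    /usr/lib64/gems/exts/passenger-3.0.14/agents/apache2:d \
    /usr/share/gems/gems/passenger-3.0.14/helper-scripts/passenger-spawn-server:f
do
    printf '%-72s %s\n' "${p%:*}" "$(fc_lookup "${p%:*}" "${p##*:}")"
done
```

On a real host the authoritative answers come from `matchpathcon -n PATH` (what the loaded file_contexts say the path should be) and `restorecon -n -v -R DIR` (a dry run listing what would change), which also pick up the subs file and any local `semanage fcontext` additions; the toy only makes the regex and file-type logic visible.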
--- Additional comment from mgrepl@redhat.com on 2012-09-20 09:18:06 EDT ---
Added also labeling for ApplicationPoolServerExecutable
--- Additional comment from orion@cora.nwra.com on 2012-09-20 11:07:22 EDT ---
That labelling gets the agents. I have no idea what ApplicationPoolServerExecutable refers to.
In permissive mode I see:
type=AVC msg=audit(1348153395.886:44666): avc: denied { getattr } for pid=32415 comm="ruby" path="socket:[5796223]" dev="sockfs" ino=5796223 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1348153395.889:44667): avc: denied { ioctl } for pid=32415 comm="ruby" path="socket:[5796223]" dev="sockfs" ino=5796223 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1348153396.159:44668): avc: denied { write } for pid=32409 comm="httpd" name="socket" dev="tmpfs" ino=5797081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:passenger_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1348153434.513:44670): avc: denied { listen } for pid=32517 comm="ruby" laddr=127.0.0.1 lport=48117 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=tcp_socket
type=AVC msg=audit(1348153436.846:44671): avc: denied { execute } for pid=32715 comm="ruby" name="ifconfig" dev="vda2" ino=261296 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1348153436.846:44671): avc: denied { read open } for pid=32715 comm="ruby" path="/usr/sbin/ifconfig" dev="vda2" ino=261296 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1348153436.846:44671): avc: denied { execute_no_trans } for pid=32715 comm="ruby" path="/usr/sbin/ifconfig" dev="vda2" ino=261296 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1348153436.849:44672): avc: denied { read } for pid=32715 comm="ifconfig" name="unix" dev="proc" ino=4026531999 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1348153436.849:44673): avc: denied { search } for pid=32715 comm="ifconfig" name="net" dev="proc" ino=9067 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1348153436.850:44674): avc: denied { open } for pid=32715 comm="ifconfig" path="/proc/32715/net/dev" dev="proc" ino=4026531972 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1348153436.850:44675): avc: denied { getattr } for pid=32715 comm="ifconfig" path="/proc/32715/net/dev" dev="proc" ino=4026531972 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1348153447.092:44678): avc: denied { create } for pid=32517 comm="ruby" name="201209201504.yaml20120920-32517-125jb7a.lock" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1348153447.116:44679): avc: denied { rmdir } for pid=32517 comm="ruby" name="201209201504.yaml20120920-32517-125jb7a.lock" dev="vda2" ino=146896 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1348153447.233:44680): avc: denied { write } for pid=32445 comm="httpd" name="ruby.TgTGzwVFCSt9ptj29VZSFz5LJDWhpaZIw08mfdJDoCzDABxghVlyMHo" dev="tmpfs" ino=5797297 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:passenger_tmp_t:s0 tclass=sock_file
--- Additional comment from updates@fedoraproject.org on 2012-09-21 19:58:21 EDT ---
selinux-policy-3.10.0-149.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Is there somewhere I can download a beta/test policy for RHEL6.3? I'm using the mod_passenger package from EPEL and running into problems before I even try puppet. Passenger won't start because the agents aren't labeled:
[Thu Oct 25 22:07:05 2012] [error] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog (/usr/lib64/gems/exts/passenger-3.0.17/agents/PassengerWatchdog): Permission denied (13)
[root@bootstrap httpd]# ls -Z /usr/lib64/gems/exts/passenger-3.0.17/agents/
drwxr-xr-x. root root system_u:object_r:lib_t:s0 apache2
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerWatchdog
Running restorecon doesn't change anything under selinux-policy-3.7.19-155.el6_3.4.
Thanks!
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2013-0314.html