I just realised that the server is using a Ruby Enterprise edition installation. Which means that<br>the ruby installation was downloaded as a .tar file and installed using an install script to the path /opt/ruby-enterprise-1.8.7-2010.02/<br>
<br>Thus everything in my $RUBY_HOME/bin is labelled system_u:object_r:bin_t:s0 <br>This includes $RUBY_HOME/bin/passenger. That explains why httpd is not running in the passenger domain. <br><br>Should I attempt to relabel these files myself? <br>
<br>This still doesn't explain the /proc access. <br><br>I've attempted to do look up the name of the process ID in the AVC denial messages but that process doesn't seem to show up using a `ps -ef` or looking for in in htop. It must be exiting quickly. <br>
<br><br><div class="gmail_quote">On Tue, Dec 28, 2010 at 12:45 PM, Dominick Grift <span dir="ltr"><<a href="mailto:domg472@gmail.com">domg472@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
</div><div class="im">On 12/28/2010 08:34 PM, Frank Licea wrote:<br>
> Daniel:<br>
><br>
> I'm using Fedora 14.<br>
><br>
> To answer Dominik's questions:<br>
><br>
> 1) Why is passenger running in the httpd domain?<br>
> I don't know. I've only followed the passenger installation instructions<br>
> at <a href="http://mifo.sk/posts/passenger-selinux-for-fedora/" target="_blank">http://mifo.sk/posts/passenger-selinux-for-fedora/</a> minus step 5 since<br>
> Fedora 14 is supposed to have passenger policies installed? Should httpd be<br>
> in a special passenger domain?<br>
<br>
</div>I think fedora 14 has a special passenger policy installed but it looks<br>
like its not working on your system (note looks) since it seems to still<br>
run in the httpd_t domain.<br>
<div class="im"><br>
> 2) is passenger running some webapp that for some reason needs to read the<br>
> state file in /proc of some process that runs in the unconfined_t domain?<br>
> No I don't think so. At least I haven't written any code where I use<br>
> anything in /proc.<br>
> I suppose it is possible that a GEM library may be trying to.<br>
<br>
</div>Why would it? can you reproduce this issue. Does it only happen if you<br>
restart httpd manually? I guess it does..<br>
<div class="im"><br>
> 3) does this issue cause any loss of functionality in enforcing mode<br>
> I haven't checked yet. I will let you know soon.<br>
><br>
<br>
</div>See if it works when ignoring this.<br>
<div class="im"><br>
> 4. are you sure passenger and/or the passenger webapp is configured<br>
> correctly?<br>
> I have as far as following the instructions in the blog post above. I<br>
> wonder if there<br>
> is any relabelling I have to do?<br>
<br>
</div>I think this issue happens when the httpd server gets restarted manually<br>
(service httpd restart/stop/start etc) not sure though.<br>
<br>
can you ls -alZ /path/to/passenger executable file?<br>
<br>
It should be labelled type: passenger_exec_t<br>
<br>
httpd should domain transition to the passenger_t domain when it runs<br>
the passenger executable file (files with type passenger_exec_t)<br>
<br>
seem that doesnt happen but even if it did, passenger still wouldnt be<br>
able to read unconfined_t state files in /proc ( not sure why it would<br>
need to either)<br>
<div class="im"><br>
<br>
><br>
> 2010/12/28 Daniel J Walsh <<a href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a>><br>
><br>
</div><div class="im">> On 12/26/2010 05:25 PM, Jorge Fábregas wrote:<br>
>>>> On Sunday, December 26, 2010 05:25:22 pm Dominick Grift wrote:<br>
>>>>> is trying to read the state files in /proc for some unconfined_t<br>
> process<br>
>>>><br>
>>>> Never thought of /proc. That explains why I found it weird to see a file<br>
>>>> labeled as unconfined_t.<br>
>>>><br>
>>>> Frank: disregard my previous suggetion >:)<br>
>>>><br>
>>>> --<br>
>>>> Jorge<br>
>>>> --<br>
>>>> selinux mailing list<br>
>>>> <a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
>>>> <a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
> What OS/Version are you seeing this in?<br>
- --<br>
selinux mailing list<br>
<a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
>><br>
<br>
> --<br>
> selinux mailing list<br>
> <a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
> <a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
</div>Version: GnuPG v2.0.16 (GNU/Linux)<br>
<div class="im">Comment: Using GnuPG with Fedora - <a href="http://enigmail.mozdev.org/" target="_blank">http://enigmail.mozdev.org/</a><br>
<br>
</div>iEYEARECAAYFAk0aPkgACgkQMlxVo39jgT+v5gCgwwmqWVMwQ445sbLYqplAZKJP<br>
HzgAmwVLqTActXtAO1QAL3OcPMYEmryl<br>
=Dwxq<br>
<div><div></div><div class="h5">-----END PGP SIGNATURE-----<br>
--<br>
selinux mailing list<br>
<a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
</div></div></blockquote></div><br>