Phusion Passenger on selinux

Pete Stieber pstieber at gmail.com
Fri Jun 15 21:00:37 UTC 2012


I am struggling to get redmine 2.0.2 (http://www.redmine.org/) working 
on a Fedora 17 box with selinux turned on.  I know there is a 
long-standing review request for rubygem-passenger 
(https://bugzilla.redhat.com/show_bug.cgi?id=470696), but it is hung up 
over a licensing issue.  Is there an SELinux policy package available 
from that request?

I notice a passenger policy on my Fedora 17 box

/etc/selinux/targeted/modules/active/modules/passenger.pp

It came from...

rpm -qf /etc/selinux/targeted/modules/active/modules/passenger.pp
selinux-policy-targeted-3.10.0-128.fc17.noarch

Is it active?  Should it be helping me with my non-yum-installed version 
of passenger?

Can I get it to help me with my non-Fedora-installed version of passenger?

I have appended the result of

audit2allow < /var/log/audit/audit.log

Hoping Dan Walsh can help me out ;-)

Pete

#============= avahi_t ==============
#!!!! This avc is allowed in the current policy
# NOTE(review): audit2allow reports that the loaded policy already permits
# this, so the log line is not a live denial and no custom rule is needed
# for it (presumably an older entry in audit.log; re-check with a fresh log).

allow avahi_t httpd_t:dbus send_msg;

#============= httpd_t ==============
# NOTE(review): audit2allow output is a transcript of what was denied, not a
# vetted policy. Every rule marked with a '#!!!!' hint already has a narrower
# fix (a boolean, or a relabel of the target file); only the remaining rules
# are candidates for a custom module, and each should be checked against the
# raw AVC (path, comm) before being loaded.
#!!!! This avc is allowed in the current policy

allow httpd_t avahi_t:dbus send_msg;
# Apache connecting to a unix socket owned by the passenger_t domain —
# presumably the core httpd <-> passenger hand-off; verify against the raw AVC.
allow httpd_t passenger_t:unix_stream_socket connectto;
#!!!! The source type 'httpd_t' can write to a 'dir' of the following types:
# systemd_passwd_var_run_t, squirrelmail_spool_t, dirsrvadmin_config_t, 
# var_lock_t, tmpfs_t, tmp_t, var_t, abrt_retrace_spool_t, jetty_log_t, 
# httpd_tmp_t, httpd_log_t, jetty_cache_t, dirsrv_config_t, 
# dirsrvadmin_tmp_t, httpd_squirrelmail_t, httpd_cache_t, httpd_tmpfs_t, 
# var_log_t, var_lib_t, var_run_t, dirsrv_var_run_t, dirsrv_var_log_t, 
# zarafa_var_lib_t, httpd_var_lib_t, httpd_var_run_t, jetty_var_lib_t, 
# jetty_var_run_t, httpd_nutups_cgi_ra_content_t, 
# httpd_nutups_cgi_rw_content_t, httpd_dspam_ra_content_t, 
# httpd_dspam_rw_content_t, httpd_prewikka_ra_content_t, 
# httpd_prewikka_rw_content_t, httpd_mediawiki_ra_content_t, 
# httpd_mediawiki_rw_content_t, httpd_squid_ra_content_t, 
# httpd_squid_rw_content_t, root_t, passenger_var_run_t, 
# httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, 
# httpd_man2html_ra_content_t, httpd_man2html_rw_content_t, 
# httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, 
# httpd_dirsrvadmin_ra_content_t, httpd_dirsrvadmin_rw_content_t, 
# httpd_collectd_ra_content_t, httpd_collectd_rw_content_t, 
# httpd_zoneminder_ra_content_t, httpd_zoneminder_rw_content_t, 
# httpd_user_ra_content_t, httpd_user_rw_content_t, 
# httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, 
# httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t, 
# httpd_munin_ra_content_t, httpd_munin_rw_content_t, 
# httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t, 
# httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, 
# httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t, 
# httpd_git_rw_content_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, 
# httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t, 
# httpd_nagios_ra_content_t, httpd_nagios_rw_content_t
# NOTE(review): the hint above lists the types httpd_t may already write to;
# passenger_var_run_t is among them while passenger_tmp_t is not. Check
# whether the directory that triggered this denial is simply mislabelled
# (the hint suggests a relabel) before widening httpd_t with the rule below.

allow httpd_t passenger_tmp_t:dir { write search getattr add_name };
#!!!! The source type 'httpd_t' can write to a 'file' of the following 
# types:
# systemd_passwd_var_run_t, squirrelmail_spool_t, dirsrvadmin_config_t, 
# abrt_retrace_spool_t, jetty_log_t, httpd_tmp_t, httpd_lock_t, 
# jetty_cache_t, dirsrv_config_t, dirsrvadmin_tmp_t, httpd_squirrelmail_t, 
# httpd_cache_t, httpd_tmpfs_t, dirsrv_var_run_t, dirsrv_var_log_t, 
# zarafa_var_lib_t, httpd_var_lib_t, httpd_var_run_t, jetty_var_lib_t, 
# jetty_var_run_t, httpd_nutups_cgi_rw_content_t, 
# httpd_dspam_rw_content_t, httpd_prewikka_rw_content_t, 
# httpd_mediawiki_rw_content_t, httpd_squid_rw_content_t, root_t, 
# passenger_var_run_t, httpd_smokeping_cgi_rw_content_t, 
# httpd_man2html_rw_content_t, httpd_w3c_validator_rw_content_t, 
# httpd_dirsrvadmin_rw_content_t, httpd_collectd_rw_content_t, 
# httpd_zoneminder_rw_content_t, httpd_user_rw_content_t, 
# httpd_awstats_rw_content_t, httpd_cobbler_rw_content_t, 
# httpd_munin_rw_content_t, httpd_mojomojo_rw_content_t, 
# httpd_bugzilla_rw_content_t, httpd_cvs_rw_content_t, 
# httpd_git_rw_content_t, httpd_sys_rw_content_t, 
# httpd_apcupsd_cgi_rw_content_t, httpd_nagios_rw_content_t
# Same consideration as the dir rule above: the file and sock_file denials on
# passenger_tmp_t may be a labelling problem rather than a missing rule.

allow httpd_t passenger_tmp_t:file { write create open setattr };
allow httpd_t passenger_tmp_t:sock_file write;
#!!!! This avc can be allowed using one of the these booleans:
#     httpd_run_stickshift, httpd_setrlimit
# NOTE(review): prefer enabling one of the booleans named above over a custom
# capability rule; fowner and fsetid relax file-ownership and setuid/setgid
# bit checks for everything running as httpd_t, not just Passenger.

allow httpd_t self:capability { fowner sys_resource fsetid };
# NOTE(review): permits execution of any usr_t-labelled file with no domain
# transition. Find the executable's path in the raw AVC and prefer
# relabelling that one file with an executable file type over this rule.
allow httpd_t usr_t:file { execute execute_no_trans };

#============= passenger_t ==============
# NOTE(review): the long run of '<domain>_t:dir { getattr search }' /
# '<domain>_t:file { read open }' pairs below all target process domains
# (init_t, kernel_t, sshd_t, ...). That pattern presumably means something
# running as passenger_t walked /proc/<pid> for every process on the box
# (a ps-style scan), since /proc entries carry the process's domain type.
# Confirm via the path field of the raw AVCs; if so, this is one behaviour
# to address (or dontaudit), not ~60 separate rules to grant.
allow passenger_t NetworkManager_t:dir { getattr search };
allow passenger_t NetworkManager_t:file { read open };
allow passenger_t audisp_t:dir { getattr search };
allow passenger_t audisp_t:file { read open };
allow passenger_t auditd_t:dir { getattr search };
allow passenger_t auditd_t:file { read open };
allow passenger_t avahi_t:dir { getattr search };
allow passenger_t avahi_t:file { read open };
allow passenger_t bluetooth_t:dir { getattr search };
allow passenger_t bluetooth_t:file { read open };
allow passenger_t consolekit_t:dir { getattr search };
allow passenger_t consolekit_t:file { read open };
allow passenger_t crond_t:dir { getattr search };
allow passenger_t crond_t:file { read open };
allow passenger_t dhcpc_t:dir { getattr search };
allow passenger_t dhcpc_t:file { read open };
allow passenger_t getty_t:dir { getattr search };
allow passenger_t getty_t:file { read open };
allow passenger_t gpm_t:dir { getattr search };
allow passenger_t gpm_t:file { read open };
allow passenger_t home_root_t:dir getattr;
allow passenger_t httpd_t:dir { getattr search };
allow passenger_t httpd_t:file { read open };
#!!!! The source type 'passenger_t' can write to a 'dir' of the 
# following types:
# passenger_log_t, passenger_tmp_t, passenger_var_lib_t, passenger_var_run_t
# NOTE(review): the hint says passenger_t already writes to the passenger_*
# types; the tmpfs directory behind these httpd_tmpfs_t denials may be
# mislabelled (or created by httpd_t on Passenger's behalf) rather than
# needing the broad create/rmdir/unlink rights granted below. Verify before
# loading.

allow passenger_t httpd_tmpfs_t:dir { setattr read create write getattr 
rmdir remove_name open add_name };
#!!!! The source type 'passenger_t' can write to a 'file' of the 
# following types:
# puppet_var_lib_t, passenger_log_t, passenger_tmp_t, 
# passenger_var_lib_t, passenger_var_run_t

allow passenger_t httpd_tmpfs_t:file { write getattr setattr create 
unlink open };
allow passenger_t httpd_tmpfs_t:sock_file { write create unlink getattr 
setattr };
allow passenger_t init_t:dir { getattr search };
allow passenger_t init_t:file { read open };
# getattr/ioctl on init's unix socket — distinct from the /proc reads above;
# check the raw AVC for what passenger_t was actually touching here.
allow passenger_t init_t:unix_stream_socket { getattr ioctl };
allow passenger_t irqbalance_t:dir { getattr search };
allow passenger_t irqbalance_t:file { read open };
allow passenger_t kernel_t:dir { getattr search };
allow passenger_t kernel_t:file { read open };
allow passenger_t mcelog_t:dir { getattr search };
allow passenger_t mcelog_t:file { read open };
allow passenger_t mdadm_t:dir { getattr search };
allow passenger_t mdadm_t:file { read open };
allow passenger_t modemmanager_t:dir { getattr search };
allow passenger_t modemmanager_t:file { read open };
allow passenger_t mysqld_t:dir { getattr search };
allow passenger_t mysqld_t:file { read open };
# Connecting to the MySQL unix socket — presumably Redmine's database
# connection from inside the Passenger-spawned app; looks legitimate, but
# verify it is the only network-ish access needed.
allow passenger_t mysqld_t:unix_stream_socket connectto;
allow passenger_t mysqld_var_run_t:sock_file write;
allow passenger_t nfsd_t:dir { getattr search };
allow passenger_t nfsd_t:file { read open };
allow passenger_t ntpd_t:dir { getattr search };
allow passenger_t ntpd_t:file { read open };
allow passenger_t passenger_tmp_t:sock_file { write create unlink 
getattr setattr };
allow passenger_t policykit_t:dir { getattr search };
allow passenger_t policykit_t:file { read open };
allow passenger_t rpcbind_t:dir { getattr search };
allow passenger_t rpcbind_t:file { read open };
allow passenger_t rpcd_t:dir { getattr search };
allow passenger_t rpcd_t:file { read open };
# NOTE(review): sys_ptrace is a broad capability (inspecting other processes
# in detail). It may be a side-effect of the same /proc scan noted at the top
# of this section rather than something Passenger needs — confirm before
# granting; this is the rule in this section most worth refusing.
allow passenger_t self:capability { sys_resource sys_ptrace };
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
# NOTE(review): the hint names a boolean; check whether enabling it is really
# narrower than this single listen rule for your setup before choosing.

allow passenger_t self:tcp_socket listen;
allow passenger_t sendmail_t:dir { getattr search };
allow passenger_t sendmail_t:file { read open };
allow passenger_t setroubleshootd_t:dir { getattr search };
allow passenger_t setroubleshootd_t:file { read open };
allow passenger_t sshd_t:dir { getattr search };
allow passenger_t sshd_t:file { read open };
allow passenger_t syslogd_t:dir { getattr search };
allow passenger_t syslogd_t:file { read open };
allow passenger_t system_dbusd_t:dir { getattr search };
allow passenger_t system_dbusd_t:file { read open };
allow passenger_t systemd_logind_t:dir { getattr search };
allow passenger_t systemd_logind_t:file { read open };
allow passenger_t udev_t:dir { getattr search };
allow passenger_t udev_t:file { read open };
allow passenger_t unconfined_t:dir { getattr search };
allow passenger_t unconfined_t:file { read open };
# NOTE(review): as with the httpd_t rule, this lets passenger_t execute any
# usr_t-labelled file without a domain transition; find the path in the raw
# AVC and prefer relabelling that file with an executable file type.
allow passenger_t usr_t:file { execute execute_no_trans };

