Phusion Passenger on selinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I am struggling to get redmine 2.0.2 (http://www.redmine.org/) working on a Fedora 17 box with selinux turned on. I know there is a long-standing review request for rubygem-passenger (https://bugzilla.redhat.com/show_bug.cgi?id=470696), but it is hung up over a licensing issue. Is there a selinux package policy available from that request? 

I notice a passenger policy on my Fedora 17 box

/etc/selinux/targeted/modules/active/modules/passenger.pp

It came from...

rpm -qf /etc/selinux/targeted/modules/active/modules/passenger.pp
selinux-policy-targeted-3.10.0-128.fc17.noarch
Is it active? Should it be helping me with my non-yum installed version of passenger? 

Can I get it to help me with my non-Fedora installed version of passenger?

I have appended the result of

audit2allow < /var/log/audit/audit.log

Hoping Dan Walsh can help me out ;-)

Pete

#============= avahi_t ==============
#!!!! This avc is allowed in the current policy

allow avahi_t httpd_t:dbus send_msg;

#============= httpd_t ==============
#!!!! This avc is allowed in the current policy

allow httpd_t avahi_t:dbus send_msg;
allow httpd_t passenger_t:unix_stream_socket connectto;
#!!!! The source type 'httpd_t' can write to a 'dir' of the following types:
# systemd_passwd_var_run_t, squirrelmail_spool_t, dirsrvadmin_config_t, var_lock_t, tmpfs_t, tmp_t, var_t, abrt_retrace_spool_t, jetty_log_t, httpd_tmp_t, httpd_log_t, jetty_cache_t, dirsrv_config_t, dirsrvadmin_tmp_t, httpd_squirrelmail_t, httpd_cache_t, httpd_tmpfs_t, var_log_t, var_lib_t, var_run_t, dirsrv_var_run_t, dirsrv_var_log_t, zarafa_var_lib_t, httpd_var_lib_t, httpd_var_run_t, jetty_var_lib_t, jetty_var_run_t, httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t, httpd_dspam_ra_content_t, httpd_dspam_rw_content_t, httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t, httpd_mediawiki_ra_content_t, httpd_mediawiki_rw_content_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t, root_t, passenger_var_run_t, httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, httpd_man2html_ra_content_t, httpd_man2html_rw_content_t, httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, httpd_dirsrvadmin_ra_content_t, httpd_dirsrvadmin_rw_content_t, httpd_collectd_ra_content_t, httpd_collectd_rw_content_t, httpd_zoneminder_ra_content_t, httpd_zoneminder_rw_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t, httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t, httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_nagios_ra_content_t, httpd_nagios_rw_content_t 

allow httpd_t passenger_tmp_t:dir { write search getattr add_name };
#!!!! The source type 'httpd_t' can write to a 'file' of the following types: # systemd_passwd_var_run_t, squirrelmail_spool_t, dirsrvadmin_config_t, abrt_retrace_spool_t, jetty_log_t, httpd_tmp_t, httpd_lock_t, jetty_cache_t, dirsrv_config_t, dirsrvadmin_tmp_t, httpd_squirrelmail_t, httpd_cache_t, httpd_tmpfs_t, dirsrv_var_run_t, dirsrv_var_log_t, zarafa_var_lib_t, httpd_var_lib_t, httpd_var_run_t, jetty_var_lib_t, jetty_var_run_t, httpd_nutups_cgi_rw_content_t, httpd_dspam_rw_content_t, httpd_prewikka_rw_content_t, httpd_mediawiki_rw_content_t, httpd_squid_rw_content_t, root_t, passenger_var_run_t, httpd_smokeping_cgi_rw_content_t, httpd_man2html_rw_content_t, httpd_w3c_validator_rw_content_t, httpd_dirsrvadmin_rw_content_t, httpd_collectd_rw_content_t, httpd_zoneminder_rw_content_t, httpd_user_rw_content_t, httpd_awstats_rw_content_t, httpd_cobbler_rw_content_t, httpd_munin_rw_content_t, httpd_mojomojo_rw_content_t, httpd_bugzilla_rw_content_t, httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_nagios_rw_content_t 

allow httpd_t passenger_tmp_t:file { write create open setattr };
allow httpd_t passenger_tmp_t:sock_file write;
#!!!! This avc can be allowed using one of the these booleans:
#     httpd_run_stickshift, httpd_setrlimit

allow httpd_t self:capability { fowner sys_resource fsetid };
allow httpd_t usr_t:file { execute execute_no_trans };

#============= passenger_t ==============
allow passenger_t NetworkManager_t:dir { getattr search };
allow passenger_t NetworkManager_t:file { read open };
allow passenger_t audisp_t:dir { getattr search };
allow passenger_t audisp_t:file { read open };
allow passenger_t auditd_t:dir { getattr search };
allow passenger_t auditd_t:file { read open };
allow passenger_t avahi_t:dir { getattr search };
allow passenger_t avahi_t:file { read open };
allow passenger_t bluetooth_t:dir { getattr search };
allow passenger_t bluetooth_t:file { read open };
allow passenger_t consolekit_t:dir { getattr search };
allow passenger_t consolekit_t:file { read open };
allow passenger_t crond_t:dir { getattr search };
allow passenger_t crond_t:file { read open };
allow passenger_t dhcpc_t:dir { getattr search };
allow passenger_t dhcpc_t:file { read open };
allow passenger_t getty_t:dir { getattr search };
allow passenger_t getty_t:file { read open };
allow passenger_t gpm_t:dir { getattr search };
allow passenger_t gpm_t:file { read open };
allow passenger_t home_root_t:dir getattr;
allow passenger_t httpd_t:dir { getattr search };
allow passenger_t httpd_t:file { read open };
#!!!! The source type 'passenger_t' can write to a 'dir' of the following types: 
# passenger_log_t, passenger_tmp_t, passenger_var_lib_t, passenger_var_run_t
allow passenger_t httpd_tmpfs_t:dir { setattr read create write getattr rmdir remove_name open add_name }; #!!!! The source type 'passenger_t' can write to a 'file' of the following types: # puppet_var_lib_t, passenger_log_t, passenger_tmp_t, passenger_var_lib_t, passenger_var_run_t
allow passenger_t httpd_tmpfs_t:file { write getattr setattr create unlink open }; allow passenger_t httpd_tmpfs_t:sock_file { write create unlink getattr setattr }; 
allow passenger_t init_t:dir { getattr search };
allow passenger_t init_t:file { read open };
allow passenger_t init_t:unix_stream_socket { getattr ioctl };
allow passenger_t irqbalance_t:dir { getattr search };
allow passenger_t irqbalance_t:file { read open };
allow passenger_t kernel_t:dir { getattr search };
allow passenger_t kernel_t:file { read open };
allow passenger_t mcelog_t:dir { getattr search };
allow passenger_t mcelog_t:file { read open };
allow passenger_t mdadm_t:dir { getattr search };
allow passenger_t mdadm_t:file { read open };
allow passenger_t modemmanager_t:dir { getattr search };
allow passenger_t modemmanager_t:file { read open };
allow passenger_t mysqld_t:dir { getattr search };
allow passenger_t mysqld_t:file { read open };
allow passenger_t mysqld_t:unix_stream_socket connectto;
allow passenger_t mysqld_var_run_t:sock_file write;
allow passenger_t nfsd_t:dir { getattr search };
allow passenger_t nfsd_t:file { read open };
allow passenger_t ntpd_t:dir { getattr search };
allow passenger_t ntpd_t:file { read open };
allow passenger_t passenger_tmp_t:sock_file { write create unlink getattr setattr }; 
allow passenger_t policykit_t:dir { getattr search };
allow passenger_t policykit_t:file { read open };
allow passenger_t rpcbind_t:dir { getattr search };
allow passenger_t rpcbind_t:file { read open };
allow passenger_t rpcd_t:dir { getattr search };
allow passenger_t rpcd_t:file { read open };
allow passenger_t self:capability { sys_resource sys_ptrace };
#!!!! This avc can be allowed using the boolean 'allow_ypbind'

allow passenger_t self:tcp_socket listen;
allow passenger_t sendmail_t:dir { getattr search };
allow passenger_t sendmail_t:file { read open };
allow passenger_t setroubleshootd_t:dir { getattr search };
allow passenger_t setroubleshootd_t:file { read open };
allow passenger_t sshd_t:dir { getattr search };
allow passenger_t sshd_t:file { read open };
allow passenger_t syslogd_t:dir { getattr search };
allow passenger_t syslogd_t:file { read open };
allow passenger_t system_dbusd_t:dir { getattr search };
allow passenger_t system_dbusd_t:file { read open };
allow passenger_t systemd_logind_t:dir { getattr search };
allow passenger_t systemd_logind_t:file { read open };
allow passenger_t udev_t:dir { getattr search };
allow passenger_t udev_t:file { read open };
allow passenger_t unconfined_t:dir { getattr search };
allow passenger_t unconfined_t:file { read open };
allow passenger_t usr_t:file { execute execute_no_trans };
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux