On 12/28/2010 09:15 PM, Dominick Grift wrote:
> On 12/28/2010 09:06 PM, Frank Licea wrote:
>> I just realised that the server is using a Ruby Enterprise edition
>> installation. Which means that
>> the ruby installation was downloaded as a .tar file and installed using an
>> install script to the path /opt/ruby-enterprise-1.8.7-2010.02/
>
>> Thus everything in my $RUBY_HOME/bin is labelled system_u:object_r:bin_t:s0
>
> you could try labelling "ApplicationPoolServerExecutable"
> passenger_exec_t but to be honest i do not think this will be enough (i
> don't think the policy supports the enterprise edition). This may also
> explain the /proc issue. Who knows what other "features" the enterprise
> edition supports.
>
> So i guess you find yourself in a bit of a sticky situation here.
> You could write policy for your enterprise edition yourself. After all
> Selinux is a framework that allows you to do so, but you will have to
> know a bit about the matter to be able to implement it, just like one
> needs to know a bit about netfilter and iptables to open or forward some
> network port.
>
> I want to help you implement a policy but it isn't easy for me either as
> i haven't much experience with ruby on rails and its files.
>
> Can you enclose a list with all the file locations included with your
> passenger enterprise package?

so i am just asking for a list of file locations and *not* for the package.

<rant>
i've written policy for the default passenger over and over again, now that that's finally supported in Fedora 14, the enterprise version comes along. I think these guys at passenger should (have) collaborate with the selinux community to make sure their "shed" works with enterprise linux....
</rant>

>> This includes $RUBY_HOME/bin/passenger. That explains why httpd is not
>> running in the passenger domain.
>
>> Should I attempt to relabel these files myself?
>
>> This still doesn't explain the /proc access.
>
>> I've attempted to look up the name of the process ID in the AVC denial
>> messages but that process doesn't seem to show up using a `ps -ef` or
>> looking for it in htop. It must be exiting quickly.
>
>
>> On Tue, Dec 28, 2010 at 12:45 PM, Dominick Grift <domg472@xxxxxxxxx> wrote:
>
>> On 12/28/2010 08:34 PM, Frank Licea wrote:
>>>>> Daniel:
>>>>>
>>>>> I'm using Fedora 14.
>>>>>
>>>>> To answer Dominick's questions:
>>>>>
>>>>> 1) Why is passenger running in the httpd domain?
>>>>> I don't know. I've only followed the passenger installation instructions
>>>>> at http://mifo.sk/posts/passenger-selinux-for-fedora/ minus step 5 since
>>>>> Fedora 14 is supposed to have passenger policies installed? Should httpd be
>>>>> in a special passenger domain?
>
>> I think fedora 14 has a special passenger policy installed but it looks
>> like it's not working on your system (note looks) since it seems to still
>> run in the httpd_t domain.
>
>>>>> 2) is passenger running some webapp that for some reason needs to read the
>>>>> state file in /proc of some process that runs in the unconfined_t domain?
>>>>> No I don't think so. At least I haven't written any code where I use
>>>>> anything in /proc.
>>>>> I suppose it is possible that a GEM library may be trying to.
>
>> Why would it? can you reproduce this issue. Does it only happen if you
>> restart httpd manually? I guess it does..
>
>>>>> 3) does this issue cause any loss of functionality in enforcing mode
>>>>> I haven't checked yet. I will let you know soon.
>>>>>
>
>> See if it works when ignoring this.
>
>>>>> 4. are you sure passenger and/or the passenger webapp is configured
>>>>> correctly?
>>>>> I have as far as following the instructions in the blog post above. I
>>>>> wonder if there
>>>>> is any relabelling I have to do?
>
>> I think this issue happens when the httpd server gets restarted manually
>> (service httpd restart/stop/start etc) not sure though.
>
>> can you ls -alZ /path/to/passenger executable file?
>
>> It should be labelled type: passenger_exec_t
>
>> httpd should domain transition to the passenger_t domain when it runs
>> the passenger executable file (files with type passenger_exec_t)
>
>> seems that doesn't happen but even if it did, passenger still wouldn't be
>> able to read unconfined_t state files in /proc (not sure why it would
>> need to either)
>
>
>>>>>
>>>>> 2010/12/28 Daniel J Walsh <dwalsh@xxxxxxxxxx>
>>>>>
>>>>> On 12/26/2010 05:25 PM, Jorge Fábregas wrote:
>>>>>>>> On Sunday, December 26, 2010 05:25:22 pm Dominick Grift wrote:
>>>>>>>>> is trying to read the state files in /proc for some unconfined_t
>>>>>>>>> process
>>>>>>>>
>>>>>>>> Never thought of /proc. That explains why I found it weird to see a file
>>>>>>>> labeled as unconfined_t.
>>>>>>>>
>>>>>>>> Frank: disregard my previous suggestion >:)
>>>>>>>>
>>>>>>>> --
>>>>>>>> Jorge
>>>>>>>> --
>>>>>>>> selinux mailing list
>>>>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>> What OS/Version are you seeing this in?
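The check Dominick asks for above (run `ls -alZ` on the passenger executable and expect `passenger_exec_t`; anything else, such as the `bin_t` on the Ruby Enterprise files, means httpd_t never transitions to passenger_t) can be scripted over `ls -Z` output. This is an added example, not code from the thread or from the passenger or SELinux projects; the `ls -Z` lines it reads are constructed, the `/usr/bin/passenger-example` entry and its label are assumed, and the relabel commands are only printed for review, never executed.

```shell
#!/bin/sh
# Constructed sample of `ls -Z` output (security context, then path) for the
# Ruby Enterprise install discussed in the thread. The passenger_exec_t line
# is an assumed, already-correct entry included for contrast.
SAMPLE_LS_Z='system_u:object_r:bin_t:s0 /opt/ruby-enterprise-1.8.7-2010.02/bin/passenger
system_u:object_r:bin_t:s0 /opt/ruby-enterprise-1.8.7-2010.02/bin/ruby
system_u:object_r:passenger_exec_t:s0 /usr/bin/passenger-example'

# find_mislabelled EXPECTED_TYPE NAME_PATTERN   (reads ls -Z lines on stdin)
# Prints "actual_type path" for every path containing NAME_PATTERN whose
# SELinux type (third field of user:role:type:level) is not EXPECTED_TYPE.
find_mislabelled() {
    expected=$1
    pattern=$2
    while read -r ctx path; do
        case "$path" in
            *"$pattern"*) ;;      # candidate executable, check its type
            *) continue ;;        # unrelated file, skip
        esac
        actual=$(printf '%s\n' "$ctx" | cut -d: -f3)
        [ "$actual" = "$expected" ] || printf '%s %s\n' "$actual" "$path"
    done
}

# relabel_commands EXPECTED_TYPE NAME_PATTERN   (reads ls -Z lines on stdin)
# Emits, without running them, the persistent file-context rule plus the
# restorecon that would apply EXPECTED_TYPE to each mislabelled path, so the
# result can be reviewed before touching the system.
relabel_commands() {
    find_mislabelled "$1" "$2" | while read -r _actual path; do
        printf "semanage fcontext -a -t %s '%s'\n" "$1" "$path"
        printf 'restorecon -v %s\n' "$path"
    done
}

# Stand-alone run: show what would need relabelling for the sample listing.
printf '%s\n' "$SAMPLE_LS_Z" | relabel_commands passenger_exec_t passenger
```

On a real host, replace the sample with `ls -Z /opt/ruby-enterprise-1.8.7-2010.02/bin/*` and confirm afterwards with `ps -eZ` that a fresh httpd restart actually lands passenger in passenger_t.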