I'm on a fresh install of Fedora 14 and using phusion passenger. I currently have SELinux in permissive mode.
When I checked my /var/log/audit/audit.log file I noticed three denial messages and I can't figure out why they are there. Has anyone encountered anything similar before?
==========================
type=AVC msg=audit(1293393237.358:102): avc: denied { search } for pid=3451 comm="ps" name="3279" dev=proc ino=9320 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1293393237.358:102): avc: denied { read } for pid=3451 comm="ps" name="stat" dev=proc ino=9816 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1293393237.358:102): avc: denied { open } for pid=3451 comm="ps" name="stat" dev=proc ino=9816 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
==========================
On Sunday, December 26, 2010 04:00:56 pm Frank Licea wrote:
I'm on a fresh install of Fedora 14 and using phusion passenger. I currently have SELinux in permissive mode.
When I checked my /var/log/audit/audit.log file I noticed three denial messages and I can't figure out why they are there. Has anyone encountered anything similar before?
It seems Apache (httpd_t) is trying to open/read some files that are labeled incorrectly.
Apache (httpd_t) usually can only read files labeled as httpd_sys_content_t. In your case, the files are labeled as "unconfined_t".
Usually you don't have this problem if you serve your pages from anywhere within the standard location (/var/www/html). If you're serving from another non-standard location, you must tell SELinux about it. For example, if you're using /srv/myweb,
you'll need to register this location with:
semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
and then apply the labels:
restorecon -R /srv/myweb
HTH, Jorge
On Sun, Dec 26, 2010 at 01:00:56PM -0700, Frank Licea wrote:
I'm on a fresh install of Fedora 14 and using phusion passenger. I currently have SELinux in permissive mode.
I am not a passenger expert, but it looks from the denials that httpd_t (probably passenger or a passenger app?) is trying to read the state files in /proc for some unconfined_t process (which in this instance was probably pid 3279).
There are a few questions that I have:
1. Why is passenger running in the httpd_t domain? (I thought Fedora implemented a passenger domain for passenger to run in.)
2. Is passenger running some webapp that for some reason needs to read the state file in /proc of some process that runs in the unconfined_t domain?
3. Does this issue cause any loss of functionality in enforcing mode?
4. Are you sure passenger and/or the passenger webapp is configured correctly?
Again, I am not a Ruby user, but I am guessing it's some interpreter thingy? If that's the case, then I guess it could be the code it's interpreting that causes this? Maybe that code somehow depends on a user application or somehow interacts with a user application?
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
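An added triage helper (example code, not written by anyone in this thread) that parses the three AVC records Frank posted and makes Dominick's point visible: the target carries dev=proc, so the "unconfined_t file" is a /proc entry whose label is inherited from the owning process rather than a file on disk. The function names are my own; the sample records are copied from the original post.

```shell
#!/bin/sh
# Triage helper for SELinux AVC denials (added example, not from the thread).
# Reads audit.log-style "type=AVC ..." records on stdin and prints one summary
# line per record. A target with dev=proc is a /proc entry: its label is the
# domain of the process that owns /proc/<pid>, not a file label on disk, which
# is why httpd_t appears to be touching an "unconfined_t file" here.

# avc_field RECORD KEY: print the value of KEY=value in RECORD (quotes stripped).
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD: print the permission(s) inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\(.*[^ ]\) *}.*/\1/p'
}

# avc_proc_target RECORD: if RECORD is a denial on a /proc/<pid> directory,
# print <pid> (the process whose domain supplied the target label); otherwise
# print nothing. The first record from the thread yields 3279.
avc_proc_target() {
    case "$(avc_field "$1" dev)/$(avc_field "$1" tclass)/$(avc_field "$1" name)" in
        proc/dir/[0-9]*) avc_field "$1" name ;;
    esac
}

# avc_summary: read AVC records on stdin, print one triage line per record.
avc_summary() {
    while IFS= read -r rec; do
        case $rec in *type=AVC*) ;; *) continue ;; esac
        stype=$(avc_field "$rec" scontext | cut -d: -f3)   # source domain
        ttype=$(avc_field "$rec" tcontext | cut -d: -f3)   # target type
        if [ "$(avc_field "$rec" dev)" = proc ]; then
            note="procfs: label comes from the owning process, not from a file on disk"
        else
            note="on-disk object"
        fi
        printf 'pid=%s comm=%s denied=%s %s -> %s %s name=%s [%s]\n' \
            "$(avc_field "$rec" pid)" "$(avc_field "$rec" comm)" "$(avc_perms "$rec")" \
            "$stype" "$ttype" "$(avc_field "$rec" tclass)" "$(avc_field "$rec" name)" "$note"
    done
}

# Sample input: the three records from the original post, embedded here so the
# script runs offline.
SAMPLE_AVC='type=AVC msg=audit(1293393237.358:102): avc: denied { search } for pid=3451 comm="ps" name="3279" dev=proc ino=9320 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1293393237.358:102): avc: denied { read } for pid=3451 comm="ps" name="stat" dev=proc ino=9816 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1293393237.358:102): avc: denied { open } for pid=3451 comm="ps" name="stat" dev=proc ino=9816 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file'

# Demo run; on a real host feed it live records, e.g. ausearch -m avc -ts recent | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

The first line of the summary names pid 3451 (comm="ps") searching /proc/3279, which is the process Dominick guessed at; the two stat denials are the follow-up reads of /proc/3279/stat.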
On Sunday, December 26, 2010 05:25:22 pm Dominick Grift wrote:
is trying to read the state files in /proc for some unconfined_t process
Never thought of /proc. That explains why I found it weird to see a file labeled as unconfined_t.
Frank: disregard my previous suggestion >:)
-- Jorge
On 12/26/2010 05:25 PM, Jorge Fábregas wrote:
Never thought of /proc. That explains why I found it weird to see a file labeled as unconfined_t.
What OS/Version are you seeing this in?
Daniel:
I'm using Fedora 14.
To answer Dominick's questions:
1) Why is passenger running in the httpd domain?
I don't know. I've only followed the passenger installation instructions at http://mifo.sk/posts/passenger-selinux-for-fedora/ minus step 5, since Fedora 14 is supposed to have passenger policies installed? Should httpd be in a special passenger domain?
2) Is passenger running some webapp that for some reason needs to read the state file in /proc of some process that runs in the unconfined_t domain?
No, I don't think so. At least I haven't written any code where I use anything in /proc. I suppose it is possible that a GEM library may be trying to.
3) Does this issue cause any loss of functionality in enforcing mode?
I haven't checked yet. I will let you know soon.
4) Are you sure passenger and/or the passenger webapp is configured correctly?
I have as far as following the instructions in the blog post above. I wonder if there is any relabelling I have to do?
2010/12/28 Daniel J Walsh dwalsh@redhat.com
What OS/Version are you seeing this in?
On 12/28/2010 08:34 PM, Frank Licea wrote:
Daniel:
I'm using Fedora 14.
To answer Dominick's questions:
- Why is passenger running in the httpd domain?
I don't know. I've only followed the passenger installation instructions at http://mifo.sk/posts/passenger-selinux-for-fedora/ minus step 5, since Fedora 14 is supposed to have passenger policies installed? Should httpd be in a special passenger domain?
I think Fedora 14 has a special passenger policy installed, but it looks like it's not working on your system (note: looks) since it seems to still run in the httpd_t domain.
- Is passenger running some webapp that for some reason needs to read the state file in /proc of some process that runs in the unconfined_t domain?
No, I don't think so. At least I haven't written any code where I use anything in /proc. I suppose it is possible that a GEM library may be trying to.
Why would it? Can you reproduce this issue? Does it only happen if you restart httpd manually? I guess it does..
- Does this issue cause any loss of functionality in enforcing mode?
I haven't checked yet. I will let you know soon.
See if it works when ignoring this.
- Are you sure passenger and/or the passenger webapp is configured correctly?
I have as far as following the instructions in the blog post above. I wonder if there is any relabelling I have to do?
I think this issue happens when the httpd server gets restarted manually (service httpd restart/stop/start etc.), not sure though.
Can you ls -alZ /path/to/passenger executable file?
It should be labelled type: passenger_exec_t
httpd should domain transition to the passenger_t domain when it runs the passenger executable file (files with type passenger_exec_t).
Seems that doesn't happen, but even if it did, passenger still wouldn't be able to read unconfined_t state files in /proc (not sure why it would need to either).
I just realised that the server is using a Ruby Enterprise Edition installation, which means that the Ruby installation was downloaded as a .tar file and installed using an install script to the path /opt/ruby-enterprise-1.8.7-2010.02/
Thus everything in my $RUBY_HOME/bin is labelled system_u:object_r:bin_t:s0
This includes $RUBY_HOME/bin/passenger. That explains why httpd is not running in the passenger domain.
Should I attempt to relabel these files myself?
This still doesn't explain the /proc access.
I've attempted to look up the name of the process ID in the AVC denial messages, but that process doesn't seem to show up using `ps -ef` or looking for it in htop. It must be exiting quickly.
On Tue, Dec 28, 2010 at 12:45 PM, Dominick Grift domg472@gmail.com wrote:
On 12/28/2010 09:06 PM, Frank Licea wrote:
I just realised that the server is using a Ruby Enterprise Edition installation, which means that the Ruby installation was downloaded as a .tar file and installed using an install script to the path /opt/ruby-enterprise-1.8.7-2010.02/
Thus everything in my $RUBY_HOME/bin is labelled system_u:object_r:bin_t:s0
You could try labelling "ApplicationPoolServerExecutable" passenger_exec_t, but to be honest I do not think this will be enough (I don't think the policy supports the enterprise edition). This may also explain the /proc issue. Who knows what other "features" the enterprise edition supports.
So I guess you find yourself in a bit of a sticky situation here. You could write policy for your enterprise edition yourself. After all, SELinux is a framework that allows you to do so, but you will have to know a bit about the matter to be able to implement it, just like one needs to know a bit about netfilter and iptables to open or forward some network port.
I want to help you implement a policy, but it isn't easy for me either as I haven't much experience with Ruby on Rails and its files.
Can you enclose a list with all the file locations included with your passenger enterprise package?
On 12/28/2010 09:15 PM, Dominick Grift wrote:
Can you enclose a list with all the file locations included with your passenger enterprise package?
So I am just asking for a list of file locations and *not* for the package.
<rant> I've written policy for the default passenger over and over again; now that that's finally supported in Fedora 14, the enterprise version comes along. I think these guys at passenger should (have) collaborate(d) with the SELinux community to make sure their "shed" works with enterprise Linux.... </rant>
dwalsh: looks like Fedora's passenger policy only works for passenger 2.*
Recently it seems version 3.* was released, which introduced some major changes, causing the Fedora policy for passenger to completely break.
I started work on a version 3 compatible policy, but it is not advancing at all:
http://fedorapeople.org/gitweb?p=domg472/public_git/ruby.git;a=summary
Also, to Miroslav: I noticed you have designed the current policy for passenger with /var/lib/passenger as the webapp document root. I am of the opinion, however, that passenger/RoR webapps should be labelled httpd_sys/user/*_script_exec_t just like any other webapp.
On 12/31/2010 10:36 PM, Dominick Grift wrote:
I started work on a version 3 compatible policy, but it is not advancing at all:
http://fedorapeople.org/gitweb?p=domg472/public_git/ruby.git;a=summary
I have already added some support for the version 3 to F13/RHEL6 policy. I will add it also to F14/F15 policy.
Generally I work with "passenger guys" on SELinux policy.
Also I am planning to talk with Michal Fojtik to update his blog.
Also, to Miroslav: I noticed you have designed the current policy for passenger with /var/lib/passenger as the webapp document root. I am of the opinion, however, that passenger/RoR webapps should be labelled httpd_sys/user/*_script_exec_t just like any other webapp.
On 01/03/2011 07:59 AM, Miroslav Grepl wrote:
I have already added some support for the version 3 to F13/RHEL6 policy. I will add it also to F14/F15 policy.
Well, actually the fixes are already in the latest F14/F15 policy.
But I just treat everything with the passenger_t domain; I will look at your policy.