1

Passenger: selinux issues

asked 2013-07-18 06:50:35 -0500

ethrbunny

updated 2013-07-19 12:14:45 -0500

Attempting to install Passenger with Puppet v3.2 on CentOS 6.4. Installation goes fine but apache won't start due to selinux errors as follows:

[Wed Jul 17 14:55:27 2013] [error] *** Passenger could not be initialized because
of this error: Unable to start the Phusion Passenger watchdog because it
encountered the following error during startup: Cannot change the directory
'/var/tmp/passenger/passenger.1.0.14081/generation-0/buffered_uploads' 
its UID to 48 and GID to 48: Operation not permitted (errno=1)

I fixed the first round of selinux issues (various permission denied) by using chcon but since ... (more)


Comments

Please include the title of the page with the instructions that you used, and then we can Google it and post the link on your behalf.

GregLarkin ( 2013-07-18 15:37:17 -0500 )

"running-puppet-master-under-apache-and-passenger" from 'tokiwinter.com'

ethrbunny ( 2013-07-18 16:42:57 -0500 )

Here is the direct link: http://www.tokiwinter.com/running-puppet-master-under-apache-and-passenger/ I don't know too much about selinux, but I'll have a look at that page tomorrow to see ...(more)

GregLarkin ( 2013-07-18 17:39:16 -0500 )

It wouldn't matter if you used a wildcard - passenger creates a new folder every time you (re)start apache.

ethrbunny ( 2013-07-19 07:50:38 -0500 )

I meant if there was a way to whitelist a directory name that follows a pattern like /var/tmp/passenger/passenger.[\d].[\d].[\d]+/generation-0/buffered_uploads. I'll look at ...(more)

GregLarkin ( 2013-07-19 09:08:33 -0500 )

3 Answers

2

answered 2013-07-21 09:02:46 -0500

riffraff169

You could even create a policy to allow what you want. Shut down passenger, puppet, and stuff, setenforce 0, then start it. Everything should succeed. Then shut down, and create a policy from the audit messages:

    cat /var/log/audit/audit.log|audit2allow

Will show you what needs to be added. You can create your own module from there. Or, the easy way which may contain stuff you don't want, which is from the man page of audit2allow:

    cat /var/log/audit/audit.log | audit2allow -M local
    semodule -i local.pp

There are other ways of doing this that allow you ... (more)

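A way to review what `audit2allow -M local` would permit before loading it, narrowed to denials from the web server's domain. This is an added example, not part of the answer above or of any project it mentions; the audit records are constructed, and `httpd_t` as Apache's domain and the helper names `avc_filter` and `avc_summary` are assumptions.

```bash
# Constructed audit records for illustration (not from the asker's host).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1374087327.101:510): avc:  denied  { chown } for  pid=14081 comm="PassengerWatchd" capability=0 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1374087327.102:511): avc:  denied  { setattr } for  pid=14081 comm="PassengerWatchd" name="buffered_uploads" dev=dm-0 ino=2231 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1374087390.200:530): avc:  denied  { read } for  pid=2200 comm="ntpd" name="drift" dev=dm-0 ino=991 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1374087327.101:510): arch=c000003e syscall=92 success=no exit=-1 comm="PassengerWatchd"
type=AVC msg=audit(1374087401.300:540): avc:  denied  { chown } for  pid=14120 comm="PassengerWatchd" capability=0 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
EOF
}

# avc_filter DOMAIN: keep AVC denials whose source domain is DOMAIN
# (third colon-separated field of scontext), dropping unrelated services.
avc_filter() {
  awk -v dom="$1" '
    $1 == "type=AVC" && /avc:[ ]+denied/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^scontext=/) { split($i, c, ":"); if (c[3] == dom) print }
    }'
}

# avc_summary: collapse denials into "count source target:class { perms }",
# i.e. the distinct permissions a generated module would have to allow.
avc_summary() {
  awk '{
      perm = $0; sub(/.*denied[ ]+[{] /, "", perm); sub(/ [}].*/, "", perm)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) split($i, s, ":")
        if ($i ~ /^tcontext=/) split($i, t, ":")
        if ($i ~ /^tclass=/)   cls = substr($i, 8)
      }
      n[s[3] " " t[3] ":" cls " { " perm " }"]++
    }
    END { for (k in n) print n[k], k }' | sort
}

# Review first; httpd_t is assumed to be the domain Apache runs in.
sample_audit_log | avc_filter httpd_t | avc_summary
# On the real host, once the summary looks right:
#   avc_filter httpd_t < /var/log/audit/audit.log | audit2allow -M local
```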
1

answered 2013-07-19 09:28:49 -0500

GregLarkin

I found some information on this SELinux documentation page describing the semanage fcontext command. In the section labeled "Changing a Directory and its Contents Types", there are examples of using the command to match a directory name specified by a regular expression.

As long as SELinux allows a policy to match file/directory names that haven't been created at the time the policy is created, I would expect that to work.


Comments

So far no luck. I did the two steps from the RedHat page and restarted apache but I'm still getting the error about UID/GID unable to set. I ...(more)

ethrbunny ( 2013-07-19 10:07:55 -0500 )

Edited original question to include detail

ethrbunny ( 2013-07-19 12:15:02 -0500 )
1

answered 2013-07-19 10:27:55 -0500

GregLarkin

updated 2013-07-19 12:31:11 -0500

Can you post the output of "ls -laR /var/tmp/passenger"? I also found this (http://code.google.com/p/phusion-passenger/issues/detail?id=222#c23) which points to some problems caused by the tmpwatch cron job on RHEL/CentOS.

Also, please try these steps:

  • Shut down Apache
  • Run the commands:

    chown -R apache:apache /var/tmp/passenger

    chmod -R g+ws /var/tmp/passenger

  • Restart Apache and check for the same error message as before

I'm trying to figure out if the ownership/perms were somehow corrupted outside of the context of Apache/Passenger or if it happens ... (more)


Comments

[Wed Jul 17 13:24:10 2013] [error] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog (/usr/lib/ruby/gems/1.8 ...(more)

ethrbunny ( 2013-07-19 16:05:02 -0500 )


Stats

Asked: 2013-07-18 06:50:35 -0500

Seen: 2,263 times

Last updated: Jul 21 '13