Issues with Apache + Passenger + SELinux on RedHat 5 Enterprise

esox_ch

Aug 18, 2009, 4:49:26 PM
to Phusion Passenger Discussions
Hello,

I am currently trying to get Passenger to work on RH5 and it seems that
Passenger does weird stuff on startup. Therefore I can only start
Apache with SELinux turned off (which I do not want to do).

There are several minimal issues with the status.socket created in
/tmp/ which cannot be accessed (usually Apache shouldn't do it). This
can safely be resolved with the PassengerTempDir parameter. By means of
that parameter one can define a new temp dir (for instance
/var/www/passenger/tmp) owned by Passenger's user and used only by Passenger.
It would then be (from my point of view) safe to authorize Apache
to access the sockets in this new directory.

Anyway ... The more serious issue comes from an access Passenger is
trying to do as root. Here is the report I'm getting:
----
Summary:

SELinux is preventing the http daemon from reading users' home directories.

Detailed Description:

SELinux has denied the http daemon access to users' home directories.
Someone is attempting to access your home directories via your http daemon.
If you have not setup httpd to share home directories, this probably signals
a intrusion attempt.

Allowing Access:

If you want the http daemon to share home directories you need to turn on the
httpd_enable_homedirs boolean: "setsebool -P httpd_enable_homedirs=1"

---
The following command will allow this access:

setsebool -P httpd_enable_homedirs=1

Additional Information:

Source Context user_u:system_r:httpd_t
Target Context root:object_r:user_home_dir_t
Target Objects ./root [ dir ]
Source mkdir
Source Path /bin/mkdir
Port <Unknown>
Host localhost.localdomain
Source RPM Packages coreutils-5.97-19.el5
Target RPM Packages filesystem-2.4.0-2
Policy RPM selinux-policy-2.4.6-203.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name httpd_enable_homedirs
Host Name localhost.localdomain
Platform Linux localhost.localdomain
2.6.18-128.el5 #1 SMP
Wed Dec 17 11:42:39 EST 2008 i686 i686
Alert Count 5
First Seen Tue 18 Aug 2009 10:29:11 PM CEST
Last Seen Tue 18 Aug 2009 10:29:11 PM CEST
Local ID e468b763-b1d1-4e32-905e-0beb5e506745
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1250627351.583:3008):
avc: denied { read } for pid=20857 comm="mkdir" name="root"
dev=dm-0 ino=2271361 scontext=user_u:system_r:httpd_t:s0
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1250627351.583:3008):
arch=40000003 syscall=5 success=no exit=-13
a0=804d8ce a1=8000 a2=0 a3=8000 items=0 ppid=20852 pid=20857 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2
comm="mkdir" exe="/bin/mkdir" subj=user_u:system_r:httpd_t:s0 key=(null)


Of course it would be possible to use "setsebool -P
httpd_enable_homedirs=1" command, but this would be unsafe for obvious
reasons.

Does anybody know if there is a way to keep SELinux in charge and make
Passenger work? Or at least is it a known issue ? Because it's a pity
not to be able to use Passenger because of a security concern :(

Thanks a lot for your help

Best regards
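
Added example, not part of the original post: a small Python parser that joins the AVC and SYSCALL records quoted above by their shared audit event id, so the denial can be read as one fact (which executable, under which uid and SELinux domain, was refused which permission on which object type). The function names are illustrative; the two records are copied from the post with the e-mail line wraps rejoined.

```python
import re
from collections import defaultdict

# The two raw audit records from the post, with the e-mail line wraps rejoined.
RECORDS = [
    'host=localhost.localdomain type=AVC msg=audit(1250627351.583:3008): '
    'avc: denied { read } for pid=20857 comm="mkdir" name="root" '
    'dev=dm-0 ino=2271361 scontext=user_u:system_r:httpd_t:s0 '
    'tcontext=root:object_r:user_home_dir_t:s0 tclass=dir',
    'host=localhost.localdomain type=SYSCALL msg=audit(1250627351.583:3008): '
    'arch=40000003 syscall=5 success=no exit=-13 a0=804d8ce a1=8000 a2=0 '
    'a3=8000 items=0 ppid=20852 pid=20857 auid=500 uid=0 gid=0 euid=0 suid=0 '
    'fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="mkdir" '
    'exe="/bin/mkdir" subj=user_u:system_r:httpd_t:s0 key=(null)',
]

EVENT_ID = re.compile(r'msg=audit\((\d+\.\d+:\d+)\)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def parse_record(line):
    """Return (event_id, fields) for one audit record line."""
    event = EVENT_ID.search(line)
    if not event:
        raise ValueError("no audit event id in record")
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    perms = PERMS.search(line)
    if perms:  # only AVC records carry a permission set
        fields["result"], fields["perms"] = perms.group(1), perms.group(2).split()
    return event.group(1), fields

def summarize_denials(lines):
    """Join records that share an event id and describe each AVC denial."""
    events = defaultdict(dict)
    for line in lines:
        event_id, fields = parse_record(line)
        events[event_id][fields["type"]] = fields
    denials = []
    for event_id, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if avc and avc.get("result") == "denied":
            denials.append({
                "event": event_id, "perms": avc["perms"],
                "domain": avc["scontext"].split(":")[2],
                "target_type": avc["tcontext"].split(":")[2],
                "tclass": avc["tclass"], "name": avc.get("name"),
                "exe": sc.get("exe"), "euid": sc.get("euid"), "auid": sc.get("auid"),
            })
    return denials
```

For the records above, `summarize_denials(RECORDS)` yields a single denial: `/bin/mkdir` with euid 0 (login uid 500) in domain `httpd_t`, refused `read` on a `dir` named `root` labelled `user_home_dir_t`.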

Hongli Lai

Aug 18, 2009, 7:39:52 PM
to phusion-...@googlegroups.com
On Tue, Aug 18, 2009 at 10:49 PM, esox_ch<stefano...@gmail.com> wrote:
> Does anybody know if there is a way to keep SELinux in charge and make
> Passenger work? Or at least is it a known issue ? Because it's a pity
> not to be able to use Passenger because of a security concern :(

It's not really a security problem. It's more like a conflict with the
SELinux policies.

Unfortunately SELinux is so incredibly complex that few people
understand it. If anybody can contribute proper SELinux support or
tell me what Phusion Passenger is supposed to do to make it play nice
with the default policies, then that would be greatly appreciated.

--
Phusion | The Computer Science Company

Web: http://www.phusion.nl/
E-mail: in...@phusion.nl
Chamber of commerce no: 08173483 (The Netherlands)

Steven Jenkins

Aug 18, 2009, 8:59:16 PM
to phusion-...@googlegroups.com
Hongli Lai wrote:
> On Tue, Aug 18, 2009 at 10:49 PM, esox_ch<stefano...@gmail.com> wrote:
>> Does anybody know if there is a way to keep SELinux in charge and make
>> Passenger work? Or at least is it a known issue ? Because it's a pity
>> not to be able to use Passenger because of a security concern :(
>
> It's not really a security problem. It's more like a conflict with the
> SELinux policies.
>
> Unfortunately SELinux is so incredibly complex that few people
> understand it. If anybody can contribute proper SELinux support or
> tell me what Phusion Passenger is supposed to do to make it play nice
> with the default policies, then that would be greatly appreciated.
>

I'll see if one of our engineers can give some suggestions. We regularly run
Passenger + SELinux.

Steven Jenkins
End Point Corporation

esox_ch

Aug 19, 2009, 3:29:28 AM
to Phusion Passenger Discussions
On Aug 19, 1:39 am, Hongli Lai <hon...@phusion.nl> wrote:
> It's not really a security problem. It's more like a conflict with the
> SELinux policies.
>

Hello, I'm not really sure about that. Correct me if I'm wrong but the
fact that SELinux blocks Passenger's access to /root is not due to
SELinux's mis-configuration. Passenger shouldn't try to access such a
folder as there is nothing it could need in it.
I'm not sure but perhaps that access is caused by the fact suEXEC is
used (at least it's what I guess looking at the logs). Anyway, if
someone here has more experience with SELinux than I do (shouldn't be
too hard :D ), please tell me where I'm wrong.

Thanks a lot

Hongli Lai

Aug 19, 2009, 6:43:15 AM
to phusion-...@googlegroups.com
On Wed, Aug 19, 2009 at 9:29 AM, esox_ch<stefano...@gmail.com> wrote:
> Hello, I'm not really sure about that. Correct me if I'm wrong but the
> fact that SELinux blocks Passenger's access to /root is not due to
> SELinux's mis-configuration. Passenger shouldn't try to access such
> folder as there is nothing it could need in it.

Phusion Passenger doesn't access /root by default. Do you have any
configuration options which reference /root?

esox_ch

Aug 19, 2009, 11:52:25 AM
to Phusion Passenger Discussions
On Aug 19, 12:43 pm, Hongli Lai <hon...@phusion.nl> wrote:

> Phusion Passenger doesn't access /root by default. Do you have any
> configuration options which reference /root?

No, I just have the default config

esox_ch

Aug 19, 2009, 7:21:57 PM
to Phusion Passenger Discussions
Hello

I may have figured it out because now it's working. In order to be able
to exactly describe what the configuration is, I'd like to reset all
the policies and other SELinux stuff to their default (I tried so
many different things I'm not sure which config is now running). Is it
enough to just relabel the system or do I need to do anything else?

Thanks a lot