Problems with passenger selinux policy from rpm installation in CentOS7


Veli-Pekka Kestilä

Jun 30, 2015, 5:19:42 AM6/30/15
to phusion-...@googlegroups.com

Hi,

I had to do some fixing to get the policy from the rpm file working, but with the following changes it seems to at least start and do some simple serving.

Changes to passenger.te:
Remove:
 - filetrans_pattern(unconfined_t, passenger_instance_content_t, passenger_instance_httpd_socket_t, { sock_file }, "server")
Add:
 - filetrans_pattern(unconfined_t, passenger_instance_content_t, passenger_instance_httpd_socket_t, { sock_file }, "core")
 - filetrans_pattern(unconfined_t, passenger_instance_content_t, passenger_instance_httpd_socket_t, { lnk_file }, "server")
 - allow httpd_t unconfined_t:unix_stream_socket connectto;

Changes to passenger.fc:
Remove:
 - /var/run/passenger-instreg/[a-zA-Z0-9\-\.]+/agents.s/server       -s   gen_context(system_u:object_r:passenger_instance_httpd_socket_t,s0)
Add:
 - /var/run/passenger-instreg/[a-zA-Z0-9\-\.]+/agents.s/core   -s   gen_context(system_u:object_r:passenger_instance_httpd_socket_t,s0)
 - /var/run/passenger-instreg/[a-zA-Z0-9\-\.]+/agents.s/server -l   gen_context(system_u:object_r:passenger_instance_httpd_socket_t,s0)


Also, the following lines don't do anything and should probably be removed:
 - /var/run/passenger-instreg/[a-zA-Z0-9\-\.]+/config_files\.txt     --   gen_context(system_u:object_r:passenger_instance_httpd_file_t,s0)
 - /var/run/passenger-instreg/[a-zA-Z0-9\-\.]+/control_process\.pid  --   gen_context(system_u:object_r:passenger_instance_httpd_file_t,s0)
 - /var/run/passenger-instreg/[a-zA-Z0-9\-\.]+/web_server\.txt       --   gen_context(system_u:object_r:passenger_instance_httpd_file_t,s0)

The important thing was to allow httpd_t to connect to the unconfined socket, as the connection is tested against the label of the creating process and not the label of the socket. (Which is mildly annoying.)
Also, there has been a change to move the socket into a file named core and make server a logical link to it, so the file contexts need to be fixed to reflect this.

A bigger change would be to make PassengerAgent run in passenger_t and only transfer to unconfined_t or to passenger_app_t when launching an application. Right now that means quite a lot of allow statements, as PassengerAgent seems to open many different files and directories all over the place.

Hope this helps someone wanting to use selinux with passenger. The policy should also work with gem passenger if extracted from the rpm and given the correct path to the PassengerAgent, and with adding configuration to the instance registry or fixing the policy paths to use private tmp in CentOS7/newer fedoras.

Greetings,
-vpk

Hongli Lai

Jun 30, 2015, 6:09:13 AM6/30/15
to phusion-passenger
Thank you for reporting this. We'll fix this in the RPMs as soon as possible.

Unfortunately, due to limitations in our CI process, this problem was
not caught earlier. :(



--
Phusion B.V. | Web Application deployment, scaling, and monitoring solutions

Web: http://www.phusion.nl/
E-mail: in...@phusion.nl
Chamber of commerce no: 63501007 (The Netherlands)

Veli-Pekka Kestilä

Jun 30, 2015, 11:56:02 PM6/30/15
to phusion-...@googlegroups.com, hon...@phusion.nl


On Tuesday, June 30, 2015 at 1:09:13 PM UTC+3, Hongli Lai wrote:
> Thank you for reporting this. We'll fix this in the RPMs as soon as possible.
>
> Unfortunately, due to limitations in our CI process, this problem was
> not caught earlier. :(



Not a problem. I just decided to report after I got it working. As I mentioned, I am not totally happy that the PassengerAgent is run as unconfined, but it seems to touch a lot of places, which makes it harder to make a clean policy for it. Maybe I will take a crack at it later. Is there an easy way to run PassengerAgent with strace on?

-vpk 

Hongli Lai

Jul 1, 2015, 3:29:35 AM7/1/15
to Veli-Pekka Kestilä, phusion-passenger
On Wed, Jul 1, 2015 at 5:56 AM, Veli-Pekka Kestilä <vpke...@gmail.com> wrote:
> Not a problem. Just decided to report after I got it working. As I mentioned
> I am totally happy that the PassengerAgent is run as unconfined, but it
> seems to touch a lot of places which makes it harder to make clean policy
> for it.

That would be a bit hard. One of PassengerAgent's job is to spawn
application processes as arbitrary users
(https://www.phusionpassenger.com/documentation/Users%20guide%20Nginx.html#user_switching).
So I'm not sure whether confining PassengerAgent in its current state
is useful. A true confinement would require an architectural change,
e.g. splitting the spawning responsibility to its own process that
runs in its own domain. But that would open up new security
challenges, such as how to prevent a hijacked PassengerAgent from
telling the spawner to run an arbitrary command.

> Maybe I will take crack at it later. Is there easy way to run
> PassengerAgent with strace on?

You can run PassengerAgent standalone. Run it with --help to learn how.

But I've found using setroubleshoot and reading the AVC logs to be an
easier way of finding out how to write a policy.

By the way, the issue has been fixed in Git. We'll release asap.

john prewitt

Aug 21, 2015, 11:01:01 AM8/21/15
to Phusion Passenger Discussions


On Tuesday, June 30, 2015 at 5:19:42 AM UTC-4, Veli-Pekka Kestilä wrote:

> Hope this helps someone wanting to use selinux with passenger. The policy should also work with gem passenger if extracted from rpm and given correct path to the PassengerAgent and with adding configuration to instance registry or fixing the policy paths to use private tmp in CentOS7/newer fedoras.


Is it possible to get a quick outline of how to install the policy if you installed passenger via gem? I extracted the .te and .fc files from github, but am having some issues compiling the policy:


> checkmodule -m -M passenger.te -o passenger.mod
passenger.te:1:ERROR 'Building a policy module, but no module specification found.
' at token 'policy_module' on line 1:

I'm on Red Hat Enterprise Linux Server release 7.1 (Maipo)

Thanks

Hongli Lai

Aug 21, 2015, 11:22:14 AM8/21/15
to phusion-passenger
On Fri, Aug 21, 2015 at 5:01 PM, john prewitt <jpre...@gmail.com> wrote:
> Is it possible to get a quick outline of how to install the policy if you
> installed passenger via gem? I extracted the .te and .fc file from github,
> but am having some issues compiling the policy:
>
>
>> checkmodule -m -M passenger.te -o passenger.mod
> passenger.te:1:ERROR 'Building a policy module, but no module specification
> found.
> ' at token 'policy_module' on line 1:
>
> I'm on Red Hat Enterprise Linux Server release 7.1 (Maipo)

No quick outline, but take a look at how we do it in the RPM:

https://github.com/phusion/passenger_rpm_automation/blob/0e8a8c0ad6902b9c7be5b71d7c0dfbcd1515cdda/specs/passenger/passenger.spec.erb#L230-L238
https://github.com/phusion/passenger_rpm_automation/blob/0e8a8c0ad6902b9c7be5b71d7c0dfbcd1515cdda/specs/passenger/passenger.spec.erb#L295-L300
https://github.com/phusion/passenger_rpm_automation/blob/0e8a8c0ad6902b9c7be5b71d7c0dfbcd1515cdda/specs/passenger/passenger.spec.erb#L329-L334
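For readers following this thread, here is an added build-and-load script (not from the RPM spec or from either poster) that covers both the edited passenger.te/passenger.fc from the first message and the checkmodule error above: a .te that begins with policy_module() uses refpolicy m4 macros (policy_module, gen_context, filetrans_pattern), which checkmodule does not expand, so such a file must be built through the Makefile shipped by the selinux-policy-devel package. It assumes passenger.te and passenger.fc sit in the current directory and that selinux-policy-devel is installed.

```shell
#!/bin/sh
# Added example, not part of the thread or of the Passenger RPM spec.
# Assumption: selinux-policy-devel provides /usr/share/selinux/devel/Makefile.
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile

# Refpolicy-style modules start with policy_module(name, version). checkmodule
# only understands the expanded module language, which is why it fails at the
# token 'policy_module'; those files must go through the devel Makefile.
te_is_refpolicy_module() {
    grep -Eq '^[[:space:]]*policy_module[[:space:]]*\(' "$1"
}

# Build <name>.pp from <name>.te and <name>.fc in the current directory.
build_policy_module() {
    name=$1
    if ! te_is_refpolicy_module "$name.te"; then
        # Plain module language: checkmodule + semodule_package is enough.
        checkmodule -m -M -o "$name.mod" "$name.te" || return 1
        semodule_package -o "$name.pp" -m "$name.mod" -f "$name.fc"
        return
    fi
    if [ ! -f "$DEVEL_MAKEFILE" ]; then
        echo "missing $DEVEL_MAKEFILE: install selinux-policy-devel" >&2
        return 1
    fi
    make -f "$DEVEL_MAKEFILE" "$name.pp"
}

# Load the module, then relabel an existing instance registry so the
# sock_file/lnk_file contexts from passenger.fc apply to files already there.
install_policy_module() {
    semodule -i "$1.pp" || return 1
    if [ -d /var/run/passenger-instreg ]; then
        restorecon -Rv /var/run/passenger-instreg
    fi
}

# Usage: ./build-passenger-policy.sh passenger
if [ -n "${1:-}" ]; then
    build_policy_module "$1" && install_policy_module "$1"
fi
```

After loading, `ls -Z` on agents.s/core and agents.s/server should show passenger_instance_httpd_socket_t; if not, the .fc regex did not match the real path.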