CentOS 7 SELinux + Apache 2.4 + (RVM) Passenger 5.0.28: Cannot connect to Unix socket


Lawrence Matacena

May 12, 2016, 7:55:47 PM
to Phusion Passenger Discussions
I'm not great on SELinux. To get Passenger to work, I pulled the policy files from the source rpm, adjusted the paths, and installed it. The contexts are applied without issue to what I assume are the required locations. I cloned the server and installed it via rpm and it appears to work. I compared policies and file/directory contexts on both and I can't seem to find any differences other than the location of the PassengerAgent. On the non-working system, I noticed that the support-binaries directory is filled with files and the working system just has the PassengerAgent. I attempted to change the context of all the files to no avail. I'm sure it's something simple that I'm missing. Below are the errors along with the audit log and audit2allow parse. Can anyone point me in the right direction?

Thanks!

http/error_log
[ 2016-05-12 19:21:12.6305 6393/7f312ffe3840 apa/Hooks.cpp:703 ]: Unexpected error in mod_passenger: Cannot connect to Unix socket '/var/run/passenger-instreg/passenger.vSsitaI/agents.s/core': Permission denied (errno=13)
 
Backtrace:
     in 'int Passenger::connectToServer(const Passenger::StaticString&, const char*, unsigned int)' (IOUtils.cpp:459)
     in 'Passenger::FileDescriptor Hooks::connectToCore()' (Hooks.cpp:273)
     in 'int Hooks::handleRequest(request_rec*)' (Hooks.cpp:574)

audit.log
type=AVC msg=audit(1463086165.859:1916): avc:  denied  { connectto } for  pid=2103 comm="httpd" path="/run/passenger-instreg/passenger.qmmDv0T/agents.s/core" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1463086165.859:1916): arch=c000003e syscall=42 success=no exit=-13 a0=19 a1=7ffe28d726d0 a2=6e a3=6 items=1 ppid=2045 pid=2103 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=SOCKADDR msg=audit(1463086165.859:1916): saddr=01002F7661722F72756E2F70617373656E6765722D696E73747265672F70617373656E6765722E716D6D447630542F6167656E74732E732F636F7265000000009027D728FE7F0000DDE564B91A7F00000027D728CB0100006028D728FE7F00006028D728FE7F0000DB02B2B91A7F
type=CWD msg=audit(1463086165.859:1916):  cwd="/"
type=PATH msg=audit(1463086165.859:1916): item=0 name="/var/run/passenger-instreg/passenger.qmmDv0T/agents.s/core" inode=25082 dev=00:14 mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passenger_instance_httpd_socket_t:s0 nametype=NORMAL
type=PROCTITLE msg=audit(1463086165.859:1916): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44

audit2allow -R
require {
        type httpd_t;
}


#============= httpd_t ==============
unconfined_stream_connect(httpd_t)
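The audit records above carry more than audit2allow shows: the SOCKADDR and PROCTITLE fields are hex-encoded, and the denial is checked against the domain of the process listening on the socket (tcontext=unconfined_t), not against the label of the socket file (passenger_instance_httpd_socket_t), which is why relabelling files did not help. The following Python script is an added example, not code from the post or from Passenger. It decodes the records quoted above (embedded as constructed sample input), groups them by audit serial, and prints a triage summary that flags an unconfined peer domain; the field names it produces and the wording of the findings are its own.

```python
"""Decode and triage SELinux AVC denials like the Passenger one quoted above."""
import re
from typing import Dict, List, Optional

# Constructed sample input: four of the audit records quoted in the post above
# (saddr and proctitle hex copied from it; the SYSCALL and CWD records are omitted).
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1463086165.859:1916): avc:  denied  { connectto } for  pid=2103 comm="httpd" path="/run/passenger-instreg/passenger.qmmDv0T/agents.s/core" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket permissive=0',
    'type=SOCKADDR msg=audit(1463086165.859:1916): saddr=01002F7661722F72756E2F70617373656E6765722D696E73747265672F70617373656E6765722E716D6D447630542F6167656E74732E732F636F7265000000009027D728FE7F0000DDE564B91A7F00000027D728CB0100006028D728FE7F00006028D728FE7F0000DB02B2B91A7F',
    'type=PATH msg=audit(1463086165.859:1916): item=0 name="/var/run/passenger-instreg/passenger.qmmDv0T/agents.s/core" inode=25082 dev=00:14 mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passenger_instance_httpd_socket_t:s0 nametype=NORMAL',
    'type=PROCTITLE msg=audit(1463086165.859:1916): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')       # the "{ connectto }" permission set
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')   # audit(<epoch>:<serial>)
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')
AF_UNIX = 1


def parse_record(line: str) -> Dict[str, object]:
    """Split one audit record into a dict of its key=value fields."""
    fields: Dict[str, object] = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = PERMS_RE.search(line)
    if m:
        fields['perms'] = m.group(1).split()
    return fields


def split_context(ctx: str) -> Dict[str, str]:
    """user:role:type[:level] -> dict; maxsplit=3 keeps MLS ranges like s0:c0.c1023 whole."""
    parts = ctx.split(':', 3)
    while len(parts) < 4:
        parts.append('')
    return dict(zip(('user', 'role', 'type', 'level'), parts))


def decode_unix_saddr(hex_saddr: str) -> Optional[str]:
    """saddr is a hex-encoded struct sockaddr; return sun_path when the family is AF_UNIX."""
    raw = bytes.fromhex(hex_saddr)
    if int.from_bytes(raw[:2], 'little') != AF_UNIX:
        return None
    # sun_path is NUL-terminated; whatever follows the NUL is leftover buffer content.
    return raw[2:].split(b'\0', 1)[0].decode('utf-8', 'replace')


def decode_proctitle(value: str) -> List[str]:
    """proctitle is hex-encoded (NUL-separated argv) whenever the command line has spaces."""
    if HEX_RE.match(value):
        return [a.decode('utf-8', 'replace') for a in bytes.fromhex(value).split(b'\0') if a]
    return [value]


def assess(summary: Dict[str, object]) -> List[str]:
    """Defender-side reading of a unix_stream_socket connectto denial."""
    findings: List[str] = []
    if summary.get('tclass') == 'unix_stream_socket' and 'connectto' in summary.get('denied', []):
        if summary.get('target_type') == 'unconfined_t':
            findings.append('listening process runs as unconfined_t, i.e. it never entered a '
                            'confined domain; fixing that transition is narrower than allowing '
                            'httpd_t to connect to every unconfined_t socket')
        if summary.get('file_label') and summary['file_label'] != summary.get('target_type'):
            findings.append('connectto is checked against the peer process domain (%s), not the '
                            'socket file label (%s); relabelling the file alone cannot fix it'
                            % (summary.get('target_type'), summary['file_label']))
    return findings


def summarize_events(lines: List[str]) -> List[Dict[str, object]]:
    """Group records by audit serial and reduce each event to one triage summary."""
    events: Dict[str, List[Dict[str, object]]] = {}
    for line in lines:
        rec = parse_record(line)
        m = MSG_RE.search(str(rec.get('msg', '')))
        if m:
            events.setdefault(m.group(2), []).append(rec)
    summaries: List[Dict[str, object]] = []
    for serial, records in events.items():
        s: Dict[str, object] = {'serial': serial}
        for rec in records:
            kind = rec.get('type')
            if kind == 'AVC':
                s['denied'] = rec.get('perms', [])
                s['source_type'] = split_context(str(rec['scontext']))['type']
                s['target_type'] = split_context(str(rec['tcontext']))['type']
                s['tclass'] = rec.get('tclass')
                s['enforcing'] = rec.get('permissive') == '0'
            elif kind == 'SOCKADDR':
                s['socket_path'] = decode_unix_saddr(str(rec['saddr']))
            elif kind == 'PATH':
                s['file_label'] = split_context(str(rec['obj']))['type']
            elif kind == 'PROCTITLE':
                s['cmdline'] = decode_proctitle(str(rec['proctitle']))
        s['findings'] = assess(s)
        summaries.append(s)
    return summaries


if __name__ == '__main__':
    for event in summarize_events(SAMPLE_AUDIT_LINES):
        for key, value in event.items():
            print('%-12s %s' % (key, value))
```

Run it as-is to see the decoded socket path and argv for the quoted event; feed it lines from `ausearch -m AVC --raw` on a live host to triage real denials the same way.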



Daniel Knoppel

May 13, 2016, 12:12:52 AM
to Phusion Passenger Discussions
Is there any specific reason why you don't want to use the RPM install method on the server?

Did you see the RPM build tutorial in the Passenger RPM automation project?

- Daniel

Lawrence Matacena

May 13, 2016, 1:07:23 AM
to Phusion Passenger Discussions
I currently require multiple versions of ruby and RVM is what I'm using to manage that. The RPM method does not have the version(s) I need. I saw the Passenger RPM automation project but I didn't look too much into it. I think the same or similar issues would apply especially since the RPM packages would have strict dependencies. Am I mistaken?

Daniel Knoppel

May 13, 2016, 1:33:53 AM
to Phusion Passenger Discussions
I'm not sure I understand what you're saying. Passenger can use any Ruby install to run your apps if you configure the passenger_ruby option.

Passenger itself has a lightweight internal dependency on Ruby, which is why the packaging probably refers to it, but that doesn't have anything to do with what you want your apps to be on other than being the default if you don't specify anything.

- Daniel

Lawrence Matacena

May 13, 2016, 4:02:56 PM
to phusion-...@googlegroups.com
Ugh. I guess you're right. I'll probably begrudgingly do that. I haven't been thinking lately. My thoughts were basically to try to keep the system as clean as I can, as I'm not going to be using that Ruby/Gem version and it's just another thing to manage, however minimally. On top of that, I don't want there to be any headaches regarding apps using the system/RPM Ruby vs the RVM Rubies. I had a conflict issue like that recently that I had to sort out.

That being said, in regards to my original question, I don't understand why there's still an SELinux issue.

Edit: I added the "unconfined_stream_connect(httpd_t)" line to the passenger.te file and it appears to work. I just don't know what that may do or if I can somehow make that more secure or specific to passenger contexts.

Hongli Lai

May 31, 2016, 11:43:32 PM
to phusion-passenger
The PassengerAgent must be compiled with the 'USE_SELINUX' macro,
otherwise it won't properly activate the right SELinux domain. This is
needed in addition to installing the policy.

Our RPMs take care of this automatically. But if you build from source
then you have to do this yourself.

On Fri, May 13, 2016 at 10:02 PM, Lawrence Matacena
<lmat...@stopforschools.com> wrote:
> Ugh. I guess you're right. I'll probably begrudgingly do that. I haven't
> been thinking lately. My thoughts were basically to try to keep the system
> as clean as I can. As I'm not going to be using that Ruby/Gem version and
> it's just another thing to manage, however minimally. On top of that, I
> don't want there to be any headaches regarding apps using the system/RPM
> Ruby vs the RVM Rubies. I had a conflict issue like that recently that I had
> to sort out.
>
> That being said, in regards to my original question, I don't understand why
> there's still an SELinux issue.



--
Phusion B.V. | Web Application deployment, scaling, and monitoring solutions

Web: http://www.phusion.nl/
E-mail: in...@phusion.nl
Chamber of commerce no: 63501007 (The Netherlands)

Lawrence Matacena

Jun 2, 2016, 6:59:53 PM
to Phusion Passenger Discussions
Thanks a lot! Although it was working the way I had it, I wanted to do it the right way.

In case others are interested, I did the following and it appears to be working smoothly and "properly". Don't forget to install the policy.

export USE_SELINUX=yes
passenger-install-apache2-module

Is there a reason this isn't included in the install script instead of just a warning and recommendation to use the rpm?

Hongli Lai

Jun 3, 2016, 3:34:17 AM
to phusion-passenger
On Fri, Jun 3, 2016 at 12:59 AM, Lawrence Matacena
<lmat...@stopforschools.com> wrote:
> Thanks a lot! Although it was working with the way I had it I wanted to do
> it the right way.
>
> In case others are interested, I did the following and it appears to be
> working smoothly and "properly". Don't forget to install the policy.
>
> export USE_SELINUX=yes
> passenger-install-apache2-module
>
> Is there a reason this isn't included in the install script instead of just
> a warning and recommendation to use the rpm?

It is because the USE_SELINUX-related code was specifically written to
be used in combination with the SELinux policy files that we supply in
the RPMs. The option by itself is not useful.