RedHat 7, Passenger 5.1.7, SELinux: AH00035: access to / denied


bdeter

Aug 5, 2017, 7:17:12 PM
to phusion-...@googlegroups.com
TLDR - having trouble with 5.1.7 and SELinux. Everything works if I run setenforce 0.

Ruby 2.3.4
Redhat 7.4
Passenger 5.1.7

With selinux on, I'm seeing this error in the logs:
AH00035: access to / denied (filesystem path '/webapps/<app>/<env>/current') because search permissions are missing on a component of the path

I checked that other has read and execute permission on the entire path. current is a link to releases/2017... as typical with Capistrano.

Various other things I saw people suggest that I don't really understand:

  ps auxwZ | grep 'Passenger core' | grep -v grep
  system_u:unconfined_r:unconfined_t:s0 root 22545 0.0  0.0 1223628 11952 ?      Sl   17:47   0:00 Passenger core

  semodule -l|grep passenger
  passenger 104.0

  ls -Z /usr/lib64/passenger/support-binaries/PassengerAgent
  -rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 /usr/lib64/passenger/support-binaries/PassengerAgent

  ps auxwZ | grep RubyApp | grep -v grep
  system_u:unconfined_r:unconfined_t:s0 deploy 31505 0.0  1.0 670328 176060 ?    Sl   18:09   0:00 Passenger RubyApp: qa


I then tried using the releases/2017... directory instead of the symbolically linked current. Then I got the error:

Passenger error #2

cannot stat config.ru

My config.ru is there with read permissions for everyone. Removing config.ru caused it to show the Redhat welcome page.

I then ran setenforce 0 and everything worked fine with or without the symbolic link.

So, I'm guessing this is an selinux issue but I thought 5.1.7 was supposed to include support for it per the Github issues.


Thank you very much for any help you can provide.
Brian



bdeter

Aug 7, 2017, 12:02:13 PM
to Phusion Passenger Discussions
Evidently running this is still required:

chcon -R -h -t httpd_sys_content_t /path-to-your-app

I thought 5.1 didn't require that based on this issue: https://github.com/phusion/passenger/issues/1486 but maybe I misread it. It would be great if the install instructions mentioned that, if it is still required.

Brian

Camden Narzt

Aug 8, 2017, 9:48:58 AM
to Phusion Passenger Discussions
Running chcon like that shouldn't be required. As you saw, the PassengerAgent has the correct label, so issue 1486 is not the problem. And the Passenger Core process is unconfined, so that shouldn't be your problem either.

You didn't mention how you were running Passenger: with apache, nginx or standalone.

bdeter

Aug 8, 2017, 9:52:20 AM
to Phusion Passenger Discussions
I'm running it using Apache. I'm setting up another similar server and haven't gotten to the chcon part yet, so if you can suggest something else to look at, I am happy to.

Thanks
Brian

Camden Narzt

Aug 8, 2017, 9:54:41 AM
to Phusion Passenger Discussions
Ok please run ls -lZad . in each dir in the path to your app (both the symlink path and the real path).

bdeter

Aug 8, 2017, 10:41:01 AM
to Phusion Passenger Discussions
All directories prior to running chcon are:

drwxrwxr-x. deploy deploy unconfined_u:object_r:default_t:s0

Files other than a few sensitive ones are:

-rw-r--r--. deploy deploy unconfined_u:object_r:default_t:s0

The symlink itself is:

lrwxrwxrwx. deploy deploy unconfined_u:object_r:default_t:s0 ./current


Thanks
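
The per-directory label check discussed above, as an added example that is not part of the original thread: `flag_labels` filters `ls -Zd` output for components labelled `default_t`, the type the listing above shows before `chcon`. The sample lines, the `releases/EXAMPLE` name and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag path components by SELinux type.

# Constructed sample in the RHEL 7 `ls -lZd` layout quoted in the thread;
# "releases/EXAMPLE" is a placeholder release directory.
SAMPLE='drwxr-xr-x. root root system_u:object_r:root_t:s0 /
drwxrwxr-x. deploy deploy unconfined_u:object_r:default_t:s0 /webapps
drwxrwxr-x. deploy deploy unconfined_u:object_r:default_t:s0 /webapps/appname/production
lrwxrwxrwx. deploy deploy unconfined_u:object_r:default_t:s0 /webapps/appname/production/current -> releases/EXAMPLE
drwxr-xr-x. deploy deploy unconfined_u:object_r:httpd_sys_content_t:s0 /webapps/appname/production/releases/EXAMPLE/public'

# Read `ls -Zd` lines on stdin; print "type path" for every entry whose
# SELinux type is in the space-separated list $1 (default: default_t).
flag_labels() {
    awk -v bad="${1:-default_t}" '
    BEGIN { n = split(bad, b, " "); for (i = 1; i <= n; i++) suspect[b[i]] = 1 }
    {
        # The context is the user:role:type:level field; the name follows it.
        for (i = 1; i < NF; i++) {
            if (split($i, c, ":") >= 4 && c[2] == "object_r") {
                if (c[3] in suspect) print c[3], $(i + 1)
                break
            }
        }
    }'
}

# Print an absolute path and each of its parent directories up to /.
ancestors() {
    p=$1
    while [ "$p" != "/" ] && [ "$p" != "." ]; do
        printf '%s\n' "$p"
        p=$(dirname "$p")
    done
    printf '/\n'
}

# Live check: label every component of both the path as given (symlink kept)
# and its resolved real path, then filter. Paths with spaces are not handled.
check_path() {
    for p in "$1" "$(readlink -f "$1")"; do
        ancestors "$p" | while read -r d; do ls -Zd "$d"; done
    done | flag_labels "${2:-default_t}" | sort -u
}

printf '%s\n' "$SAMPLE" | flag_labels default_t
```

On a live host, `check_path /webapps/<app>/<env>/current/public` applies the same filter to every component of both the symlinked and the resolved path. A `chcon` relabel is not recorded in the policy's file-context rules, so a later `restorecon` or full relabel reverts it; `semanage fcontext -a -t httpd_sys_content_t '/path-to-your-app(/.*)?'` followed by `restorecon -R /path-to-your-app` makes it persistent.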

Camden Narzt

Aug 8, 2017, 10:47:25 AM
to Phusion Passenger Discussions

bdeter

Aug 8, 2017, 10:54:20 AM
to Phusion Passenger Discussions
I'm not setting it explicitly, but config.ru is owned by the deploy user so auto-detection should find it. I will reproduce the issue on the new server, then try setting it explicitly to see if it has any effect.

bdeter

Aug 8, 2017, 11:27:52 AM
to Phusion Passenger Discussions
Adding an explicit PassengerUser deploy did not help.

One note: we are using PassengerAppGroupName so we can run multiple subdomains out of the same directory.


So our virtual host looks like:

  DocumentRoot /webapps/appname/production/current/public
  RailsEnv customer1
  PassengerAppGroupName "customer1"

Camden Narzt

Aug 8, 2017, 12:28:08 PM
to Phusion Passenger Discussions
Just a heads-up: RailsEnv is an alias for the PassengerAppEnv (https://www.phusionpassenger.com/library/config/apache/reference/#passengerappenv) option for setting the RAILS_ENV, RACK_ENV, WSGI_ENV, NODE_ENV, and PASSENGER_APP_ENV environment variables. Since customer1 is an unusual value to set them to, you may be looking for the SetEnv option (http://httpd.apache.org/docs/2.4/mod/mod_env.html#setenv).

In the meantime I'll try and reproduce your issue.

bdeter

Aug 8, 2017, 12:36:30 PM
to phusion-...@googlegroups.com
We have one folder with our code for production: /webapps/appname/production. Then we have one virtual host for each client which uses a subdomain. Each customer has its own RailsEnv. So customer1.appname.com and customer2.appname.com go to RailsEnv customer1 and customer2, but share the code. The goal is to have completely separate processes for each customer without needing a separate copy of the code for each one. My understanding from 5+ years ago when we first set this up is that we need PassengerAppGroupName set so Passenger doesn't try to use the directory name to determine the environment.

Thanks for looking into this.

Camden Narzt

Aug 8, 2017, 2:05:23 PM
to Phusion Passenger Discussions
When you install passenger do you see the following message?

Installing Passenger SELinux policy for the targeted variant
libsemanage.semanage_direct_install_info: Overriding passenger module at lower priority 100 with module at priority 400.


Camden Narzt

Aug 8, 2017, 5:25:09 PM
to Phusion Passenger Discussions
I'm not able to reproduce this issue unfortunately.

bdeter

Aug 8, 2017, 5:57:46 PM
to Phusion Passenger Discussions
I don't have any logs from installing it. I tried to follow https://www.phusionpassenger.com/library/install/apache/install/oss/el7/ exactly.

bdeter

Aug 8, 2017, 5:58:28 PM
to Phusion Passenger Discussions
Ok, well thanks for looking. Maybe someone else will hit this and give you more data.