SELinux issues (possibly since shellshock patch)

Added by Mark Moorcroft almost 10 years ago

[root@foo ~]# rpm -qa | grep ruby
ruby-libs-1.8.7.352-13.el6.x86_64
ruby-rdoc-1.8.7.352-13.el6.x86_64
ruby-devel-1.8.7.352-13.el6.x86_64
ruby-irb-1.8.7.352-13.el6.x86_64
rubygems-devel-1.3.7-5.el6.noarch
ruby-1.8.7.352-13.el6.x86_64
rubygems-1.3.7-5.el6.noarch

#> rails --version
/usr/lib/ruby/site_ruby/1.8/rubygems.rb:233:in `activate': can't activate rack (~> 1.4.5, runtime) for ["actionpack-3.2.16", "railties-3.2.16"], already activated rack-1.5.2 for ["rack-ssl-1.3.3", "railties-3.2.16"] (Gem::LoadError)
from /usr/lib/ruby/site_ruby/1.8/rubygems.rb:249:in `activate'
from /usr/lib/ruby/site_ruby/1.8/rubygems.rb:248:in `each'
from /usr/lib/ruby/site_ruby/1.8/rubygems.rb:248:in `activate'
from /usr/lib/ruby/site_ruby/1.8/rubygems.rb:249:in `activate'
from /usr/lib/ruby/site_ruby/1.8/rubygems.rb:248:in `each'
from /usr/lib/ruby/site_ruby/1.8/rubygems.rb:248:in `activate'
from /usr/lib/ruby/site_ruby/1.8/rubygems.rb:1082:in `gem'
from /usr/bin/rails:18

CentOS 6.5

mysql-server-5.1.73-3.el6_5.x86_64

sh: darcs: command not found
Environment:
Redmine version 2.4.2.stable
Ruby version 1.8.7-p352 (2011-06-30) [x86_64-linux]
Rails version 3.2.16
Environment production
Database adapter MySQL
SCM:
Subversion 1.6.11
Mercurial 1.4
Bazaar 2.1.1
Git 1.7.1
Filesystem
Redmine plugins:
no plugin installed

I can't confirm this, but I believe since the Shellshock patch was applied I am seeing a huge number of SELinux errors related to "ps" being run in the background and file context in /proc. Here is a small sample of what spits out if I open the Redmine page after starting Apache. Keep in mind the federal guidance requires a fairly verbose audit record, but the "denied" messages are new.


Oct 8 12:12:13 xxxxxxx audispd: node=xxxxxxx.foo.bar.gov type=SYSCALL msg=audit(1412795533.044:304): arch=c000003e syscall=92 success=yes exit=0 a0=7f73e034c5c0 a1=30 a2=30 a3=4d585858582e6775 items=1 ppid=2097 pid=2322 auid=1853945932 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="PassengerHelper" exe="/usr/lib/ruby/gems/1.8/gems/passenger-4.0.35/buildout/agents/PassengerHelperAgent" subj=unconfined_u:system_r:httpd_t:s0 key="perm_mod"
Oct 8 12:12:13 xxxxxxx audispd: node=xxxxxxx.foo.bar.gov type=CWD msg=audit(1412795533.044:304): cwd="/"
Oct 8 12:12:13 xxxxxxx audispd: node=xxxxxxx.foo.bar.gov type=PATH msg=audit(1412795533.044:304): item=0 name="/tmp/passenger.spawn-debug.XXXXMwk7LF" inode=114566 dev=08:02 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_tmp_t:s0 nametype=NORMAL
Oct 8 12:12:13 xxxxxxx audispd: node=xxxxxxx.foo.bar.gov type=EOE msg=audit(1412795533.044:304):
Oct 8 12:12:22 xxxxxxx audispd: node=xxxxxxx.foo.bar.gov type=AVC msg=audit(1412795542.929:305): avc: denied { fowner } for pid=2335 comm="chmod" capability=3 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
Oct 8 12:12:22 xxxxxxx audispd: node=xxxxxxx.foo.bar.gov type=AVC msg=audit(1412795542.929:305): avc: denied { fsetid } for pid=2335 comm="chmod" capability=4 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
<snip>
Oct 8 12:12:23 xxxxxxx audispd: node=xxxxxxx.foo.bar.gov type=AVC msg=audit(1412795543.280:316): avc: denied { write } for pid=2322 comm="PassengerHelper" path="[eventfd]" dev=anon_inodefs ino=4158 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
Oct 8 12:12:23 xxxxxxx audispd: node=xxxxxxx.foo.bar.gov type=SYSCALL msg=audit(1412795543.280:316): arch=c000003e syscall=1 success=yes exit=8 a0=a a1=7f73e034db90 a2=8 a3=48 items=0 ppid=2097 pid=2322 auid=1853945932 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="PassengerHelper" exe="/usr/lib/ruby/gems/1.8/gems/passenger-4.0.35/buildout/agents/PassengerHelperAgent" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
Oct 8 12:12:23 xxxxxxx audispd: node=xxxxxxx.foo.bar.gov type=EOE msg=audit(1412795543.280:316):
Oct 8 12:12:28 xxxxxxx audispd: node=xxxxxxx.foo.bar.gov type=AVC msg=audit(1412795548.010:317): avc: denied { getattr } for pid=2346 comm="ps" path="/proc/1" dev=proc ino=8710 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
Oct 8 12:12:28 xxxxxxx audispd: node=xxxxxxx.foo.bar.gov type=SYSCALL msg=audit(1412795548.010:317): arch=c000003e syscall=4 success=yes exit=0 a0=83c4d0 a1=34b9611ca0 a2=34b9611ca0 a3=83c4d6 items=1 ppid=2100 pid=2346 auid=1853945932 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="ps" exe="/bin/ps" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
Oct 8 12:12:28 xxxxxxx audispd: node=xxxxxxx.foo.bar.gov type=CWD msg=audit(1412795548.010:317): cwd="/"
Oct 8 12:12:28 xxxxxxx audispd: node=xxxxxxx.foo.bar.gov type=PATH msg=audit(1412795548.010:317): item=0 name="/proc/1" inode=8710 dev=00:03 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:init_t:s0 nametype=NORMAL
Oct 8 12:12:28 xxxxxxx audispd: node=xxxxxxx.foo.bar.gov type=EOE msg=audit(1412795548.010:317):
Oct 8 12:12:28 xxxxxxx audispd: node=xxxxxxx.foo.bar.gov type=AVC msg=audit(1412795548.017:318): avc: denied { search } for pid=2346 comm="ps" name="1" dev=proc ino=8710 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
Oct 8 12:12:28 xxxxxxx audispd: node=xxxxxxx.foo.bar.gov type=AVC msg=audit(1412795548.017:318): avc: denied { read } for pid=2346 comm="ps" name="stat" dev=proc ino=8758 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
Oct 8 12:12:28 xxxxxxx audispd: node=xxxxxxx.foo.bar.gov type=AVC msg=audit(1412795548.017:318): avc: denied { open } for pid=2346 comm="ps" name="stat" dev=proc ino=8758 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
Oct 8 12:12:28 xxxxxxx audispd: node=xxxxxxx.foo.bar.gov type=SYSCALL msg=audit(1412795548.017:318): arch=c000003e syscall=2 success=yes exit=5 a0=34b9611840 a1=0 a2=0 a3=0 items=1 ppid=2100 pid=2346 auid=1853945932 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="ps" exe="/bin/ps" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
Oct 8 12:12:28 xxxxxxx audispd: node=xxxxxxx.foo.bar.gov type=CWD msg=audit(1412795548.017:318): cwd="/"
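
An added example, not part of the original post: one way to triage a flood of records like the ones above is to group the AVC denials by command, source type, target type and object class, then pair each with the SYSCALL record that shares its event serial. The function names and the shortened sample are assumptions made for this sketch; a denial whose syscall still reports success=yes was logged but not blocked, which is consistent with permissive mode.

```python
import re
from collections import defaultdict

# Constructed sample: records shortened from the post (syslog prefix and unused fields dropped).
SAMPLE = '''\
type=AVC msg=audit(1412795542.929:305): avc: denied { fowner } for pid=2335 comm="chmod" capability=3 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1412795548.010:317): avc: denied { getattr } for pid=2346 comm="ps" path="/proc/1" dev=proc ino=8710 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=SYSCALL msg=audit(1412795548.010:317): arch=c000003e syscall=4 success=yes exit=0 pid=2346 comm="ps" exe="/bin/ps"
type=AVC msg=audit(1412795548.017:318): avc: denied { search } for pid=2346 comm="ps" name="1" dev=proc ino=8710 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1412795548.017:318): avc: denied { read } for pid=2346 comm="ps" name="stat" dev=proc ino=8758 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1412795548.017:318): avc: denied { open } for pid=2346 comm="ps" name="stat" dev=proc ino=8758 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1412795548.017:318): arch=c000003e syscall=2 success=yes exit=5 pid=2346 comm="ps" exe="/bin/ps"
'''

HEADER = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):')
AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}.*?comm="([^"]*)".*?'
                 r'scontext=(\S+) tcontext=(\S+) tclass=(\S+)')

def se_type(context):
    return context.split(":")[2]  # user:role:type:level -> type

def summarize(log_text):
    """Return [(key, perms, every_syscall_succeeded)], one row per denial group."""
    syscall_ok = {}  # event serial -> True/False from the SYSCALL record
    denials = defaultdict(lambda: {"perms": set(), "events": set()})
    for line in log_text.splitlines():
        head = HEADER.search(line)
        if not head:
            continue
        rtype, serial = head.groups()
        if rtype == "SYSCALL":
            m = re.search(r'\bsuccess=(yes|no)\b', line)
            if m:
                syscall_ok[serial] = m.group(1) == "yes"
        elif rtype == "AVC":
            avc = AVC.search(line)
            if avc:
                perms, comm, scon, tcon, tclass = avc.groups()
                key = (comm, se_type(scon), se_type(tcon), tclass)
                denials[key]["perms"].update(perms.split())
                denials[key]["events"].add(serial)
    # True only when every correlated SYSCALL record is present and succeeded.
    return [(k, sorted(denials[k]["perms"]),
             all(syscall_ok.get(s) is True for s in denials[k]["events"]))
            for k in sorted(denials)]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

The chmod group reports False only because its SYSCALL record falls in the snipped part of the log, so the outcome of that event is unknown rather than blocked.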