Apache, Passenger, And Selinux


I seem to have quieted some, but I’m still getting noise from SELinux. Here’s one that really puzzles me: my users have a ruby app with passenger running. However, one of the sealerts gives me:
sealert -l 5a02b0a1-8512-4f71-b1c8-70a40b090a9d
SELinux is preventing /bin/chmod from using the fowner capability.

***** Plugin catchall_boolean (89.3 confidence) suggests

If you want to allow Apache to run in stickshift mode, not transition to passenger
Then you must tell SELinux about this by enabling the ‘httpd_run_stickshift’ boolean.You can read ‘httpd_selinux’ man page for more details.
Do
setsebool -P httpd_run_stickshift 1

Is there a boolean I’m missing, or are they doing something wrong? Clues for the poor appreciated.


5 thoughts on - Apache, Passenger, And Selinux

  • Daniel J Walsh wrote:

    I have not. The reason I’m asking is that I was thinking that it *did* want to transition to passenger, and was hoping for a clue as to why it was doing this, rather than make the transition. I’ve asked the lead developer, who had no clue.

    The original lead developer left early this year, IIRC.


  • Daniel J Walsh wrote:

    I just tried. I’m on CentOS 6.3, and get
    semanage fcontext -a -t passenger_exec_t
    libsepol.context_from_record: type passenger_exec_t is not defined (No such file or directory).
    libsepol.context_from_record: could not create context structure (Invalid argument).
    libsemanage.validate_handler: invalid context system_u:object_r:passenger_exec_t:s0 specified for /opt/ruby/lib/ruby/gems/1.8/gems/passenger-3.0.15/bin/* [all files] (Invalid argument).
    libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
    /usr/sbin/semanage: Could not commit semanage transaction