SELinux with passenger/puppet
Submitted by kacy on
I tried to install Passenger to serve the puppetmaster application on my network.
The installation was easy, but running httpd under SELinux was pretty hard; I found a solution — creating an SELinux module — on this website.
I completed it with an additional rule allowing sock_file write. The result is below (file puppet_passenger.te):
# puppet_passenger.te -- local SELinux policy module that lets Apache (httpd_t)
# run Passenger and serve the puppetmaster out of puppet_var_lib_t / puppet_log_t.
# Built with the reference-policy devel Makefile (see the make line below the listing).
module puppet_passenger 1.10;

# Types, classes and permissions this module references but does not define;
# every allow rule below must only use what is declared here.
require {
    type bin_t;
    type devpts_t;
    type httpd_t;
    type passenger_t;
    type passenger_tmp_t;
    type puppet_log_t;
    type puppet_var_lib_t;
    type port_t;
    type proc_net_t;
    type rpm_var_lib_t;
    class process { getattr siginh setexec sigchld noatsecure transition rlimitinh };
    class unix_stream_socket { getattr accept read write };
    class capability { sys_resource sys_ptrace };
    class file { entrypoint open create relabelfrom relabelto getattr setattr read write append ioctl lock rename link unlink };
    class lnk_file { getattr read };
    class udp_socket name_bind;
    class sock_file write;
    class dir { create getattr setattr add_name remove_name search open read write ioctl lock rmdir };
}

#============= httpd_t ==============
# The one rule added on top of the original module: Passenger's socket under
# passenger_tmp_t must be writable by Apache.
allow httpd_t passenger_tmp_t:sock_file write;
# NOTE(review): port_t is the generic (unreserved) port type, so this permits
# binding any such UDP port; if the port in use is known, a dedicated port type
# would be tighter -- confirm against the original AVC denial.
allow httpd_t port_t:udp_socket name_bind;
allow httpd_t proc_net_t:file { read getattr open };
allow httpd_t rpm_var_lib_t:dir { search getattr };
allow httpd_t rpm_var_lib_t:file open;
# entrypoint on bin_t plus the passenger_t -> httpd_t transition further down
# look like Passenger spawning the application into httpd_t via a bin_t
# executable -- presumably; verify with the denials that motivated the rule.
allow httpd_t bin_t:file entrypoint;
allow httpd_t passenger_t:process sigchld;
allow httpd_t passenger_t:unix_stream_socket { getattr accept read write };
# Reference-policy interfaces for the puppet lib, log and pid locations.
puppet_manage_lib(httpd_t)
puppet_search_log(httpd_t)
puppet_search_pid(httpd_t)
allow httpd_t puppet_log_t:dir { setattr };
allow httpd_t puppet_log_t:file { setattr };
allow httpd_t puppet_var_lib_t:dir { create rmdir };
# relabelfrom/relabelto lets httpd change the label of files under
# puppet_var_lib_t; this is a file-context change, not just content access.
allow httpd_t puppet_var_lib_t:file { relabelfrom relabelto };

#============= passenger_t ==============
allow passenger_t devpts_t:dir search;
# Allows a passenger_t process to transition into httpd_t (inheriting signal
# state and rlimits, without the AT_SECURE reset).
allow passenger_t httpd_t:process { siginh rlimitinh transition noatsecure };
# NOTE(review): sys_ptrace is a powerful capability (inspecting other processes);
# worth confirming from the audit log that it is genuinely required and not a
# side effect of the broad state-read interface below.
allow passenger_t self:capability { sys_resource sys_ptrace };
allow passenger_t self:process setexec;
# Lets passenger_t read and signal httpd_t processes (ps-style access).
ps_process_pattern(passenger_t, httpd_t)
# NOTE(review): this grants read access to the /proc state of every domain on
# the system, much broader than the httpd_t-only pattern above; if the denials
# only involved httpd_t it may be droppable -- TODO confirm.
domain_read_all_domains_state(passenger_t)
And to compile it:
# Run in the directory holding puppet_passenger.te; the devel Makefile builds the
# loadable puppet_passenger.pp from it (install with: semodule -i puppet_passenger.pp).
make -f /usr/share/selinux/devel/Makefile