Miroslav Grepl wrote:
> On 11/29/2012 08:00 PM, m.roth at 5-cent.us wrote:
>> Daniel J Walsh wrote:
>>> On 11/28/2012 04:22 PM, m.roth at 5-cent.us wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 11/28/2012 03:18 PM, m.roth at 5-cent.us wrote:
>>>>>> I seem to have quieted some, but I'm still getting noise from
>>>>>> selinux. Here's one that really puzzles me: my users have a ruby
>>>>>> app with passenger running. However, one of the sealerts gives me:
>>>>>> sealert -l 5a02b0a1-8512-4f71-b1c8-70a40b090a9d
>>>>>> SELinux is preventing /bin/chmod from using the fowner capability.
>>>>>>
>>>>>> ***** Plugin catchall_boolean (89.3 confidence) suggests *******************
>>>>>>
>>>>>> If you want to allow Apache to run in stickshift mode, not transition
>>>>>> to passenger Then you must tell SELinux about this by enabling the
>>>>>> 'httpd_run_stickshift' boolean.
>>>>>> You can read 'httpd_selinux' man page for more details.
>>>>>> Do setsebool -P httpd_run_stickshift 1 <...>
>>>>>>
>>>>>> Is there a boolean I'm missing, or are they doing something wrong?
>>>>>> Clues for the poor appreciated.
>>>>>>
>>>>> Have you turned on this boolean? And did it quiet the AVC's.
>>>> I have not. The reason I'm asking is that I was thinking that it *did*
>>>> want to transition to passenger, and was hoping for a clue as to why
>>>> it was doing this, rather than make the transition. I've asked the lead
>>>> developer, who had no clue.
>>>>
>>>> The original lead developer left early this year, IIRC.
>>>>
>>> I am not sure. Of course are the passenger programs properly labeled as
>>> passenger_exec_t?
>> I just tried. I'm on CentOS 6.3, and get
>> semanage fcontext -a -t passenger_exec_t "/opt/ruby/lib/ruby/gems/1.8/gems/passenger-3.0.15/bin/*"
>> libsepol.context_from_record: type passenger_exec_t is not defined (No such file or directory).
>> libsepol.context_from_record: could not create context structure (Invalid argument).
>> libsemanage.validate_handler: invalid context system_u:object_r:passenger_exec_t:s0 specified for /opt/ruby/lib/ruby/gems/1.8/gems/passenger-3.0.15/bin/* [all files] (Invalid argument).
>> libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
>> /usr/sbin/semanage: Could not commit semanage transaction
>>
> What does
>
> # rpm -q selinux-policy
selinux-policy-3.7.19-155.el6_3.8.noarch
>
> # seinfo -t |grep passenger
>
Nothing.
mark