I'm running Red Hat Enterprise Linux Server release 6.4 (Santiago) on Amazon EC2.
I have installed Phusion Passenger via a gem.
When I start httpd I have this error message in less /var/log/httpd/error_log:
[Tue Jan 21 08:07:43 2014] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Tue Jan 21 08:07:43 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Jan 21 08:07:43 2014] [error] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog because it encountered the following error during startup: Cannot change the directory '/tmp/passenger.1.0.2072/generation-0/buffered_uploads' its UID to 48 and GID to 48: Operation not permitted (errno=1)
Output of sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Content of /var/log/audit/audit.log related to PassengerWatchd:
type=AVC msg=audit(1390309663.196:134): avc: denied { sys_resource } for pid=2077 comm="PassengerWatchd" capability=24 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:system_r:httpd_sys_script_t:s0 tclass=capability
type=SYSCALL msg=audit(1390309663.196:134): arch=c000003e syscall=1 success=no exit=-13 a0=5 a1=7f0c303ad000 a2=6 a3=ffffffff items=0 ppid=2075 pid=2077 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="PassengerWatchd" exe="/opt/walk-manager/vendor/bundle/ruby/2.0.0/gems/passenger-4.0.26/buildout/agents/PassengerWatchdog" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
I'm new to SELinux, so I don't know what other information I can provide here.
I've made the installation of my entire project as root, and as root I'm trying to start httpd. The default user ec2-user doesn't have permission to start httpd.
Best Answer
There are two approaches:
audit2allow to create the exceptions, restart HTTPD, find the next set of exceptions and repeat until you got them all.
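
The following is an added example, not part of the original answer: a simplified Python stand-in (not audit2allow itself) that turns AVC denials like the one quoted in the question into candidate allow rules, so each exception can be read before it is loaded into policy. The function names and the sample string are constructed here; records without a comm= field are skipped.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record quoted in the question, rejoined onto one line,
# followed by a shortened SYSCALL record that the parser must ignore.
SAMPLE_LOG = (
    'type=AVC msg=audit(1390309663.196:134): avc: denied { sys_resource } '
    'for pid=2077 comm="PassengerWatchd" capability=24 '
    'scontext=unconfined_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=unconfined_u:system_r:httpd_sys_script_t:s0 tclass=capability\n'
    'type=SYSCALL msg=audit(1390309663.196:134): arch=c000003e syscall=1 success=no\n'
)

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def denials_to_rules(log_text, comm=None):
    """Group AVC denials into candidate allow rules, optionally for one command."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm and m.group("comm") != comm):
            continue
        src, tgt = se_type(m.group("scon")), se_type(m.group("tcon"))
        # Policy language writes "self" when source and target type are the same.
        tgt = "self" if tgt == src else tgt
        grouped[(src, tgt, m.group("tclass"))].update(m.group("perms").split())
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG, comm="PassengerWatchd"):
        print(rule)
```

Because each restart can surface a new denial, rerunning the summary after every iteration shows exactly which additional permission the next exception would grant to the httpd_sys_script_t domain.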