fixes 2789 - selinux denials

[lzap]

This fixes all denials I had. But I was not able to reproduce
"/sbin/ifconfig" exec.

I have put together few SELinux notes here, feel free to edit:

http://projects.theforeman.org/projects/foreman/wiki/SELinux

[domcleal]

Two things strike me as odd about this.. one is that the AVCs appear to be relating to a Passenger daemon running in the httpd_t context rather than passenger_t.

The other is that my RHEL 6 host appears to permit this already:

# sesearch --allow -s httpd_t -c capability -p fowner
Found 1 semantic av rules:
   allow httpd_t httpd_t : capability { fowner fsetid sys_resource } ; 
# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.7.19-195.el6.noarch

[lzap]

Ah right because you have httpd_setrlimit bool turned on.

I mis-read the audit2allow comment, I think I can remove those two lines completely as these are covered by setrlimit.

[lzap]

On the second thing - there is one design issue with mod_passenger - some code is running within httpd context. It's by design of mod_passenger and we cannot really do about it. Let me ask again tomorrow to confirm this.

[domcleal]

I still have httpd_setrlimit off, interestingly enough.. sesearch shouldn't show me results for policy that's turned off, should it?

Noted about httpd_t domain, makes sense.

[lzap]

Ok removed that block as it looks like it is not needed.

Adding new block - solves Fedora 19 denials:

type=AVC msg=audit(1374627407.297:1387): avc:  denied  { search } for  pid=1961 comm="httpd" name="puppet" dev="vda1" ino=29386 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir

[ohadlevy]

i see dev=vda there, is there a way to generalize it to work on non virt
systems (with sda) too?

[lzap]

Where do you see vda? In the denial line? Sure, but the rule I just pushed is generic:

tunable_policy(`httpd_run_foreman', `
    corenet_tcp_connect_puppet_port(httpd_t)
    puppet_read_config(httpd_t)
')

[domcleal]

Thanks @lzap, merged as 36c7bfa.