SELinux的许可被拒绝给Phusion Passenger用于redmine

Question

我试图在CentOS 6.3上安装Redmine,但我继续在日志文件中收到此错误

Passenger could not be initialized because of this error: Unable to start 
the Phusion Passenger watchdog (/usr/lib/ruby/gems/1.8/gems/passenger-4.0.20/buildout
 /agents/PassengerWatchdog): Permission denied (errno=13)

我一直在网上看,无法在任何地方或任何方式找到此错误来解决它.我试图改变权限的文件夹777和apache:apache但既不工作.

我想出让redmine工作的唯一解决方案是将SELinux设置为禁用或允许(我不想这样做).

有没有人有另一种方法来解决这个问题,使SELinux启用？

在/ var/log/messages下找到SELinux日志文件

这是文件的结尾

    Oct 16 14:07:30 localhost pulseaudio[2329]: alsa-util.c: Disabling timer-based scheduling because running inside a VM.
    Oct 16 14:07:30 localhost rtkit-daemon[2183]: Sucessfully made thread 2331 of process 2329 (/usr/bin/pulseaudio) owned by '500' RT at priority 5.
    Oct 16 14:07:30 localhost pulseaudio[2329]: alsa-util.c: Disabling timer-based scheduling because running inside a VM.
    Oct 16 14:07:30 localhost rtkit-daemon[2183]: Sucessfully made thread 2332 of process 2329 (/usr/bin/pulseaudio) owned by '500' RT at priority 5.
    Oct 16 14:07:31 localhost rtkit-daemon[2183]: Sucessfully made thread 2427 of process 2427 (/usr/bin/pulseaudio) owned by '500' high priority at nice level -11.
    Oct 16 14:07:31 localhost pulseaudio[2427]: pid.c: Daemon already running.
    Oct 16 14:08:04 localhost kernel: type=1400 audit(1381957684.726:5): avc:  denied  { execute_no_trans } for  pid=2663 comm="httpd" path="/usr/lib/ruby/gems/1.8/gems/passenger-4.0.20/buildout/agents/PassengerWatchdog" dev=dm-0 ino=1048752 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=file
    Oct 16 14:08:04 localhost kernel: type=1400 audit(1381957684.760:6): avc:  denied  { execute_no_trans } for  pid=2668 comm="httpd" path="/usr/lib/ruby/gems/1.8/gems/passenger-4.0.20/buildout/agents/PassengerWatchdog" dev=dm-0 ino=1048752 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=file
    Oct 16 14:09:11 localhost pulseaudio[2329]: alsa-sink.c: ALSA woke us up to write new data to the device, but there was actually nothing to write!
    Oct 16 14:09:11 localhost pulseaudio[2329]: alsa-sink.c: Most likely this is a bug in the ALSA driver 'snd_intel8x0'. Please report this issue to the ALSA developers.
    Oct 16 14:09:11 localhost pulseaudio[2329]: alsa-sink.c: We were woken up with POLLOUT set -- however a subsequent snd_pcm_avail() returned 0 or another value < min_avail.

有什么建议？

Answer 1

因此,您可以使用audit2allow(yum install audit-libs-python audit-libs)来解决此问题.

SELinux登录到/var/log/audit/audit.log.如果您通过重新启动Web服务(服务httpd restart)来拖尾并捕获输出,则可以通过audit2allow运行新输出并在selinux下安装模块...

因此,假设您已将其捕获到名为"audit_tmp"的文件中:

cat audit_tmp | audit2allow -D -M passenger

这将创建一个名为passenger.pp的文件,您可以使用以下方法应用:

semodule -i passenger.pp

这样做会解除阻止乘客加载的第一件事 - 但请注意,可能会有更多因此需要再次重复该过程直到它起作用.我希望这是有道理的!