SELinux许可被Phusion Passenger拒绝以换取 [英] SELinux permission denied to Phusion Passenger for redmine

问题描述

我正在尝试在 CentOS 6.3 上安装 Redmine ，但是我仍然在日志文件中得到此错误

I am trying to install Redmine on CentOS 6.3 but I continue to get this error in the log file

Passenger could not be initialized because of this error: Unable to start 
the Phusion Passenger watchdog (/usr/lib/ruby/gems/1.8/gems/passenger-4.0.20/buildout
 /agents/PassengerWatchdog): Permission denied (errno=13)

我一直在网上寻找，无法在任何地方或以任何方式解决此错误.我尝试将对文件夹的权限更改为777和apache:apache，但均无效.

I have been looking online and cannot find this error anywhere or any way to fix it. I have tried changing permissions to the folder to 777 and apache:apache but neither work.

我想出的让 redmine 起作用的唯一解决方案是将 SELinux 设置为禁用或允许(我不想这样做).

The only solution that I have come up with to get redmine to work is to set SELinux to disabled or permissive (which I do not want to do).

有人能解决此问题而使 SELinux 处于启用状态吗?

Does anyone have another way to fix this problem that leaves SELinux enabled?

在/var/log/messages下找到SELinux日志文件

Found the SELinux log file under /var/log/messages

这是文件的结尾

    Oct 16 14:07:30 localhost pulseaudio[2329]: alsa-util.c: Disabling timer-based scheduling because running inside a VM.
    Oct 16 14:07:30 localhost rtkit-daemon[2183]: Sucessfully made thread 2331 of process 2329 (/usr/bin/pulseaudio) owned by '500' RT at priority 5.
    Oct 16 14:07:30 localhost pulseaudio[2329]: alsa-util.c: Disabling timer-based scheduling because running inside a VM.
    Oct 16 14:07:30 localhost rtkit-daemon[2183]: Sucessfully made thread 2332 of process 2329 (/usr/bin/pulseaudio) owned by '500' RT at priority 5.
    Oct 16 14:07:31 localhost rtkit-daemon[2183]: Sucessfully made thread 2427 of process 2427 (/usr/bin/pulseaudio) owned by '500' high priority at nice level -11.
    Oct 16 14:07:31 localhost pulseaudio[2427]: pid.c: Daemon already running.
    Oct 16 14:08:04 localhost kernel: type=1400 audit(1381957684.726:5): avc:  denied  { execute_no_trans } for  pid=2663 comm="httpd" path="/usr/lib/ruby/gems/1.8/gems/passenger-4.0.20/buildout/agents/PassengerWatchdog" dev=dm-0 ino=1048752 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=file
    Oct 16 14:08:04 localhost kernel: type=1400 audit(1381957684.760:6): avc:  denied  { execute_no_trans } for  pid=2668 comm="httpd" path="/usr/lib/ruby/gems/1.8/gems/passenger-4.0.20/buildout/agents/PassengerWatchdog" dev=dm-0 ino=1048752 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=file
    Oct 16 14:09:11 localhost pulseaudio[2329]: alsa-sink.c: ALSA woke us up to write new data to the device, but there was actually nothing to write!
    Oct 16 14:09:11 localhost pulseaudio[2329]: alsa-sink.c: Most likely this is a bug in the ALSA driver 'snd_intel8x0'. Please report this issue to the ALSA developers.
    Oct 16 14:09:11 localhost pulseaudio[2329]: alsa-sink.c: We were woken up with POLLOUT set -- however a subsequent snd_pcm_avail() returned 0 or another value < min_avail.

有什么建议吗?

推荐答案

因此，您可以使用audit2allow(yum install audit-libs-python audit-libs)来解决此问题.

So, you can fix this by using audit2allow (yum install audit-libs-python audit-libs).

SELinux日志到/var/log/audit/audit.log.如果您跟踪并捕获了重新启动Web服务(服务httpd restart)的输出，则可以通过audit2allow运行新输出，并创建一个模块以在selinux下安装...

SELinux logs to /var/log/audit/audit.log. If you tail and capture the output from restarting the web service (service httpd restart) you can then run the new output through audit2allow and make a module to install under selinux...

因此，假设您已将其捕获到名为"audit_tmp"的文件中:

So, assuming you have captured it into a file called "audit_tmp":

cat audit_tmp | audit2allow -D -M passenger

这将创建一个名为passenger.pp的文件，您可以使用以下文件进行应用:

This will create a file called passenger.pp which you can apply using:

semodule -i passenger.pp

这样做将阻止阻止乘客装载的第一件事-但请注意可能还会更多，因此您需要再次重复该过程，直到工作为止.我希望这是有道理的！

Doing this will unblock the first thing that was stopping passenger from loading - but be aware that there will probably be more so you will need to repeats the process again until it works. I hope that makes sense!

这篇关于SELinux许可被Phusion Passenger拒绝以换取的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！