Hello, can you share the SELinux denial which caused this? Also it would be good to see the details of the “permission denied”. I have seen a temporary permission denied error during passenger launch, but when it finishes it goes away. The only thing to do in that case was to wait a bit longer until it comes up.
Maybe it’s because our postgres server doesn’t listen on the default port 5432, but on 5455. I didn’t think about the non-standard ports until I read the AVC carefully again.
SELinux is preventing ruby from name_connect access on the tcp_socket port 5455.
***** Plugin catchall_boolean (89.3 confidence) suggests ******************
If you want to allow passenger to can connect all
Then you must tell SELinux about this by enabling the 'passenger_can_connect_all' boolean.
Do
setsebool -P passenger_can_connect_all 1
***** Plugin catchall (11.6 confidence) suggests **************************
If you believe that ruby should be allowed name_connect access on the port 5455 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ruby' --raw | audit2allow -M my-ruby
# semodule -i my-ruby.pp
Additional Information:
Source Context system_u:system_r:passenger_t:s0
Target Context system_u:object_r:jboss_messaging_port_t:s0
Target Objects port 5455 [ tcp_socket ]
Source ruby
Source Path ruby
Port 5455
Host <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.15.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name foreman1.3ve.bmlv.at
Platform Linux foreman.host.name 3.10.0-957.27.2.el7.x86_64 #1 SMP Tue Jul 9 16:53:14 UTC 2019 x86_64 x86_64
Alert Count 1
First Seen 2019-09-11 15:59:54 CEST
Last Seen 2019-09-11 15:59:54 CEST
Local ID e744cadc-95f3-45e3-9ee6-04cab83b7775
Raw Audit Messages
type=AVC msg=audit(1568210394.788:7041): avc: denied { name_connect } for pid=4196 comm="ruby" dest=5455 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:jboss_messaging_port_t:s0 tclass=tcp_socket permissive=0
Hash: ruby,passenger_t,jboss_messaging_port_t,tcp_socket,name_connect
That is absolutely the reason, no doubt. SELinux just did the right job it was designed for. If you want to keep improved security, simply add this port to the PostgreSQL port type using the semanage port command instead of allowing all ports.
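Turning that advice into a concrete step, here is an added shell helper (not from this thread or the Foreman project) that reads the AVC record above and emits the narrow semanage port command instead of the catch-all boolean. It assumes the service on 5455 is PostgreSQL, so postgresql_port_t is the intended type; the function names (avc_field, semanage_port_cmd, ...) are its own.

```shell
#!/bin/bash
# Added example: derive a narrow "semanage port" fix from an AVC record.
# Assumption: the listener on the denied port is PostgreSQL (postgresql_port_t).

# Constructed sample: the raw audit message from the report, joined onto one line.
AVC_LINE='type=AVC msg=audit(1568210394.788:7041): avc: denied { name_connect } for pid=4196 comm="ruby" dest=5455 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:jboss_messaging_port_t:s0 tclass=tcp_socket permissive=0'

# Pull one key=value field out of an AVC record; prints the value or nothing.
avc_field() {  # avc_field <line> <key>
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Current SELinux type of the port: third colon-separated field of tcontext.
avc_port_type() {
    avc_field "$1" tcontext | cut -d: -f3
}

# Protocol from tclass: tcp_socket -> tcp, udp_socket -> udp.
avc_proto() {
    avc_field "$1" tclass | sed 's/_socket$//'
}

# Build the semanage command. A port that already carries a specific type
# (here jboss_messaging_port_t) is defined in the base policy, so "-a" fails
# with "already defined" and the mapping must be changed with "-m". A port
# that only has a generic label (unreserved_port_t etc.) can be added with "-a".
semanage_port_cmd() {  # semanage_port_cmd <avc_line> <wanted_type>
    local line=$1 wanted=$2 port proto current action
    port=$(avc_field "$line" dest)
    proto=$(avc_proto "$line")
    current=$(avc_port_type "$line")
    [ -n "$port" ] && [ -n "$proto" ] || return 1
    if [ "$current" = "$wanted" ]; then
        echo "# port $proto/$port is already $wanted; nothing to do"
        return 0
    fi
    case $current in
        unreserved_port_t|reserved_port_t|hi_reserved_port_t|'') action=-a ;;
        *) action=-m ;;
    esac
    echo "semanage port $action -t $wanted -p $proto $port"
}

# Print the plan only; run the printed command as root, then verify with the grep.
semanage_port_cmd "$AVC_LINE" postgresql_port_t
echo "semanage port -l | grep -w postgresql_port_t   # confirm 5455 is now listed"
```

After applying the change, restart Passenger and check that no new name_connect AVC for passenger_t appears in the audit log.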