Question

On CentOS 6.0 with SELinux running, I get an error: "Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog"

This thread discusses the problem. https://groups.google.com/forum/?fromgroups#!topic/phusion-passenger/qaVUIq2HceE

Is there any way to resolve this without disabling SELinux? It seems like it does something important, and should be configured instead of disabled.


Solution

Because SELinux is wary of Apache, you can try allowing Apache access to passenger files and directories. Try the following, but YMMV! If you’ve installed Phusion Passenger via a gem, then run this command to determine Phusion Passenger’s root folder:

passenger-config --root

Then do

chcon -R -h -t httpd_sys_content_t /path-to-passenger-root

If you installed Passenger from a tarball of some kind, try this instead:

chcon -R -h -t httpd_sys_content_t /path/to/passenger/folder

In either case restart Apache.

You might also need to satisfy SELinux's *httpd_sys_content_t* security context for access to your rails app. You may also need to do the following:

chcon -R -h -t httpd_sys_content_t /path/to/your/rails/app

Maybe this will work for you.

Other tips

Using chcon only works temporarily. The next time the machine does a reboot and SELinux does a relabel, the configuration will be lost. The files will be relabeled to whatever context is right for where they are in the filesystem.

If you put the rails app under /var/www/html then SELinux will maintain the contexts at relabel time, because SELinux policy says that's where web content should be. Initially you'd do restorecon -R /var/www/html/path/to/app to set the contexts.

I've found, though, that Passenger does lots of stuff that SELinux wants to deny, so just a relabel isn't enough. It's easy to create policy to allow that, but I see it as a security risk. Too bad the Rails community doesn't make it easier to deploy on a normal server (i.e. not a Ruby stack).
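
To review what is actually being denied to Apache and Passenger before deciding whether to allow it in policy, the AVC denials in the audit log can be grouped by command, target type and permission. This is an added example, not part of either answer; the log records are constructed, and the function names summarize_avc and sample_avc_log are hypothetical.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for one source domain.
# Real input would be the audit log (usually /var/log/audit/audit.log).

summarize_avc() {   # usage: summarize_avc [domain] < logfile
    awk -v dom="${1:-httpd_t}" '
    /avc:/ && /denied/ {
        perms = ""; stype = ""; ttype = ""; tclass = ""; comm = "?"
        # Permissions sit between the braces: { read write }
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            # A context is user:role:type:level; the type is field 3.
            if      ($i ~ /^scontext=/) { split($i, c, ":"); stype = c[3] }
            else if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            else if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
        }
        # Keep only denials whose source domain matches the one asked for.
        if (stype == dom) count[comm " " ttype ":" tclass " " perms]++
    }
    END { for (k in count) print count[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample records (not taken from a real system).
sample_avc_log() {
    cat <<'EOF'
type=AVC msg=audit(1340000001.101:210): avc:  denied  { read } for  pid=2101 comm="httpd" name="config.ru" dev=dm-0 ino=1001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1340000001.101:210): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1340000002.202:211): avc:  denied  { read } for  pid=2101 comm="httpd" name="config.ru" dev=dm-0 ino=1001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1340000003.303:212): avc:  denied  { create write } for  pid=2102 comm="ruby" name="socket" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1340000004.404:213): avc:  denied  { write } for  pid=900 comm="sshd" name="motd" dev=dm-0 ino=1002 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# Output columns: count, command, target type:class, permissions.
sample_avc_log | summarize_avc httpd_t
```

On a real host, feed it the audit log instead of the sample: `summarize_avc httpd_t < /var/log/audit/audit.log` (reading that file normally requires root).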

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow