Installing Phusion Passenger 4 with SELinux enabled is quite a challenge, especially given the lack of documentation for the latest version of Passenger.
Installation Notes:
Follow this guide: http://www.seifeet.com/2012/09/ruby-apache-on-centos-63.html. It will get you 90% of the way there.
There are a few changes that I needed to make to get it working properly with my app.
Set the passenger temp folder to /var/run/rubygem-passenger instead of /tmp/ in the Apache config. (/etc/httpd/conf.d/passenger.conf)
PassengerTempDir /var/run/rubygem-passenger
The reason is that the SELinux permissions on the parent /tmp folder will not work properly. If you don't have PassengerTempDir set in Apache, you will get an error about a temp folder not being set when running "grep httpd /var/log/audit/audit.log | audit2allow -M passenger".
Here are the permissions I have for the rubygem-passenger folder:
rvm rvm system_u:object_r:httpd_var_run_t:s0 rubygem-passenger
Set the permissions of the /myrailsapp/tmp folder
If you are using compiled CSS libraries such as Compass, you will need to set the proper SELinux permissions for the compiled assets folder. Otherwise, any change to the compiled CSS files will cause a fatal error in your application (a read failure in the tmp folder).
chcon -R -t httpd_sys_rw_content_t tmp
Sample Passenger configuration file for Apache (/etc/httpd/conf.d/passenger.conf)
LoadModule passenger_module /usr/local/rvm/gems/ruby-2.0.0-p0/gems/passenger-4.0.0.rc4/libout/apache2/mod_passenger.so
PassengerRoot /usr/local/rvm/gems/ruby-2.0.0-p0/gems/passenger-4.0.0.rc4
PassengerRuby /usr/local/rvm/wrappers/ruby-2.0.0-p0/ruby
PassengerDefaultUser rvm
PassengerDefaultGroup rvm
PassengerLogLevel 2
PassengerDebugLogFile /var/log/httpd/passenger.log
PassengerPreStart [YOUR SITE URL]
PassengerMaxPoolSize 2
PassengerPoolIdleTime 300
PassengerTempDir /var/run/rubygem-passenger
Still having issues with the install? Here are some fixes:
Error: Cannot stat ‘/var/run/rubygem-passenger/passenger.1.0.19162’: Permission denied
Fix: This is due to SELinux blocking access to the folder. Change setenforce to 0 and restart httpd, then run "grep httpd /var/log/audit/audit.log | audit2allow -M passenger" and add the policy via semodule -i passenger.pp.
Error: Cannot change the directory ‘/tmp/passenger.1.0.—/generation-0/buffered_uploads’ its UID to 48 and GID to 48
Fix: This is a regular user permission issue (the user/group needs to have write permissions) and is also related to not using /var/run/rubygem-passenger.
Error: Errno::EACCES Permission Denied
Fix: Your /[myrailsapp]/tmp folder permissions are incorrect. Compiled CSS libraries use the /[myrailsapp]/tmp folder to save all their data. The cause could be either the user/group permissions or SELinux. The fastest way to check whether it is an SELinux issue is to set setenforce to 0 and restart httpd. If the app works, then you will need to set the SELinux permissions on the /[myrailsapp]/tmp folder as shown above. If not, check to see that the folder has global read/write permissions.
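Before turning the httpd denials into a module with audit2allow, it helps to see what is actually being denied. The script below is an added example, not part of the original post: it applies the same "grep httpd" filter to audit-log lines and groups the AVC denials by target type, class, permissions and path. The log lines are constructed samples, and the function names summarize_avc and sample_log are made up for this example.

```shell
#!/bin/sh
# Summarize httpd-related SELinux AVC denials before feeding them to audit2allow.
# Function names and the sample log lines are constructed for this example.

# Reads audit-log lines on stdin; prints "<count> <target type> <class> <perms> <path>".
summarize_avc() {
  grep 'type=AVC' | grep 'denied' | grep 'httpd' | awk '
  {
    perms = ""; tclass = ""; ttype = ""; target = "-"; inbrace = 0
    for (i = 1; i <= NF; i++) {
      # Requested permissions are the tokens between "{" and "}".
      if ($i == "{") { inbrace = 1; continue }
      if ($i == "}") { inbrace = 0; continue }
      if (inbrace) { perms = (perms == "" ? $i : (perms "," $i)); continue }
      if ($i ~ /^tclass=/) tclass = substr($i, 8)
      else if ($i ~ /^tcontext=/) { split(substr($i, 10), ctx, ":"); ttype = ctx[3] }
      else if ($i ~ /^(path|name)=/) {
        target = $i; sub(/^[a-z]+=/, "", target); gsub(/"/, "", target)
      }
    }
    seen[ttype " " tclass " " perms " " target]++
  }
  END { for (k in seen) print seen[k], k }' | LC_ALL=C sort -k2
}

# Constructed sample input, shaped like /var/log/audit/audit.log entries.
sample_log() {
  cat <<'EOF'
type=AVC msg=audit(1366000001.101:501): avc:  denied  { getattr } for  pid=19162 comm="httpd" path="/var/run/rubygem-passenger/passenger.1.0.19162" dev=dm-0 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1366000001.101:501): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1366000002.202:502): avc:  denied  { getattr } for  pid=19162 comm="httpd" path="/var/run/rubygem-passenger/passenger.1.0.19162" dev=dm-0 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1366000003.303:503): avc:  denied  { write add_name } for  pid=19170 comm="ruby" path="/myrailsapp/tmp/cache" dev=dm-0 ino=2002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1366000004.404:504): avc:  denied  { read } for  pid=2200 comm="sshd" name="authorized_keys" dev=dm-0 ino=3003 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

sample_log | summarize_avc
```

On a real host, run "summarize_avc < /var/log/audit/audit.log" instead of using the sample. A denial whose target type or path has nothing to do with Passenger or your app is one you probably do not want in the generated passenger module.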