Fix: Unable to start the Phusion Passenger watchdog

Posted by Alexander Ross on 28 September 2014

Does this look familiar for you? If it does, then you are on the right place.

# /var/log/httpd/error_log
[Wed Sep 24 18:21:20 2014] [notice] caught SIGTERM, shutting down
[Wed Sep 24 18:21:20 2014] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Sep 24 18:21:20 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Sep 24 18:21:20 2014] [error] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog (/usr/local/lib/ruby/gems/2.1.0/gems/passenger-4.0.52/buildout/agents/PassengerWatchdog): Permission denied (errno=13)

I did get this error while configured a new server with CentOS 6.5, Apache and Passenger for an Ruby on Rails application. If your setup looks different, then you may not be able to do exactly like me. I did google allot on Unable to start the Phusion Passenger watchdog and Permission denied (errno=13) but without success. I first thought it had something to do with file permissions but it wasn't. The real problem here are SELinux security policy. We do not want to turn this one of because it actually are trying to do good for us. After all it's there for our security.

We need to know which services that is prevented in order to start passenger and allow only those. To do that we start by setting SELinux into permissive mode. This will allow us to run all application without it being stoped by SELinux use but it will log warnings which we will use to create rule and permit what we need.

Open /etc/selinux/config and change SELINUX=enforcing to SELINUX=permissive.

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#   enforcing - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#   targeted - Only targeted network daemons are protected.
#   strict - Full SELinux protection.
SELINUXTYPE=targeted

Now you need to reboot your server in order for these settings to take action.

Start the processes needed for your application to run (mysql, redis and so on) and then visit your page in the browser. It should now be working because everything is permitted but will create warnings.

Now we can create our rules by running the command bellow.

grep httpd_t /var/log/audit/audit.log | audit2allow -m httpdrules > httpdrules.te

You can now also run cat httpdrules.te and make sure it doesn't contain anything suspicious. If it looks ok then we can make it permanent by running

# notice the capitalized -M instead of -m that we used before
grep httpd_t /var/log/audit/audit.log | audit2allow -M httpdrules
semodule -i httpdrules.pp

Next step to se if it all is working is to change permissive back to enforcing in our /etc/selinux/config file and reboot.

Q & A

It still doesn't work!
If you get an similar error you can look at CentOS wiki how to customize these rules more. Else if you got another error this may just be one of a few errors in your stack. Google is your friend.
How to install audit2allow if it's not available
It comes with policycoreutils-python which is often installed with the system. If this isn't on your system for any reason it can be installed with yum install policycoreutils-python.
I don't use CentOS but i have the same error, will this work for me?
This guide is written based on my experiences with CentOS, Apache, Passenger and a Ruby on Rails application i tried to deploy. Some parts in this may still be useful for you. But you will need to google a bit if your files don't look the same or if they are not on the same location.
I don't care about security, how to turn of SELinux completly?
This is something you should only do if you not planing to go public with your application. If this is true then just change your SELINUX option in /etc/selinux/config to disabled and reboot.