I was wondering if it is possible to make a CentOS 7 server less secure by using chcon than it would be if SELinux were in Permissive mode. I am essentially trying to set up Phusion Passenger with Nginx to work with a Ruby version installed using rbenv (a Ruby version manager which essentially installs Ruby libraries, binaries, libs, etc. in a user's home directory) for a user who is not a sudoer. I have used tools like setroubleshoot-server to essentially solve various issues such as those with SELinux booleans, except that these tools are not helping me in diagnosing issues with the Ruby version that is installed in the home directory of a particular user. Everything works with Phusion Passenger and Nginx when either:
- using the system-wide Ruby (v2.0) installation (SELinux in enforcing mode)
- using the rbenv-installed Ruby (v2.2.3) (SELinux in permissive mode)
- using rbenv-installed Ruby (v2.2.3) after running the following command (SELinux in enforcing mode): chcon -R --reference /bin /home/myuser/.rbenv/
Note that I restarted the server between configuration changes to verify the observed behavior.
I feel that I am essentially bypassing SELinux by using chcon to change the security context of the folder containing the rbenv Ruby version to have the same security context as that of the /bin folder. Are there any unintended security consequences to using chcon in this manner?
This might be outside of the scope of the question, but is there a proper way to set the security context of Ruby interpreters installed in the home directory of a user to be used with Nginx and Phusion Passenger?