Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1353977 - apachectl -S returns no output when SELinux is enforcing
Summary: apachectl -S returns no output when SELinux is enforcing
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: httpd
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Luboš Uhliarik
QA Contact: BaseOS QE - Apps
Depends On:
TreeView+ depends on / blocked
Reported: 2016-07-08 15:14 UTC by Hung
Modified: 2017-02-07 09:29 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-02-07 09:29:07 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Hung 2016-07-08 15:14:01 UTC
Description of problem:
When SELinux is enforcing mode "apachectl -S" will returns no output nor any error 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install httpd
2. Verify Selinux mode is enforcing 
3. Run "apachectl -S" command  

Actual results:
# apachectl -S

Expected results:
When not in enforcing: 
# apachectl -S
[Fri Jul 08 11:03:17.724585 2016] [so:warn] [pid 1441] AH01574: module status_module is already loaded, skipping
VirtualHost configuration:
*:8443        (/etc/httpd/conf.d/nss.conf:83)
*:443         (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
PidFile: "/run/httpd/"
User: name="apache" id=48
Group: name="apache" id=48

Additional info:

As a workaround: "httpd -S" does provided the same output while Selinux mode is in enforcing 

Customer suggested the following:

While 'apachectl configtest' works (since it has a workaround mentioned in that comment), 'apachectl -t' doesn't since it doesn't use the workaround and instead gives the same output as 'apachectl configtest'.

Looking at the script, there is a catchall for flags to be passed through directly to httpd, but this doesn't have the workaround that 'configtest' does. So I suggest adding it:

--- apachectl.orig      2016-07-08 09:10:58.296177996 -0400
+++ apachectl   2016-07-08 09:12:29.159596403 -0400
@@ -134,7 +134,11 @@
-    /usr/sbin/httpd $OPTIONS "$@"
+    if test -x /usr/sbin/selinuxenabled && /usr/sbin/selinuxenabled; then
+      runcon -- `id -Z` /usr/sbin/httpd $OPTIONS "$@"
+    else
+      /usr/sbin/httpd $OPTIONS "$@"
+    fi
This allows apachectl to work as expected even with SELinux enforcing.

Comment 2 Daniel Laczi 2016-11-16 18:43:22 UTC
This is also valid for Fedora

Comment 4 Joe Orton 2017-02-07 09:29:07 UTC
Thanks for the report, but we've no plans to change this.

It's better that if you want to run httpd in the unconfined domain, you invoke "httpd -S" directly.  It's safe to run "httpd -t" unconfined to get console output, but changing apachectl as above would also mean, e.g.:

  apachectl -f /etc/httpd/conf/httpd.conf

would start httpd in the unconfined domain.

Note You need to log in before you can comment on or make changes to this bug.