Bug 1518444 - SELinux is preventing httpd from write access on the file /var/log/httpd/jk-runtime-status.*
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: httpd
Version: 27
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Luboš Uhliarik
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-11-28 22:55 UTC by James McKernan
Modified: 2018-09-26 11:56 UTC (History)
8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-09-26 11:56:34 UTC


Attachments
journalctl -xe output from failed httpd launch (deleted)
2017-11-28 22:55 UTC, James McKernan

Description James McKernan 2017-11-28 22:55:07 UTC
Created attachment 1360089 [details]
journalctl -xe output from failed httpd launch

Description of problem: I'm trying to set up the typical apache httpd to tomcat over AJP on localhost VM. An SELinux policy is blocking access to the PID log for jk-runtime causing catastrophic failure of the httpd daemon launch. 


Version-Release number of selected component (if applicable):
Server version: Apache/2.4.29 (Fedora)
Server built:   Oct 25 2017 12:34:45
Server's Module Magic Number: 20120211:68



How reproducible: 100% on instance


Steps to Reproduce:
1. Temporarily opened file perms to /var/log/httpd, and ran start script. Result: Failure
2. Attempted temp fix:
ausearch -c 'httpd' --raw | audit2allow -M my-httpd
semodule -X 300 -i my-httpd.pp
Result: semodule:  Failed on my-httpd.pp!
3. Completely rebuilt environment
Result: identical problem

Actual results: Failure to launch httpd and tomcat


Expected results: Launch httpd and tomcat on local VM with AJP


Additional info: SELinux governance bug or my misconfiguration?

Comment 1 Lukas Vrabec 2017-12-11 14:19:01 UTC
James, 

Could you reproduce your issue and attach output of: 

# ausearch -m AVC -ts today 

Thanks,
Lukas.

Comment 2 James McKernan 2017-12-11 21:42:02 UTC
Per Lukas' request:

> sudo systemctl start httpd.service 
[sudo] password for jmcker: 
Job for httpd.service failed because the control process exited with error code.
See "systemctl  status httpd.service" and "journalctl  -xe" for details.

> sudo ausearch -m AVC -ts today > 

more ausearch.httpd.service.bug.txt
----
time->Mon Dec 11 13:35:01 2017
type=AVC msg=audit(1513028101.393:266): avc:  denied  { write } for  pid=2876 comm="httpd" path="/var/log/httpd/jk-runtime-status.2876" dev="dm-0" ino=134380 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
>

Comment 3 Lukas Vrabec 2017-12-12 12:27:41 UTC
Is there any change in how httpd writes to httpd logs? It looks like the file is opened for writing, but in the policy we have just appending. This can be a better option for security reasons.

Comment 4 James McKernan 2018-04-11 16:52:46 UTC
Are there any updates on solving this problem? Command-lining the httpd and tomcat daemons isn't pleasant. Thanks. -James

Comment 5 Joe Orton 2018-09-26 11:56:34 UTC
AFAICT no module we ship should create this file; it comes from using mod_jk from Tomcat upstream built from source?

If third-party modules use the httpd API correctly - i.e. using ap_runtime_dir_relative() - to determine the location of such files, it should work as expected: they will end up in /run/httpd rather than /var/log/httpd. If third-party modules are buggy and try to put non-logfiles in the log directory, they should be correctly denied by SELinux, i.e. this is working as expected.
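The AVC record in comment 2 and the reasoning in comments 3 and 5 fit together into a small triage rule: httpd_t is only granted append on httpd_log_t files, so a denied write on a file under /var/log/httpd points at a module keeping runtime state (here a PID-suffixed status file) in the log directory, and the remedy is to relocate that file under the runtime directory rather than to install an audit2allow module. The following is an added example written for this page, not code from the bug report, from httpd or from mod_jk. It parses audit(1) AVC lines into their fields and applies that rule. The log and runtime directory paths are taken from comment 5; the "relabel" and "investigate" branches, and the second and third sample records, are constructed assumptions for illustration.

```python
"""Parse SELinux AVC denial records and triage httpd log-directory denials.

Added example for this bug report (not from httpd, mod_jk or the reporter).
Rule applied (comments 3 and 5): httpd_t may only append to httpd_log_t, so a
denied 'write' under /var/log/httpd means non-log state is in the log dir and
belongs under the runtime dir instead (what ap_runtime_dir_relative() yields).
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed Fedora httpd layout (directories named in comment 5).
LOG_DIR = "/var/log/httpd/"
RUNTIME_DIR = "/run/httpd/"

# Matches 'avc:  denied  { write } for  pid=... comm="httpd" ...'
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
# key=value pairs; values are either "quoted" or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: List[str]
    pid: Optional[int]
    comm: str
    path: str
    scontext: str
    tcontext: str
    tclass: str
    enforcing: bool  # permissive=0 means the kernel actually blocked the access

    @property
    def source_type(self) -> str:
        return self.scontext.split(":")[2]  # user:role:type:level -> type

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit record; return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return AvcDenial(
        perms=m.group("perms").split(),
        pid=int(fields["pid"]) if "pid" in fields else None,
        comm=fields.get("comm", ""),
        path=fields.get("path", fields.get("name", "")),  # 'name' on dir denials
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields.get("tclass", ""),
        enforcing=fields.get("permissive", "0") == "0",
    )


@dataclass
class Verdict:
    action: str  # 'relocate', 'relabel' or 'investigate'
    reason: str
    suggested_path: Optional[str] = None


def triage(d: AvcDenial) -> Verdict:
    """Classify a denial using the append-only-logs rule from the report."""
    if d.source_type != "httpd_t" or d.tclass != "file":
        return Verdict("investigate", f"not an httpd_t file denial ({d.source_type}, {d.tclass})")
    in_log_dir = d.path.startswith(LOG_DIR)
    if in_log_dir and d.target_type != "httpd_log_t":
        # Constructed branch: a file in the log dir carrying a foreign label.
        return Verdict("relabel", f"{d.path} is {d.target_type}, expected httpd_log_t; restorecon {LOG_DIR}")
    if in_log_dir and "write" in d.perms:
        # Policy grants only append on logs; a module that needs write is
        # storing runtime state here and should use the runtime directory.
        new_path = os.path.join(RUNTIME_DIR, os.path.basename(d.path))
        return Verdict("relocate", "httpd_t may only append to httpd_log_t; move runtime state out of the log dir", new_path)
    return Verdict("investigate", f"denied {{ {' '.join(d.perms)} }} on {d.path} ({d.target_type})")


# First record is the one from comment 2; the other two are constructed.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1513028101.393:266): avc:  denied  { write } for  pid=2876 comm="httpd" path="/var/log/httpd/jk-runtime-status.2876" dev="dm-0" ino=134380 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1513028200.000:300): avc:  denied  { append } for  pid=2900 comm="httpd" path="/var/log/httpd/access_log" dev="dm-0" ino=134400 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    "type=SYSCALL msg=audit(1513028101.393:266): arch=c000003e syscall=2 success=no exit=-13",
]


def triage_records(lines: List[str]) -> List[Tuple[AvcDenial, Verdict]]:
    """Parse every line and return (denial, verdict) for the AVC records only."""
    parsed = (parse_avc(line) for line in lines)
    return [(d, triage(d)) for d in parsed if d is not None]


if __name__ == "__main__":
    for d, v in triage_records(SAMPLE_RECORDS):
        print(f"pid={d.pid} {d.comm} {{ {' '.join(d.perms)} }} {d.path}")
        print(f"  -> {v.action}: {v.reason}")
        if v.suggested_path:
            print(f"     suggested location: {v.suggested_path}")
```

Fed the record from comment 2, the script reports a relocate verdict with /run/httpd/jk-runtime-status.2876 as the suggested location, which matches Joe Orton's conclusion that the denial is the policy working as intended rather than something to allow through.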

