Bug 1646937

Summary: Unable to start httpd
Product: Red Hat Software Collections
Reporter: Branislav Náter <bnater>
Component: httpd
Assignee: Luboš Uhliarik <luhliari>
Status: CLOSED ERRATA
QA Contact: Branislav Náter <bnater>
Severity: unspecified
Priority: unspecified
Version: httpd24
CC: jorton, tborcin
Target Milestone: rc
Target Release: 3.2
Hardware: Unspecified
OS: Unspecified
Last Closed: 2018-11-13 08:37:29 UTC
Type: Bug

Description Branislav Náter 2018-11-06 10:58:01 UTC
Description of problem:
After a certain sequence of test cases, I'm not able to start httpd.

Version-Release number of selected component (if applicable):
httpd24-httpd-2.4.34-6.el7.x86_64
httpd24-mod_md-2.4.34-6.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. run httpd/mod_authn_anon/smoke
2. run httpd/Regression/bz1299889-create-apache-user-when-group-exists
3. run httpd/mod_authz_user/smoke

Actual results:
Unable to start httpd with the following error:
[ ERROR ] AVC check: FAIL
----
type=PROCTITLE msg=audit(11/06/2018 05:00:28.874:1033) : proctitle=/opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND 
type=SYSCALL msg=audit(11/06/2018 05:00:28.874:1033) : arch=x86_64 syscall=chown success=no exit=EACCES(Permission denied) a0=0x5568a6db4018 a1=apache a2=unset a3=0x7ffe990ffce0 items=0 ppid=1 pid=21225 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=httpd exe=/opt/rh/httpd24/root/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(11/06/2018 05:00:28.874:1033) : avc:  denied  { setattr } for  pid=21225 comm=httpd name=challenges dev="vda1" ino=37750190 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0

error_log:
[Tue Nov 06 04:27:59.637440 2018] [core:notice] [pid 12090] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Tue Nov 06 04:27:59.638040 2018] [:error] [pid 12090] (13)Permission denied: AH10082: Can't change owner of /opt/rh/httpd24/root/etc/httpd/state/md/challenges
[Tue Nov 06 04:27:59.638050 2018] [md:error] [pid 12090] (13)Permission denied: AH10047: setup challenges directory, call check_group_dir(*pstore, MD_SG_CHALLENGES, p, s)
[Tue Nov 06 04:27:59.638053 2018] [md:error] [pid 12090] (13)Permission denied: AH10072: setup md registry
AH00016: Configuration Failed

Expected results:
it works

Additional info:
I believe this is related to mod_md. The scl ownership test is also failing:
:: [ 16:36:23 ] :: [   FAIL   ] :: All files in /opt/rh/httpd24 owned by that collection 
:: [ 16:36:23 ] :: [   LOG    ] :: Files in the question:
:: [ 16:36:23 ] :: [   LOG    ] :: /opt/rh/httpd24/root/etc/httpd/conf.d/ssl.old
:: [ 16:36:23 ] :: [   LOG    ] :: /opt/rh/httpd24/root/etc/httpd/conf.modules.d/01-md.conf
:: [ 16:36:23 ] :: [   LOG    ] :: /opt/rh/httpd24/root/etc/httpd/conf.modules.d/10-python27-wsgi.conf.bak
:: [ 16:36:23 ] :: [   LOG    ] :: /opt/rh/httpd24/root/usr/share/doc/httpd24-mod_auth_mellon
:: [ 16:36:23 ] :: [   LOG    ] :: /opt/rh/httpd24/root/var/lib/httpd/md
:: [ 16:36:23 ] :: [   LOG    ] :: /opt/rh/httpd24/root/var/lib/httpd/md/accounts
:: [ 16:36:23 ] :: [   LOG    ] :: /opt/rh/httpd24/root/var/lib/httpd/md/challenges
:: [ 16:36:23 ] :: [   LOG    ] :: /opt/rh/httpd24/root/var/lib/httpd/md/httpd.json
:: [ 16:36:23 ] :: [   LOG    ] :: /opt/rh/httpd24/root/var/lib/httpd/md/md_store.json
:: [ 16:36:23 ] :: [   LOG    ] :: /opt/rh/httpd24/root/var/lib/httpd/md/staging

Comment 5 Branislav Náter 2018-11-09 09:39:38 UTC
Verified on httpd24-httpd-2.4.34-7.el7

Comment 7 errata-xmlrpc 2018-11-13 08:37:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3558