Bug 167949
Summary: | when selinux is enabled, httpd refuses to start | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Edward Rudd <urkle> | ||||
Component: | selinux-policy-targeted | Assignee: | Russell Coker <rcoker> | ||||
Status: | CLOSED CURRENTRELEASE | QA Contact: | |||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | 4 | CC: | alexander_pircher, sundaram | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Current | Doc Type: | Bug Fix | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2006-05-05 19:30:24 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
Edward Rudd
2005-09-09 20:02:36 UTC
Thank you for the report. However this should be assigned to selinux-targeted-policy as this has been identified as related to SELinux. Make sure that you have all the updates (yum update) and relabel your filesystem using #touch /.autorelabel and reboot your system as mentioned in the Fedora SELinux FAQ If audit daemon is disabled in your system, you will see avc denied messages in /var/log/messages and post the output of that if the problem still exists after the updates I had similar problems in FC3 and had disabled SElinux when I upgraded to FC4.. I finally decided to enable it again and reboot after doing a full update to the lastest eratta, and upon reboot it did a complete relabel of the file system. And the auditd is enabled as I do see other messages appearing in the audit log, just absolutely nothing when apache is attemted to start. Also during bootup it usually says "unable to bind on port 80". but never ever gives that error when I try to start it after the system is up.. just a failed from the init script and nothing in the logs.. (unless I run the init script in a subshell as I mentioned in the initial report). I initially filed it under httpd as it seemed it might have been an issue with the init script itself. given that oddity I noticed. Ok, can you try disabling SELinux with setenforce 0 and verify that this is indeed related to SELinux? [root@urkle ~]# service httpd stop Stopping httpd: [ OK ] [root@urkle ~]# service httpd start Starting httpd: [FAILED] [root@urkle ~]# setenforce 0 [root@urkle ~]# service httpd start Starting httpd: [ OK ] [root@urkle ~]# service httpd stop Stopping httpd: [ OK ] [root@urkle ~]# setenforce 1 [root@urkle ~]# service httpd start Starting httpd: [FAILED] [root@urkle ~]# /etc/init.d/httpd start Starting httpd: [FAILED] [root@urkle ~]# sh /etc/init.d/httpd start Starting httpd: [ OK ] Looks like an SELinux problem. Just to make sure. What context is it running in ps -eZ | grep http You can enable all audit messages by installing selinux-policy-targeted-sources cd /etc/selinux/targeted/src/policy make enableaudit; make load Then start the httpd server. See if you get any avc messages in /var/log/messages or /var/log/audit/audit.log make clean; make load will turn the additional auditing back off. the way it is currently running (via sh /etc/init.d/httpd start) it is running under "root:system_r:unconfined_t" and enable all audit messages in the policy didn't change any of the output to /var/log/{messages,audit/audit.log} wait.. ahh. need to restart auditd.. I will attach the log. Created attachment 119868 [details]
section of /var/log/audit/audit.log when "service httpd start" was run
Two things come out of the log. allow httpd_t devpts_t:chr_file { read write }; allow httpd_t ftp_port_t:tcp_socket name_bind; Does the startup of httpd prompt the user for some input? Second, Why does httpd listen on the ftp port? Dan No it doesn't ask for any input. And the FTP port is because I have my mod_ftpd installed in it. ( I completely for got about that). Seems as though that is the cause of the problem. Disabling mod_ftpd allows it to startup.. Shouldn't there be some better way of tracking down the reason for this? And how do I add the ftp ports as allowable? (probably a pill due to the fact that FTP requires port 21 and a series of random ports for the data ports) Are you running NIS on this machine or do you have allow_ybind boolean turned on? If so that is why the httpd trying to access ftp_port_t was dontaudit. If not then there is a problem in policy. I am not sure how to handle mod_ftpd, I could add policy to allow httpd to listen on this port if a boolean was set, but this is the first time I have heard of this bug and have no idea how often mod_ftpd is used. not using NIS, and don't even think I have ypbind installed. mod_ftpd : http://www.outoforder.cc/projects/apache/mod_ftpd/ mod_ftpd is an FTP server for apache 2 written by me. It's used by a few peaople, not exactly sure how many. But I am receiving a little over 100 downloads a month, sometimes over 200, since I wrote the module 2 years ago. Also Covalent has recently released their mod_ftp into open source (still working it's way through the Apache incubator). So it would be nice to have a policy added to allow httpd to listen to that port, and to a range of high ports (unless those aren't blocked in the policy) for passive data transfers. If you install policy sources and add the following lines to the apache.te file bool httpd_enable_ftp_server false; if (httpd_enable_ftp_server) { allow httpd_t ftp_port_t:tcp_socket name_bind; } Does this work without the passive outward connections? Then if you need the outbound connections you can set the boolean httpd_can_network_connect This added selinux policy is allowing my FTP module to work (and it seems it's already made it into the targeted policy. Now as passive requires the server to bind localy for incoming connections so we need to add in an option to allow incoming passive connections on a range of high ports. Active FTP requires the server make outgoing connections to the client and requires the httpd_can_network_connect to be enabled. *** Bug 168346 has been marked as a duplicate of this bug. *** |