Bug 225452
| Summary: | SElinux issue - mod_jk and JBossAS - "avc: denied { write } comm="httpd" name="jk.shm" | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | Len DiMaggio <ldimaggi> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.0 | CC: | dbhole, dwalsh, gozen, jorton, viveklak |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-06-21 15:50:08 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This is going to require a change to the SELinux policy, which AFAIK can't be delivered as part of the Stack and will have to be done in a base-RHEL SELinux update. Reassigning. Where is this jk.shm file being placed in the filesystem? [root@cheddar ~]# ll /var/log/httpd/jk.shm -rw-r--r-- 1 root root 0 Jan 30 12:03 /var/log/httpd/jk.shm Why is this being placed in the log jk.shm directory? I'd ask further: 1) what is this file used for? If it's a shared memory segment why can't an anonymous shm method be used? 2) what packages depend on the location of this file. Does Mladen have access to Red Hat Bugzilla? > 1) what is this file used for? If it's a shared memory segment why can't an > anonymous shm method be used? Its use is supposedly for load balancing to work properly. It indeed is a shared memory segment. I am forwarding the BZ link and questions posed here to mladen since he can answer them better. > 2) what packages depend on the location of this file. I dont think any other packages depend on its location. > Does Mladen have access to Red Hat Bugzilla? The BZ seems to be marked public so he should be able to atleast view it... (In reply to comment #3) > Why is this being placed in the log jk.shm directory? The reason why it ended up in /var/log/httpd/jk.shm is because the JkShmFile "logs/jk.shm" directive in the httpd.conf translates to $ServerRoot/logs/jk.shm where $ServerRoot in this case is /etc/httpd. /etc/httpd/logs is a symlink to /var/log/httpd. Short of a custom policy module, a crude fix could perhaps be to use an absolute path to a less offensive location in JkShmFile maybe? (In reply to comment #4) > 1) what is this file used for? If it's a shared memory segment why can't an > anonymous shm method be used? > It is used as a scoreboard with run time data for workers so the load balancer works more accurately. > 2) what packages depend on the location of this file. > Like Vivek said, it evaluates to $ServerRootRelative, so the solution is to use the absolute path to a less offensive location for JkShmFile Using anonymous shared memory would need to be developed probably by using callback to the APR. I'll take a look into that. > Does Mladen have access to Red Hat Bugzilla? Yes :) If the shm segment is only for internal use within mod_jk it should definitely be fixed to use an shm mechanism which doesn't require creating files in the filesystem. Failing that (or if that can't be done in time) it should be moved somewhere sensible. I'd suggest having mod_jk own /var/run/mod_jk and have the default shm location be "run/mod_jk/jk.shm" or similar. Then the SELinux policy can be updated. This: ------------------------------------------------ # Add shared memory. # This directive is present with 1.2.10 and # later versions of mod_jk, and is needed for # for load balancing to work properly #JkShmFile logs/jk.shm JkShmFile run/mod_jk/jk.shm ------------------------------------------------ Does seem to resolve the problem - no AVC messages are written to the log when the httpd service is started. So can I close this as not a bug, or reassign it to some other application? (In reply to comment #10) > So can I close this as not a bug, or reassign it to some other application? Yes, you can close as not a bug... The new mod_jk rpms have been made to own /var/run/mod_jk and the reference documentation has been updated to suggest the use of the following directive which should avoid the issue: JkShmFile run/mod_jk/jk.shm Any subsequent issues regarding this should be filed against mod_jk instead. |
Description of problem: SElinux issue - mod_jk and JBossAS - "avc: denied { write } comm="httpd" name="jk.shm" This avc message is written to /var/log/messages when the httpd service is started - and mod_jk is configured per (http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingMod_jk1.2WithJBoss) Version-Release number of selected component (if applicable): StacksV1-re20070123.0 httpd-2.0.59-1.el4s1.3 jbossas-4.0.5-1.el4s1.5 jbossas-core-4.0.5-1.el4s1.5 mod_jk-ap20-1.2.20-1.el4s1.1 selinux-policy-targeted-1.17.30-2.140 How reproducible: 100% Steps to Reproduce: 1. Configure mod_jk with JBoss 2. Start up the httpd service Actual results: Jan 30 12:50:40 cheddar kernel: audit(1170179440.578:10): avc: denied { write } for pid=32391 comm="httpd" name="jk.shm" dev=dm-0 ino=7586829 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file Jan 30 12:50:40 cheddar kernel: audit(1170179440.979:11): avc: denied { write } for pid=32392 comm="httpd" name="mibs" dev=dm-0 ino=7637551 scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=dir Jan 30 12:50:41 cheddar kernel: audit(1170179441.210:12): avc: denied { write } for pid=32392 comm="httpd" name="jk.shm" dev=dm-0 ino=7586829 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file Expected results: No errors Additional info: http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingMod_jk1.2WithJBoss