Bug 433252

Summary: Starting httpd directly doesn't put it under selinux control.
Product: [Fedora] Fedora
Reporter: Jeff Norden <jeff>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: high
Docs Contact:
Priority: low
Version: 8
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-18 15:13:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jeff Norden 2008-02-18 04:59:45 UTC
Description of problem:
If the apache web server is started directly, instead of from the
/etc/init.d/httpd script, then it runs as unconfined_t instead of httpd_t.

Steps to Reproduce:
1.  Shut down apache with 'service httpd stop'
2.  Start apache directly by executing /usr/sbin/httpd as root
3.  Check the selinux context via 'ps -axZ' and/or
    'tail /var/log/httpd/error_log | grep SELinux'

Actual results:
Apache is not under selinux control when started as above.  If you then do
'service httpd restart', the web server will run as httpd_t under control of the
targeted policy again.

Expected results:
Apache should run in the httpd_t domain no matter how it is started up.  As it
stands, it seems to depend on the selinux context of the init.d/httpd script
being set to: httpd_script_exec_t in *addition* to /usr/sbin/httpd being set to
httpd_exec_t.

Additional info:
You get very weird behavior if the context of the init.d/httpd file gets changed
(e.g., if you try to edit the script - this is what happened to me).
On bootup, apache will start under httpd_t (I'm guessing this has to do with
some special parts of the policy that take effect at that time), but if you
later do 'service httpd restart' to re-start the web server, then apache will no
longer be under selinux control.  If you do 'ls -Z /usr/sbin/httpd' it appears
that the server *should* start correctly.

This gives the appearance of something that works at startup, but 'breaks' if
you stop and re-start it, and can only be 'fixed' by re-booting the whole
system.  This is normal, expected behavior for the operating systems from
Redmond, but it is kind of disconcerting to see it occur under Linux!

Comment 1 Daniel Walsh 2008-02-18 15:13:50 UTC
This seems like you have a labeling problem.

SELinux relies on file labels to start applications correctly.

/sbin/init -> init_exec_t -> init_t
init_t -> Starts init scripts labeled initrc_exec_t -> initrc_t
initrc_t -> Starts httpd labeled httpd_exec_t -> httpd_t

If any of these labels are wrong, this will not happen.  We decided long ago not
to automatically transition unconfined_t -> httpd_exec_t -> httpd_t.  This is to
allow debugging, so you should always start via the init scripts or apachectl.
I would guess that you have a labeling problem in your initscripts.

restorecon -R -v /etc/rc.d
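The label chain in Comment 1 (init_exec_t -> initrc_exec_t -> httpd_exec_t) and the unconfined_t symptom in the report can be checked mechanically before reaching for restorecon. The script below is an added example, not code from the bug report, from Fedora or from the SELinux project. It assumes the "context path" layout that ls -Z printed on Fedora of this era and the "context pid tty time comm" layout of ps -eZ; the ls -Z and ps -eZ output it parses is constructed here so that it runs offline, with one sample chain labeled the way Comment 1 expects and one with the init script relabeled (to etc_t, a constructed value) as the reporter describes happening after editing it.

```shell
#!/bin/sh
# Added example (not from the bug report or Fedora): audit the file labels in
# the init -> initrc -> httpd transition chain and check whether running
# httpd processes ended up in httpd_t. Sample ls -Z / ps -eZ output below is
# constructed so the script runs offline.

# Return the SELinux type (third colon-separated field) of a context string,
# e.g. system_u:object_r:httpd_exec_t:s0 -> httpd_exec_t.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_file_type CONTEXT EXPECTED_TYPE: succeed (0) only if the types match.
check_file_type() {
    [ "$(context_type "$1")" = "$2" ]
}

# audit_labels LS_OUTPUT: one "context path" line per file, as ls -Z printed
# it. Prints one MISLABELED line per path in the chain whose type is not the
# one the policy expects; prints nothing when the whole chain is correct.
# Paths outside the chain are ignored.
audit_labels() {
    printf '%s\n' "$1" | while read -r ctx path; do
        case "$path" in
            /sbin/init)                               want=init_exec_t ;;
            /etc/rc.d/init.d/httpd|/etc/init.d/httpd) want=initrc_exec_t ;;
            /usr/sbin/httpd)                          want=httpd_exec_t ;;
            *) continue ;;
        esac
        if ! check_file_type "$ctx" "$want"; then
            printf 'MISLABELED %s: %s (expected type %s)\n' "$path" "$ctx" "$want"
        fi
    done
}

# all_httpd_confined PS_OUTPUT: ps -eZ style lines, command name last.
# Succeeds only if every httpd process runs in httpd_t; an httpd in
# unconfined_t (the symptom in the report) makes it fail.
all_httpd_confined() {
    printf '%s\n' "$1" | awk '
        $NF == "httpd" { split($1, c, ":"); if (c[3] != "httpd_t") bad++ }
        END { if (bad > 0) exit 1; exit 0 }'
}

# Constructed samples: SAMPLE_LS_GOOD carries the labels Comment 1 expects,
# SAMPLE_LS_BAD has the init script carrying a generic etc_t label instead.
SAMPLE_LS_GOOD='system_u:object_r:init_exec_t:s0 /sbin/init
system_u:object_r:initrc_exec_t:s0 /etc/rc.d/init.d/httpd
system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd'

SAMPLE_LS_BAD='system_u:object_r:init_exec_t:s0 /sbin/init
unconfined_u:object_r:etc_t:s0 /etc/rc.d/init.d/httpd
system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd'

# Constructed ps -eZ samples: httpd started via the init script vs. started
# directly from an unconfined root shell.
SAMPLE_PS_GOOD='system_u:system_r:httpd_t:s0 2345 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0 2346 ? 00:00:00 httpd'

SAMPLE_PS_BAD='unconfined_u:unconfined_r:unconfined_t:s0 2350 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0 2351 ? 00:00:00 httpd'

# Demonstration run on the constructed samples.
printf 'correctly labeled chain: %s problem(s)\n' \
    "$(audit_labels "$SAMPLE_LS_GOOD" | wc -l)"
printf 'chain with edited init script:\n'
audit_labels "$SAMPLE_LS_BAD"
if all_httpd_confined "$SAMPLE_PS_BAD"; then
    echo "httpd is confined (httpd_t)"
else
    echo "httpd is NOT confined: fix labels (restorecon) and restart via the init script or apachectl"
fi
```

On a live host, feed audit_labels the output of `ls -Z /sbin/init /etc/rc.d/init.d/httpd /usr/sbin/httpd` and all_httpd_confined the output of `ps -eZ`; a MISLABELED line for the init script is exactly the situation Comment 1 describes, and the remedy is the restorecon command above followed by a restart through the init script.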