Bug 675019

| Summary: | mod_cluster from the JBoss does work with the included httpd version | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jim Tyrrell <jtyrrell> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.0 | CC: | degts, dwalsh, jbossredhatbugs, jclere |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-02-24 09:52:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description (Jim Tyrrell, 2011-02-03 22:30:22 UTC)
Please attach the audit log. We need to know things like: which socket is it binding to? Why is mod_cluster listening on a soundd port? What log file/directory is mod_cluster creating a log file in?

Created attachment 477050: audit.log
Here is the audit log, let me know what else you need.

I want to know what directory it is storing manager.node.nodes and other files in? manager.host.hosts? manager.balancer.balancers? manager.sessionid.sessionid? manager.domain.domain? Which ports does it need to relay? All tcp ports? All udp ports? This is definitely something we want to fix in 6.1.

Thank you for wanting to fix this in 6.1!!!! Let me know how I can be of help.

Jim, could you send me a quick how-to for setting up mod_cluster? Could you add the command
# auditctl -w /etc/shadow -p w
Then you should get a path with the next avc messages. Also look at Dan's questions.

I am on the road this week with travel; the above questions will have to wait until next week.

I suspect these files are created directly in the /var/log/httpd/ dir. Also I don't think these files are log files and should be located in the log dir. They look more like cache files, so they should be located in /var/cache/httpd.

I am trying to set up this environment.

Created attachment 478918: audit log after turning on auditctl -w /etc/shadow -p w

Created attachment 478921: Here are the instructions for installing mod_cluster
Please let me know if you have any other questions.

Thanks for the audit.log. So these manager.balancer.balancers, manager.sessionid.sessionid, manager.domain.domain files are created in the /etc/httpd/log directory. I was talking with mod_cluster QA also and he confirmed it. I believe this is wrong and the location should be changed to use the /var/cache/httpd directory, since these files are not log files. Then the apache policy could cover it.
# sesearch -A -s httpd_t -t httpd_cache_t

I am seeing from the pdf file "Listen 127.0.0.1:8000". This is the reason why httpd is using the soundd port. Again I believe the httpd cache port could be used for this.
# semanage port -l | grep -w http_cache_port_t
http_cache_port_t tcp 8080, 8118, 10001-10010
http_cache_port_t udp 3130

The last issue. Why is the 23364/udp port used? Did you set it up?

Jim, could you add mod_cluster developer(s) to discuss these issues?

As I wrote in comments #13, #14 I believe it should be fixed in mod_cluster, since we don't want to allow apache to write its own logs or use generic ports. I am going to close it as WONTFIX from the SELinux perspective for now. If you do not agree, please reopen the bug with the requested info. There is a workaround. But as I said, it should be fixed in mod_cluster.
1. Use apache cache ports in the mod_cluster conf files:

```
# semanage port -l | grep -w http_cache_port_t
http_cache_port_t tcp 8080, 8118, 10001-10010
http_cache_port_t udp 3130
```

2. Add a local policy module:

```
# cat > jbosshttpd.te << _EOF
module jbosshttpd 1.0;

require {
    type httpd_log_t;
    type httpd_t;
    class file write;
    class dir remove_name;
}

#============= httpd_t ==============
allow httpd_t httpd_log_t:dir remove_name;
allow httpd_t httpd_log_t:file write;
_EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i jbosshttpd.pp
```
How can this be closed? We have engineering work on the mod_cluster side, and then it needs to be tested and validated that this is all that is needed to correct the errors that I am seeing.

Well, as I said, I closed this from the SELinux perspective. Where could I bring up this issue for mod_cluster? Or do you mean mod_cluster folks work on that?

https://issues.jboss.org/browse/MODCLUSTER-211
Comments can be made here; unfortunately this has been assigned to a docs person, yet your requests are a touch of docs, but mostly engineering changes. If you can update that ticket with that info, or tell me what to say, I can do that. Thank you in advance.

So I would like to change the manager.balancer.balancers, manager.sessionid.sessionid, manager.domain.domain files to be created in the /var/cache/httpd directory.

```
type=AVC msg=audit(1298936751.334:44): avc: denied { unlink } for pid=2461 comm="httpd" name="manager.node.nodes" dev=sda2 ino=40368 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1298936751.334:44): arch=c000003e syscall=87 success=no exit=-13 a0=7fd3f523a8d0 a1=7fd3f52014d8 a2=2 a3=7fff69e5f000 items=0 ppid=1 pid=2461 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
```
Can you decode what is going on with this error message? I tried per the jira:
MemManagerFile /var/cache/httpd
and updated the communication port from 8000 to 10001.

Yes, apache calls unlink to remove the "manager.node.nodes" file. Could you add the output of
# ls -lZ /etc/httpd/log
and
# ls -lZ /var/cache/httpd

```
[root@localhost jimtyrrell]# ls -lZ /etc/httpd/logs/
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 access_log
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 access_log-20110215
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 error_log
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 error_log-20110215
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 error_log-20110228
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.balancer.balancers
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.balancer.balancers.lock
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.balancer.balancers.slotmem
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.context.contexts
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.context.contexts.lock
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.context.contexts.slotmem
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.domain.domain
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.domain.domain.lock
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.domain.domain.slotmem
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.host.hosts
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.host.hosts.lock
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.host.hosts.slotmem
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.node.nodes
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.node.nodes.lock
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.node.nodes.slotmem
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.sessionid.sessionid
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.sessionid.sessionid.lock
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.sessionid.sessionid.slotmem
[root@localhost jimtyrrell]#
[root@localhost jimtyrrell]# ls -lZ /var/cache/httpd/
[root@localhost jimtyrrell]#
```

If you execute
# semanage permissive -a httpd_t
what avc msgs are you seeing then?

```
type=AVC msg=audit(1298997487.524:22622): avc: denied { unlink } for pid=2373 comm="httpd" name="manager.node.nodes" dev=sda2 ino=40368 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1298997487.524:22622): arch=c000003e syscall=87 success=yes exit=0 a0=7fbf2ff2b8d0 a1=7fbf2fef24d8 a2=2 a3=7ffff6d64e40 items=0 ppid=1 pid=2373 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
```

If the manager.* files are still in /etc/httpd/logs/, it is that the directive
MemManagerFile /var/cache/httpd
is not in the right virtualhost; could you put it in the main server (outside any virtualhost).
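The thread asks twice what the pasted AVC records mean and shows the effect of `semanage permissive -a httpd_t` (the same denial is still logged, but the SYSCALL record now says `success=yes`). As an added example that is not part of the bug report, of selinux-policy or of mod_cluster, here is a small Python decoder over the two AVC/SYSCALL pairs quoted above. It pairs each AVC record with the SYSCALL record carrying the same audit id, pulls out the fields a policy author reads first (source domain, target type, object class, denied permission), tells enforcing from permissive by the syscall outcome, and prints the `allow` rule the denial maps to, in the same form as the workaround module, so the two options in the thread can be compared side by side: loosen the policy, or move the files to a directory whose label (`httpd_cache_t` under `/var/cache/httpd`) the shipped policy already permits. All function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Audit records copied verbatim from the bug comments above: the first pair was taken
# in enforcing mode (success=no, exit=-13), the second after httpd_t was made permissive.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1298936751.334:44): avc: denied { unlink } for pid=2461 comm="httpd" name="manager.node.nodes" dev=sda2 ino=40368 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1298936751.334:44): arch=c000003e syscall=87 success=no exit=-13 a0=7fd3f523a8d0 a1=7fd3f52014d8 a2=2 a3=7fff69e5f000 items=0 ppid=1 pid=2461 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1298997487.524:22622): avc: denied { unlink } for pid=2373 comm="httpd" name="manager.node.nodes" dev=sda2 ino=40368 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1298997487.524:22622): arch=c000003e syscall=87 success=yes exit=0 a0=7fbf2ff2b8d0 a1=7fbf2fef24d8 a2=2 a3=7ffff6d64e40 items=0 ppid=1 pid=2373 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<id>[\d.]+:\d+)\): avc:\s+(?P<verdict>denied|granted)'
    r'\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\((?P<id>[\d.]+:\d+)\):\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text: str) -> Dict[str, str]:
    """Turn 'pid=2461 comm="httpd" ...' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx: str) -> str:
    """user:role:type:level -> type, the field policy rules are written against."""
    return ctx.split(':')[2]


@dataclass
class Denial:
    audit_id: str
    permissions: List[str]
    source_domain: str        # type of scontext, e.g. httpd_t
    target_type: str          # type of tcontext, e.g. httpd_log_t
    tclass: str               # object class, e.g. file
    name: str                 # object name as logged
    comm: str                 # process name
    syscall_succeeded: Optional[bool] = None   # filled from the paired SYSCALL record


def parse_audit(text: str) -> List[Denial]:
    """Collect AVC denials and pair each with the SYSCALL record sharing its audit id."""
    denials: Dict[str, Denial] = {}
    outcomes: Dict[str, bool] = {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m and m.group('verdict') == 'denied':
            kv = parse_kv(m.group('rest'))
            denials[m.group('id')] = Denial(
                audit_id=m.group('id'),
                permissions=m.group('perms').split(),
                source_domain=context_type(kv['scontext']),
                target_type=context_type(kv['tcontext']),
                tclass=kv['tclass'],
                name=kv.get('name', ''),
                comm=kv.get('comm', ''),
            )
            continue
        m = SYSCALL_RE.match(line)
        if m:
            outcomes[m.group('id')] = parse_kv(m.group('rest')).get('success') == 'yes'
    for audit_id, denial in denials.items():
        denial.syscall_succeeded = outcomes.get(audit_id)
    return list(denials.values())


def effective_mode(d: Denial) -> str:
    """A denial whose syscall still succeeded was only logged: the domain (or the whole
    system) is permissive, which is exactly what `semanage permissive -a httpd_t` produces."""
    if d.syscall_succeeded is None:
        return 'unknown'
    return 'permissive' if d.syscall_succeeded else 'enforcing'


def allow_rule(d: Denial) -> str:
    """The rule audit2allow would emit for this denial (same form as the workaround module)."""
    perms = d.permissions[0] if len(d.permissions) == 1 else '{ ' + ' '.join(d.permissions) + ' }'
    return f'allow {d.source_domain} {d.target_type}:{d.tclass} {perms};'


def explain(d: Denial) -> str:
    """One-line reading of the denial for whoever is triaging it."""
    return (f'{d.comm} ({d.source_domain}) was refused {" ".join(d.permissions)} on '
            f'{d.tclass} "{d.name}" labelled {d.target_type}; mode: {effective_mode(d)}')


if __name__ == '__main__':
    for d in parse_audit(SAMPLE_AUDIT):
        print(explain(d))
        print('  rule that would silence it:', allow_rule(d))
        print('  alternative: create the file under a directory whose label the policy'
              ' already lets httpd_t manage (here /var/cache/httpd, httpd_cache_t)')
```

Running it on the two quoted pairs yields `allow httpd_t httpd_log_t:file unlink;` for both, with the first reported as enforcing and the second as permissive. The rule is what the local-module workaround above amounts to (one permission at a time); the thread's preferred fix, relocating the `manager.*` files via `MemManagerFile` so they are labelled `httpd_cache_t`, needs no such rule because the stock policy already covers that type, which is what the `sesearch -A -s httpd_t -t httpd_cache_t` check in the thread confirms.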