Bug 707139
| Summary: | SELinux killing Apache Worker MPM | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Lukas Koranda <lkoranda> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 5.6 | CC: | dwalsh, mmalik |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-2.4.6-308.el5 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-07-21 09:19:04 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Looks like we need to backport the httpd_execmem boolean.

I'm able to reproduce the bug on an x86_64 machine with RHEL-5.6.
Here are error messages from /var/log/httpd/error_log:
[Tue May 24 10:13:17 2011] [notice] mod_python: Creating 4 session mutexes based on 120 max processes and 150 max threads.
[Tue May 24 10:13:17 2011] [alert] (13)Permission denied: apr_thread_create: unable to create worker thread
[Tue May 24 10:13:17 2011] [alert] (13)Permission denied: apr_thread_create: unable to create worker thread
[Tue May 24 10:13:17 2011] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Tue May 24 10:13:17 2011] [alert] (13)Permission denied: apr_thread_create: unable to create worker thread
[Tue May 24 10:13:17 2011] [alert] (13)Permission denied: apr_thread_create: unable to create worker thread
[Tue May 24 10:13:17 2011] [alert] (13)Permission denied: apr_thread_create: unable to create worker thread
[Tue May 24 10:13:19 2011] [alert] No active workers found... Apache is exiting!
Here is the AVC:
----
time->Tue May 24 10:13:17 2011
type=SYSCALL msg=audit(1306246397.623:126): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=a01000 a2=7 a3=22 items=0 ppid=7523 pid=7936 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd.worker" exe="/usr/sbin/httpd.worker" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1306246397.623:126): avc: denied { execmem } for pid=7936 comm="httpd.worker" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process
----
Interestingly, the same scenario does not reproduce the bug on other architectures with RHEL-5.6.
Even though I tried really hard, I was not able to reproduce the bug on any architecture with RHEL-5.7 beta.
Reproducer
==========
1) uncomment the following line in /etc/sysconfig/httpd:
HTTPD=/usr/sbin/httpd.worker
2) create the /etc/httpd/conf.d/worker.conf file with the following content:
<IfModule worker.c>
ThreadLimit 150
ServerLimit 150
StartServers 5
MaxClients 3000
MinSpareThreads 150
MaxSpareThreads 450
ThreadsPerChild 150
MaxRequestsPerChild 0
</IfModule>
3) setenforce 1
4) service httpd restart
5) ps -efZ | grep httpd
There are no httpd.worker processes running on the x86_64 machine with RHEL-5.6.

Does rhel5 have an httpd_execmem boolean?
setsebool -P httpd_execmem 1

No, I need to backport it.

Fixed in selinux-policy-2.4.6-308.el5

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2011-1069.html
Description of problem:
SELinux killing Apache Worker MPM

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-300.el5
selinux-policy-targeted-2.4.6-300.el5
httpd-2.2.3-45.el5

How reproducible:
Switch Apache to use MPM worker and watch...

Actual results:
May 23 20:01:25 httpd.worker[650]: [alert] (13)Permission denied: apr_thread_create: unable to create listener thread
May 23 20:01:25 httpd.worker[32640]: [alert] (13)Permission denied: apr_thread_create: unable to create listener thread
May 23 20:01:25 httpd.worker[466]: [alert] (13)Permission denied: apr_thread_create: unable to create worker thread
May 23 20:01:27 httpd.worker[32504]: [alert] No active workers found... Apache is exiting!

Expected results:
Working Apache with MPM worker serving customers.

Additional info:
Active targeted policy
host= type=AVC msg=audit(1306171931.444:821): avc: denied { execmem } for pid=10970 comm="httpd.worker" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process
host= type=SYSCALL msg=audit(1306171931.444:821): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=a01000 a2=7 a3=22 items=0 ppid=10949 pid=10970 auid=15195 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=56 comm="httpd.worker" exe="/usr/sbin/httpd.worker" subj=user_u:system_r:httpd_t:s0 key=(null)