Description of problem:
The following commands:
apachectl graceful
service httpd graceful
/etc/rc.d/init.d/httpd graceful
kill the apache parent process when selinux is enabled. Every apache slave is then able to serve one request and then dies. When every slave dies, connections are refused.

The following is logged to /var/log/httpd/error_log:
[Wed Jul 19 16:02:44 2006] [notice] Graceful restart requested, doing restart
[Wed Jul 19 16:02:44 2006] [notice] seg fault or similar nasty error detected in the parent process

The following is logged to /var/log/audit/audit.log:
type=AVC msg=audit(1153317764.717:7129): avc: denied { name_connect } for pid=25200 comm="httpd" dest=80 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1153317764.717:7129): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfe15110 a2=cf91e8 a3=8084aa0 items=0 pid=25200 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0
type=SOCKADDR msg=audit(1153317764.717:7129): saddr=0A000050000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1153317764.717:7129): nargs=3 a0=9 a1=8084aa0 a2=1c

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.3.2-1.fc5
httpd-2.2.2-1.0

How reproducible:
Always.

Steps to Reproduce:
1. /etc/rc.d/init.d/httpd start
2. apachectl graceful
3. for i in `seq 1 10`; do
       service httpd status
       wget http://localhost/ > /dev/null 2>&1
   done
4. telnet localhost 80

Actual results:
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
httpd (pid 25414 25413 25412 25411 25410 25409 25408) is running...
httpd (pid 25414 25413 25412 25411 25410 25409) is running...
httpd (pid 25414 25413 25412 25411 25410) is running...
httpd (pid 25414 25413 25412 25411) is running...
httpd (pid 25414 25413 25412) is running...
httpd (pid 25414 25413) is running...
httpd (pid 25414) is running...
httpd dead but pid file exists
httpd dead but pid file exists
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host: Connection refused

Expected results:
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).

Additional info:
This is very urgent - "apachectl graceful" is very often used after changes to Apache configuration. And the problem cannot be seen immediately, so an administrator will not notice that apache is dead using a basic test immediately after changes.
Why is this connection to the http port? Default selinux permissions on http are to not allow it to connect to other http boxes. Looks like apachectl is somehow connecting to the port and getting a denial and then exiting. Maybe checking to see if it is listening? You can turn on the httpd_can_network_relay boolean to allow httpd to connect to the httpd port.
setsebool -P httpd_can_network_relay=1
But this is a workaround.
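As an added example (not part of the bug report, the policy package or any of the commenters' posts), the following POSIX shell helper pulls the four fields that matter for triage out of an AVC record like the one quoted in the description: the denied permission, the source type, the target type and the object class. It assumes each audit record sits on a single line, as it does in /var/log/audit/audit.log, and that "denied" may be preceded by one or two spaces (the report shows one, the audit daemon normally writes two). The sample record is the one from the report, embedded here so the script runs offline.

```shell
#!/bin/sh
# Added example: summarise an SELinux AVC denial record for httpd triage.
# Not code from the bug report; the sample line below is copied from it.

# Constructed sample input: the AVC record quoted in the bug description.
SAMPLE_AVC='type=AVC msg=audit(1153317764.717:7129): avc: denied { name_connect } for pid=25200 comm="httpd" dest=80 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket'

# selinux_type CONTEXT -> the type component (user:role:TYPE:level).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "PERM SOURCE_TYPE TARGET_TYPE CLASS" on stdout.
# Returns 1 when the line is not an AVC denial (e.g. SYSCALL/SOCKADDR records).
avc_summary() {
    line=$1
    case $line in
        *'avc:'*'denied'*) ;;
        *) return 1 ;;
    esac
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied {[[:space:]]*\([^} ]*\)[[:space:]]*}.*/\1/p')
    scon=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tcon=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$perm" ] && [ -n "$scon" ] && [ -n "$tcon" ] && [ -n "$tclass" ] || return 1
    printf '%s %s %s %s\n' "$perm" "$(selinux_type "$scon")" "$(selinux_type "$tcon")" "$tclass"
}

# matches_httpd_relay LINE -> exit 0 when the denial is exactly the one from the
# report: httpd_t attempting name_connect to http_port_t on a tcp_socket, which
# comment #1 says the httpd_can_network_relay boolean would permit.
matches_httpd_relay() {
    summary=$(avc_summary "$1") || return 1
    [ "$summary" = "name_connect httpd_t http_port_t tcp_socket" ]
}

# Stand-alone usage: summarise the sample and name the workaround from the report.
avc_summary "$SAMPLE_AVC"
if matches_httpd_relay "$SAMPLE_AVC"; then
    echo "httpd_t -> http_port_t name_connect denied; workaround from the report: setsebool -P httpd_can_network_relay=1"
fi
```

To run it over a real log, feed each line of audit.log to avc_summary (for example with a `while read -r line` loop) and check the current value of the boolean with `getsebool httpd_can_network_relay` before deciding whether the workaround or the policy fix applies.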
http://www.redhat.com/archives/fedora-selinux-list/2005-August/msg00006.html
Tomasz, can you file a separate report against httpd and include a backtrace for the segfault? That is a separate issue. To get a backtrace add "CoreDumpDirectory /tmp" to httpd.conf, then run gdb on the core dump produced and enter "bt full" at the gdb prompt.
Created attachment 132690 [details] strace of the apache parent process while "apachectl graceful" I'm attaching a strace of the Apache parent while doing "apachectl graceful". It does show that Apache segfaults (as logged in error_log).
(In reply to comment #3) > Tomasz, can you file a separate report against httpd and include a backtrace for > the segfault? Done. Filed a bug 199429.
Fixed in selinux-policy-2.3.14-3
Closing bugs