Bug 199419 - "apachectl graceful" kills apache when selinux enabled
Summary: "apachectl graceful" kills apache when selinux enabled
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: urgent
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2006-07-19 14:16 UTC by Tomasz Ostrowski
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-03-28 20:03:34 UTC
Type: ---
Embargoed:


Attachments
strace of the apache parent process while "apachectl graceful" (1.45 KB, text/plain)
2006-07-19 14:48 UTC, Tomasz Ostrowski

Description Tomasz Ostrowski 2006-07-19 14:16:32 UTC
Description of problem:
The following commands:
    apachectl graceful
    service httpd graceful
    /etc/rc.d/init.d/httpd graceful
kill the apache parent process when selinux is enabled. Every apache slave is then
able to serve one request and then dies. When every slave has died, connections are
refused.

The following is logged to /var/log/httpd/error_log:
[Wed Jul 19 16:02:44 2006] [notice] Graceful restart requested, doing restart
[Wed Jul 19 16:02:44 2006] [notice] seg fault or similar nasty error detected in
the parent process

The following is logged to /var/log/audit/audit.log:
type=AVC msg=audit(1153317764.717:7129):
  avc: denied  { name_connect } for  pid=25200 comm="httpd" dest=80
  scontext=user_u:system_r:httpd_t:s0
  tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1153317764.717:7129):
  arch=40000003 syscall=102 success=no exit=-13
  a0=3 a1=bfe15110 a2=cf91e8 a3=8084aa0 items=0 pid=25200
  auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
  tty=(none) comm="httpd" exe="/usr/sbin/httpd"
  subj=user_u:system_r:httpd_t:s0
type=SOCKADDR msg=audit(1153317764.717:7129):
  saddr=0A000050000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1153317764.717:7129):
  nargs=3 a0=9 a1=8084aa0 a2=1c

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.3.2-1.fc5
httpd-2.2.2-1.0

How reproducible:
Always.

Steps to Reproduce:
1. /etc/rc.d/init.d/httpd start
2. apachectl graceful
3. for i in `seq 1 10`; do
     service httpd status
     wget http://localhost/ > /dev/null 2>&1
   done
4. telnet localhost 80

Actual results:
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
httpd (pid 25414 25413 25412 25411 25410 25409 25408) is running...
httpd (pid 25414 25413 25412 25411 25410 25409) is running...
httpd (pid 25414 25413 25412 25411 25410) is running...
httpd (pid 25414 25413 25412 25411) is running...
httpd (pid 25414 25413 25412) is running...
httpd (pid 25414 25413) is running...
httpd (pid 25414) is running...
httpd dead but pid file exists
httpd dead but pid file exists
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host: Connection refused

Expected results:
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
httpd (pid 25414 25413 25412 25411 25410 25409 25408 25407) is running...
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).

Additional info:
This is very urgent - "apachectl graceful" is very often used after changes to
the Apache configuration. And the problem cannot be seen immediately, so an
administrator will not notice that apache is dead using a basic test immediately
after changes.
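
The audit records quoted in the report are the evidence a defender works from, and the SOCKADDR record in particular is only useful once its raw `saddr` bytes are decoded. The following is an added example for reading such records, not code from the report or from the selinux-policy project. It groups the records of one audit event by serial number, pulls the source and target SELinux types, permission and errno out of the AVC and SYSCALL records, and decodes the `saddr` field (the report's `arch=40000003` is i386, so the `sa_family` field is assumed little-endian, and Linux values for AF_INET/AF_INET6 are hard-coded so the result does not depend on the analyst's host). The sample log is the report's four records joined back onto one line each, as auditd writes them; the AF_INET address in the test is constructed.

```python
import errno
import re
import socket
import struct
from collections import defaultdict

# Constructed sample: the four records from the bug report, one per line as
# auditd writes them (the report shows them wrapped for display).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1153317764.717:7129): avc:  denied  { name_connect } for  pid=25200 comm="httpd" dest=80 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1153317764.717:7129): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfe15110 a2=cf91e8 a3=8084aa0 items=0 pid=25200 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0
type=SOCKADDR msg=audit(1153317764.717:7129): saddr=0A000050000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1153317764.717:7129): nargs=3 a0=9 a1=8084aa0 a2=1c
"""

# Linux values; the log came from a Linux host, so do not use the analyst host's socket.AF_*.
LINUX_AF_INET = 2
LINUX_AF_INET6 = 10

_TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')
_EVENT_ID = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
_PERMS = re.compile(r'(granted|denied)\s+\{\s*([^}]*?)\s*\}')


def parse_record(line):
    """Split one audit record into a dict of key=value fields.
    Quoted values lose their quotes; the AVC '{ perm ... }' list becomes
    'decision' and 'perms' entries; the audit(...) id becomes event_time/serial."""
    fields = {}
    for key, value in _TOKEN.findall(line):
        if value.startswith('"'):
            value = value[1:-1]
        fields[key] = value
    m = _PERMS.search(line)
    if m:
        fields['decision'] = m.group(1)
        fields['perms'] = m.group(2).split()
    m = _EVENT_ID.search(line)
    if m:
        fields['event_time'] = m.group(1)
        fields['event_serial'] = int(m.group(2))
    return fields


def decode_saddr(hex_saddr):
    """Decode the raw sockaddr bytes logged in a SOCKADDR record.
    sa_family is in host byte order (assumed little-endian, i386 per arch=40000003);
    the port is always in network byte order."""
    raw = bytes.fromhex(hex_saddr)
    family = struct.unpack('<H', raw[:2])[0]
    if family == LINUX_AF_INET and len(raw) >= 8:          # struct sockaddr_in
        port = struct.unpack('!H', raw[2:4])[0]
        return {'family': 'AF_INET', 'port': port,
                'address': socket.inet_ntop(socket.AF_INET, raw[4:8])}
    if family == LINUX_AF_INET6 and len(raw) >= 24:        # struct sockaddr_in6
        port = struct.unpack('!H', raw[2:4])[0]             # bytes 4..8 are flowinfo
        return {'family': 'AF_INET6', 'port': port,
                'address': socket.inet_ntop(socket.AF_INET6, raw[8:24])}
    return {'family': family, 'port': None, 'address': None}


def summarize_denials(log_text):
    """Group records by audit serial and summarize each event that contains an AVC denial."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec.get('event_serial')].append(rec)
    summaries = []
    for serial, records in sorted(events.items(), key=lambda kv: kv[0] or 0):
        by_type = {r.get('type'): r for r in records}
        avc = by_type.get('AVC')
        if avc is None or avc.get('decision') != 'denied':
            continue
        summary = {
            'serial': serial,
            'source_type': avc['scontext'].split(':')[2],   # e.g. httpd_t
            'target_type': avc['tcontext'].split(':')[2],   # e.g. http_port_t
            'tclass': avc.get('tclass'),
            'perms': avc.get('perms', []),
            'comm': avc.get('comm'),
            'pid': int(avc['pid']),
        }
        sc = by_type.get('SYSCALL')
        if sc is not None:
            summary['syscall_failed'] = sc.get('success') == 'no'
            code = -int(sc['exit']) if sc.get('exit', '').lstrip('-').isdigit() else None
            summary['errno'] = code
            summary['errno_name'] = errno.errorcode.get(code) if code is not None else None
        sa = by_type.get('SOCKADDR')
        if sa is not None:
            summary['dest'] = decode_saddr(sa['saddr'])
        summaries.append(summary)
    return summaries


if __name__ == '__main__':
    for s in summarize_denials(SAMPLE_AUDIT_LOG):
        print(f"event {s['serial']}: {s['comm']}[{s['pid']}] ({s['source_type']}) denied "
              f"{' '.join(s['perms'])} on {s['tclass']} {s['target_type']} -> "
              f"{s['dest']['address']} port {s['dest']['port']} ({s.get('errno_name')})")
```

Run on the report's records this prints one event: `httpd_t` denied `name_connect` to `http_port_t`, the connect failing with EACCES (exit=-13), and the destination decoding to port 80 on the IPv6 unspecified address `::`, a 28-byte sockaddr_in6 matching the `a2=1c` length argument in the SOCKETCALL record. Decoding the destination is what lets a reviewer tell a legitimate relay/proxy connection (the case `httpd_can_network_relay` is meant for) from a connect that should simply not be happening.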

Comment 1 Daniel Walsh 2006-07-19 14:34:05 UTC
Why is this connection to the http port?

Default selinux permissions on http are to not allow it to connect to other http
boxes.  Looks like apachectl is somehow connecting to the port and getting a
denial and then exiting.  Maybe checking to see if it is listening?

You can turn on httpd_can_network_relay boolean to allow httpd to connect to the
httpd port.

setsebool -P httpd_can_network_relay=1

But this is a workaround.

Comment 3 Joe Orton 2006-07-19 14:45:26 UTC
Tomasz, can you file a separate report against httpd and include a backtrace for
the segfault?  That is a separate issue.  To get a backtrace add
"CoreDumpDirectory /tmp" to httpd.conf, then run gdb on the core dump produced
and enter "bt full" at the gdb prompt.

Comment 4 Tomasz Ostrowski 2006-07-19 14:48:49 UTC
Created attachment 132690
strace of the apache parent process while "apachectl graceful"

I'm attaching a strace of the Apache parent while doing "apachectl graceful".
It does show that Apache segfaults (as logged in error_log).

Comment 5 Tomasz Ostrowski 2006-07-19 15:29:17 UTC
(In reply to comment #3)
> Tomasz, can you file a separate report against httpd and include a backtrace for
> the segfault?

Done. Filed a bug 199429.

Comment 6 Daniel Walsh 2006-09-18 17:52:18 UTC
Fixed in selinux-policy-2.3.14-3

Comment 7 Daniel Walsh 2007-03-28 20:03:34 UTC
Closing bugs
