Bug 225452 - SElinux issue - mod_jk and JBossAS - "avc: denied { write } comm="httpd" name="jk.shm"
SElinux issue - mod_jk and JBossAS - "avc: denied { write } comm="httpd" na...
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-01-30 13:05 EST by Len DiMaggio
Modified: 2007-11-30 17:07 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-06-21 11:50:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Len DiMaggio 2007-01-30 13:05:22 EST
Description of problem:
SElinux issue - mod_jk and JBossAS -  "avc: denied  { write } comm="httpd"
name="jk.shm"

This avc message is written to /var/log/messages when the httpd service is
started - and mod_jk is configured per
(http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingMod_jk1.2WithJBoss)

Version-Release number of selected component (if applicable):
StacksV1-re20070123.0
httpd-2.0.59-1.el4s1.3
jbossas-4.0.5-1.el4s1.5
jbossas-core-4.0.5-1.el4s1.5
mod_jk-ap20-1.2.20-1.el4s1.1
selinux-policy-targeted-1.17.30-2.140

How reproducible:
100%

Steps to Reproduce:
1. Configure mod_jk with JBoss
2. Start up the httpd service
  
Actual results:
Jan 30 12:50:40 cheddar kernel: audit(1170179440.578:10): avc:  denied  { write
} for  pid=32391 comm="httpd" name="jk.shm" dev=dm-0 ino=7586829
scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file
Jan 30 12:50:40 cheddar kernel: audit(1170179440.979:11): avc:  denied  { write
} for  pid=32392 comm="httpd" name="mibs" dev=dm-0 ino=7637551
scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=dir
Jan 30 12:50:41 cheddar kernel: audit(1170179441.210:12): avc:  denied  { write
} for  pid=32392 comm="httpd" name="jk.shm" dev=dm-0 ino=7586829
scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file

Expected results:
No errors

Additional info:
http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingMod_jk1.2WithJBoss
Comment 1 Joe Orton 2007-01-30 16:03:41 EST
This is going to require a change to the SELinux policy, which AFAIK can't be
delivered as part of the Stack and will have to be done in a base-RHEL SELinux
update.

Reassigning.  Where is this jk.shm file being placed in the filesystem?
Comment 2 Len DiMaggio 2007-01-30 16:14:12 EST
[root@cheddar ~]# ll  /var/log/httpd/jk.shm
-rw-r--r--  1 root root 0 Jan 30 12:03 /var/log/httpd/jk.shm
Comment 3 Daniel Walsh 2007-01-30 16:48:27 EST
Why is this being placed in the log jk.shm directory?
Comment 4 Joe Orton 2007-01-30 17:01:10 EST
I'd ask further:

1) what is this file used for?  If it's a shared memory segment why can't an
anonymous shm method be used?

2) what packages depend on the location of this file.

Does Mladen have access to Red Hat Bugzilla?
Comment 5 Vivek Lakshmanan 2007-01-30 22:40:02 EST
> 1) what is this file used for?  If it's a shared memory segment why can't an
> anonymous shm method be used?
Its use is supposedly for load balancing to work properly. It indeed is a shared
memory segment. I am forwarding the BZ link and questions posed here to mladen
since he can answer them better.

> 2) what packages depend on the location of this file.
I dont think any other packages depend on its location. 

> Does Mladen have access to Red Hat Bugzilla?
The BZ seems to be marked public so he should be able to atleast view it...
Comment 6 Vivek Lakshmanan 2007-01-30 22:42:16 EST
(In reply to comment #3)
> Why is this being placed in the log jk.shm directory?

The reason why it ended up in /var/log/httpd/jk.shm is because the JkShmFile
"logs/jk.shm" directive in the httpd.conf translates to $ServerRoot/logs/jk.shm
where $ServerRoot in this case is /etc/httpd. /etc/httpd/logs is a symlink to
/var/log/httpd. 

Short of a custom policy module, a crude fix could perhaps be to use an absolute
path to a less offensive location in JkShmFile maybe? 

Comment 7 Mladen Turk 2007-01-31 02:15:25 EST
(In reply to comment #4)
> 1) what is this file used for?  If it's a shared memory segment why can't an
> anonymous shm method be used?
>

It is used as a scoreboard with run time data for workers so the
load balancer works more accurately.
 
> 2) what packages depend on the location of this file.
>

Like Vivek said, it evaluates to $ServerRootRelative, so the solution is
to use the absolute path to a less offensive location for JkShmFile
Using anonymous shared memory would need to be developed probably
by using callback to the APR. I'll take a look into that.
 
> Does Mladen have access to Red Hat Bugzilla?

Yes :)
Comment 8 Joe Orton 2007-01-31 10:14:22 EST
If the shm segment is only for internal use within mod_jk it should definitely
be fixed to use an shm mechanism which doesn't require creating files in the
filesystem.

Failing that (or if that can't be done in time) it should be moved somewhere
sensible.  I'd suggest having mod_jk own /var/run/mod_jk and have the default
shm location be "run/mod_jk/jk.shm" or similar.  Then the SELinux policy can be
updated.
Comment 9 Len DiMaggio 2007-02-01 13:55:16 EST
This:

------------------------------------------------
# Add shared memory.
# This directive is present with 1.2.10 and
# later versions of mod_jk, and is needed for
# for load balancing to work properly
#JkShmFile logs/jk.shm
JkShmFile run/mod_jk/jk.shm
------------------------------------------------

Does seem to resolve the problem - no AVC messages are written to the log when
the httpd service is started.

Comment 10 Daniel Walsh 2007-06-21 09:10:44 EDT
So can I close this as not a bug, or reassign it to some other application?
Comment 11 Vivek Lakshmanan 2007-06-21 11:11:07 EDT
(In reply to comment #10)
> So can I close this as not a bug, or reassign it to some other application?

Yes, you can close as not a bug... The new mod_jk rpms have been made to own
/var/run/mod_jk and the reference documentation has been updated to suggest the
use of the following directive which should avoid the issue:
JkShmFile run/mod_jk/jk.shm

Any subsequent issues regarding this should be filed against mod_jk instead.

Note You need to log in before you can comment on or make changes to this bug.