Red Hat Bugzilla – Bug 433252
Starting httpd directly doesn't put it under selinux control.
Last modified: 2008-02-18 10:13:50 EST
Description of problem:
If the apache web server is started directly, instead of from the
/etc/init.d/httpd script, then it runs as unconfined_t instead of httpd_t.
Steps to Reproduce:
1. Shut down apache with 'service httpd stop'
2. Start apache directly by executing /usr/sbin/httpd as root
3. Check the selinux context via ps -axZ and/or tail
Apache is not under selinux control when started as above. If you then do
'service httpd restart', the web server will run as httpd_t under control of the
targeted policy again.
Apache should run in the httpd_t domain no matter how it is started up. As it
stands, it seems to depend on the selinux context of the init.d/httpd script
being set to: httpd_script_exec_t in *addition* to /usr/sbin/httpd being set to
You get very weird behavior if the context of the init.d/httpd file gets changed
(e.g., if you try to edit the script - this is what happened to me).
On bootup, apache will start under httpd_t (I'm guessing this has to do with
some special parts of the policy that take effect at that time), but if you
later do 'service httpd restart' to re-start the web server, then apache will no
longer be under selinux control. If you do 'ls -Z /usr/sbin/httpd' it appears
that the server *should* start correctly.
This gives the appearance of something that works at startup, but 'breaks' if
you stop and re-start it, and can only be 'fixed' by re-booting the whole
system. This is normal, expected behavior for the operating systems from
Redmond, but it is kind of disconcerting to see it occur under Linux!
This seems like you have a labeling problem.
SELinux relies on file labels to start applications correctly.
/sbin/init -> init_exec_t -> init_t
init_t -> Starts init scripts labeled initrc_exec_t -> initrc_t
initrc_t -> Starts httpd labeled httpd_exec_t -> httpd_t
If any of these labels are wrong, this will not happen. We decided long ago not
to automatically transition unconfined_t -> httpd_exec_t -> httpd_t. This is to
allow debugging, so you should always start via the init scripts or apachectl.
I would guess that you have a labeling problem in your initscripts:
restorecon -R -v /etc/rc.d
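An added script (not from the bug report or from the policy maintainers) that checks the label chain described in the comment above and lists any httpd instance running outside httpd_t, as happens when the server is started by hand. The file paths and expected types are assumptions taken from the comment, the ps sample is constructed, and check_httpd_labels.sh is a hypothetical file name:

```bash
#!/bin/bash
# Added example (not from the bug report): check the label chain the maintainer
# describes (init_exec_t -> initrc_exec_t -> httpd_exec_t) and list httpd
# processes running outside httpd_t. Paths and expected types are assumed
# from the comment; older policies label the init script httpd_script_exec_t.

# Return the type field of a context such as system_u:object_r:httpd_exec_t:s0.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare one file's context with the expected type; print a verdict and the
# restorecon command that would repair a wrong label.
check_type() {
    path=$1; expected=$2; actual=$(selinux_type "$3")
    if [ "$actual" = "$expected" ]; then
        echo "ok        $path is $actual"; return 0
    fi
    echo "MISMATCH  $path is '$actual', expected $expected (try: restorecon -v $path)"
    return 1
}

# Given 'ps -eZ' style output, print every httpd process whose domain is not
# httpd_t, one per line; no output means every instance is confined.
unconfined_httpd() {
    printf '%s\n' "$1" | awk '$NF == "httpd"' | while read -r ctx rest; do
        t=$(selinux_type "$ctx")
        if [ "$t" != httpd_t ]; then echo "pid ${rest%% *} runs as $t"; fi
    done
}

# Constructed sample of 'ps -eZ' output: one worker started by the init script
# and one started by hand as root, as in step 2 of the report.
SAMPLE_PS='LABEL                             PID TTY      TIME CMD
system_u:system_r:httpd_t:s0     1001 ?    00:00:00 httpd
root:system_r:unconfined_t:s0    2001 ?    00:00:00 httpd
system_u:system_r:crond_t:s0     1500 ?    00:00:00 crond'

# Live check on an SELinux host (./check_httpd_labels.sh --live): stat -c %C
# prints a file's security context, or '?' where SELinux is unavailable.
check_chain_live() {
    rc=0
    check_type /sbin/init        init_exec_t   "$(stat -c %C /sbin/init 2>/dev/null)"        || rc=1
    check_type /etc/init.d/httpd initrc_exec_t "$(stat -c %C /etc/init.d/httpd 2>/dev/null)" || rc=1
    check_type /usr/sbin/httpd   httpd_exec_t  "$(stat -c %C /usr/sbin/httpd 2>/dev/null)"   || rc=1
    unconfined_httpd "$(ps -eZ)"
    return $rc
}
if [ "${1:-}" = --live ]; then check_chain_live; fi
```

A MISMATCH on /etc/init.d/httpd reproduces the report's symptom: init scripts with the wrong label never transition to initrc_t, so the httpd_exec_t -> httpd_t transition is never reached.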