Bug 433252 - Starting httpd directly doesn't put it under selinux control.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: high
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2008-02-17 23:59 EST by Jeff Norden
Modified: 2008-02-18 10:13 EST
Doc Type: Bug Fix
Last Closed: 2008-02-18 10:13:50 EST
Description Jeff Norden 2008-02-17 23:59:45 EST
Description of problem:
If the apache web server is started directly, instead of from the
/etc/init.d/httpd script, then it runs as unconfined_t instead of httpd_t.

Steps to Reproduce:
1.  Shut down apache with 'service httpd stop'
2.  Start apache directly by executing /usr/sbin/httpd as root
3.  Check the selinux context via 'ps -axZ' and/or
    'tail /var/log/httpd/error_log | grep SELinux'

Actual results:
Apache is not under selinux control when started as above.  If you then do
'service httpd restart', the web server will run as httpd_t under control of the
targeted policy again.

Expected results:
Apache should run in the httpd_t domain no matter how it is started up.  As it
stands, it seems to depend on the selinux context of the init.d/httpd script
being set to httpd_script_exec_t in *addition* to /usr/sbin/httpd being set to
httpd_exec_t.

Additional info:
You get very weird behavior if the context of the init.d/httpd file gets changed
(e.g., if you try to edit the script - this is what happened to me).
On bootup, apache will start under httpd_t (I'm guessing this has to do with
some special parts of the policy that take effect at that time), but if you
later do 'service httpd restart' to re-start the web server, then apache will no
longer be under selinux control.  If you do 'ls -Z /usr/sbin/httpd' it appears
that the server *should* start correctly.

This gives the appearance of something that works at startup, but 'breaks' if
you stop and re-start it, and can only be 'fixed' by re-booting the whole
system.  This is normal, expected behavior for the operating systems from
Redmond, but it is kind of disconcerting to see it occur under Linux!
Comment 1 Daniel Walsh 2008-02-18 10:13:50 EST
This seems like you have a labeling problem.

SELinux relies on file labels to start applications correctly.

/sbin/init -> init_exec_t -> init_t
init_t -> Starts init scripts labeled initrc_exec_t -> initrc_t
initrc_t -> Starts httpd labeled httpd_exec_t -> httpd_t

If any of these labels are wrong, this will not happen.  We decided long ago not
to automatically transition unconfined_t -> httpd_exec_t -> httpd_t.  This is to
allow debugging, so you should always start via the init scripts or apachectl.
I would guess that you have a labeling problem in your initscripts.

restorecon -R -v /etc/rc.d
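Both the reporter's reproduction steps and the label chain in Daniel Walsh's comment come down to checking four SELinux types. The script below is an added example, not part of this bug report or of Fedora's selinux-policy package: given the contexts of /sbin/init, the httpd init script, /usr/sbin/httpd and the running httpd process, it names the first link in the chain init_exec_t -> initrc_exec_t -> httpd_exec_t -> httpd_t that does not hold. The sample contexts are constructed, the etc_t label on an edited init script is a hypothetical illustration, and the live_check helper assumes GNU stat's %C format and procps' ps -o label are available on the host.

```shell
#!/bin/sh
# Added example (not from the bug report): verify the SELinux label chain
#   /sbin/init (init_exec_t) -> init script (initrc_exec_t)
#   -> /usr/sbin/httpd (httpd_exec_t) -> running process (httpd_t)
# and report the first link that is mislabeled.

# The type is the third colon-separated field of a context string,
# e.g. system_u:object_r:httpd_exec_t:s0 -> httpd_exec_t.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_chain INIT_CTX INITRC_CTX HTTPD_EXEC_CTX HTTPD_PROC_CTX
# Prints "ok" when every link carries the type the transitions need;
# otherwise prints the first mismatch and returns 1.
check_chain() {
    t_init=$(context_type "$1")
    t_initrc=$(context_type "$2")
    t_exec=$(context_type "$3")
    t_proc=$(context_type "$4")

    [ "$t_init" = init_exec_t ] ||
        { echo "/sbin/init is labeled $t_init, expected init_exec_t"; return 1; }
    [ "$t_initrc" = initrc_exec_t ] ||
        { echo "init script is labeled $t_initrc, expected initrc_exec_t (restorecon -R -v /etc/rc.d)"; return 1; }
    [ "$t_exec" = httpd_exec_t ] ||
        { echo "/usr/sbin/httpd is labeled $t_exec, expected httpd_exec_t"; return 1; }
    [ -n "$t_proc" ] ||
        { echo "no httpd process found"; return 1; }
    [ "$t_proc" = httpd_t ] ||
        { echo "httpd runs as $t_proc, expected httpd_t (started outside the init script?)"; return 1; }
    echo ok
}

# Constructed sample contexts (not captured from a real system).
GOOD_INIT='system_u:object_r:init_exec_t:s0'
GOOD_INITRC='system_u:object_r:initrc_exec_t:s0'
GOOD_HTTPD='system_u:object_r:httpd_exec_t:s0'
GOOD_PROC='system_u:system_r:httpd_t:s0'
# Hypothetical label an edited init script might have picked up.
BAD_INITRC='system_u:object_r:etc_t:s0'
# Context of httpd when launched by hand from a root shell.
BAD_PROC='unconfined_u:unconfined_r:unconfined_t:s0'

# Read the live values on a Fedora host (assumes GNU stat and procps).
live_check() {
    check_chain "$(stat -c %C /sbin/init)" \
                "$(stat -c %C /etc/rc.d/init.d/httpd)" \
                "$(stat -c %C /usr/sbin/httpd)" \
                "$(ps -o label= -C httpd | head -n 1)"
}

# Demonstration on the constructed samples; the second call is expected to fail.
check_chain "$GOOD_INIT" "$GOOD_INITRC" "$GOOD_HTTPD" "$GOOD_PROC"
check_chain "$GOOD_INIT" "$BAD_INITRC" "$GOOD_HTTPD" "$BAD_PROC" || :
```

Run live_check on the host itself; when it reports the init script, the restorecon in the comment above relabels it, and a report of unconfined_t on the process is exactly the by-hand start the reporter describes.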

