Bug 433252 - Starting httpd directly doesn't put it under selinux control.
Summary: Starting httpd directly doesn't put it under selinux control.
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
Reported: 2008-02-18 04:59 UTC by Jeff Norden
Modified: 2008-02-18 15:13 UTC (History)

Clone Of:
Last Closed: 2008-02-18 15:13:50 UTC


Description Jeff Norden 2008-02-18 04:59:45 UTC
Description of problem:
If the apache web server is started directly, instead of from the
/etc/init.d/httpd script, then it runs as unconfined_t instead of httpd_t.

Steps to Reproduce:
1. Shut down apache with 'service httpd stop'
2. Start apache directly by executing /usr/sbin/httpd as root
3. Check the selinux context via ps -axZ and/or tail /var/log/httpd/error_log | grep SELinux

Actual results:
Apache is not under selinux control when started as above.  If you then do
'service httpd restart', the web server will run as httpd_t under control of the
targeted policy again.

Expected results:
Apache should run in the httpd_t domain no matter how it is started up.  As it
stands, it seems to depend on the selinux context of the init.d/httpd script
being set to: httpd_script_exec_t in *addition* to /usr/sbin/httpd being set to

Additional info:
You get very weird behavior if the context of the init.d/httpd file gets changed
(e.g., if you try to edit the script - this is what happened to me).
On bootup, apache will start under httpd_t (I'm guessing this has to do with
some special parts of the policy that take effect at that time), but if you
later do 'service httpd restart' to re-start the web server, then apache will no
longer be under selinux control.  If you do 'ls -Z /usr/sbin/httpd' it appears
that the server *should* start correctly.

This gives the appearance of something that works at startup, but 'breaks' if
you stop and re-start it, and can only be 'fixed' by re-booting the whole
system.  This is normal, expected behavior for the operating systems from
Redmond, but it is kind of disconcerting to see it occur under Linux!

Comment 1 Daniel Walsh 2008-02-18 15:13:50 UTC
This seems like you have a labeling problem.

SELinux relies on file labels to start applications correctly.

/sbin/init -> init_exec_t -> init_t
init_t -> Starts init scripts labeled initrc_exec_t -> initrc_t
initrc_t -> Starts httpd labeled httpd_exec_t -> httpd_t

If any of these labels are wrong, this will not happen.  We decided long ago not
to automatically transition unconfined_t -> httpd_exec_t -> httpd_t.  This is to
allow debugging, so you should always start via the init scripts or apachectl.
I would guess that you have a labeling problem in your initscripts:

restorecon -R -v /etc/rc.d
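
As an added example (not part of the bug report or of the selinux-policy package), a POSIX shell script that checks the label chain Dan Walsh lays out against `ls -Z` and `ps -eZ` output and points at the restorecon fix when a file is off. The sample outputs are constructed, and the etc_t label on the init script is an assumed mislabel, not one the report states.

```shell
# Added example (not from the bug report): apply Dan Walsh's label chain
# init_exec_t -> initrc_exec_t -> httpd_exec_t to `ls -Z` / `ps -eZ` output.
# The sample outputs below are CONSTRUCTED so it runs offline; on a live box
# feed it the real command output instead.

# Type component of a context such as system_u:object_r:httpd_exec_t:s0
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Type each file must carry for init_t -> initrc_t -> httpd_t to happen
expected_type() {
    case "$1" in
        /sbin/init)             echo init_exec_t ;;
        /etc/rc.d/init.d/httpd) echo initrc_exec_t ;;
        /usr/sbin/httpd)        echo httpd_exec_t ;;
        *)                      return 1 ;;
    esac
}

# $1: `ls -Z` output ("context path" per line). Returns 1 if any chain file is
# mislabeled; the here-document (not a pipe) keeps the loop in this shell.
check_chain() {
    _bad=0
    while read -r ctx path; do
        want=$(expected_type "$path") || continue   # file not in the chain
        have=$(selinux_type "$ctx")
        if [ "$have" = "$want" ]; then
            printf 'OK          %s (%s)\n' "$path" "$have"
        else
            printf 'MISLABELED  %s is %s, needs %s\n' "$path" "$have" "$want"
            _bad=1
        fi
    done <<EOF
$1
EOF
    return $_bad
}
# $1: `ps -eZ` output, $2: command name. Prints the domain the process runs in.
process_domain() {
    printf '%s\n' "$1" | awk -v c="$2" '$NF == c { split($1, f, ":"); print f[3]; exit }'
}
# Constructed: the init script was rewritten by an editor and fell back to the
# directory default etc_t (an assumed mislabel), while /usr/sbin/httpd is fine.
SAMPLE_LS_Z='system_u:object_r:init_exec_t:s0 /sbin/init
unconfined_u:object_r:etc_t:s0 /etc/rc.d/init.d/httpd
system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd'
SAMPLE_PS_Z='unconfined_u:unconfined_r:unconfined_t:s0 2345 ? 00:00:00 httpd'
check_chain "$SAMPLE_LS_Z" || echo "fix: restorecon -R -v /etc/rc.d"
echo "httpd runs as: $(process_domain "$SAMPLE_PS_Z" httpd)"
```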
