Bug 485512 - httpd won't start with selinux in Enforcing
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 530
Hardware: i386 Linux
Priority: low
Severity: medium
Assigned To: Jan Pazdziora
QA Contact: wes hayutin
Blocks: 457079

Reported: 2009-02-13 15:27 EST by Jesus M. Rodriguez
Modified: 2009-09-10 15:12 EDT

Fixed In Version: sat530
Doc Type: Bug Fix
Last Closed: 2009-09-10 15:12:06 EDT

Attachments
error log (2.39 KB, text/plain), 2009-02-13 15:27 EST, Jesus M. Rodriguez

Description Jesus M. Rodriguez 2009-02-13 15:27:51 EST
Created attachment 331868 [details]
error log

[root@fjs-0-02 httpd]# rpm -q redhat-release
redhat-release-5Server-5.3.0.3

After installation httpd fails to start. A restart won't work either.

[root@fjs-0-02 tmp]# /sbin/service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [FAILED]

[root@fjs-0-02 httpd]# /usr/sbin/getenforce
Enforcing

Change to Permissive:
[root@fjs-0-02 httpd]# /usr/sbin/setenforce Permissive
[root@fjs-0-02 httpd]# /usr/sbin/getenforce
Permissive
[root@fjs-0-02 httpd]# /sbin/service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [  OK  ]

It works.
Comment 1 Jan Pazdziora 2009-02-13 16:37:54 EST
Can you please attach output of

grep AVC /var/log/audit/audit.log

?

Thank you.
Comment 2 Jan Pazdziora 2009-02-16 11:21:38 EST
I assume this was with the Satellite-5.3.0-RHEL5-re20090213.1 compose. That one has an error in the Oracle SELinux modules which prevents other SELinux modules from being loaded.

Fixed in Spacewalk repo in commit 2d664ad720651b3fd31dfd9afcb5050fd31aeab8.
Comment 3 Jan Pazdziora 2009-02-24 07:30:59 EST
With compose Satellite-5.3.0-RHEL5-re20090220.1 available, moving ON_QA.
Comment 4 wes hayutin 2009-03-03 13:02:21 EST
[root@grandprix log]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@grandprix audit]# cat /dev/null > audit.log 
[root@grandprix audit]# tail -f audit.log 
type=AVC msg=audit(1236103224.012:1680): avc:  denied  { search } for  pid=5941 comm="httpd" name="log" dev=dm-0 ino=2485541 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1236103224.012:1680): arch=40000003 syscall=195 success=no exit=-13 a0=84ab7c8 a1=bfa42a3c a2=3fcff4 a3=84abdf8 items=0 ppid=5940 pid=5941 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=138 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236103224.012:1681): avc:  denied  { search } for  pid=5941 comm="httpd" name="log" dev=dm-0 ino=2485541 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1236103224.012:1681): arch=40000003 syscall=195 success=no exit=-13 a0=84abdf8 a1=bfa4294c a2=3fcff4 a3=84abdf8 items=0 ppid=5940 pid=5941 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=138 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236103224.184:1682): avc:  denied  { search } for  pid=5941 comm="httpd" name="log" dev=dm-0 ino=2485541 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1236103224.184:1682): arch=40000003 syscall=195 success=no exit=-13 a0=845daa0 a1=bfa42f9c a2=3fcff4 a3=841c248 items=0 ppid=5940 pid=5941 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=138 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236103224.184:1683): avc:  denied  { search } for  pid=5941 comm="httpd" name="log" dev=dm-0 ino=2485541 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1236103224.184:1683): arch=40000003 syscall=195 success=no exit=-13 a0=841c248 a1=bfa42eac a2=3fcff4 a3=841c248 items=0 ppid=5940 pid=5941 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=138 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236103224.240:1684): avc:  denied  { search } for  pid=5941 comm="httpd" name="log" dev=dm-0 ino=2485541 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1236103224.240:1684): arch=40000003 syscall=195 success=no exit=-13 a0=86889b8 a1=bfa432fc a2=3fcff4 a3=86889b8 items=0 ppid=5940 pid=5941 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=138 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
Comment 5 Jan Pazdziora 2009-03-07 13:35:00 EST
I assume that the problem is that httpd is not allowed to read that "log" directory from which you are running that /etc/init.d/httpd restart. What is that "log" directory, what does ls -Z . say? Will running it from /root and/or using service instead of direct /etc/init.d/httpd help?
Comment 6 wes hayutin 2009-03-09 15:03:00 EDT
Seems to work fine now.

[root@grandprix ~]# service httpd stop
Stopping httpd:                                            [  OK  ]
[root@grandprix ~]# service httpd start
Starting httpd:                                            [  OK  ]
[root@grandprix ~]# /etc/init.d/httpd stop
Stopping httpd:                                            [  OK  ]
[root@grandprix ~]# /etc/init.d/httpd start
Starting httpd:                                            [  OK  ]
[root@grandprix ~]#

[root@grandprix audit]# tail -f audit.log

These are just cron audits:

type=USER_ACCT msg=audit(1236625261.607:1460): user pid=31000 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1236625261.635:1461): user pid=31000 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=LOGIN msg=audit(1236625261.635:1462): login pid=31000 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=159
type=USER_START msg=audit(1236625261.803:1463): user pid=31000 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_DISP msg=audit(1236625261.831:1464): user pid=31000 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_END msg=audit(1236625261.831:1465): user pid=31000 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
Comment 7 Jan Pazdziora 2009-03-09 15:20:48 EDT
So was it the problem of running it from a directory that httpd cannot read?
Comment 8 wes hayutin 2009-03-09 17:03:53 EDT
I understand the question, but I'm not sure how running a fully qualified command from anywhere would cause an SELinux problem?

So for example:

[root@grandprix ~]# /etc/init.d/httpd stop
Stopping httpd:                                            [  OK  ]
[root@grandprix ~]# pwd
/root
[root@grandprix ~]# /etc/init.d/httpd start
Starting httpd:                                            [  OK  ]
[root@grandprix ~]# cd /proc/
[root@grandprix proc]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@grandprix proc]#

Is it possible to have an SELinux problem running a fully qualified command from any dir?
Comment 9 Jan Pazdziora 2009-03-09 17:19:24 EDT
Well, obviously when you were in that log directory (see your shell prompt in comment 4), it made a difference and you got the AVC denial. No change was made in the code or SELinux module, so it's the current directory you call it from which posed the problem.

It's not an issue of running a fully qualified command. It's the cwd (current working directory) which the httpd process then inherits, and the actions which it tried to do in that directory.
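The denials pasted in comment 4 and the explanation in comments 5 and 9 describe a common triage pattern: a daemon inherits the working directory of the shell that started it, and SELinux reports a `search` denial on that directory under a label the daemon's domain has no business touching. The following Python is an added example, not code from this bug or from Satellite: it parses `type=AVC` records from an audit log (the sample below is constructed from the records pasted above, with the SYSCALL line shortened), groups the denials by source type, target type, object class and permission, and flags the directory-search case so an operator knows to check where the service was launched from. The hint about `/sbin/service` reflects that the RHEL init wrapper runs the init script from `/`, which is why comment 6 works once the service is started from `/root` or via `service`.

```python
import re
from collections import Counter

# Constructed sample: two AVC records and one SYSCALL record in the shape of the
# ones pasted in comment 4 of this bug, plus an unrelated cron record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1236103224.012:1680): avc:  denied  { search } for  pid=5941 comm="httpd" name="log" dev=dm-0 ino=2485541 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1236103224.012:1680): arch=40000003 syscall=195 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236103224.184:1682): avc:  denied  { search } for  pid=5941 comm="httpd" name="log" dev=dm-0 ino=2485541 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=USER_ACCT msg=audit(1236625261.607:1460): user pid=31000 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root"'
"""

# Header of an AVC record: timestamp, serial, verdict, permission set, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm="httpd") or bare (tclass=dir).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type:level context, or None."""
    parts = context.split(':') if context else []
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
    }


def summarize_denials(audit_text):
    """Count denials by (source type, target type, object class, permission)."""
    summary = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        for perm in rec['perms']:
            key = (selinux_type(rec['scontext']), selinux_type(rec['tcontext']),
                   rec['tclass'], perm)
            summary[key] += 1
    return summary


def triage_hint(rec):
    """Heuristic (assumption, not policy analysis): a lone 'search' denial on a
    directory from a daemon usually means the process inherited a working
    directory it should never have had. Suggest restarting from a neutral cwd."""
    if rec['tclass'] == 'dir' and rec['perms'] == ['search']:
        return (f"{rec['comm']} (pid {rec['pid']}) in {selinux_type(rec['scontext'])} "
                f"cannot search directory '{rec['name']}' labelled "
                f"{selinux_type(rec['tcontext'])}; check the cwd the daemon was "
                f"started from (e.g. ls -Z .) and restart it from / or via /sbin/service.")
    return None


if __name__ == '__main__':
    for key, count in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print(count, key)
    for line in SAMPLE_AUDIT_LOG.splitlines():
        rec = parse_avc(line)
        if rec and triage_hint(rec):
            print(triage_hint(rec))
            break
```

Run it against a real `/var/log/audit/audit.log` by replacing `SAMPLE_AUDIT_LOG` with the file contents; the grouped counter is the same tuple `audit2allow` would reason about, and the hint only fires for the directory-search shape seen in this bug, so other denials still need a proper policy look.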
Comment 10 Miroslav Suchý 2009-08-25 11:29:56 EDT
[root@xen5 ~]# setenforce 1
[root@xen5 ~]# getenforce 1
Enforcing
[root@xen5 ~]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@xen5 ~]# ps axf |grep httpd
 5614 pts/0    S+     0:00          \_ grep httpd
 5573 ?        Ss     0:00 /usr/sbin/httpd
 5575 ?        S      0:00  \_ /usr/bin/perl /etc/rhn/satellite-httpd/conf/satidmap.pl
 5576 ?        S      0:00  \_ /usr/sbin/httpd
 5577 ?        S      0:00  \_ /usr/sbin/httpd
 5578 ?        S      0:00  \_ /usr/sbin/httpd
 5579 ?        S      0:00  \_ /usr/sbin/httpd
 5580 ?        S      0:00  \_ /usr/sbin/httpd
 5581 ?        S      0:00  \_ /usr/sbin/httpd
 5582 ?        S      0:00  \_ /usr/sbin/httpd
 5583 ?        S      0:00  \_ /usr/sbin/httpd

Additionally, no denials in audit.log.

Verified in stage on xen5.
Comment 11 Brandon Perkins 2009-09-10 15:12:06 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html