Bug 620975 - Apache SNMP module from RHQ server incompatible with SELinux
Summary: Apache SNMP module from RHQ server incompatible with SELinux
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RHQ Project
Classification: Other
Component: Monitoring
Version: unspecified
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
: ---
Assignee: RHQ Project Maintainer
QA Contact: Mike Foley
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-08-03 21:46 UTC by kr3 cja
Modified: 2014-06-18 16:04 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-18 16:04:24 UTC
Embargoed:



Description kr3 cja 2010-08-03 21:46:19 UTC
Description of problem:
The Apache SNMP module that comes with JON 2.3.1 (connector-apache.zip: ) is not compatible with SELinux even after allowing it with the semanage command. The only resolution is to disable apache protection in SELinux or change SELinux to Enforcing.

Files:
/etc/httpd/modules: libsnmpcommon.so, libsnmpmonagt.so, libsnmpsubagt.so

Version-Release number of selected component (if applicable):
apache 2.2.x
JON 2.3.1
RHEL 5.5 x86 (did not try on x86_64) or Fedora 13 x86

How reproducible:
Consistent

Steps to Reproduce:
1. Set up the connector-apache.zip on apache 2.2.x in RHEL 5.x as detailed in https://www.redhat.com/docs/en-US/JBoss_ON/2.3/html/Managed_Resources_Guide/chap-Managed_Platform_Configuration.html#sect-Managed_Platform_Configuration-Apache_HTTP
2. Configure SELinux to allow for the new /etc/httpd/var directory: sudo chcon -cR -h -t httpd_sys_content_t /etc/httpd/var
3. Configure SELinux to allow udp port 1610: sudo semanage port -a -t http_port_t -p udp 1610
4. Configure iptables to allow udp port 1610
5. Enforce SELinux
6. Restart apache service
7. Observe error message and see JON error message not being able to connect to apache SNMP module
8. Turn off SELinux and restart apache to see the expected result

Actual results:
/etc/httpd/logs/error_log:
[error] SNMP: CovalentSNMP/2.3.0 (SNMP) could not be started
init_master_agent: Invalid local port (Permission denied)
[notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations

Expected results:
/etc/httpd/logs/error_log:
[notice] SNMP: CovalentSNMP/2.3.0 started (user '0' - SNMP address '1610' - pid '31120')
[notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations

Additional info:
1) Red Hat JBoss documentation detailing the setup - https://www.redhat.com/docs/en-US/JBoss_ON/2.3/html/Managed_Resources_Guide/chap-Managed_Platform_Configuration.html#sect-Managed_Platform_Configuration-Apache_HTTP
2) Red Hat documentation acknowledging the problem - http://www.redhat.com/docs/en-US/JBoss_ON/2.2/html/FAQ/sect-FAQs-Apache_SNMP-Invalid_local_port.html
3) JBoss support case 976783 - https://access.redhat.com/jbossnetwork/restricted/caseDetail.html?caseId=976783
4) RHEL support case 2045100

Error messages:
1) Apache startup - [error] SNMP: CovalentSNMP/2.3.0 (SNMP) could not be started
init_master_agent: Invalid local port (Permission denied)
2) JON - The agent reported the following error on its last attempt (8/3/10, 5:28:07 PM, EDT) to connect to this resource:
Failed to start component for resource Resource[id=12701, type=Apache HTTP Server, key=/etc/httpd, name=srv9a.phlyinc.com Apache 2.2.3 (/etc/httpd/), parent=srv9a.phlyinc.com_apache_prod_rhel, version=2.2.3].
For more details, see the stack trace.
Please make sure that the managed resource is running and that its connection properties are set correctly.
3) RHQ agent stack trace - org.rhq.core.pluginapi.inventory.InvalidPluginConfigurationException: Failed to start component for resource Resource[id=12701, type=Apache HTTP Server, key=/etc/httpd, name=srv9a.phlyinc.com Apache 2.2.3 (/etc/httpd/), parent=srv9a.phlyinc.com_apache_prod_rhel, version=2.2.3].
	at org.rhq.core.pc.inventory.InventoryManager.activateResource(InventoryManager.java:1280)
	at org.rhq.core.pc.inventory.InventoryManager.refreshResourceComponentState(InventoryManager.java:2256)
	at org.rhq.core.pc.inventory.InventoryManager.processSyncInfo(InventoryManager.java:2057)
	at org.rhq.core.pc.inventory.InventoryManager.processSyncInfo(InventoryManager.java:2063)
	at org.rhq.core.pc.inventory.InventoryManager.synchInventory(InventoryManager.java:807)
	at org.rhq.core.pc.inventory.InventoryManager.handleReport(InventoryManager.java:787)
	at org.rhq.core.pc.inventory.AutoDiscoveryExecutor.call(AutoDiscoveryExecutor.java:121)
	at org.rhq.core.pc.inventory.AutoDiscoveryExecutor.run(AutoDiscoveryExecutor.java:92)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
	at java.util.concurrent.FutureTask$Sync.innerRunAndReset(FutureTask.java:317)
	at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:150)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(ScheduledThreadPoolExecutor.java:98)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(ScheduledThreadPoolExecutor.java:181)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:205)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	at java.lang.Thread.run(Thread.java:619)
Caused by: org.rhq.core.pluginapi.inventory.InvalidPluginConfigurationException: Neither SNMP nor an URL for checking availability has been configured
	at org.rhq.plugins.apache.ApacheServerComponent.start(ApacheServerComponent.java:153)
	at sun.reflect.GeneratedMethodAccessor24.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.rhq.core.pc.inventory.ResourceContainer$ComponentInvocationThread.call(ResourceContainer.java:525)
	at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
	at java.util.concurrent.FutureTask.run(FutureTask.java:138)
	... 3 more
4) SELinux denial - 
Summary:

SELinux is preventing /usr/sbin/httpd from binding to port 1610.

Detailed Description:

SELinux has denied the httpd from binding to a network port 1610 which does not
have an SELinux type associated with it. If httpd should be allowed to listen on
1610, use the semanage command to assign 1610 to a port type that httpd_t can
bind to ().
If httpd is not supposed to bind to 1610, this could signal an intrusion
attempt.

Allowing Access:

If you want to allow httpd to bind to port 1610, you can execute
# semanage port -a -t PORT_TYPE -p udp 1610
where PORT_TYPE is one of the following: .
If this system is running as an NIS Client, turning on the allow_ypbind boolean
may fix the problem. setsebool -P allow_ypbind=1.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ udp_socket ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          1610
Host                          localhost.local
Source RPM Packages           httpd-2.2.15-1.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-39.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   bind_ports
Host Name                     localhost.local
Platform                      Linux localhost.local 2.6.33.6-147.fc13.i686.PAE
                              #1 SMP Tue Jul 6 22:24:44 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Tue 03 Aug 2010 06:57:44 AM EDT
Last Seen                     Tue 03 Aug 2010 06:57:44 AM EDT
Local ID                      1c844a6d-fd60-4823-998a-b54b0c2b4901
Line Numbers                  

Raw Audit Messages            

node=localhost.local type=AVC msg=audit(1280833064.94:24101): avc:  denied  { name_bind } for  pid=2880 comm="httpd" src=1610 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

node=localhost.local type=SYSCALL msg=audit(1280833064.94:24101): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfcca4c0 a2=9a44f8 a3=fc9fb0 items=0 ppid=2877 pid=2880 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
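As an added example (not part of this bug report or of the RHQ project), a small Python checker that parses the raw AVC record above and derives the port-labelling command used in step 3 of the reproduction. The http_port_t type and the `-m` branch for ports that already carry a label in policy are my assumptions about the targeted policy, not something the report states.

```python
import re

# The AVC denial quoted in the report above, used as sample input.
SAMPLE_AVC = ('node=localhost.local type=AVC msg=audit(1280833064.94:24101): avc:  denied  '
              '{ name_bind } for  pid=2880 comm="httpd" src=1610 '
              'scontext=unconfined_u:system_r:httpd_t:s0 '
              'tcontext=system_u:object_r:port_t:s0 tclass=udp_socket')

# Assumption: the port type httpd_t may bind under the targeted policy.
HTTPD_PORT_TYPE = "http_port_t"
# Audit object class -> protocol argument for semanage.
PROTO_BY_CLASS = {"udp_socket": "udp", "tcp_socket": "tcp"}


def parse_avc(line):
    """Return the key=value fields of an audit AVC record plus its permission set, or None."""
    if "type=AVC" not in line:
        return None
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$", line)
    if not m:
        return None
    rec = {"decision": m.group(1), "perms": m.group(2).split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)):
        rec[key] = value.strip('"')
    return rec


def selinux_type(context):
    """Type component of a user:role:type:level security context."""
    return context.split(":")[2]


def remediation(rec):
    """For an httpd_t name_bind denial, derive the semanage port command.
    Returns None for records this check does not cover."""
    if rec is None or rec.get("decision") != "denied" or "name_bind" not in rec["perms"]:
        return None
    if selinux_type(rec["scontext"]) != "httpd_t":
        return None
    proto = PROTO_BY_CLASS.get(rec.get("tclass"))
    if proto is None:
        return None
    # port_t means the port has no specific label yet: add one with -a.
    # Any other type means the port is already defined in policy, where -a
    # fails with "already defined"; -m modifies the existing definition.
    action = "-a" if selinux_type(rec["tcontext"]) == "port_t" else "-m"
    return f"semanage port {action} -t {HTTPD_PORT_TYPE} -p {proto} {rec['src']}"


if __name__ == "__main__":
    print(remediation(parse_avc(SAMPLE_AVC)))
```

Run against the record above it reproduces the step 3 command exactly; a denial whose target context is not port_t gets the `-m` form instead.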

Comment 1 kr3 cja 2010-08-07 01:24:14 UTC
(In reply to comment #0)

I meant to say "change SELinux to Permissive", not Enforcing.

> The only resolution is to disable apache protection in SELinux or change SELinux
> to Enforcing.

Comment 2 kr3 cja 2011-05-24 14:11:57 UTC
This also happens in RHEL 6 x86_64. Also, if you get the snmp module from JON 2.4.1, the same issue happens.

Comment 3 kr3 cja 2011-05-24 14:22:32 UTC
Updated links in Additional info:
1) Red Hat JBoss documentation detailing the setup -
http://docs.redhat.com/docs/en-US/JBoss_Operations_Network/2.4/html-single/Basic_Admin_Guide/index.html#Apache_SNMP_Configuration
2) Red Hat documentation acknowledging the problem -
http://docs.redhat.com/docs/en-US/JBoss_Operations_Network/2.4/html-single/Frequently_Asked_Questions/index.html#qa61
3) JBoss support case 00034153: https://access.redhat.com/support/cases/00034153
4) RHEL support case 00344011: https://access.redhat.com/support/cases/00344011

Comment 4 Jean-frederic Clere 2012-10-23 14:21:54 UTC
It has been fixed in the rpm of EWS2.

There is no real way to run postinstall in a zip; probably we could provide the extract of the rpm and add it to .postinstall in EWS zip files.

Comment 5 Jean-frederic Clere 2012-10-25 08:17:19 UTC
See https://issues.jboss.org/browse/JBPAPP-10250
