Description of problem:
The Apache SNMP module that comes with JON 2.3.1 (connector-apache.zip: ) is not compatible with SELinux even after allowing with semanage command. The only resolution is to disable apache protection in SELinux or change SELinux to Enforcing.

Files: /etc/httpd/modules: libsnmpcommon.so, libsnmpmonagt.so, libsnmpsubagt.so

Version-Release number of selected component (if applicable):
apache 2.2.x
JON 2.3.1
RHEL 5.5 x86 (did not try on x86_64) or Fedora 13 x86

How reproducible:
Consistent

Steps to Reproduce:
1. Set up the connector-apache.zip on apache 2.2.x in RHEL 5.x as detailed in https://www.redhat.com/docs/en-US/JBoss_ON/2.3/html/Managed_Resources_Guide/chap-Managed_Platform_Configuration.html#sect-Managed_Platform_Configuration-Apache_HTTP
2. Configure SELinux to allow for new /etc/httpd/var directory:
   sudo chcon -cR -h -t httpd_sys_content_t /etc/httpd/var
3. Configure SELinux to allow udp port 1610:
   sudo semanage port -a -t http_port_t -p udp 1610
4. Configure iptables to allow udp port 1610
5. Enforce SELinux
6. Restart apache service
7. Observe error message and see JON error message not being able to connect to apache SNMP module
8. Turn off SELinux and restart apache to see the expected result

Actual results:
/etc/httpd/logs/error_log:
[error] SNMP: CovalentSNMP/2.3.0 (SNMP) could not be started
init_master_agent: Invalid local port (Permission denied)
[notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations

Expected results:
/etc/httpd/logs/error_log:
[notice] SNMP: CovalentSNMP/2.3.0 started (user '0' - SNMP address '1610' - pid '31120')
[notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations

Additional info:
1) RedHat JBoss documentation detailing the setup - https://www.redhat.com/docs/en-US/JBoss_ON/2.3/html/Managed_Resources_Guide/chap-Managed_Platform_Configuration.html#sect-Managed_Platform_Configuration-Apache_HTTP
2) RedHat documentation acknowledging the problem - http://www.redhat.com/docs/en-US/JBoss_ON/2.2/html/FAQ/sect-FAQs-Apache_SNMP-Invalid_local_port.html
3) JBoss support case 976783 - https://access.redhat.com/jbossnetwork/restricted/caseDetail.html?caseId=976783
4) RHEL support case 2045100

Error messages:

1) Apache startup -
[error] SNMP: CovalentSNMP/2.3.0 (SNMP) could not be started
init_master_agent: Invalid local port (Permission denied)

2) JON -
The agent reported the following error on its last attempt (8/3/10, 5:28:07 PM, EDT) to connect to this resource: Failed to start component for resource Resource[id=12701, type=Apache HTTP Server, key=/etc/httpd, name=srv9a.phlyinc.com Apache 2.2.3 (/etc/httpd/), parent=srv9a.phlyinc.com_apache_prod_rhel, version=2.2.3]. For more details, see the stack trace. Please make sure that the managed resource is running and that its connection properties are set correctly.

3) RHQ agent stack trace -
org.rhq.core.pluginapi.inventory.InvalidPluginConfigurationException: Failed to start component for resource Resource[id=12701, type=Apache HTTP Server, key=/etc/httpd, name=srv9a.phlyinc.com Apache 2.2.3 (/etc/httpd/), parent=srv9a.phlyinc.com_apache_prod_rhel, version=2.2.3].
    at org.rhq.core.pc.inventory.InventoryManager.activateResource(InventoryManager.java:1280)
    at org.rhq.core.pc.inventory.InventoryManager.refreshResourceComponentState(InventoryManager.java:2256)
    at org.rhq.core.pc.inventory.InventoryManager.processSyncInfo(InventoryManager.java:2057)
    at org.rhq.core.pc.inventory.InventoryManager.processSyncInfo(InventoryManager.java:2063)
    at org.rhq.core.pc.inventory.InventoryManager.synchInventory(InventoryManager.java:807)
    at org.rhq.core.pc.inventory.InventoryManager.handleReport(InventoryManager.java:787)
    at org.rhq.core.pc.inventory.AutoDiscoveryExecutor.call(AutoDiscoveryExecutor.java:121)
    at org.rhq.core.pc.inventory.AutoDiscoveryExecutor.run(AutoDiscoveryExecutor.java:92)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
    at java.util.concurrent.FutureTask$Sync.innerRunAndReset(FutureTask.java:317)
    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:150)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(ScheduledThreadPoolExecutor.java:98)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(ScheduledThreadPoolExecutor.java:181)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:205)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:619)
Caused by: org.rhq.core.pluginapi.inventory.InvalidPluginConfigurationException: Neither SNMP nor an URL for checking availability has been configured
    at org.rhq.plugins.apache.ApacheServerComponent.start(ApacheServerComponent.java:153)
    at sun.reflect.GeneratedMethodAccessor24.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.rhq.core.pc.inventory.ResourceContainer$ComponentInvocationThread.call(ResourceContainer.java:525)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
    at java.util.concurrent.FutureTask.run(FutureTask.java:138)
    ... 3 more

4) SELinux denial -

Summary:
SELinux is preventing /usr/sbin/httpd from binding to port 1610.

Detailed Description:
SELinux has denied the httpd from binding to a network port 1610 which does not have an SELinux type associated with it. If httpd should be allowed to listen on 1610, use the semanage command to assign 1610 to a port type that httpd_t can bind to (). If httpd is not supposed to bind to 1610, this could signal an intrusion attempt.

Allowing Access:
If you want to allow httpd to bind to port 1610, you can execute
# semanage port -a -t PORT_TYPE -p udp 1610
where PORT_TYPE is one of the following: .
If this system is running as an NIS Client, turning on the allow_ypbind boolean may fix the problem. setsebool -P allow_ypbind=1.

Additional Information:
Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ udp_socket ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          1610
Host                          localhost.local
Source RPM Packages           httpd-2.2.15-1.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-39.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   bind_ports
Host Name                     localhost.local
Platform                      Linux localhost.local 2.6.33.6-147.fc13.i686.PAE #1 SMP Tue Jul 6 22:24:44 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Tue 03 Aug 2010 06:57:44 AM EDT
Last Seen                     Tue 03 Aug 2010 06:57:44 AM EDT
Local ID                      1c844a6d-fd60-4823-998a-b54b0c2b4901
Line Numbers

Raw Audit Messages
node=localhost.local type=AVC msg=audit(1280833064.94:24101): avc: denied { name_bind } for pid=2880 comm="httpd" src=1610 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
node=localhost.local type=SYSCALL msg=audit(1280833064.94:24101): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfcca4c0 a2=9a44f8 a3=fc9fb0 items=0 ppid=2877 pid=2880 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
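A triage helper for the raw audit messages quoted in the report, added here as an example (it is not part of the report or of any Red Hat tooling): it pairs the AVC and SYSCALL records by audit serial and reports the denied port bind, the type the port carried when the bind was attempted, and the errno returned to httpd. The function names and the `unlabeled` flag are hypothetical, and the SYSCALL record is abridged to the fields used.

```python
import errno
import re

# Audit records from the denial in the report; SYSCALL abridged to the fields used.
RECORDS = [
    'node=localhost.local type=AVC msg=audit(1280833064.94:24101): avc: denied '
    '{ name_bind } for pid=2880 comm="httpd" src=1610 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=udp_socket',
    'node=localhost.local type=SYSCALL msg=audit(1280833064.94:24101): '
    'arch=40000003 syscall=102 success=no exit=-13 a0=2 pid=2880 uid=0 '
    'comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0',
]

EVENT_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def parse_record(line):
    """Turn one audit line into a dict of its key=value fields."""
    m = EVENT_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line[:40])
    body = line[m.end():]
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    rec["type"], rec["serial"] = m.group(1), int(m.group(3))
    p = PERMS_RE.search(body)
    if p:
        rec["result"], rec["perms"] = p.group(1), p.group(2).split()
    return rec

def triage(lines):
    """Group records by audit serial and summarise each denied name_bind."""
    events = {}
    for rec in map(parse_record, lines):
        events.setdefault(rec["serial"], {})[rec["type"]] = rec
    findings = []
    for serial, ev in sorted(events.items()):
        avc = ev.get("AVC", {})
        if avc.get("result") != "denied" or "name_bind" not in avc["perms"]:
            continue
        exit_code = int(ev.get("SYSCALL", {}).get("exit", 0))
        port_type = avc["tcontext"].split(":")[2]
        findings.append({
            "domain": avc["scontext"].split(":")[2],
            "port": int(avc["src"]), "proto": avc["tclass"].replace("_socket", ""),
            "port_type": port_type, "unlabeled": port_type == "port_t",
            "errno": errno.errorcode.get(-exit_code),
        })
    return findings
```

A `port_type` of `port_t` in a finding means the port had no specific type when the bind was attempted, so the output of `semanage port -l` is the next thing to compare against.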
(In reply to comment #0)
I meant to say "change SELinux to Permissive", not Enforcing.

> The only resolution is to disable apache protection in SELinux or change SELinux
> to Enforcing.
This also happens in RHEL 6 x86_64. Also, if you get the snmp module from JON 2.4.1, the same issue happens.
Updated links in Additional info:
1) RedHat JBoss documentation detailing the setup - http://docs.redhat.com/docs/en-US/JBoss_Operations_Network/2.4/html-single/Basic_Admin_Guide/index.html#Apache_SNMP_Configuration
2) RedHat documentation acknowledging the problem - http://docs.redhat.com/docs/en-US/JBoss_Operations_Network/2.4/html-single/Frequently_Asked_Questions/index.html#qa61
3) JBoss support case 00034153: https://access.redhat.com/support/cases/00034153
4) RHEL support case 00344011: https://access.redhat.com/support/cases/00344011
It has been fixed in the rpm of EWS2. There is no real way to run postinstall in a zip; probably we could provide the extract of the rpm and add it to .postinstall in EWS zip files.
See https://issues.jboss.org/browse/JBPAPP-10250