Bug 675019 - mod_cluster from the JBoss does work with the included httpd version
Summary: mod_cluster from the JBoss does work with the included httpd version
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-02-03 22:30 UTC by Jim Tyrrell
Modified: 2011-03-03 14:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-02-24 09:52:09 UTC
Target Upstream Version:
Embargoed:


Attachments
audit.log (185.03 KB, application/octet-stream), 2011-02-04 15:48 UTC, Jim Tyrrell
audit log after turning on auditctl -w /etc/shadow -p w (201.03 KB, application/octet-stream), 2011-02-15 16:50 UTC, Jim Tyrrell
Here are the instructions for installing mod_cluster (2.76 MB, application/pdf), 2011-02-15 16:54 UTC, Jim Tyrrell

Description Jim Tyrrell 2011-02-03 22:30:22 UTC
Description of problem:
When installing mod_cluster in HTTPD in RHEL 6 and trying to start with SELinux enabled, a custom policy needs to be created.

Version-Release number of selected component (if applicable):


How reproducible:
Everytime

Steps to Reproduce:
1.  Install mod_cluster
2.  Try to start httpd and see the error
3.
  
Actual results:


Expected results:
The SELinux policy file should just give the ability for this to work out of the box. Either some changes need to be made in mod_cluster (a bug has been filed in jira), or some changes in the SELinux policy file need to be made, or maybe both.

Additional info:
https://issues.jboss.org/browse/MODCLUSTER-211

Generated exception file:
module jbosshttpd 1.0;

require {
	type httpd_log_t;
	type httpd_t;
	type port_t;
	type soundd_port_t;
	class tcp_socket name_bind;
	class file write;
	class dir remove_name;
	class udp_socket name_bind;
}

#============= httpd_t ==============
# httpd creates and removes mod_cluster's manager.* files under the httpd log
# directory, which is labelled httpd_log_t
allow httpd_t httpd_log_t:dir remove_name;
allow httpd_t httpd_log_t:file write;
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
# bind to a UDP port that carries only the generic port_t label (23364/udp)
allow httpd_t port_t:udp_socket name_bind;
# bind to tcp/8000 (Listen 127.0.0.1:8000), which the policy labels soundd_port_t
allow httpd_t soundd_port_t:tcp_socket name_bind;

Comment 2 Daniel Walsh 2011-02-04 15:23:50 UTC
Please attach the audit log. We need to know things like which socket it is binding to. Why is mod_cluster listening on a soundd port? What log file/directory is mod_cluster creating a log file in?

Comment 3 Jim Tyrrell 2011-02-04 15:48:56 UTC
Created attachment 477050 [details]
audit.log

Here is the audit log, let me know what else you need.

Comment 4 Daniel Walsh 2011-02-04 17:12:19 UTC
I want to know what directory it is storing manager.node.nodes and other files in? manager.host.hosts? manager.balancer.balancers? manager.sessionid.sessionid? manager.domain.domain?

Which ports does it need to relay?  All tcp Ports?  All udp Ports?

Comment 5 Daniel Walsh 2011-02-04 17:17:14 UTC
This is definitely something we want to fix in 6.1.

Comment 6 Jim Tyrrell 2011-02-04 17:24:24 UTC
Thank you for wanting to fix this in 6.1!!!!  Let me know how I can be of help.

Comment 7 Miroslav Grepl 2011-02-07 09:44:40 UTC
Jim,
could you send me a quick how-to for setting up mod_cluster?

Could you add the command

# auditctl -w /etc/shadow -p w 

Then you should get a path with the next avc messages.

Also look at Dan's questions.

Comment 8 Jim Tyrrell 2011-02-07 13:18:59 UTC
I am on the road this week with travel, the above questions will have to wait until next week.

Comment 10 Miroslav Grepl 2011-02-09 13:26:04 UTC
I suspect these files are created directly in the /var/log/httpd/ dir. Also, I don't think these files are log files, and they should not be located in the log dir. They look more like cache files, so they should be located in

/var/cache/httpd

I am trying to setup this environment.

Comment 11 Jim Tyrrell 2011-02-15 16:50:30 UTC
Created attachment 478918 [details]
audit log after turning on auditctl -w /etc/shadow -p w

Comment 12 Jim Tyrrell 2011-02-15 16:54:05 UTC
Created attachment 478921 [details]
Here are the instructions for installing mod_cluster

Please let me know if you have any other questions.

Comment 13 Miroslav Grepl 2011-02-16 11:34:16 UTC
Thanks for the audit.log. So these

manager.balancer.balancers
manager.sessionid.sessionid
manager.domain.domain

files are created in the /etc/httpd/log directory. I was talking with mod_cluster QA also and he confirmed it.

I believe this is wrong and the location should be changed to use the /var/cache/httpd directory since these files are not log files. Then apache policy could cover it.

# sesearch -A -s httpd_t -t httpd_cache_t

Comment 14 Miroslav Grepl 2011-02-16 11:37:39 UTC
I am seeing from the pdf file 

"Listen 127.0.0.1:8000"

This is the reason why httpd is using the soundd port. Again I believe the httpd cache port could be used for this.

# semanage port -l | grep -w http_cache_port_t
http_cache_port_t              tcp      8080, 8118, 10001-10010
http_cache_port_t              udp      3130


The last issue. Why is the 23364/udp port used? Did you set it up?

Jim,
could you add mod_cluster developer(s) to discuss these issues?

Comment 15 Miroslav Grepl 2011-02-24 09:43:42 UTC
As I wrote in comments #13 and #14, I believe it should be fixed in mod_cluster, since we don't want to allow apache to write its own logs or use generic ports.

I am going to close it as WONTFIX from SELinux perspective for now. If you do not agree, please reopen the bug with requested info.

Comment 16 Miroslav Grepl 2011-02-24 09:52:09 UTC
There is a workaround. But as I said, it should be fixed in mod_cluster.

1. Use apache cache ports in mod_cluster conf files

# semanage port -l | grep -w http_cache_port_t
http_cache_port_t              tcp      8080, 8118, 10001-10010
http_cache_port_t              udp      3130

2. Add local policy

# cat > jbosshttpd.te << _EOF
# local module: let httpd_t write and remove the manager.* files that
# mod_cluster keeps under the httpd log directory (httpd_log_t)
module jbosshttpd 1.0;

require {
	type httpd_log_t;
	type httpd_t;
	class file write;
	class dir remove_name;
}

#============= httpd_t ==============
allow httpd_t httpd_log_t:dir remove_name;
allow httpd_t httpd_log_t:file write;
_EOF

# make -f /usr/share/selinux/devel/Makefile
# semodule -i jbosshttpd.pp

Comment 17 Jim Tyrrell 2011-02-24 13:53:49 UTC
How can this be closed? We have engineering work on the mod_cluster side, and then it needs to be tested and validated that this is all that is needed to correct the errors that I am seeing.

Comment 18 Miroslav Grepl 2011-02-24 14:07:08 UTC
Well, as I said, I closed this from the SELinux perspective.

Where could I bring up this issue for mod_cluster? Or do you mean the mod_cluster folks are working on that?

Comment 19 Jim Tyrrell 2011-02-24 14:12:23 UTC
https://issues.jboss.org/browse/MODCLUSTER-211  Comments can be made here. Unfortunately this has been assigned to a docs person, yet your requests are a touch of docs, but mostly engineering changes. If you can update that ticket with that info, or tell me what to say, I can do that.

Thank you in advance.

Comment 20 Miroslav Grepl 2011-02-24 15:03:05 UTC
So I would like to change

manager.balancer.balancers
manager.sessionid.sessionid
manager.domain.domain

files to be created in /var/cache/httpd directory.

Comment 21 Jim Tyrrell 2011-02-28 23:47:23 UTC
type=AVC msg=audit(1298936751.334:44): avc:  denied  { unlink } for  pid=2461 comm="httpd" name="manager.node.nodes" dev=sda2 ino=40368 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1298936751.334:44): arch=c000003e syscall=87 success=no exit=-13 a0=7fd3f523a8d0 a1=7fd3f52014d8 a2=2 a3=7fff69e5f000 items=0 ppid=1 pid=2461 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)


Can you decode what is going on with this error message?

I tried per the jira:
MemManagerFile /var/cache/httpd
and updated the communication port from 8000 to 10001.

Comment 22 Miroslav Grepl 2011-03-01 12:25:22 UTC
Yes, apache calls unlink to remove the "manager.node.nodes" file.

Could you add output of

# ls -lZ /etc/httpd/log

and

# ls -lZ /var/cache/httpd

Comment 23 Jim Tyrrell 2011-03-01 16:02:36 UTC
[root@localhost jimtyrrell]# ls -lZ /etc/httpd/logs/
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 access_log
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 access_log-20110215
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 error_log
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 error_log-20110215
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 error_log-20110228
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.balancer.balancers
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.balancer.balancers.lock
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.balancer.balancers.slotmem
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.context.contexts
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.context.contexts.lock
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.context.contexts.slotmem
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.domain.domain
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.domain.domain.lock
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.domain.domain.slotmem
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.host.hosts
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.host.hosts.lock
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.host.hosts.slotmem
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.node.nodes
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.node.nodes.lock
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.node.nodes.slotmem
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.sessionid.sessionid
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.sessionid.sessionid.lock
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 manager.sessionid.sessionid.slotmem
[root@localhost jimtyrrell]# 


[root@localhost jimtyrrell]# ls -lZ /var/cache/httpd/

[root@localhost jimtyrrell]#

Comment 24 Miroslav Grepl 2011-03-01 16:16:45 UTC
If you execute

# semanage permissive -a httpd_t

what avc msgs are you seeing then?

Comment 25 Jim Tyrrell 2011-03-01 16:45:49 UTC
type=AVC msg=audit(1298997487.524:22622): avc:  denied  { unlink } for  pid=2373 comm="httpd" name="manager.node.nodes" dev=sda2 ino=40368 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1298997487.524:22622): arch=c000003e syscall=87 success=yes exit=0 a0=7fbf2ff2b8d0 a1=7fbf2fef24d8 a2=2 a3=7ffff6d64e40 items=0 ppid=1 pid=2373 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
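
Comment 21 asks what the AVC/SYSCALL pair above means, and comment 25 shows the same denial again after httpd_t was made permissive. The following is an added example, not code from this bug, from Red Hat or from mod_cluster: a small audit.log decoder that pairs each AVC record with its SYSCALL record by audit serial, says whether the denial was enforced or only logged, and renders the same kind of allow rules audit2allow produced for the reporter. The sample log is constructed: the two file denials are the records from comments 21 and 25, the tcp/8000 bind event is invented to mirror the soundd_port_t rule in the reporter's generated module, and all function names are this example's own.

```python
"""Decode SELinux AVC denials from audit.log, pair each with its SYSCALL
record, and render audit2allow-style allow rules. Added example, not code
from the bug report, Red Hat or mod_cluster; the sample log is constructed
(see below) and every function name is this example's own."""
import re
from collections import defaultdict

# Constructed sample. Serial 44 is the enforcing denial from comment 21;
# 22622 is the same denial after 'semanage permissive -a httpd_t' (comment
# 25): still logged, but the SYSCALL record now says success=yes. Serial 45
# is invented: a bind to tcp/8000, the port comment 14 ties to soundd_port_t.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1298936751.334:44): avc:  denied  { unlink } for  pid=2461 comm="httpd" name="manager.node.nodes" dev=sda2 ino=40368 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1298936751.334:44): arch=c000003e syscall=87 success=no exit=-13 a0=7fd3f523a8d0 a1=7fd3f52014d8 a2=2 a3=7fff69e5f000 items=0 ppid=1 pid=2461 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1298936751.340:45): avc:  denied  { name_bind } for  pid=2461 comm="httpd" src=8000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:soundd_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1298936751.340:45): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=7fd3f5200000 a2=10 a3=0 items=0 ppid=1 pid=2461 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1298997487.524:22622): avc:  denied  { unlink } for  pid=2373 comm="httpd" name="manager.node.nodes" dev=sda2 ino=40368 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1298997487.524:22622): arch=c000003e syscall=87 success=yes exit=0 a0=7fbf2ff2b8d0 a1=7fbf2fef24d8 a2=2 a3=7ffff6d64e40 items=0 ppid=1 pid=2373 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]*) \}')

def parse_records(text):
    """Group records by event serial: {serial: {record type: fields}}.
    The AVC and SYSCALL lines of one event share the audit(<ts>:<serial>) stamp."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('body'))}
        if m.group('type') == 'AVC':
            verdict, perms = PERMS_RE.search(m.group('body')).groups()
            fields['verdict'], fields['perms'] = verdict, perms.split()
        events[m.group('serial')][m.group('type')] = fields
    return dict(events)

def decode(events):
    """One dict per AVC denial, in serial order. 'enforced' is True when the
    SYSCALL record says success=no, False when success=yes (the domain or the
    whole system is permissive), None when there is no SYSCALL record."""
    out = []
    for serial in sorted(events, key=int):
        avc, sc = events[serial].get('AVC'), events[serial].get('SYSCALL')
        if not avc or avc['verdict'] != 'denied':
            continue
        out.append({
            'serial': serial, 'comm': avc['comm'], 'pid': int(avc['pid']),
            'exe': sc.get('exe') if sc else None,
            'source_type': avc['scontext'].split(':')[2],  # user:role:TYPE:level
            'target_type': avc['tcontext'].split(':')[2],
            'tclass': avc['tclass'], 'perms': avc['perms'],
            'name': avc.get('name'), 'src': avc.get('src'),
            'enforced': None if sc is None else sc.get('success') == 'no',
        })
    return out

def explain(d):
    """Plain-English reading of one decoded denial."""
    if d['name']:
        obj = f'{d["tclass"]} "{d["name"]}"'
    elif d['src']:
        obj = f'{d["tclass"]} port {d["src"]}'
    else:
        obj = d['tclass']
    verdict = {True: 'denied and blocked (enforcing)',
               False: 'denied but allowed (permissive)',
               None: 'denied; no SYSCALL record, enforcement unknown'}[d['enforced']]
    return (f'{d["comm"]} (pid {d["pid"]}, {d["exe"] or "exe unknown"}) in {d["source_type"]} '
            f'tried {" ".join(d["perms"])} on {obj} labelled {d["target_type"]}: {verdict}')

def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def allow_rules(decoded):
    """audit2allow-style rules: one per (source, target, class), perms merged."""
    merged = defaultdict(set)
    for d in decoded:
        merged[(d['source_type'], d['target_type'], d['tclass'])].update(d['perms'])
    return [f'allow {s} {t}:{c} {fmt_perms(p)};' for (s, t, c), p in sorted(merged.items())]

def te_module(name, version, decoded):
    """Render a complete .te module (require block plus allow rules)."""
    types = sorted({d['source_type'] for d in decoded} | {d['target_type'] for d in decoded})
    class_perms = defaultdict(set)
    for d in decoded:
        class_perms[d['tclass']].update(d['perms'])
    lines = [f'module {name} {version};', '', 'require {']
    lines += [f'\ttype {t};' for t in types]
    lines += [f'\tclass {c} {fmt_perms(p)};' for c, p in sorted(class_perms.items())]
    return '\n'.join(lines + ['}', ''] + allow_rules(decoded)) + '\n'

if __name__ == '__main__':
    denials = decode(parse_records(SAMPLE_AUDIT_LOG))
    print('\n'.join(explain(d) for d in denials), end='\n\n')
    print(te_module('jbosshttpd', '1.0', denials))
```

The success=yes on serial 22622 is the tell for permissive mode: the AVC is still written, but the unlink went through, which is why comment 25 shows a denial even after semanage permissive -a httpd_t. The rendered module is the same kind of output the reporter got from audit2allow, and the thread's conclusion applies to it: it hands httpd_t write and unlink on its own log directory, whereas pointing MemManagerFile at /var/cache/httpd lets the rules httpd_t already has on httpd_cache_t cover the files.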

Comment 26 Jean-frederic Clere 2011-03-03 14:42:06 UTC
If the manager.* files are still in /etc/httpd/logs/, it is because the directive:
MemManagerFile /var/cache/httpd
is not in the right virtualhost. Could you put it in the main server (outside any virtualhost)?

