Bug 829025 - Example config in mod_jk does not work / is non-standard
Example config in mod_jk does not work / is non-standard
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: RPMs (Show other bugs)
6.0.0
Unspecified Linux
unspecified Severity low
: ER7
: EAP 6.2.0
Assigned To: Permaine Cheung
Michal Karm Babacek
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-06-05 15:37 EDT by Risar
Modified: 2016-10-30 18:57 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-15 11:19:30 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Risar 2012-06-05 15:37:12 EDT
Description of problem:
mod_jk package by default includes an example configuration file (mod_jk.conf.sample) which specifies cache should be stored in /var/log. This is not ideal (use /var/cache ?) and does not work with a SELinux enforcing policy.

Version-Release number of selected component (if applicable):
RHEL 6.2 with mod_jk-ap20-1.2.31-1.1.2 

How reproducible:
Install the default package. 
No config file is supplied.
The example config file is supplied with improper/non-standard values.

Steps to Reproduce:
1. yum install mod_jk
2. cp /usr/share/doc/mod_jk-ap20-1.2.31/mod_jk.conf.sample /etc/httpd/conf.d/mod_jk.conf
3. service restart httpd
  
Actual results:
SELinux denials if default (enforcing) policy is set, cache is written to /var/log/httpd. 

Expected results:
SELinux labels/attributes are properly set on packaged content, cache is written to a non-log directory (eg /var/cache/mod_jk/ perhaps ?) and we deploy a working & tested example config. 

Additional info:
Example config fix:
-JkShmFile logs/jk.shm
+JkShmFile /var/cache/mod_jk/jk.shm

Deploy config as /etc/httpd/conf.d/mod_jk.conf
Label JkShmFile parent directory (/var/cache/mod_jk in example) as httpd_cache_t (?)
Comment 3 Rostislav Svoboda 2013-06-27 08:18:41 EDT
QA Ack granted, really small change 

-JkShmFile logs/jk.shm
+JkShmFile /var/cache/mod_jk/jk.shm

@Risar I think SELinux is supported for EWS 2.x only, not aware of any promise for EAP 6.x
Comment 6 Rostislav Svoboda 2013-08-29 06:03:11 EDT
Setting proper components and resetting owner and and contact
Comment 7 Permaine Cheung 2013-10-11 11:43:33 EDT
John, do we support SELinux in EAP? If so, who is our contact?
We'll need some expertise to set up SELinux policy file besides changing that location of the file.
Comment 8 John Doyle 2013-10-14 10:37:58 EDT
We have not created am SELinux policy for EAP.  Users are free to create a policy but they own the policy.  GSS can assist them with creation of the policy.  If we're going to change the default configuration, we should not do it in a minor release.
Comment 9 Mladen Turk 2013-10-16 09:56:23 EDT
Few comments
1. mod_jk.conf.sample should stay as sample
2. I'm fine with changing default location for jk.shm file

Users usually use .sample conf as a base for their config, changing what they
think needs to be changed leaving everything else intact so enforcing a new default shm file location is probably a good thing.
Comment 10 Permaine Cheung 2013-10-16 10:09:59 EDT
I'm going to update the setting for JkShmFile in the sample to /var/cache/mod_jk/jk.shm, and create the /var/cache/mod_jk in the rpm, but keeping the sample as it is, not deployed by default. This change will only be applied to RHEL RPMs as there's no SELinux on other platform.
Comment 11 Permaine Cheung 2013-10-16 14:03:39 EDT
mod_jk-1.2.37-4.redhat_3.ep6.el5 and mod_jk-1.2.37-4.redhat_3.ep6.el6 are built, jboss-eap-native-webserver-connectors updated on RHEL as well.
Will be in ER7.
Comment 12 Permaine Cheung 2013-11-07 14:11:25 EST
Marking this as ON_QA as this is fixed in ER7.
Comment 13 Michal Karm Babacek 2013-11-12 09:00:02 EST
Cool in EAP 6.2.0.ER7 rpms :-)

Note You need to log in before you can comment on or make changes to this bug.