Details
-
Bug
-
Resolution: Done
-
Minor
-
httpd 2.4.37 SP8 GA
-
None
-
False
-
False
-
undefined
-
Workaround Exists
-
Description
The default location in the mod_jk.conf installed with JBCS 2.4.37 zip and rpm for JkShmFile is logs/jk.sh
type=AVC msg=audit(08/09/2021 19:48:20.767:1454) : avc: denied \{ unlink } for pid=42451 comm=httpd name=jk.shm.42451.lock dev="dm-0" ino=33867215 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(08/09/2021 19:48:20.767:1454) : avc: denied \{ remove_name } for pid=42451 comm=httpd name=jk.shm.42451.lock dev="dm-0" ino=33867215 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir permissive=1
The solution is to modify /opt/rh/jbcs-httpd24/root/etc/httpd/conf.d/mod_jk.conf to put the files somewhere else, for example in /run which is a safe location since it's private to the service anyway:
JkShmFile /run/jk.shm
This will work because the files will be labeled with httpd_var_run_t which is writable by httpd_t context (the context of /opt/rh/jbcs-httpd24/root/usr/sbin/httpd):
# sesearch -A -s httpd_t -t httpd_var_run_t -c file -p write
allow httpd_t httpd_var_run_t:file \{ append create getattr ioctl link lock open read rename setattr unlink write };
# sesearch -T -s httpd_t -t var_run_t
type_transition httpd_t var_run_t:dir httpd_var_run_t;
type_transition httpd_t var_run_t:file httpd_var_run_t;
type_transition httpd_t var_run_t:sock_file httpd_var_run_t;
