JBoss Core Services / JBCS-168

Distribute an SELinux policy for httpd RPMs



1) Install the service: yum install jbcs-httpd24-httpd

2) Start the service: service jbcs-httpd24-httpd start

3) Check the context of the running process to observe unconfined_service_t instead of httpd_t:

# ps -eZf | grep httpd | head -n1
system_u:system_r:unconfined_service_t:s0 root 3216 1  0 11:58 ?       00:00:00 /opt/rh/jbcs-httpd24/root/usr/sbin/httpd -DFOREGROUND

4) (Optional) Check the contexts of the httpd configuration, log dir, etc. to see that they're the defaults (bin_t, usr_t, etc) instead of the correct contexts (httpd_exec_t, httpd_config_t, etc).

# ll -Z /opt/rh/jbcs-httpd24/root/usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /opt/rh/jbcs-httpd24/root/usr/sbin/httpd
# ll -Z /opt/rh/jbcs-httpd24/root/etc/httpd/conf -d
drwxr-xr-x. root root system_u:object_r:usr_t:s0       /opt/rh/jbcs-httpd24/root/etc/httpd/conf
# ll -Z /opt/rh/jbcs-httpd24/root/var/log/httpd -d
drwx------. root root system_u:object_r:usr_t:s0       /opt/rh/jbcs-httpd24/root/var/log/httpd

As of now, we ship a policy update for mod_cluster-native which adds mod_cluster to the httpd_t domain, allowing it to bind to the ports it needs. This would be great, except that httpd doesn't run in httpd_t; it's unconfined (which is the equivalent of having SELinux disabled). So, we need an SELinux policy addition that causes httpd from JBCS to run in httpd_t like rhel/httpd does.
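The following is an added example, not code from JBCS-168 or from the JBCS project: a bash script that audits the labels under /opt/rh/jbcs-httpd24/root against the types the stock RHEL httpd policy assigns (the bin_t/usr_t vs. httpd_exec_t/httpd_config_t mismatch shown in the reproduction steps) and prints the `semanage fcontext -e` equivalence rules plus the `restorecon` that make the SCL tree inherit those labels, so the binary is labelled httpd_exec_t and init transitions the service into httpd_t instead of unconfined_service_t. The EXPECTED table, the choice of equivalence directories and the `audit|fix|domain` subcommands are assumptions of this example; the issue only asks for a policy addition and does not say how it should be implemented.

```shell
#!/bin/bash
# Added example (not from JBCS-168 or the JBCS project). Checks the SELinux
# labels of the JBCS httpd24 tree against the types used by the stock RHEL
# httpd policy and prints the file-context equivalence commands that make the
# SCL tree inherit those labels, so httpd runs in httpd_t rather than
# unconfined_service_t.

SCL_ROOT=${SCL_ROOT:-/opt/rh/jbcs-httpd24/root}   # path from the issue

# Stock httpd policy types, relative to SCL_ROOT: "subpath expected_type".
# Assumed from the standard httpd file contexts; a local policy may differ.
EXPECTED='
usr/sbin/httpd httpd_exec_t
etc/httpd/conf httpd_config_t
var/log/httpd httpd_log_t
var/www httpd_sys_content_t
'

# Print the type (third field) of an SELinux context:
# system_u:object_r:bin_t:s0 -> bin_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the domain of a process from a `ps -eZ` / `ps -eZf` line, whose first
# field is the context: system_u:system_r:unconfined_service_t:s0 ... -> unconfined_service_t
process_domain() {
    selinux_type "${1%% *}"
}

# Read "context path" lines (the shape of `ls -Z` output) from FILE and print
# "path actual_type expected_type" for every path whose type differs from
# EXPECTED. Returns 1 if anything is mislabelled, 0 if all listed paths match.
audit_labels() {
    local file=$1 rc=0 ctx path rel expected actual
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        rel=${path#"$SCL_ROOT"/}
        expected=$(printf '%s\n' "$EXPECTED" | awk -v r="$rel" '$1 == r { print $2 }')
        [ -n "$expected" ] || continue          # path not in the table, skip
        actual=$(selinux_type "$ctx")
        if [ "$actual" != "$expected" ]; then
            printf '%s %s %s\n' "$path" "$actual" "$expected"
            rc=1
        fi
    done < "$file"
    return $rc
}

# Print the commands that map the SCL directories onto their stock
# counterparts. `semanage fcontext -a -e SRC DST` records an equivalence so
# every path under DST is labelled as the matching path under SRC would be;
# restorecon then applies those labels. Printed, not executed: run them as root.
equivalence_commands() {
    local sub
    for sub in usr/sbin etc/httpd var/log/httpd var/www; do
        printf 'semanage fcontext -a -e /%s %s/%s\n' "$sub" "$SCL_ROOT" "$sub"
    done
    printf 'restorecon -Rv %s\n' "$SCL_ROOT"
}

# Collect "context path" lines for the EXPECTED paths on the live system.
# `ls -dZ` prints the context as the second-to-last field and the path last,
# in both the RHEL 7 and newer coreutils output formats.
live_labels() {
    printf '%s\n' "$EXPECTED" | awk -v root="$SCL_ROOT" 'NF { print root "/" $1 }' |
        xargs -r ls -dZ 2>/dev/null | awk '{ print $(NF-1), $NF }'
}

case "${1:-}" in
    audit)
        tmp=$(mktemp)
        live_labels > "$tmp"
        if audit_labels "$tmp"; then
            echo "labels under $SCL_ROOT match the stock httpd policy"
        fi
        rm -f "$tmp" ;;
    fix)
        equivalence_commands ;;
    domain)
        line=$(ps -eZf | awk '/\/httpd/ && !/awk/ { print; exit }')
        if [ -n "$line" ]; then
            process_domain "$line"      # expect httpd_t once relabelled
        else
            echo "no httpd process found" >&2
        fi ;;
    *)
        echo "usage: $0 audit|fix|domain" >&2 ;;
esac
```

Run `audit` first to see which paths are mislabelled, apply the printed `fix` commands as root, restart the service and confirm with `domain` that the process now reports httpd_t. Moving httpd out of unconfined_service_t means every access the daemon makes is now checked against the httpd policy, so review `ausearch -m AVC -ts recent` after the restart; the separately shipped mod_cluster port policy from the issue still applies on top of this.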

              rhn-support-csutherl Coty Sutherland
Jan Onderka